Overview

overview

10

Static

static

1

windows.ps1

windows10-1703-x64

10

windows.ps1

windows10-2004-x64

10

windows.ps1

windows11-21h2-x64

10

Analysis

  • max time kernel
    362s
  • max time network
    1183s
  • platform
    windows10-1703_x64
  • resource
    win10-20240611-en
  • resource tags

    arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
  • submitted
    15/07/2024, 11:50

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    windows.ps1

  • Size

    421B

  • MD5

    d5684c541008779669644c15a23adaca

  • SHA1

    9250b10b96a788dcc595b998915fa4dd1de25332

  • SHA256

    e92cb9de85087f31c7d038e0c2b59c80e05f8c53d5bcc2a5ebf38f9da13b4f5e

  • SHA512

    2f7f6f89418cf93335154b3961362071dfa77b41858e09ce0745c8813c21748880a24a2388b771e8e7909e76902cd83cacdf89279617b335a068c8bbc40a4ef3

Score
10/10
xmrigexecutionminer

Malware Config

Signatures

  • XMRig Miner payload 2 IoCs
    miner
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Blocklisted process makes network request 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\windows.ps1
    1⤵
    • Blocklisted process makes network request
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1572
    • C:\Users\Admin\AppData\Local\Temp\xmrig\xmrig-6.21.3\xmrig.exe
      "C:\Users\Admin\AppData\Local\Temp\xmrig\xmrig-6.21.3\xmrig.exe" -a rx/0 -o gulf.moneroocean.stream:10001 -u 47T6dQJWm8NARismX3UU1XNkUmi83FFdW7EWfszvkxk1WANdBBJpFHh4jK58MjyLd1UsLRRGsWDCBfVtkrEukhbM6gN9LPY -p Windows --cpu-priority 5
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:1580

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pjs4cqst.rsb.ps1
          Filesize

          1B

          MD5

          c4ca4238a0b923820dcc509a6f75849b

          SHA1

          356a192b7913b04c54574d18c28d46e6395428ab

          SHA256

          6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

          SHA512

          4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\xmrig\xmrig-6.21.3\xmrig.exe
          Filesize

          6.1MB

          MD5

          c0f8959614ae06561216158d78a787e5

          SHA1

          73167d1fd0cee1c96a6505606d21cbfe4369eb00

          SHA256

          e199d88569fb54346d5fa20ee7b59b2ea6f16f4ecca3ea1e1c937b11aab7b2b0

          SHA512

          a24fcf344d08c64ac301d5e4979f062b5e28e8e4acf1d2790916149ffe7726b0c4a11e0775aeba6b841d2d5081e1bd13e2b80390bf9bfbc44d67e54ec07cd746

          Download Submit

        • memory/1572-61-0x000001999D510000-0x000001999D51A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/1572-5-0x000001999D380000-0x000001999D3A2000-memory.dmp

          Filesize

          136KB

          Download

        • memory/1572-10-0x00007FFF16C50000-0x00007FFF1763C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/1572-8-0x00007FFF16C50000-0x00007FFF1763C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/1572-25-0x00007FFF16C50000-0x00007FFF1763C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/1572-48-0x000001999D5B0000-0x000001999D5C2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/1572-0-0x00007FFF16C53000-0x00007FFF16C54000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1572-9-0x000001999D530000-0x000001999D5A6000-memory.dmp

          Filesize

          472KB

          Download

        • memory/1572-91-0x00007FFF16C50000-0x00007FFF1763C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/1572-90-0x00007FFF16C53000-0x00007FFF16C54000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1580-89-0x0000021E73220000-0x0000021E73260000-memory.dmp

          Filesize

          256KB

          Download

        • memory/1580-88-0x0000021E717F0000-0x0000021E71810000-memory.dmp

          Filesize

          128KB

          Download

        • memory/1580-93-0x0000021E73260000-0x0000021E73280000-memory.dmp

          Filesize

          128KB

          Download

        • memory/1580-92-0x0000021E731E0000-0x0000021E73200000-memory.dmp

          Filesize

          128KB

          Download

        • memory/1580-94-0x0000021E731E0000-0x0000021E73200000-memory.dmp

          Filesize

          128KB

          Download

        • memory/1580-95-0x0000021E73260000-0x0000021E73280000-memory.dmp

          Filesize

          128KB

          Download