Analysis

  • max time kernel
    1631s
  • max time network
    1799s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240709-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    15/07/2024, 17:48 UTC

General

  • Target

    windows.ps1

  • Size

    421B

  • MD5

    d5684c541008779669644c15a23adaca

  • SHA1

    9250b10b96a788dcc595b998915fa4dd1de25332

  • SHA256

    e92cb9de85087f31c7d038e0c2b59c80e05f8c53d5bcc2a5ebf38f9da13b4f5e

  • SHA512

    2f7f6f89418cf93335154b3961362071dfa77b41858e09ce0745c8813c21748880a24a2388b771e8e7909e76902cd83cacdf89279617b335a068c8bbc40a4ef3

Score
10/10

Malware Config

Signatures

  • XMRig Miner payload 2 IoCs
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Blocklisted process makes network request 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\windows.ps1
    1⤵
    • Blocklisted process makes network request
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4040
    • C:\Users\Admin\AppData\Local\Temp\xmrig\xmrig-6.21.3\xmrig.exe
      "C:\Users\Admin\AppData\Local\Temp\xmrig\xmrig-6.21.3\xmrig.exe" -a rx/0 -o gulf.moneroocean.stream:10001 -u 47T6dQJWm8NARismX3UU1XNkUmi83FFdW7EWfszvkxk1WANdBBJpFHh4jK58MjyLd1UsLRRGsWDCBfVtkrEukhbM6gN9LPY -p Windows --cpu-priority 5
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:4360

Network

  • DNS: github.com (US)
    powershell.exe
    Remote address:
    8.8.8.8:53
    Request
    github.com
    IN A
    Response
    github.com
    IN A
    20.26.156.215
  • DNS: objects.githubusercontent.com (US)
    powershell.exe
    Remote address:
    8.8.8.8:53
    Request
    objects.githubusercontent.com
    IN A
    Response
    objects.githubusercontent.com
    IN A
    185.199.111.133
    objects.githubusercontent.com
    IN A
    185.199.109.133
    objects.githubusercontent.com
    IN A
    185.199.108.133
    objects.githubusercontent.com
    IN A
    185.199.110.133
  • DNS: 8.8.8.8.in-addr.arpa (US)
    powershell.exe
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dns.google
  • DNS: login.live.com (US)
    powershell.exe
    Remote address:
    8.8.8.8:53
    Request
    login.live.com
    IN A
    Response
    login.live.com
    IN CNAME
    login.msa.msidentity.com
    login.msa.msidentity.com
    IN CNAME
    www.tm.lg.prod.aadmsa.trafficmanager.net
    www.tm.lg.prod.aadmsa.trafficmanager.net
    IN CNAME
    prdv4a.aadg.msidentity.com
    prdv4a.aadg.msidentity.com
    IN CNAME
    www.tm.v4.a.prd.aadg.akadns.net
    www.tm.v4.a.prd.aadg.akadns.net
    IN A
    20.190.159.64
    www.tm.v4.a.prd.aadg.akadns.net
    IN A
    40.126.31.67
    www.tm.v4.a.prd.aadg.akadns.net
    IN A
    20.190.159.23
    www.tm.v4.a.prd.aadg.akadns.net
    IN A
    20.190.159.2
    www.tm.v4.a.prd.aadg.akadns.net
    IN A
    40.126.31.69
    www.tm.v4.a.prd.aadg.akadns.net
    IN A
    20.190.159.73
    www.tm.v4.a.prd.aadg.akadns.net
    IN A
    20.190.159.0
    www.tm.v4.a.prd.aadg.akadns.net
    IN A
    40.126.31.73
  • DNS: ocsp.digicert.com (US)
    powershell.exe
    Remote address:
    8.8.8.8:53
    Request
    ocsp.digicert.com
    IN A
    Response
    ocsp.digicert.com
    IN CNAME
    ocsp.edge.digicert.com
    ocsp.edge.digicert.com
    IN CNAME
    fp2e7a.wpc.2be4.phicdn.net
    fp2e7a.wpc.2be4.phicdn.net
    IN CNAME
    fp2e7a.wpc.phicdn.net
    fp2e7a.wpc.phicdn.net
    IN A
    192.229.221.95
  • DNS: 133.111.199.185.in-addr.arpa (US)
    powershell.exe
    Remote address:
    8.8.8.8:53
    Request
    133.111.199.185.in-addr.arpa
    IN PTR
    Response
    133.111.199.185.in-addr.arpa
    IN PTR
    cdn-185-199-111-133.github.com
  • DNS: tse1.mm.bing.net (US)
    powershell.exe
    Remote address:
    8.8.8.8:53
    Request
    tse1.mm.bing.net
    IN A
    Response
    tse1.mm.bing.net
    IN CNAME
    mm-mm.bing.net.trafficmanager.net
    mm-mm.bing.net.trafficmanager.net
    IN CNAME
    ax-0001.ax-msedge.net
    ax-0001.ax-msedge.net
    IN A
    150.171.27.10
    ax-0001.ax-msedge.net
    IN A
    150.171.28.10
  • DNS: ctldl.windowsupdate.com (US)
    powershell.exe
    Remote address:
    8.8.8.8:53
    Request
    ctldl.windowsupdate.com
    IN A
    Response
    ctldl.windowsupdate.com
    IN CNAME
    ctldl.windowsupdate.com.delivery.microsoft.com
    ctldl.windowsupdate.com.delivery.microsoft.com
    IN CNAME
    wu-b-net.trafficmanager.net
    wu-b-net.trafficmanager.net
    IN CNAME
    download.windowsupdate.com.edgesuite.net
    download.windowsupdate.com.edgesuite.net
    IN CNAME
    a767.dspw65.akamai.net
    a767.dspw65.akamai.net
    IN A
    2.23.210.83
    a767.dspw65.akamai.net
    IN A
    2.23.210.88
  • DNS: self.events.data.microsoft.com (US)
    powershell.exe
    Remote address:
    8.8.8.8:53
    Request
    self.events.data.microsoft.com
    IN A
    Response
    self.events.data.microsoft.com
    IN CNAME
    self-events-data.trafficmanager.net
    self-events-data.trafficmanager.net
    IN CNAME
    onedscolprdeus13.eastus.cloudapp.azure.com
    onedscolprdeus13.eastus.cloudapp.azure.com
    IN A
    52.168.117.170
  • DNS: 215.156.26.20.in-addr.arpa (US)
    Remote address:
    8.8.8.8:53
    Request
    215.156.26.20.in-addr.arpa
    IN PTR
    Response
  • DNS: ctldl.windowsupdate.com (US)
    Remote address:
    8.8.8.8:53
    Request
    ctldl.windowsupdate.com
    IN A
    Response
    ctldl.windowsupdate.com
    IN CNAME
    ctldl.windowsupdate.com.delivery.microsoft.com
    ctldl.windowsupdate.com.delivery.microsoft.com
    IN CNAME
    wu-b-net.trafficmanager.net
    wu-b-net.trafficmanager.net
    IN CNAME
    bg.microsoft.map.fastly.net
    bg.microsoft.map.fastly.net
    IN A
    199.232.214.172
    bg.microsoft.map.fastly.net
    IN A
    199.232.210.172
  • DNS: arc.msn.com (US)
    Remote address:
    8.8.8.8:53
    Request
    arc.msn.com
    IN A
    Response
    arc.msn.com
    IN CNAME
    arc.trafficmanager.net
    arc.trafficmanager.net
    IN CNAME
    iris-de-prod-azsc-v2-neu-b.northeurope.cloudapp.azure.com
    iris-de-prod-azsc-v2-neu-b.northeurope.cloudapp.azure.com
    IN A
    20.223.36.55
  • DNS: 64.159.190.20.in-addr.arpa (US)
    Remote address:
    8.8.8.8:53
    Request
    64.159.190.20.in-addr.arpa
    IN PTR
    Response
  • DNS: 10.27.171.150.in-addr.arpa (US)
    Remote address:
    8.8.8.8:53
    Request
    10.27.171.150.in-addr.arpa
    IN PTR
    Response
  • DNS: 83.210.23.2.in-addr.arpa (US)
    Remote address:
    8.8.8.8:53
    Request
    83.210.23.2.in-addr.arpa
    IN PTR
    Response
    83.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-83.deploy.static.akamaitechnologies.com
  • DNS: 170.117.168.52.in-addr.arpa (US)
    Remote address:
    8.8.8.8:53
    Request
    170.117.168.52.in-addr.arpa
    IN PTR
    Response
  • DNS: 55.36.223.20.in-addr.arpa (US)
    Remote address:
    8.8.8.8:53
    Request
    55.36.223.20.in-addr.arpa
    IN PTR
    Response
  • DNS: gulf.moneroocean.stream (US)
    Remote address:
    8.8.8.8:53
    Request
    gulf.moneroocean.stream
    IN A
    Response
    gulf.moneroocean.stream
    IN CNAME
    monerooceans.stream
    monerooceans.stream
    IN A
    149.102.143.109
  • DNS: nexusrules.officeapps.live.com (US)
    Remote address:
    8.8.8.8:53
    Request
    nexusrules.officeapps.live.com
    IN A
    Response
    nexusrules.officeapps.live.com
    IN CNAME
    prod.nexusrules.live.com.akadns.net
    prod.nexusrules.live.com.akadns.net
    IN A
    52.111.227.11
  • DNS: ocsp.digicert.com (US)
    Remote address:
    8.8.8.8:53
    Request
    ocsp.digicert.com
    IN A
    Response
    ocsp.digicert.com
    IN CNAME
    ocsp.edge.digicert.com
    ocsp.edge.digicert.com
    IN CNAME
    fp2e7a.wpc.2be4.phicdn.net
    fp2e7a.wpc.2be4.phicdn.net
    IN CNAME
    fp2e7a.wpc.phicdn.net
    fp2e7a.wpc.phicdn.net
    IN A
    192.229.221.95
  • DNS: 172.214.232.199.in-addr.arpa (US)
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • DNS: 109.143.102.149.in-addr.arpa (US)
    Remote address:
    8.8.8.8:53
    Request
    109.143.102.149.in-addr.arpa
    IN PTR
    Response
    109.143.102.149.in-addr.arpa
    IN PTR
    vmi1690904.contaboserver.net
  • DNS: 11.227.111.52.in-addr.arpa (US)
    Remote address:
    8.8.8.8:53
    Request
    11.227.111.52.in-addr.arpa
    IN PTR
    Response
  • 20.26.156.215:443
    github.com
    tls
    powershell.exe
    1.0kB
    8.2kB
    10
    12
  • 185.199.111.133:443
    objects.githubusercontent.com
    tls
    powershell.exe
    52.4kB
    2.7MB
    1084
    1980
  • 150.171.27.10:443
    tse1.mm.bing.net
    tls
    1.6kB
    7.2kB
    17
    15
  • 150.171.27.10:443
    tse1.mm.bing.net
    tls
    1.6kB
    7.2kB
    17
    15
  • 150.171.27.10:443
    tse1.mm.bing.net
    tls
    1.6kB
    7.2kB
    17
    15
  • 150.171.27.10:443
    tse1.mm.bing.net
    tls
    147.9kB
    4.2MB
    3058
    3053
  • 150.171.27.10:443
    tse1.mm.bing.net
    tls
    1.6kB
    7.2kB
    17
    15
  • 149.102.143.109:10001
    gulf.moneroocean.stream
    xmrig.exe
    26.3kB
    42.4kB
    239
    215
  • 8.8.8.8:53
    github.com
    dns
    powershell.exe
    601 B
    1.6kB
    9
    9

    DNS Request

    github.com

    DNS Response

    20.26.156.215

    DNS Request

    objects.githubusercontent.com

    DNS Response

    185.199.111.133
    185.199.109.133
    185.199.108.133
    185.199.110.133

    DNS Request

    8.8.8.8.in-addr.arpa

    DNS Request

    login.live.com

    DNS Response

    20.190.159.64
    40.126.31.67
    20.190.159.23
    20.190.159.2
    40.126.31.69
    20.190.159.73
    20.190.159.0
    40.126.31.73

    DNS Request

    ocsp.digicert.com

    DNS Response

    192.229.221.95

    DNS Request

    133.111.199.185.in-addr.arpa

    DNS Request

    tse1.mm.bing.net

    DNS Response

    150.171.27.10
    150.171.28.10

    DNS Request

    ctldl.windowsupdate.com

    DNS Response

    2.23.210.83
    2.23.210.88

    DNS Request

    self.events.data.microsoft.com

    DNS Response

    52.168.117.170

  • 8.8.8.8:53
    215.156.26.20.in-addr.arpa
    dns
    485 B
    1.2kB
    7
    7

    DNS Request

    215.156.26.20.in-addr.arpa

    DNS Request

    ctldl.windowsupdate.com

    DNS Response

    199.232.214.172
    199.232.210.172

    DNS Request

    arc.msn.com

    DNS Response

    20.223.36.55

    DNS Request

    64.159.190.20.in-addr.arpa

    DNS Request

    10.27.171.150.in-addr.arpa

    DNS Request

    83.210.23.2.in-addr.arpa

    DNS Request

    170.117.168.52.in-addr.arpa

  • 8.8.8.8:53
    55.36.223.20.in-addr.arpa
    dns
    279 B
    578 B
    4
    4

    DNS Request

    55.36.223.20.in-addr.arpa

    DNS Request

    gulf.moneroocean.stream

    DNS Response

    149.102.143.109

    DNS Request

    nexusrules.officeapps.live.com

    DNS Response

    52.111.227.11

    DNS Request

    ocsp.digicert.com

    DNS Response

    192.229.221.95

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    220 B
    402 B
    3
    3

    DNS Request

    172.214.232.199.in-addr.arpa

    DNS Request

    109.143.102.149.in-addr.arpa

    DNS Request

    11.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nbdfgvf4.wb2.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Local\Temp\xmrig\xmrig-6.21.3\xmrig.exe

    Filesize

    6.1MB

    MD5

    c0f8959614ae06561216158d78a787e5

    SHA1

    73167d1fd0cee1c96a6505606d21cbfe4369eb00

    SHA256

    e199d88569fb54346d5fa20ee7b59b2ea6f16f4ecca3ea1e1c937b11aab7b2b0

    SHA512

    a24fcf344d08c64ac301d5e4979f062b5e28e8e4acf1d2790916149ffe7726b0c4a11e0775aeba6b841d2d5081e1bd13e2b80390bf9bfbc44d67e54ec07cd746

  • memory/4040-11-0x00007FFBD09F0000-0x00007FFBD14B2000-memory.dmp

    Filesize

    10.8MB

  • memory/4040-46-0x00007FFBD09F0000-0x00007FFBD14B2000-memory.dmp

    Filesize

    10.8MB

  • memory/4040-0-0x00007FFBD09F3000-0x00007FFBD09F5000-memory.dmp

    Filesize

    8KB

  • memory/4040-12-0x00007FFBD09F0000-0x00007FFBD14B2000-memory.dmp

    Filesize

    10.8MB

  • memory/4040-14-0x0000018D2CAE0000-0x0000018D2CAF2000-memory.dmp

    Filesize

    72KB

  • memory/4040-15-0x0000018D2C660000-0x0000018D2C66A000-memory.dmp

    Filesize

    40KB

  • memory/4040-9-0x0000018D2C5D0000-0x0000018D2C5F2000-memory.dmp

    Filesize

    136KB

  • memory/4040-10-0x00007FFBD09F0000-0x00007FFBD14B2000-memory.dmp

    Filesize

    10.8MB

  • memory/4040-48-0x00007FFBD09F0000-0x00007FFBD14B2000-memory.dmp

    Filesize

    10.8MB

  • memory/4040-47-0x00007FFBD09F3000-0x00007FFBD09F5000-memory.dmp

    Filesize

    8KB

  • memory/4360-42-0x000002B67ED20000-0x000002B67ED40000-memory.dmp

    Filesize

    128KB

  • memory/4360-45-0x000002B67EDC0000-0x000002B67EDE0000-memory.dmp

    Filesize

    128KB

  • memory/4360-44-0x000002B67ED90000-0x000002B67EDB0000-memory.dmp

    Filesize

    128KB

  • memory/4360-43-0x000002B67ED70000-0x000002B67ED90000-memory.dmp

    Filesize

    128KB

  • memory/4360-49-0x000002B67ED90000-0x000002B67EDB0000-memory.dmp

    Filesize

    128KB

  • memory/4360-50-0x000002B67EDC0000-0x000002B67EDE0000-memory.dmp

    Filesize

    128KB
