Analysis
- max time kernel: 1631s
- max time network: 1799s
- platform: windows11-21h2_x64
- resource: win11-20240709-en
- resource tags: arch:x64, arch:x86, image:win11-20240709-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 15/07/2024, 17:48 UTC
Static task: static1
Behavioral task: behavioral1
- Sample: windows.ps1
- Resource: win10-20240404-en
Behavioral task: behavioral2
- Sample: windows.ps1
- Resource: win10v2004-20240709-en
General
- Target: windows.ps1
- Size: 421B
- MD5: d5684c541008779669644c15a23adaca
- SHA1: 9250b10b96a788dcc595b998915fa4dd1de25332
- SHA256: e92cb9de85087f31c7d038e0c2b59c80e05f8c53d5bcc2a5ebf38f9da13b4f5e
- SHA512: 2f7f6f89418cf93335154b3961362071dfa77b41858e09ce0745c8813c21748880a24a2388b771e8e7909e76902cd83cacdf89279617b335a068c8bbc40a4ef3
Malware Config
Signatures
- XMRig Miner payload (2 IoCs)
  resource                                     yara_rule
  behavioral3/files/0x000200000002aaa9-40.dat  family_xmrig
  behavioral3/files/0x000200000002aaa9-40.dat  xmrig
- Blocklisted process makes network request (2 IoCs)
  flow  pid   Process
  2     4040  powershell.exe
  3     4040  powershell.exe
- Executes dropped EXE (1 IoCs)
  pid   Process
  4360  xmrig.exe
- Command and Scripting Interpreter: PowerShell
  pid   Process
  4040  powershell.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  4040  powershell.exe
  4040  powershell.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description                        pid   Process
  Token: SeDebugPrivilege            4040  powershell.exe
  Token: SeLockMemoryPrivilege       4360  xmrig.exe
  Token: SeLockMemoryPrivilege       4360  xmrig.exe
  Token: SeIncBasePriorityPrivilege  4360  xmrig.exe
- Suspicious use of FindShellTrayWindow (1 IoCs)
  pid   Process
  4360  xmrig.exe
- Suspicious use of WriteProcessMemory (2 IoCs)
  description                       pid   Process         procid_target
  PID 4040 wrote to memory of 4360  4040  powershell.exe  89
  PID 4040 wrote to memory of 4360  4040  powershell.exe  89
Processes
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\windows.ps1
  PID: 4040
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\xmrig\xmrig-6.21.3\xmrig.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\xmrig\xmrig-6.21.3\xmrig.exe" -a rx/0 -o gulf.moneroocean.stream:10001 -u 47T6dQJWm8NARismX3UU1XNkUmi83FFdW7EWfszvkxk1WANdBBJpFHh4jK58MjyLd1UsLRRGsWDCBfVtkrEukhbM6gN9LPY -p Windows --cpu-priority 5
    PID: 4360
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 6.1MB
  MD5: c0f8959614ae06561216158d78a787e5
  SHA1: 73167d1fd0cee1c96a6505606d21cbfe4369eb00
  SHA256: e199d88569fb54346d5fa20ee7b59b2ea6f16f4ecca3ea1e1c937b11aab7b2b0
  SHA512: a24fcf344d08c64ac301d5e4979f062b5e28e8e4acf1d2790916149ffe7726b0c4a11e0775aeba6b841d2d5081e1bd13e2b80390bf9bfbc44d67e54ec07cd746