ad54fdc3443ab066cd92b5b6b18483bb7b9c6188345b9d69830f96547374e157

Resubmissions

01/09/2024, 20:26

01/09/2024, 19:46

01/09/2024, 19:11

01/09/2024, 18:52

max time kernel
840s
max time network
1007s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
01/09/2024, 19:11

Target

ETC XMR4/start.bat
Size

110B
MD5

5b696af5c780a7699a22b945dc062927
SHA1

1f2a9887f83d7224ed710179da51080923fd1d7b
SHA256

316e23befc16b34bfbe4b4adcf8d319b1af134ad51577e09a2b5a09ded70a781
SHA512

c6f4b96c16b74dc93e4150d3bfb37d87fef49b49d1d1d3644528d399ba2ea9ae11ef309ae203fca3d6d19810bdbbf1ec6af36565e2f5fb17f1d24b06ae493685

Score

1^/10

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1524	xmrig.exe
Token: SeLockMemoryPrivilege	1524	xmrig.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1524	xmrig.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1380 wrote to memory of 1524	1380	cmd.exe	31
PID 1380 wrote to memory of 1524	1380	cmd.exe	31
PID 1380 wrote to memory of 1524	1380	cmd.exe	31

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\ETC XMR4\start.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1380
- C:\Users\Admin\AppData\Local\Temp\ETC XMR4\xmrig.exe
  xmrig.exe -o rx.unmineable.com:3333 -a rx -k -u BTC:bc1qvqn8wzhgdh8xfy2klz9f5r4q882fpl840e472e.cpu -p x
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1524

memory/1524-0-0x00000000002F0000-0x0000000000310000-memory.dmp

Filesize
128KB

Download
memory/1524-2-0x00000000005A0000-0x00000000005C0000-memory.dmp

Filesize
128KB

Download
memory/1524-1-0x00000000004F0000-0x0000000000510000-memory.dmp

Filesize
128KB

Download
memory/1524-3-0x00000000004F0000-0x0000000000510000-memory.dmp

Filesize
128KB

Download
memory/1524-4-0x00000000005A0000-0x00000000005C0000-memory.dmp

Filesize
128KB

Download