Malware Analysis Report

2025-08-11 08:12

Sample ID 241025-vr3clszlas
Target PUB.rar
SHA256 5b06e18380c2c8261419a482e5d54b189bbe9b0feaccd355c3cb1bc4aaedd017
Tags
miner xmrig
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5b06e18380c2c8261419a482e5d54b189bbe9b0feaccd355c3cb1bc4aaedd017

Threat Level: Known bad

The file PUB.rar was found to be: Known bad.

Malicious Activity Summary

miner xmrig

XMRig Miner payload

Xmrig family

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-10-25 17:14

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xmrig family

xmrig

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-10-25 17:14

Reported

2024-10-25 17:28

Platform

win11-20241007-en

Max time kernel

91s

Max time network

259s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (4).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3436 wrote to memory of 2032 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 3436 wrote to memory of 2032 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (4).bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.240.197:5332 us-zephyr.miningocean.org tcp

Files

memory/2032-0-0x00000252A1620000-0x00000252A1640000-memory.dmp

memory/2032-1-0x00000252A3010000-0x00000252A3030000-memory.dmp

memory/2032-2-0x00000252A3030000-0x00000252A3050000-memory.dmp

memory/2032-3-0x00000252A3050000-0x00000252A3070000-memory.dmp

memory/2032-5-0x00000252A3050000-0x00000252A3070000-memory.dmp

memory/2032-4-0x00000252A3030000-0x00000252A3050000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-10-25 17:14

Reported

2024-10-25 17:28

Platform

win11-20241007-en

Max time kernel

216s

Max time network

300s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (5).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2392 wrote to memory of 4852 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 2392 wrote to memory of 4852 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (5).bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.240.197:5332 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp

Files

memory/4852-0-0x00000192B5540000-0x00000192B5560000-memory.dmp

memory/4852-1-0x00000192B5590000-0x00000192B55B0000-memory.dmp

memory/4852-3-0x00000192B55B0000-0x00000192B55D0000-memory.dmp

memory/4852-2-0x00000192B55D0000-0x00000192B55F0000-memory.dmp

memory/4852-5-0x00000192B55B0000-0x00000192B55D0000-memory.dmp

memory/4852-4-0x00000192B55D0000-0x00000192B55F0000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-10-25 17:14

Reported

2024-10-25 17:28

Platform

win11-20241007-en

Max time kernel

300s

Max time network

259s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (7).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4200 wrote to memory of 4524 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 4200 wrote to memory of 4524 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (7).bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.240.197:5332 us-zephyr.miningocean.org tcp
N/A 20.189.173.17:443 tcp

Files

memory/4524-0-0x00000288F22B0000-0x00000288F22D0000-memory.dmp

memory/4524-1-0x00000288F2300000-0x00000288F2320000-memory.dmp

memory/4524-2-0x00000288F2340000-0x00000288F2360000-memory.dmp

memory/4524-3-0x00000288F2320000-0x00000288F2340000-memory.dmp

memory/4524-5-0x00000288F2320000-0x00000288F2340000-memory.dmp

memory/4524-4-0x00000288F2340000-0x00000288F2360000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-10-25 17:14

Reported

2024-10-25 17:28

Platform

win11-20241007-en

Max time kernel

217s

Max time network

290s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (8).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1452 wrote to memory of 1864 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 1452 wrote to memory of 1864 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (8).bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.240.197:5332 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 24.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp

Files

memory/1864-0-0x0000025179A50000-0x0000025179A70000-memory.dmp

memory/1864-1-0x0000025179AB0000-0x0000025179AD0000-memory.dmp

memory/1864-3-0x0000025179AF0000-0x0000025179B10000-memory.dmp

memory/1864-2-0x0000025179AD0000-0x0000025179AF0000-memory.dmp

memory/1864-5-0x0000025179AF0000-0x0000025179B10000-memory.dmp

memory/1864-4-0x0000025179AD0000-0x0000025179AF0000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-10-25 17:14

Reported

2024-10-25 17:28

Platform

win11-20241007-en

Max time kernel

150s

Max time network

273s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (9).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3188 wrote to memory of 2892 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 3188 wrote to memory of 2892 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (9).bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.240.197:5332 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 197.240.204.15.in-addr.arpa udp
US 8.8.8.8:53 25.173.189.20.in-addr.arpa udp

Files

memory/2892-0-0x0000017D94F40000-0x0000017D94F60000-memory.dmp

memory/2892-1-0x0000017D94FA0000-0x0000017D94FC0000-memory.dmp

memory/2892-2-0x0000017D94FC0000-0x0000017D94FE0000-memory.dmp

memory/2892-3-0x0000017D94FE0000-0x0000017D95000000-memory.dmp

memory/2892-5-0x0000017D94FE0000-0x0000017D95000000-memory.dmp

memory/2892-4-0x0000017D94FC0000-0x0000017D94FE0000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-10-25 17:14

Reported

2024-10-25 17:28

Platform

win11-20241007-en

Max time kernel

92s

Max time network

279s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie.bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3796 wrote to memory of 2324 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 3796 wrote to memory of 2324 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie.bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.244.104:5332 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 104.244.204.15.in-addr.arpa udp

Files

memory/2324-0-0x000001FDBCF50000-0x000001FDBCF70000-memory.dmp

memory/2324-1-0x000001FDBCF90000-0x000001FDBCFB0000-memory.dmp

memory/2324-2-0x000001FDBCFF0000-0x000001FDBD010000-memory.dmp

memory/2324-3-0x000001FDBCFB0000-0x000001FDBCFD0000-memory.dmp

memory/2324-4-0x000001FDBCFF0000-0x000001FDBD010000-memory.dmp

memory/2324-5-0x000001FDBCFB0000-0x000001FDBCFD0000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-25 17:14

Reported

2024-10-25 17:28

Platform

win11-20241023-en

Max time kernel

91s

Max time network

205s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe"

Network

Files

memory/2936-0-0x000001D82CDD0000-0x000001D82CDF0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-25 17:14

Reported

2024-10-25 17:28

Platform

win11-20241007-en

Max time kernel

220s

Max time network

286s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (2).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1616 wrote to memory of 2952 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 1616 wrote to memory of 2952 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (2).bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.244.104:5332 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 104.244.204.15.in-addr.arpa udp
US 8.8.8.8:53 98.209.201.84.in-addr.arpa udp

Files

memory/2952-0-0x000002D50A850000-0x000002D50A870000-memory.dmp

memory/2952-1-0x000002D50A8A0000-0x000002D50A8C0000-memory.dmp

memory/2952-3-0x000002D50A8E0000-0x000002D50A900000-memory.dmp

memory/2952-2-0x000002D50A8C0000-0x000002D50A8E0000-memory.dmp

memory/2952-5-0x000002D50A8E0000-0x000002D50A900000-memory.dmp

memory/2952-4-0x000002D50A8C0000-0x000002D50A8E0000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-25 17:14

Reported

2024-10-25 17:28

Platform

win11-20241007-en

Max time kernel

300s

Max time network

259s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (3).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2648 wrote to memory of 4812 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 2648 wrote to memory of 4812 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (3).bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.240.197:5332 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
N/A 52.168.117.169:443 tcp

Files

memory/4812-0-0x000001FFB0220000-0x000001FFB0240000-memory.dmp

memory/4812-1-0x000001FFB0260000-0x000001FFB0280000-memory.dmp

memory/4812-2-0x000001FFB0280000-0x000001FFB02A0000-memory.dmp

memory/4812-3-0x000001FFB02A0000-0x000001FFB02C0000-memory.dmp

memory/4812-5-0x000001FFB02A0000-0x000001FFB02C0000-memory.dmp

memory/4812-4-0x000001FFB0280000-0x000001FFB02A0000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-10-25 17:14

Reported

2024-10-25 17:28

Platform

win11-20241007-en

Max time kernel

91s

Max time network

259s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (6).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4496 wrote to memory of 4912 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 4496 wrote to memory of 4912 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (6).bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 15.204.240.197:5332 us-zephyr.miningocean.org tcp

Files

memory/4912-0-0x0000028F693C0000-0x0000028F693E0000-memory.dmp

memory/4912-1-0x0000028F6AEC0000-0x0000028F6AEE0000-memory.dmp

memory/4912-2-0x0000028FFD580000-0x0000028FFD5A0000-memory.dmp

memory/4912-3-0x0000028F6AEE0000-0x0000028F6AF00000-memory.dmp

memory/4912-4-0x0000028FFD580000-0x0000028FFD5A0000-memory.dmp

memory/4912-5-0x0000028F6AEE0000-0x0000028F6AF00000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-10-25 17:14

Reported

2024-10-25 17:28

Platform

win11-20241007-en

Max time kernel

213s

Max time network

288s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr.bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3576 wrote to memory of 1372 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 3576 wrote to memory of 1372 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr.bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.240.197:5332 us-zephyr.miningocean.org tcp

Files

memory/1372-0-0x000001BB33C90000-0x000001BB33CB0000-memory.dmp

memory/1372-1-0x000001BB33DF0000-0x000001BB33E10000-memory.dmp

memory/1372-2-0x000001BB33E10000-0x000001BB33E30000-memory.dmp

memory/1372-3-0x000001BB33E30000-0x000001BB33E50000-memory.dmp

memory/1372-4-0x000001BB33E10000-0x000001BB33E30000-memory.dmp

memory/1372-5-0x000001BB33E30000-0x000001BB33E50000-memory.dmp