Analysis Overview
SHA256
5b06e18380c2c8261419a482e5d54b189bbe9b0feaccd355c3cb1bc4aaedd017
Threat Level: Known bad
The file PUB.rar was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
Xmrig family
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-10-25 17:14
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xmrig family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral4
Detonation Overview
Submitted
2024-10-25 17:14
Reported
2024-10-25 17:28
Platform
win11-20241007-en
Max time kernel
91s
Max time network
259s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3436 wrote to memory of 2032 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
| PID 3436 wrote to memory of 2032 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (4).bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.240.197:5332 | us-zephyr.miningocean.org | tcp |
Files
memory/2032-0-0x00000252A1620000-0x00000252A1640000-memory.dmp
memory/2032-1-0x00000252A3010000-0x00000252A3030000-memory.dmp
memory/2032-2-0x00000252A3030000-0x00000252A3050000-memory.dmp
memory/2032-3-0x00000252A3050000-0x00000252A3070000-memory.dmp
memory/2032-5-0x00000252A3050000-0x00000252A3070000-memory.dmp
memory/2032-4-0x00000252A3030000-0x00000252A3050000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-10-25 17:14
Reported
2024-10-25 17:28
Platform
win11-20241007-en
Max time kernel
216s
Max time network
300s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2392 wrote to memory of 4852 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
| PID 2392 wrote to memory of 4852 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (5).bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.240.197:5332 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
Files
memory/4852-0-0x00000192B5540000-0x00000192B5560000-memory.dmp
memory/4852-1-0x00000192B5590000-0x00000192B55B0000-memory.dmp
memory/4852-3-0x00000192B55B0000-0x00000192B55D0000-memory.dmp
memory/4852-2-0x00000192B55D0000-0x00000192B55F0000-memory.dmp
memory/4852-5-0x00000192B55B0000-0x00000192B55D0000-memory.dmp
memory/4852-4-0x00000192B55D0000-0x00000192B55F0000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-10-25 17:14
Reported
2024-10-25 17:28
Platform
win11-20241007-en
Max time kernel
300s
Max time network
259s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4200 wrote to memory of 4524 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
| PID 4200 wrote to memory of 4524 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (7).bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.240.197:5332 | us-zephyr.miningocean.org | tcp |
| N/A | 20.189.173.17:443 | N/A | tcp |
Files
memory/4524-0-0x00000288F22B0000-0x00000288F22D0000-memory.dmp
memory/4524-1-0x00000288F2300000-0x00000288F2320000-memory.dmp
memory/4524-2-0x00000288F2340000-0x00000288F2360000-memory.dmp
memory/4524-3-0x00000288F2320000-0x00000288F2340000-memory.dmp
memory/4524-5-0x00000288F2320000-0x00000288F2340000-memory.dmp
memory/4524-4-0x00000288F2340000-0x00000288F2360000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-10-25 17:14
Reported
2024-10-25 17:28
Platform
win11-20241007-en
Max time kernel
217s
Max time network
290s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1452 wrote to memory of 1864 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
| PID 1452 wrote to memory of 1864 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (8).bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.240.197:5332 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 24.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
Files
memory/1864-0-0x0000025179A50000-0x0000025179A70000-memory.dmp
memory/1864-1-0x0000025179AB0000-0x0000025179AD0000-memory.dmp
memory/1864-3-0x0000025179AF0000-0x0000025179B10000-memory.dmp
memory/1864-2-0x0000025179AD0000-0x0000025179AF0000-memory.dmp
memory/1864-5-0x0000025179AF0000-0x0000025179B10000-memory.dmp
memory/1864-4-0x0000025179AD0000-0x0000025179AF0000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-10-25 17:14
Reported
2024-10-25 17:28
Platform
win11-20241007-en
Max time kernel
150s
Max time network
273s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3188 wrote to memory of 2892 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
| PID 3188 wrote to memory of 2892 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (9).bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.240.197:5332 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 197.240.204.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.173.189.20.in-addr.arpa | udp |
Files
memory/2892-0-0x0000017D94F40000-0x0000017D94F60000-memory.dmp
memory/2892-1-0x0000017D94FA0000-0x0000017D94FC0000-memory.dmp
memory/2892-2-0x0000017D94FC0000-0x0000017D94FE0000-memory.dmp
memory/2892-3-0x0000017D94FE0000-0x0000017D95000000-memory.dmp
memory/2892-5-0x0000017D94FE0000-0x0000017D95000000-memory.dmp
memory/2892-4-0x0000017D94FC0000-0x0000017D94FE0000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2024-10-25 17:14
Reported
2024-10-25 17:28
Platform
win11-20241007-en
Max time kernel
92s
Max time network
279s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3796 wrote to memory of 2324 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
| PID 3796 wrote to memory of 2324 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie.bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.244.104:5332 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 104.244.204.15.in-addr.arpa | udp |
Files
memory/2324-0-0x000001FDBCF50000-0x000001FDBCF70000-memory.dmp
memory/2324-1-0x000001FDBCF90000-0x000001FDBCFB0000-memory.dmp
memory/2324-2-0x000001FDBCFF0000-0x000001FDBD010000-memory.dmp
memory/2324-3-0x000001FDBCFB0000-0x000001FDBCFD0000-memory.dmp
memory/2324-4-0x000001FDBCFF0000-0x000001FDBD010000-memory.dmp
memory/2324-5-0x000001FDBCFB0000-0x000001FDBCFD0000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-25 17:14
Reported
2024-10-25 17:28
Platform
win11-20241023-en
Max time kernel
91s
Max time network
205s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe"
Network
Files
memory/2936-0-0x000001D82CDD0000-0x000001D82CDF0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-25 17:14
Reported
2024-10-25 17:28
Platform
win11-20241007-en
Max time kernel
220s
Max time network
286s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1616 wrote to memory of 2952 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
| PID 1616 wrote to memory of 2952 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (2).bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.244.104:5332 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 104.244.204.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.209.201.84.in-addr.arpa | udp |
Files
memory/2952-0-0x000002D50A850000-0x000002D50A870000-memory.dmp
memory/2952-1-0x000002D50A8A0000-0x000002D50A8C0000-memory.dmp
memory/2952-3-0x000002D50A8E0000-0x000002D50A900000-memory.dmp
memory/2952-2-0x000002D50A8C0000-0x000002D50A8E0000-memory.dmp
memory/2952-5-0x000002D50A8E0000-0x000002D50A900000-memory.dmp
memory/2952-4-0x000002D50A8C0000-0x000002D50A8E0000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-10-25 17:14
Reported
2024-10-25 17:28
Platform
win11-20241007-en
Max time kernel
300s
Max time network
259s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2648 wrote to memory of 4812 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
| PID 2648 wrote to memory of 4812 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (3).bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.240.197:5332 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| N/A | 52.168.117.169:443 | N/A | tcp |
Files
memory/4812-0-0x000001FFB0220000-0x000001FFB0240000-memory.dmp
memory/4812-1-0x000001FFB0260000-0x000001FFB0280000-memory.dmp
memory/4812-2-0x000001FFB0280000-0x000001FFB02A0000-memory.dmp
memory/4812-3-0x000001FFB02A0000-0x000001FFB02C0000-memory.dmp
memory/4812-5-0x000001FFB02A0000-0x000001FFB02C0000-memory.dmp
memory/4812-4-0x000001FFB0280000-0x000001FFB02A0000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-10-25 17:14
Reported
2024-10-25 17:28
Platform
win11-20241007-en
Max time kernel
91s
Max time network
259s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4496 wrote to memory of 4912 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
| PID 4496 wrote to memory of 4912 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (6).bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 15.204.240.197:5332 | us-zephyr.miningocean.org | tcp |
Files
memory/4912-0-0x0000028F693C0000-0x0000028F693E0000-memory.dmp
memory/4912-1-0x0000028F6AEC0000-0x0000028F6AEE0000-memory.dmp
memory/4912-2-0x0000028FFD580000-0x0000028FFD5A0000-memory.dmp
memory/4912-3-0x0000028F6AEE0000-0x0000028F6AF00000-memory.dmp
memory/4912-4-0x0000028FFD580000-0x0000028FFD5A0000-memory.dmp
memory/4912-5-0x0000028F6AEE0000-0x0000028F6AF00000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2024-10-25 17:14
Reported
2024-10-25 17:28
Platform
win11-20241007-en
Max time kernel
213s
Max time network
288s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3576 wrote to memory of 1372 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
| PID 3576 wrote to memory of 1372 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr.bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.240.197:5332 | us-zephyr.miningocean.org | tcp |
Files
memory/1372-0-0x000001BB33C90000-0x000001BB33CB0000-memory.dmp
memory/1372-1-0x000001BB33DF0000-0x000001BB33E10000-memory.dmp
memory/1372-2-0x000001BB33E10000-0x000001BB33E30000-memory.dmp
memory/1372-3-0x000001BB33E30000-0x000001BB33E50000-memory.dmp
memory/1372-4-0x000001BB33E10000-0x000001BB33E30000-memory.dmp
memory/1372-5-0x000001BB33E30000-0x000001BB33E50000-memory.dmp