Analysis Overview
SHA256
5b06e18380c2c8261419a482e5d54b189bbe9b0feaccd355c3cb1bc4aaedd017
Threat Level: Known bad
The file PUB.rar was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
Xmrig family
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-10-26 01:45
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xmrig family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral15
Detonation Overview
Submitted
2024-10-26 01:45
Reported
2024-10-26 02:32
Platform
win10ltsc2021-20241023-en
Max time kernel
300s
Max time network
304s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 220 wrote to memory of 2700 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
| PID 220 wrote to memory of 2700 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (7).bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.244.104:5332 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.244.204.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.117.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fd.api.iris.microsoft.com | udp |
| FR | 20.74.47.205:443 | fd.api.iris.microsoft.com | tcp |
Files
memory/2700-0-0x0000020D0C470000-0x0000020D0C490000-memory.dmp
memory/2700-1-0x0000020D9E610000-0x0000020D9E630000-memory.dmp
memory/2700-2-0x0000020D9EA50000-0x0000020D9EA70000-memory.dmp
memory/2700-3-0x0000020D9EC80000-0x0000020D9ECA0000-memory.dmp
memory/2700-5-0x0000020D9EC80000-0x0000020D9ECA0000-memory.dmp
memory/2700-4-0x0000020D9EA50000-0x0000020D9EA70000-memory.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2024-10-26 01:45
Reported
2024-10-26 02:32
Platform
win10ltsc2021-20241023-en
Max time kernel
300s
Max time network
284s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1028 wrote to memory of 3592 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
| PID 1028 wrote to memory of 3592 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (9).bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.244.104:5332 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.244.204.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 70.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
memory/3592-0-0x000002075F3D0000-0x000002075F3F0000-memory.dmp
memory/3592-1-0x000002075F420000-0x000002075F440000-memory.dmp
memory/3592-3-0x000002075F440000-0x000002075F460000-memory.dmp
memory/3592-2-0x000002075F460000-0x000002075F480000-memory.dmp
memory/3592-5-0x000002075F440000-0x000002075F460000-memory.dmp
memory/3592-4-0x000002075F460000-0x000002075F480000-memory.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2024-10-26 01:45
Reported
2024-10-26 02:32
Platform
win10ltsc2021-20241023-en
Max time kernel
155s
Max time network
282s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3276 wrote to memory of 1344 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
| PID 3276 wrote to memory of 1344 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie.bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.240.197:5332 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.240.204.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fd.api.iris.microsoft.com | udp |
| IE | 20.223.36.55:443 | fd.api.iris.microsoft.com | tcp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.173.189.20.in-addr.arpa | udp |
Files
memory/1344-0-0x00000168B3EB0000-0x00000168B3ED0000-memory.dmp
memory/1344-1-0x00000168B4010000-0x00000168B4030000-memory.dmp
memory/1344-3-0x00000168B4030000-0x00000168B4050000-memory.dmp
memory/1344-2-0x00000169466D0000-0x00000169466F0000-memory.dmp
memory/1344-5-0x00000168B4030000-0x00000168B4050000-memory.dmp
memory/1344-4-0x00000169466D0000-0x00000169466F0000-memory.dmp
Analysis: behavioral22
Detonation Overview
Submitted
2024-10-26 01:45
Reported
2024-10-26 02:32
Platform
win11-20241023-en
Max time kernel
91s
Max time network
311s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2232 wrote to memory of 1520 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
| PID 2232 wrote to memory of 1520 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie.bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.240.197:5332 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
memory/1520-0-0x000001C52AD20000-0x000001C52AD40000-memory.dmp
memory/1520-1-0x000001C52AD70000-0x000001C52AD90000-memory.dmp
memory/1520-2-0x000001C52AD90000-0x000001C52ADB0000-memory.dmp
memory/1520-3-0x000001C52ADB0000-0x000001C52ADD0000-memory.dmp
memory/1520-4-0x000001C52AD90000-0x000001C52ADB0000-memory.dmp
memory/1520-5-0x000001C52ADB0000-0x000001C52ADD0000-memory.dmp
Analysis: behavioral24
Detonation Overview
Submitted
2024-10-26 01:45
Reported
2024-10-26 02:32
Platform
win11-20241007-en
Max time kernel
147s
Max time network
280s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1280 wrote to memory of 2912 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
| PID 1280 wrote to memory of 2912 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr.bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.244.104:5332 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.244.204.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
memory/2912-0-0x00000280DEB50000-0x00000280DEB70000-memory.dmp
memory/2912-1-0x00000280DEBB0000-0x00000280DEBD0000-memory.dmp
memory/2912-3-0x00000280DEBF0000-0x00000280DEC10000-memory.dmp
memory/2912-2-0x00000280DEBD0000-0x00000280DEBF0000-memory.dmp
memory/2912-4-0x00000280DEBD0000-0x00000280DEBF0000-memory.dmp
memory/2912-5-0x00000280DEBF0000-0x00000280DEC10000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-10-26 01:45
Reported
2024-10-26 02:32
Platform
win10ltsc2021-20241023-en
Max time kernel
300s
Max time network
280s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2296 wrote to memory of 668 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
| PID 2296 wrote to memory of 668 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (3).bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.240.197:5332 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.240.204.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
memory/668-0-0x000001F5473F0000-0x000001F547410000-memory.dmp
memory/668-1-0x000001F548D60000-0x000001F548D80000-memory.dmp
memory/668-2-0x000001F548DA0000-0x000001F548DC0000-memory.dmp
memory/668-3-0x000001F548D80000-0x000001F548DA0000-memory.dmp
memory/668-5-0x000001F548D80000-0x000001F548DA0000-memory.dmp
memory/668-4-0x000001F548DA0000-0x000001F548DC0000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2024-10-26 01:45
Reported
2024-10-26 02:32
Platform
win11-20241007-en
Max time kernel
147s
Max time network
282s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3552 wrote to memory of 388 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
| PID 3552 wrote to memory of 388 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (4).bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.240.197:5332 | us-zephyr.miningocean.org | tcp |
Files
memory/388-0-0x000001EF1EE90000-0x000001EF1EEB0000-memory.dmp
memory/388-1-0x000001EF1EEE0000-0x000001EF1EF00000-memory.dmp
memory/388-3-0x000001EF1EF20000-0x000001EF1EF40000-memory.dmp
memory/388-2-0x000001EF1EF00000-0x000001EF1EF20000-memory.dmp
memory/388-4-0x000001EF1EF00000-0x000001EF1EF20000-memory.dmp
memory/388-5-0x000001EF1EF20000-0x000001EF1EF40000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-10-26 01:45
Reported
2024-10-26 02:32
Platform
win11-20241007-en
Max time kernel
91s
Max time network
269s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2516 wrote to memory of 4116 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
| PID 2516 wrote to memory of 4116 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (7).bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.240.197:5332 | us-zephyr.miningocean.org | tcp |
Files
memory/4116-0-0x000002099DF30000-0x000002099DF50000-memory.dmp
memory/4116-1-0x000002099DF80000-0x000002099DFA0000-memory.dmp
memory/4116-3-0x000002099DFA0000-0x000002099DFC0000-memory.dmp
memory/4116-2-0x000002099DFC0000-0x000002099DFE0000-memory.dmp
memory/4116-5-0x000002099DFA0000-0x000002099DFC0000-memory.dmp
memory/4116-4-0x000002099DFC0000-0x000002099DFE0000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-26 01:45
Reported
2024-10-26 02:32
Platform
win10ltsc2021-20241023-en
Max time kernel
154s
Max time network
280s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\PUB\WinRing0x64.sys
C:\Users\Admin\AppData\Local\Temp\PUB\WinRing0x64.sys
C:\Users\Admin\AppData\Local\Temp\PUB\WinRing0x64.sys
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fd.api.iris.microsoft.com | udp |
| IE | 20.223.35.26:443 | fd.api.iris.microsoft.com | tcp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.173.189.20.in-addr.arpa | udp |
Files
memory/1144-0-0x0000000000010000-0x0000000000017000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-10-26 01:45
Reported
2024-10-26 02:32
Platform
win11-20241007-en
Max time kernel
300s
Max time network
203s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| N/A | 13.89.179.10:443 | tcp |
Files
memory/1056-0-0x0000026771D80000-0x0000026771DA0000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-10-26 01:45
Reported
2024-10-26 02:32
Platform
win11-20241007-en
Max time kernel
212s
Max time network
283s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4100 wrote to memory of 3168 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
| PID 4100 wrote to memory of 3168 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (2).bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.244.104:5332 | us-zephyr.miningocean.org | tcp |
Files
memory/3168-0-0x00000209C94F0000-0x00000209C9510000-memory.dmp
memory/3168-1-0x00000209CAFB0000-0x00000209CAFD0000-memory.dmp
memory/3168-3-0x00000209CB010000-0x00000209CB030000-memory.dmp
memory/3168-2-0x00000209CAFF0000-0x00000209CB010000-memory.dmp
memory/3168-5-0x00000209CB010000-0x00000209CB030000-memory.dmp
memory/3168-4-0x00000209CAFF0000-0x00000209CB010000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-10-26 01:45
Reported
2024-10-26 02:32
Platform
win11-20241007-en
Max time kernel
299s
Max time network
303s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3548 wrote to memory of 3684 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
| PID 3548 wrote to memory of 3684 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (5).bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.244.104:5332 | us-zephyr.miningocean.org | tcp |
Files
memory/3684-0-0x00000234ADC50000-0x00000234ADC70000-memory.dmp
memory/3684-1-0x00000234AF540000-0x00000234AF560000-memory.dmp
memory/3684-2-0x00000234AF560000-0x00000234AF580000-memory.dmp
memory/3684-3-0x00000234AF580000-0x00000234AF5A0000-memory.dmp
memory/3684-4-0x00000234AF560000-0x00000234AF580000-memory.dmp
memory/3684-5-0x00000234AF580000-0x00000234AF5A0000-memory.dmp
Analysis: behavioral20
Detonation Overview
Submitted
2024-10-26 01:45
Reported
2024-10-26 02:32
Platform
win11-20241007-en
Max time kernel
299s
Max time network
302s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3068 wrote to memory of 240 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
| PID 3068 wrote to memory of 240 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (9).bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.240.197:5332 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
memory/240-0-0x0000026904CC0000-0x0000026904CE0000-memory.dmp
memory/240-1-0x0000026904D10000-0x0000026904D30000-memory.dmp
memory/240-2-0x0000026904D30000-0x0000026904D50000-memory.dmp
memory/240-3-0x0000026904D50000-0x0000026904D70000-memory.dmp
memory/240-4-0x0000026904D30000-0x0000026904D50000-memory.dmp
memory/240-5-0x0000026904D50000-0x0000026904D70000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-26 01:45
Reported
2024-10-26 02:32
Platform
win11-20241007-en
Max time kernel
90s
Max time network
204s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\PUB\WinRing0x64.sys
C:\Users\Admin\AppData\Local\Temp\PUB\WinRing0x64.sys
C:\Users\Admin\AppData\Local\Temp\PUB\WinRing0x64.sys
Network
Files
memory/1572-0-0x0000000000010000-0x0000000000017000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-10-26 01:45
Reported
2024-10-26 02:32
Platform
win10ltsc2021-20241023-en
Max time kernel
300s
Max time network
304s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1196 wrote to memory of 3964 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
| PID 1196 wrote to memory of 3964 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (2).bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.244.104:5332 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.244.204.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fd.api.iris.microsoft.com | udp |
| N/A | 20.103.156.88:443 | tcp |
Files
memory/3964-0-0x0000021282700000-0x0000021282720000-memory.dmp
memory/3964-1-0x0000021282740000-0x0000021282760000-memory.dmp
memory/3964-3-0x0000021282780000-0x00000212827A0000-memory.dmp
memory/3964-2-0x0000021282760000-0x0000021282780000-memory.dmp
memory/3964-5-0x0000021282780000-0x00000212827A0000-memory.dmp
memory/3964-4-0x0000021282760000-0x0000021282780000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-10-26 01:45
Reported
2024-10-26 02:32
Platform
win11-20241007-en
Max time kernel
214s
Max time network
282s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3492 wrote to memory of 4376 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
| PID 3492 wrote to memory of 4376 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (3).bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.240.197:5332 | us-zephyr.miningocean.org | tcp |
Files
memory/4376-0-0x0000021A81BF0000-0x0000021A81C10000-memory.dmp
memory/4376-1-0x0000021B15660000-0x0000021B15680000-memory.dmp
memory/4376-2-0x0000021B15AB0000-0x0000021B15AD0000-memory.dmp
memory/4376-3-0x0000021B15CE0000-0x0000021B15D00000-memory.dmp
memory/4376-4-0x0000021B15AB0000-0x0000021B15AD0000-memory.dmp
memory/4376-5-0x0000021B15CE0000-0x0000021B15D00000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2024-10-26 01:45
Reported
2024-10-26 02:32
Platform
win10ltsc2021-20241023-en
Max time kernel
300s
Max time network
258s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1752 wrote to memory of 3048 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
| PID 1752 wrote to memory of 3048 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (5).bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 15.204.240.197:5332 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 197.240.204.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | udp | |
| N/A | 20.74.47.205:443 | tcp |
Files
memory/3048-0-0x000001AA4A220000-0x000001AA4A240000-memory.dmp
memory/3048-1-0x000001AA4A270000-0x000001AA4A290000-memory.dmp
memory/3048-2-0x000001AA4A290000-0x000001AA4A2B0000-memory.dmp
memory/3048-3-0x000001AA4A2B0000-0x000001AA4A2D0000-memory.dmp
memory/3048-5-0x000001AA4A2B0000-0x000001AA4A2D0000-memory.dmp
memory/3048-4-0x000001AA4A290000-0x000001AA4A2B0000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2024-10-26 01:45
Reported
2024-10-26 02:32
Platform
win10ltsc2021-20241023-en
Max time kernel
300s
Max time network
279s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3488 wrote to memory of 4348 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
| PID 3488 wrote to memory of 4348 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (6).bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.244.104:5332 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.244.204.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.173.189.20.in-addr.arpa | udp |
Files
memory/4348-0-0x0000020BAF2E0000-0x0000020BAF300000-memory.dmp
memory/4348-1-0x0000020BAF330000-0x0000020BAF350000-memory.dmp
memory/4348-3-0x0000020BAF350000-0x0000020BAF370000-memory.dmp
memory/4348-2-0x0000020BAF370000-0x0000020BAF390000-memory.dmp
memory/4348-5-0x0000020BAF350000-0x0000020BAF370000-memory.dmp
memory/4348-4-0x0000020BAF370000-0x0000020BAF390000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2024-10-26 01:45
Reported
2024-10-26 02:32
Platform
win10ltsc2021-20241023-en
Max time kernel
300s
Max time network
308s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4724 wrote to memory of 3412 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
| PID 4724 wrote to memory of 3412 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (8).bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.244.104:5332 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.244.204.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fd.api.iris.microsoft.com | udp |
Files
memory/3412-0-0x00000224908E0000-0x0000022490900000-memory.dmp
memory/3412-1-0x0000022490A40000-0x0000022490A60000-memory.dmp
memory/3412-2-0x0000022490A60000-0x0000022490A80000-memory.dmp
memory/3412-3-0x0000022490A80000-0x0000022490AA0000-memory.dmp
memory/3412-4-0x0000022490A60000-0x0000022490A80000-memory.dmp
memory/3412-5-0x0000022490A80000-0x0000022490AA0000-memory.dmp
Analysis: behavioral18
Detonation Overview
Submitted
2024-10-26 01:45
Reported
2024-10-26 02:32
Platform
win11-20241007-en
Max time kernel
146s
Max time network
296s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4172 wrote to memory of 2628 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
| PID 4172 wrote to memory of 2628 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (8).bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.240.197:5332 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 197.240.204.15.in-addr.arpa | udp |
Files
memory/2628-0-0x0000028407840000-0x0000028407860000-memory.dmp
memory/2628-1-0x0000028407890000-0x00000284078B0000-memory.dmp
memory/2628-2-0x00000284078B0000-0x00000284078D0000-memory.dmp
memory/2628-3-0x00000284078D0000-0x00000284078F0000-memory.dmp
memory/2628-4-0x00000284078B0000-0x00000284078D0000-memory.dmp
memory/2628-5-0x00000284078D0000-0x00000284078F0000-memory.dmp
Analysis: behavioral23
Detonation Overview
Submitted
2024-10-26 01:45
Reported
2024-10-26 02:32
Platform
win10ltsc2021-20241023-en
Max time kernel
300s
Max time network
250s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2332 wrote to memory of 2384 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
| PID 2332 wrote to memory of 2384 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr.bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.244.104:5332 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.244.204.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
memory/2384-0-0x0000023655280000-0x00000236552A0000-memory.dmp
memory/2384-1-0x00000236552D0000-0x00000236552F0000-memory.dmp
memory/2384-2-0x00000236552F0000-0x0000023655310000-memory.dmp
memory/2384-3-0x0000023655310000-0x0000023655330000-memory.dmp
memory/2384-4-0x00000236552F0000-0x0000023655310000-memory.dmp
memory/2384-5-0x0000023655310000-0x0000023655330000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-10-26 01:45
Reported
2024-10-26 02:32
Platform
win10ltsc2021-20241023-en
Max time kernel
153s
Max time network
286s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fd.api.iris.microsoft.com | udp |
| NL | 20.103.156.88:443 | fd.api.iris.microsoft.com | tcp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.112.168.52.in-addr.arpa | udp |
Files
memory/1016-0-0x000001DB6B8F0000-0x000001DB6B910000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-10-26 01:45
Reported
2024-10-26 02:32
Platform
win10ltsc2021-20241023-en
Max time kernel
299s
Max time network
284s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4588 wrote to memory of 4940 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
| PID 4588 wrote to memory of 4940 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (4).bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.240.197:5332 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.240.204.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.117.168.52.in-addr.arpa | udp |
Files
memory/4940-0-0x000001FD887B0000-0x000001FD887D0000-memory.dmp
memory/4940-1-0x000001FD887F0000-0x000001FD88810000-memory.dmp
memory/4940-3-0x000001FD88810000-0x000001FD88830000-memory.dmp
memory/4940-2-0x000001FD88830000-0x000001FD88850000-memory.dmp
memory/4940-4-0x000001FD88830000-0x000001FD88850000-memory.dmp
memory/4940-5-0x000001FD88810000-0x000001FD88830000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-10-26 01:45
Reported
2024-10-26 02:32
Platform
win11-20241007-en
Max time kernel
91s
Max time network
278s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2576 wrote to memory of 4108 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
| PID 2576 wrote to memory of 4108 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (6).bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.244.104:5332 | us-zephyr.miningocean.org | tcp |
Files
memory/4108-0-0x0000020363320000-0x0000020363340000-memory.dmp
memory/4108-1-0x0000020364C10000-0x0000020364C30000-memory.dmp
memory/4108-2-0x0000020364D50000-0x0000020364D70000-memory.dmp
memory/4108-3-0x0000020364D70000-0x0000020364D90000-memory.dmp
memory/4108-4-0x0000020364D50000-0x0000020364D70000-memory.dmp
memory/4108-5-0x0000020364D70000-0x0000020364D90000-memory.dmp