Analysis Overview
SHA256
5b06e18380c2c8261419a482e5d54b189bbe9b0feaccd355c3cb1bc4aaedd017
Threat Level: Known bad
The file PUB.rar was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
Xmrig family
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-10-26 01:45
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xmrig family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral19
Detonation Overview
Submitted
2024-10-26 01:45
Reported
2024-10-26 01:51
Platform
win10ltsc2021-20241023-en
Max time kernel
99s
Max time network
303s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2600 wrote to memory of 1120 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
| PID 2600 wrote to memory of 1120 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie.bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.244.104:5332 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.244.204.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-26 01:45
Reported
2024-10-26 01:51
Platform
win11-20241007-en
Max time kernel
212s
Max time network
285s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
Files
memory/1952-0-0x0000023BB1A60000-0x0000023BB1A80000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-10-26 01:45
Reported
2024-10-26 01:51
Platform
win10ltsc2021-20241023-en
Max time kernel
300s
Max time network
301s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1092 wrote to memory of 4900 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
| PID 1092 wrote to memory of 4900 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (2).bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.244.104:5332 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.244.204.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | N/A | udp |
| N/A | 20.31.169.57:443 | N/A | tcp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-10-26 01:45
Reported
2024-10-26 01:51
Platform
win11-20241007-en
Max time kernel
214s
Max time network
291s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1412 wrote to memory of 5808 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
| PID 1412 wrote to memory of 5808 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (3).bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.244.104:5332 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 104.244.204.15.in-addr.arpa | udp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-10-26 01:45
Reported
2024-10-26 01:51
Platform
win11-20241007-en
Max time kernel
90s
Max time network
299s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1916 wrote to memory of 2880 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
| PID 1916 wrote to memory of 2880 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (4).bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.244.104:5332 | us-zephyr.miningocean.org | tcp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-10-26 01:45
Reported
2024-10-26 01:51
Platform
win11-20241007-en
Max time kernel
91s
Max time network
304s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3948 wrote to memory of 4612 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
| PID 3948 wrote to memory of 4612 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (6).bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.244.104:5332 | us-zephyr.miningocean.org | tcp |
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-10-26 01:45
Reported
2024-10-26 01:51
Platform
win11-20241007-en
Max time kernel
213s
Max time network
302s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5612 wrote to memory of 5700 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
| PID 5612 wrote to memory of 5700 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (9).bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.240.197:5332 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-10-26 01:45
Reported
2024-10-26 01:51
Platform
win11-20241007-en
Max time kernel
212s
Max time network
305s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5004 wrote to memory of 1192 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
| PID 5004 wrote to memory of 1192 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr.bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.240.197:5332 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-26 01:45
Reported
2024-10-26 01:51
Platform
win10ltsc2021-20241023-en
Max time kernel
99s
Max time network
211s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
memory/2268-0-0x000001AEA19A0000-0x000001AEA19C0000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-10-26 01:45
Reported
2024-10-26 01:51
Platform
win10ltsc2021-20241023-en
Max time kernel
300s
Max time network
279s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 636 wrote to memory of 4608 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
| PID 636 wrote to memory of 4608 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (3).bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.240.197:5332 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.240.204.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-10-26 01:45
Reported
2024-10-26 01:51
Platform
win10ltsc2021-20241023-en
Max time kernel
300s
Max time network
304s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1084 wrote to memory of 3352 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
| PID 1084 wrote to memory of 3352 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (4).bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.240.197:5332 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.240.204.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 252.15.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | N/A | udp |
| N/A | 20.223.36.55:443 | N/A | tcp |
| SE | 192.229.221.95:80 | N/A | tcp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-10-26 01:45
Reported
2024-10-26 01:51
Platform
win10ltsc2021-20241023-en
Max time kernel
299s
Max time network
288s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4608 wrote to memory of 4632 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
| PID 4608 wrote to memory of 4632 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (5).bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.240.197:5332 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.240.204.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-10-26 01:45
Reported
2024-10-26 01:51
Platform
win10ltsc2021-20241023-en
Max time kernel
154s
Max time network
276s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2108 wrote to memory of 4884 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
| PID 2108 wrote to memory of 4884 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (6).bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.240.197:5332 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 197.240.204.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 252.15.104.51.in-addr.arpa | udp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-10-26 01:45
Reported
2024-10-26 01:51
Platform
win10ltsc2021-20241023-en
Max time kernel
299s
Max time network
306s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3536 wrote to memory of 3152 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
| PID 3536 wrote to memory of 3152 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (7).bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.244.104:5332 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.244.204.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.111.78.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | N/A | udp |
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-10-26 01:45
Reported
2024-10-26 01:51
Platform
win10ltsc2021-20241023-en
Max time kernel
299s
Max time network
268s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 392 wrote to memory of 3576 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
| PID 392 wrote to memory of 3576 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (9).bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.244.104:5332 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.244.204.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-10-26 01:45
Reported
2024-10-26 01:51
Platform
win11-20241007-en
Max time kernel
92s
Max time network
299s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1812 wrote to memory of 256 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
| PID 1812 wrote to memory of 256 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie.bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.240.197:5332 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-10-26 01:45
Reported
2024-10-26 01:51
Platform
win11-20241007-en
Max time kernel
138s
Max time network
302s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4220 wrote to memory of 2932 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
| PID 4220 wrote to memory of 2932 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (2).bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.240.197:5332 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 197.240.204.15.in-addr.arpa | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
memory/2932-0-0x000001DB4DCF0000-0x000001DB4DD10000-memory.dmp
memory/2932-1-0x000001DB4DE50000-0x000001DB4DE70000-memory.dmp
memory/2932-2-0x000001DBE0500000-0x000001DBE0520000-memory.dmp
memory/2932-3-0x000001DB4DE70000-0x000001DB4DE90000-memory.dmp
memory/2932-5-0x000001DB4DE70000-0x000001DB4DE90000-memory.dmp
memory/2932-4-0x000001DBE0500000-0x000001DBE0520000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2024-10-26 01:45
Reported
2024-10-26 01:51
Platform
win11-20241007-en
Max time kernel
215s
Max time network
296s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1284 wrote to memory of 4056 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
| PID 1284 wrote to memory of 4056 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (5).bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.240.197:5332 | us-zephyr.miningocean.org | tcp |
Files
memory/4056-0-0x0000022D7D5C0000-0x0000022D7D5E0000-memory.dmp
memory/4056-1-0x0000022D7D610000-0x0000022D7D630000-memory.dmp
memory/4056-3-0x0000022D7D650000-0x0000022D7D670000-memory.dmp
memory/4056-2-0x0000022D7D630000-0x0000022D7D650000-memory.dmp
memory/4056-5-0x0000022D7D650000-0x0000022D7D670000-memory.dmp
memory/4056-4-0x0000022D7D630000-0x0000022D7D650000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-10-26 01:45
Reported
2024-10-26 01:51
Platform
win11-20241007-en
Max time kernel
300s
Max time network
305s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4908 wrote to memory of 2520 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
| PID 4908 wrote to memory of 2520 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (7).bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.240.197:5332 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 197.240.204.15.in-addr.arpa | udp |
Files
memory/2520-0-0x00000186388B0000-0x00000186388D0000-memory.dmp
memory/2520-1-0x0000018638A10000-0x0000018638A30000-memory.dmp
memory/2520-2-0x00000186CB0A0000-0x00000186CB0C0000-memory.dmp
memory/2520-3-0x00000186CB0C0000-0x00000186CB0E0000-memory.dmp
memory/2520-4-0x00000186CB0A0000-0x00000186CB0C0000-memory.dmp
memory/2520-5-0x00000186CB0C0000-0x00000186CB0E0000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2024-10-26 01:45
Reported
2024-10-26 01:51
Platform
win10ltsc2021-20241023-en
Max time kernel
299s
Max time network
268s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4500 wrote to memory of 1428 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
| PID 4500 wrote to memory of 1428 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (8).bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.240.197:5332 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.240.204.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
memory/1428-0-0x00000268E3390000-0x00000268E33B0000-memory.dmp
memory/1428-1-0x00000268E34F0000-0x00000268E3510000-memory.dmp
memory/1428-2-0x00000268E3510000-0x00000268E3530000-memory.dmp
memory/1428-3-0x00000268E3530000-0x00000268E3550000-memory.dmp
memory/1428-4-0x00000268E3510000-0x00000268E3530000-memory.dmp
memory/1428-5-0x00000268E3530000-0x00000268E3550000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-10-26 01:45
Reported
2024-10-26 01:51
Platform
win11-20241007-en
Max time kernel
90s
Max time network
279s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3600 wrote to memory of 4220 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
| PID 3600 wrote to memory of 4220 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (8).bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.240.197:5332 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 197.240.204.15.in-addr.arpa | udp |
Files
memory/4220-0-0x000001ADBB4B0000-0x000001ADBB4D0000-memory.dmp
memory/4220-1-0x000001ADBB500000-0x000001ADBB520000-memory.dmp
memory/4220-3-0x000001ADBB550000-0x000001ADBB570000-memory.dmp
memory/4220-2-0x000001ADBB520000-0x000001ADBB540000-memory.dmp
memory/4220-5-0x000001ADBB550000-0x000001ADBB570000-memory.dmp
memory/4220-4-0x000001ADBB520000-0x000001ADBB540000-memory.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2024-10-26 01:45
Reported
2024-10-26 01:51
Platform
win10ltsc2021-20241023-en
Max time kernel
300s
Max time network
286s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3044 wrote to memory of 1640 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
| PID 3044 wrote to memory of 1640 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr.bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.244.104:5332 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 104.244.204.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 12.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | N/A | udp |
| N/A | 20.223.35.26:443 | N/A | tcp |
Files
memory/1640-0-0x0000017B0B8D0000-0x0000017B0B8F0000-memory.dmp
memory/1640-1-0x0000017B0B940000-0x0000017B0B960000-memory.dmp
memory/1640-3-0x0000017B0B980000-0x0000017B0B9A0000-memory.dmp
memory/1640-2-0x0000017B0B960000-0x0000017B0B980000-memory.dmp
memory/1640-4-0x0000017B0B960000-0x0000017B0B980000-memory.dmp
memory/1640-5-0x0000017B0B980000-0x0000017B0B9A0000-memory.dmp