Analysis Overview
SHA256
5b06e18380c2c8261419a482e5d54b189bbe9b0feaccd355c3cb1bc4aaedd017
Threat Level: Known bad
The file PUB.rar was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
Xmrig family
Unsigned PE
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-10-26 02:27
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xmrig family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral11
Detonation Overview
Submitted
2024-10-26 02:27
Reported
2024-10-26 02:33
Platform
win10ltsc2021-20241023-en
Max time kernel
299s
Max time network
294s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1484 wrote to memory of 3092 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
| PID 1484 wrote to memory of 3092 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (6).bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.244.104:5332 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.244.204.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.178.89.13.in-addr.arpa | udp |
Files
memory/3092-0-0x000001F6894B0000-0x000001F6894D0000-memory.dmp
memory/3092-1-0x00007FF9292C0000-0x00007FF929369000-memory.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2024-10-26 02:27
Reported
2024-10-26 02:33
Platform
win10ltsc2021-20241023-en
Max time kernel
299s
Max time network
298s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2176 wrote to memory of 4524 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
| PID 2176 wrote to memory of 4524 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr.bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.244.104:5332 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.244.204.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.179.89.13.in-addr.arpa | udp |
Files
memory/4524-0-0x0000017FD87E0000-0x0000017FD8800000-memory.dmp
memory/4524-1-0x000001806A970000-0x000001806A990000-memory.dmp
memory/4524-2-0x000001806ADB0000-0x000001806ADD0000-memory.dmp
memory/4524-3-0x000001806AFE0000-0x000001806B000000-memory.dmp
memory/4524-4-0x000001806ADB0000-0x000001806ADD0000-memory.dmp
memory/4524-5-0x000001806AFE0000-0x000001806B000000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-10-26 02:27
Reported
2024-10-26 02:33
Platform
win10ltsc2021-20241023-en
Max time kernel
300s
Max time network
281s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2716 wrote to memory of 444 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
| PID 2716 wrote to memory of 444 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (2).bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.244.104:5332 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.244.204.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.173.189.20.in-addr.arpa | udp |
Files
memory/444-0-0x000001BD570A0000-0x000001BD570C0000-memory.dmp
memory/444-1-0x000001BD57100000-0x000001BD57120000-memory.dmp
memory/444-2-0x000001BD57120000-0x000001BD57140000-memory.dmp
memory/444-3-0x000001BD57140000-0x000001BD57160000-memory.dmp
memory/444-5-0x000001BD57140000-0x000001BD57160000-memory.dmp
memory/444-4-0x000001BD57120000-0x000001BD57140000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-10-26 02:27
Reported
2024-10-26 02:33
Platform
win11-20241007-en
Max time kernel
147s
Max time network
292s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1416 wrote to memory of 4568 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
| PID 1416 wrote to memory of 4568 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (6).bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.240.197:5332 | us-zephyr.miningocean.org | tcp |
Files
memory/4568-0-0x00000183FC310000-0x00000183FC330000-memory.dmp
memory/4568-1-0x00000183FC350000-0x00000183FC370000-memory.dmp
memory/4568-2-0x00000183FC370000-0x00000183FC390000-memory.dmp
memory/4568-3-0x00000183FC4A0000-0x00000183FC4C0000-memory.dmp
memory/4568-5-0x00000183FC4A0000-0x00000183FC4C0000-memory.dmp
memory/4568-4-0x00000183FC370000-0x00000183FC390000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2024-10-26 02:27
Reported
2024-10-26 02:33
Platform
win10ltsc2021-20241023-en
Max time kernel
300s
Max time network
290s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 960 wrote to memory of 1768 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
| PID 960 wrote to memory of 1768 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (7).bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.240.197:5332 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.240.204.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.173.189.20.in-addr.arpa | udp |
Files
memory/1768-0-0x000001794F2E0000-0x000001794F300000-memory.dmp
memory/1768-1-0x0000017950BE0000-0x0000017950C00000-memory.dmp
memory/1768-2-0x0000017950C00000-0x0000017950C20000-memory.dmp
memory/1768-3-0x0000017950C20000-0x0000017950C40000-memory.dmp
memory/1768-4-0x0000017950C00000-0x0000017950C20000-memory.dmp
memory/1768-5-0x0000017950C20000-0x0000017950C40000-memory.dmp
Analysis: behavioral22
Detonation Overview
Submitted
2024-10-26 02:27
Reported
2024-10-26 02:33
Platform
win11-20241007-en
Max time kernel
211s
Max time network
288s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1856 wrote to memory of 3428 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
| PID 1856 wrote to memory of 3428 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr.bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.240.197:5332 | us-zephyr.miningocean.org | tcp |
Files
memory/3428-0-0x000001F90B200000-0x000001F90B220000-memory.dmp
memory/3428-1-0x000001F90B350000-0x000001F90B370000-memory.dmp
memory/3428-2-0x000001F90B370000-0x000001F90B390000-memory.dmp
memory/3428-3-0x000001F99DA10000-0x000001F99DA30000-memory.dmp
memory/3428-5-0x000001F99DA10000-0x000001F99DA30000-memory.dmp
memory/3428-4-0x000001F90B370000-0x000001F90B390000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-10-26 02:27
Reported
2024-10-26 02:33
Platform
win11-20241007-en
Max time kernel
92s
Max time network
255s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 816 wrote to memory of 1904 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
| PID 816 wrote to memory of 1904 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (2).bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.244.104:5332 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 104.244.204.15.in-addr.arpa | udp |
Files
memory/1904-0-0x0000029FCFC40000-0x0000029FCFC60000-memory.dmp
memory/1904-1-0x0000029FCFDB0000-0x0000029FCFDD0000-memory.dmp
memory/1904-3-0x000002A062220000-0x000002A062240000-memory.dmp
memory/1904-2-0x000002A062450000-0x000002A062470000-memory.dmp
memory/1904-5-0x000002A062220000-0x000002A062240000-memory.dmp
memory/1904-4-0x000002A062450000-0x000002A062470000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-10-26 02:27
Reported
2024-10-26 02:33
Platform
win10ltsc2021-20241023-en
Max time kernel
153s
Max time network
286s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2596 wrote to memory of 2608 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
| PID 2596 wrote to memory of 2608 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (3).bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 15.204.240.197:5332 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 197.240.204.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fd.api.iris.microsoft.com | udp |
| IE | 20.223.36.55:443 | fd.api.iris.microsoft.com | tcp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.239.69.13.in-addr.arpa | udp |
Files
memory/2608-0-0x0000023AC4D70000-0x0000023AC4D90000-memory.dmp
memory/2608-1-0x0000023AC66B0000-0x0000023AC66D0000-memory.dmp
memory/2608-2-0x0000023AC66D0000-0x0000023AC66F0000-memory.dmp
memory/2608-3-0x0000023AC66F0000-0x0000023AC6710000-memory.dmp
memory/2608-4-0x0000023AC66D0000-0x0000023AC66F0000-memory.dmp
memory/2608-5-0x0000023AC66F0000-0x0000023AC6710000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2024-10-26 02:27
Reported
2024-10-26 02:33
Platform
win10ltsc2021-20241023-en
Max time kernel
300s
Max time network
304s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2128 wrote to memory of 3164 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
| PID 2128 wrote to memory of 3164 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (8).bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.244.104:5332 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 104.244.204.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fd.api.iris.microsoft.com | udp |
| IE | 20.223.35.26:443 | fd.api.iris.microsoft.com | tcp |
Files
memory/3164-0-0x00000298C14A0000-0x00000298C14C0000-memory.dmp
memory/3164-1-0x00000298C2E90000-0x00000298C2EB0000-memory.dmp
memory/3164-2-0x00000298C2EB0000-0x00000298C2ED0000-memory.dmp
memory/3164-3-0x00000298C2EE0000-0x00000298C2F00000-memory.dmp
memory/3164-5-0x00000298C2EE0000-0x00000298C2F00000-memory.dmp
memory/3164-4-0x00000298C2EB0000-0x00000298C2ED0000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2024-10-26 02:27
Reported
2024-10-26 02:33
Platform
win10ltsc2021-20241023-en
Max time kernel
153s
Max time network
310s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1228 wrote to memory of 624 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
| PID 1228 wrote to memory of 624 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (9).bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.244.104:5332 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.244.204.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.178.89.13.in-addr.arpa | udp |
Files
memory/624-0-0x000002912A580000-0x000002912A5A0000-memory.dmp
memory/624-1-0x00000291BC710000-0x00000291BC730000-memory.dmp
memory/624-2-0x00000291BCB50000-0x00000291BCB70000-memory.dmp
memory/624-3-0x00000291BCD80000-0x00000291BCDA0000-memory.dmp
memory/624-5-0x00000291BCD80000-0x00000291BCDA0000-memory.dmp
memory/624-4-0x00000291BCB50000-0x00000291BCB70000-memory.dmp
Analysis: behavioral20
Detonation Overview
Submitted
2024-10-26 02:27
Reported
2024-10-26 02:33
Platform
win11-20241007-en
Max time kernel
91s
Max time network
262s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5008 wrote to memory of 960 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
| PID 5008 wrote to memory of 960 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie.bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.244.104:5332 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
memory/960-0-0x000001CAE72D0000-0x000001CAE72F0000-memory.dmp
memory/960-1-0x000001CAE7310000-0x000001CAE7330000-memory.dmp
memory/960-3-0x000001CAE7330000-0x000001CAE7350000-memory.dmp
memory/960-2-0x000001CAE7350000-0x000001CAE7370000-memory.dmp
memory/960-4-0x000001CAE7350000-0x000001CAE7370000-memory.dmp
memory/960-5-0x000001CAE7330000-0x000001CAE7350000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-10-26 02:27
Reported
2024-10-26 02:33
Platform
win11-20241007-en
Max time kernel
182s
Max time network
305s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3184 wrote to memory of 4816 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
| PID 3184 wrote to memory of 4816 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (3).bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.244.104:5332 | us-zephyr.miningocean.org | tcp |
Files
memory/4816-0-0x000001D22FC80000-0x000001D22FCA0000-memory.dmp
memory/4816-1-0x000001D22FDD0000-0x000001D22FDF0000-memory.dmp
memory/4816-3-0x000001D22FE20000-0x000001D22FE40000-memory.dmp
memory/4816-2-0x000001D22FE00000-0x000001D22FE20000-memory.dmp
memory/4816-5-0x000001D22FE20000-0x000001D22FE40000-memory.dmp
memory/4816-4-0x000001D22FE00000-0x000001D22FE20000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-10-26 02:27
Reported
2024-10-26 02:33
Platform
win11-20241007-en
Max time kernel
90s
Max time network
315s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3436 wrote to memory of 2160 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
| PID 3436 wrote to memory of 2160 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (4).bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.240.197:5332 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 197.240.204.15.in-addr.arpa | udp |
Files
memory/2160-0-0x0000020392AF0000-0x0000020392B10000-memory.dmp
memory/2160-1-0x0000020392B40000-0x0000020392B60000-memory.dmp
memory/2160-2-0x0000020392B60000-0x0000020392B80000-memory.dmp
memory/2160-3-0x0000020392B80000-0x0000020392BA0000-memory.dmp
memory/2160-4-0x0000020392B60000-0x0000020392B80000-memory.dmp
memory/2160-5-0x0000020392B80000-0x0000020392BA0000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-10-26 02:27
Reported
2024-10-26 02:33
Platform
win10ltsc2021-20241023-en
Max time kernel
300s
Max time network
292s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1604 wrote to memory of 4804 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
| PID 1604 wrote to memory of 4804 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (5).bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.240.197:5332 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.240.204.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | udp | |
| N/A | 20.103.156.88:443 | tcp | |
| SE | 192.229.221.95:80 | tcp |
Files
memory/4804-0-0x000001220AB00000-0x000001220AB20000-memory.dmp
memory/4804-1-0x000001220C3F0000-0x000001220C410000-memory.dmp
memory/4804-2-0x000001220C430000-0x000001220C450000-memory.dmp
memory/4804-3-0x000001220C410000-0x000001220C430000-memory.dmp
memory/4804-5-0x000001220C410000-0x000001220C430000-memory.dmp
memory/4804-4-0x000001220C430000-0x000001220C450000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2024-10-26 02:27
Reported
2024-10-26 02:33
Platform
win11-20241007-en
Max time kernel
212s
Max time network
285s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1328 wrote to memory of 1504 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
| PID 1328 wrote to memory of 1504 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (5).bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.240.197:5332 | us-zephyr.miningocean.org | tcp |
Files
memory/1504-0-0x0000020BD1F20000-0x0000020BD1F40000-memory.dmp
memory/1504-1-0x0000020BD1F70000-0x0000020BD1F90000-memory.dmp
memory/1504-3-0x0000020BD1F90000-0x0000020BD1FB0000-memory.dmp
memory/1504-2-0x0000020BD20D0000-0x0000020BD20F0000-memory.dmp
memory/1504-4-0x0000020BD20D0000-0x0000020BD20F0000-memory.dmp
memory/1504-5-0x0000020BD1F90000-0x0000020BD1FB0000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-10-26 02:27
Reported
2024-10-26 02:33
Platform
win11-20241007-en
Max time kernel
90s
Max time network
290s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 712 wrote to memory of 3928 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
| PID 712 wrote to memory of 3928 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (7).bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.240.197:5332 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 197.240.204.15.in-addr.arpa | udp |
Files
memory/3928-0-0x0000022B3A380000-0x0000022B3A3A0000-memory.dmp
memory/3928-1-0x0000022B3BCB0000-0x0000022B3BCD0000-memory.dmp
memory/3928-2-0x0000022B3BCD0000-0x0000022B3BCF0000-memory.dmp
memory/3928-3-0x0000022B3BD00000-0x0000022B3BD20000-memory.dmp
memory/3928-4-0x0000022B3BCD0000-0x0000022B3BCF0000-memory.dmp
memory/3928-5-0x0000022B3BD00000-0x0000022B3BD20000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-10-26 02:27
Reported
2024-10-26 02:33
Platform
win11-20241007-en
Max time kernel
90s
Max time network
272s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1160 wrote to memory of 3572 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
| PID 1160 wrote to memory of 3572 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (8).bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.240.197:5332 | us-zephyr.miningocean.org | tcp |
Files
memory/3572-0-0x0000022E731B0000-0x0000022E731D0000-memory.dmp
memory/3572-1-0x0000022E73200000-0x0000022E73220000-memory.dmp
memory/3572-2-0x0000022F05780000-0x0000022F057A0000-memory.dmp
memory/3572-3-0x0000022F059B0000-0x0000022F059D0000-memory.dmp
memory/3572-5-0x0000022F059B0000-0x0000022F059D0000-memory.dmp
memory/3572-4-0x0000022F05780000-0x0000022F057A0000-memory.dmp
Analysis: behavioral18
Detonation Overview
Submitted
2024-10-26 02:27
Reported
2024-10-26 02:33
Platform
win11-20241007-en
Max time kernel
146s
Max time network
292s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4336 wrote to memory of 2964 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
| PID 4336 wrote to memory of 2964 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (9).bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.240.197:5332 | us-zephyr.miningocean.org | tcp |
Files
memory/2964-0-0x00000250D7BB0000-0x00000250D7BD0000-memory.dmp
memory/2964-1-0x00000250D7C50000-0x00000250D7C70000-memory.dmp
memory/2964-2-0x00000250D7C70000-0x00000250D7C90000-memory.dmp
memory/2964-3-0x00000250D7C90000-0x00000250D7CB0000-memory.dmp
memory/2964-4-0x00000250D7C70000-0x00000250D7C90000-memory.dmp
memory/2964-5-0x00000250D7C90000-0x00000250D7CB0000-memory.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2024-10-26 02:27
Reported
2024-10-26 02:33
Platform
win10ltsc2021-20241023-en
Max time kernel
300s
Max time network
264s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5048 wrote to memory of 4996 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
| PID 5048 wrote to memory of 4996 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie.bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.240.197:5332 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.240.204.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
memory/4996-0-0x0000018805590000-0x00000188055B0000-memory.dmp
memory/4996-1-0x0000018806E90000-0x0000018806EB0000-memory.dmp
memory/4996-2-0x0000018806ED0000-0x0000018806EF0000-memory.dmp
memory/4996-3-0x0000018806EB0000-0x0000018806ED0000-memory.dmp
memory/4996-4-0x0000018806ED0000-0x0000018806EF0000-memory.dmp
memory/4996-5-0x0000018806EB0000-0x0000018806ED0000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-26 02:27
Reported
2024-10-26 02:33
Platform
win10ltsc2021-20241023-en
Max time kernel
153s
Max time network
290s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fd.api.iris.microsoft.com | udp |
| NL | 20.103.156.88:443 | fd.api.iris.microsoft.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.173.189.20.in-addr.arpa | udp |
Files
memory/1676-0-0x0000017D99C00000-0x0000017D99C20000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-26 02:27
Reported
2024-10-26 02:33
Platform
win11-20241007-en
Max time kernel
92s
Max time network
209s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
memory/1380-0-0x000002AD79C40000-0x000002AD79C60000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-10-26 02:27
Reported
2024-10-26 02:33
Platform
win10ltsc2021-20241023-en
Max time kernel
299s
Max time network
290s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3436 wrote to memory of 4316 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
| PID 3436 wrote to memory of 4316 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (4).bat"
C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.244.104:5332 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.244.204.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
memory/4316-0-0x00000212EB010000-0x00000212EB030000-memory.dmp
memory/4316-1-0x00000212EB060000-0x00000212EB080000-memory.dmp
memory/4316-2-0x00000212EB080000-0x00000212EB0A0000-memory.dmp
memory/4316-3-0x00000212EB0A0000-0x00000212EB0C0000-memory.dmp
memory/4316-4-0x00000212EB080000-0x00000212EB0A0000-memory.dmp
memory/4316-5-0x00000212EB0A0000-0x00000212EB0C0000-memory.dmp