Malware Analysis Report

2025-08-10 14:50

Sample ID: 241026-cxhahswjdm
Target: PUB.rar
SHA256: 5b06e18380c2c8261419a482e5d54b189bbe9b0feaccd355c3cb1bc4aaedd017
Tags: miner, xmrig
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1 (Detonation Overview, Signatures)

Each behavioral analysis below has the same subsections: Detonation Overview, Command Line, Signatures, Processes, Network, Files.

Analysis: behavioral11
Analysis: behavioral21
Analysis: behavioral3
Analysis: behavioral12
Analysis: behavioral13
Analysis: behavioral22
Analysis: behavioral4
Analysis: behavioral5
Analysis: behavioral15
Analysis: behavioral17
Analysis: behavioral20
Analysis: behavioral6
Analysis: behavioral8
Analysis: behavioral9
Analysis: behavioral10
Analysis: behavioral14
Analysis: behavioral16
Analysis: behavioral18
Analysis: behavioral19
Analysis: behavioral1
Analysis: behavioral2
Analysis: behavioral7

Analysis Overview

Score: 10/10

SHA256: 5b06e18380c2c8261419a482e5d54b189bbe9b0feaccd355c3cb1bc4aaedd017

Threat Level: Known bad

The file PUB.rar was found to be: Known bad.

What the detonations show: the archive unpacks to a PUB\ folder holding xmrig.exe and a set of launcher batch files (zephyr.bat plus copies named "zephyr - Copie.bat" and "zephyr - Copie (2).bat" through "(9).bat"; "Copie" is the French Explorer naming for duplicated files, so the archive was assembled on a French-locale Windows install). Every batch file runs the same command line, visible in each Processes table: -o names the pool (us-zephyr.miningocean.org, port 5332), -u the payout wallet (a Zephyr address), -p the pool password (scall, which pools commonly treat as a worker label), -a rx/0 selects the RandomX algorithm, and -k keeps the pool connection alive. Every behavioral run resolved the pool through 8.8.8.8 and opened TCP 5332 to either 15.204.244.104 or 15.204.240.197. The pool domain, those two addresses, the wallet and the xmrig.exe hash are the actionable indicators; the many in-addr.arpa PTR lookups and the fd.api.iris.microsoft.com traffic in the Network tables are resolver and OS background activity, and the unlabelled rows in behavioral9 cannot be attributed to the sample from this report alone.

Malicious Activity Summary

miner xmrig

XMRig Miner payload

Xmrig family

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

How to read the three "Suspicious use" signatures: AdjustPrivilegeToken records xmrig.exe asking for SeLockMemoryPrivilege, which XMRig does to back its RandomX dataset with large pages; ordinary desktop software almost never requests that privilege, so it is a good hunt key on its own. WriteProcessMemory is cmd.exe writing into the xmrig.exe child it has just created, which is what process start-up looks like to an API monitor, not injection into an unrelated process. FindShellTrayWindow carries no indicator and is the weakest of the three.

MITRE ATT&CK

N/A
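The following Python is an added example, not part of this sandbox report and not code from the XMRig project: it shows the IOC-extraction and triage step a responder would run over report rows like the ones below, parsing XMRig-style command lines (pool, wallet, algorithm, keepalive), tying them to the network rows, and separating the pool connection from resolver and OS background traffic. The sample rows are constructed to mirror the report's layout; the option table, the known-miner image names, the base58 wallet heuristic and the noise-domain suffixes are assumptions of this example.

```python
"""Extract miner IOCs from sandbox-report style process and network rows.

Added example; the option table, wallet heuristic and noise suffixes below are
assumptions of this example, not part of the report or of XMRig itself.
"""
import re
import shlex
from dataclasses import dataclass, field

# Constructed rows in the report's layout: the XMRig line mirrors the observed
# command line, the cmd.exe launcher is its parent, notepad is a benign control.
PROCESS_ROWS = [
    r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr.bat"',
    "xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k",
    r"notepad.exe C:\Users\Admin\notes.txt",
]
NETWORK_ROWS = [  # "Country Destination Domain Proto"; the last row has no domain
    "US 8.8.8.8:53 us-zephyr.miningocean.org udp",
    "US 15.204.244.104:5332 us-zephyr.miningocean.org tcp",
    "US 8.8.8.8:53 104.244.204.15.in-addr.arpa udp",
    "US 8.8.8.8:53 fd.api.iris.microsoft.com udp",
    "IE 20.223.36.55:443 fd.api.iris.microsoft.com tcp",
    "N/A 20.103.156.88:443 tcp",
]

# XMRig options handled here: value-taking options, then boolean flags (assumed subset).
OPTIONS = {"-o": "url", "--url": "url", "-u": "user", "--user": "user",
           "-p": "pass", "--pass": "pass", "-a": "algo", "--algo": "algo",
           "-t": "threads", "--threads": "threads"}
FLAGS = {"-k": "keepalive", "--keepalive": "keepalive",
         "-B": "background", "--background": "background"}
MINER_ALGOS = {"rx/0", "rx/wow", "rx/arq", "cn/r", "cn/0", "gr"}
MINER_IMAGES = {"xmrig.exe", "xmrig"}
# Heuristic: a long base58 blob as the -u value is a payout address (Zephyr, Monero).
BASE58_WALLET = re.compile(r"^[1-9A-HJ-NP-Za-km-z]{90,}$")
# Assumption: PTR lookups and Microsoft telemetry are sandbox/OS chatter, not the sample.
NOISE_SUFFIXES = (".in-addr.arpa", ".microsoft.com")


@dataclass
class MinerHit:
    image: str
    pool_host: str
    pool_port: int
    wallet: str
    algo: str
    keepalive: bool
    reasons: list = field(default_factory=list)


def parse_xmrig_args(cmdline: str) -> dict:
    """Map an XMRig-style command line to {option: value}; accepts -o v, --url v and --url=v."""
    tokens = shlex.split(cmdline, posix=False)  # non-POSIX mode keeps Windows backslashes
    opts = {"image": tokens[0].strip('"')}
    i = 1
    while i < len(tokens):
        name, eq, inline = tokens[i].partition("=")
        if name in FLAGS:
            opts[FLAGS[name]] = True
        elif name in OPTIONS:
            if not eq:                      # value is the next token
                i += 1
                inline = tokens[i] if i < len(tokens) else ""
            opts[OPTIONS[name]] = inline
        i += 1
    return opts


def classify_process(cmdline: str):
    """Return a MinerHit when the command line looks like a pool miner, else None."""
    opts = parse_xmrig_args(cmdline)
    base = opts["image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    url, user, algo = opts.get("url", ""), opts.get("user", ""), opts.get("algo", "")
    reasons = []
    if base in MINER_IMAGES:
        reasons.append("known miner image name")
    if url and algo in MINER_ALGOS:
        reasons.append(f"pool url with mining algorithm {algo}")
    if BASE58_WALLET.match(user):
        reasons.append("wallet-like base58 user")
    if not reasons:
        return None
    host, sep, port = url.split("://")[-1].rpartition(":")  # drop stratum+tcp:// if present
    if not sep:
        host, port = url, "0"
    return MinerHit(base, host, int(port) if port.isdigit() else 0, user, algo,
                    bool(opts.get("keepalive")), reasons)


def parse_network_rows(rows):
    """Split 'Country Destination [Domain] Proto' rows; the domain column may be absent."""
    out = []
    for row in rows:
        parts = row.split()
        if len(parts) not in (3, 4):
            continue
        domain = parts[2] if len(parts) == 4 else ""
        ip, _, port = parts[1].rpartition(":")
        out.append({"country": parts[0], "ip": ip, "port": int(port) if port.isdigit() else 0,
                    "domain": domain, "proto": parts[-1]})
    return out


def analyse(process_rows, network_rows) -> dict:
    """Tie miner command lines to the network rows and bucket everything else."""
    miners = [hit for hit in map(classify_process, process_rows) if hit]
    pool_hosts = {m.pool_host for m in miners}
    pool, unattributed, noise = [], [], 0
    for r in parse_network_rows(network_rows):
        if r["domain"] in pool_hosts and r["proto"] == "tcp":
            pool.append((r["ip"], r["port"]))           # pool endpoint actually connected to
        elif r["domain"] in pool_hosts or r["domain"].endswith(NOISE_SUFFIXES):
            noise += 1                                   # resolver traffic / OS background
        else:
            unattributed.append((r["ip"], r["port"]))    # no domain, or one we cannot explain
    return {"miners": miners, "pool_endpoints": pool, "noise_rows": noise, "unattributed": unattributed}


if __name__ == "__main__":
    for key, value in analyse(PROCESS_ROWS, NETWORK_ROWS).items():
        print(f"{key}: {value}")
```

Run it as a script to see the buckets for the constructed rows; in practice the process rows would come from Sysmon event 1 or EDR process-creation telemetry and the network rows from proxy or NetFlow logs, and the pool endpoints and wallet go straight into a blocklist or hunt query.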

Analysis: static1

Detonation Overview

Reported: 2024-10-26 02:27

Signatures

XMRig Miner payload (miner): static match only; no indicator, process or target rows.

Xmrig family (xmrig): static match only; no indicator, process or target rows.

Unsigned PE: no indicator, process or target rows.

Analysis: behavioral11

Detonation Overview

Submitted: 2024-10-26 02:27
Reported: 2024-10-26 02:33
Platform: win10ltsc2021-20241023-en
Max time kernel: 299s
Max time network: 294s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (6).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1484 wrote to memory of 3092 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 1484 wrote to memory of 3092 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (6).bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.244.104:5332 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 104.244.204.15.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp

Files

memory/3092-0-0x000001F6894B0000-0x000001F6894D0000-memory.dmp

memory/3092-1-0x00007FF9292C0000-0x00007FF929369000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted: 2024-10-26 02:27
Reported: 2024-10-26 02:33
Platform: win10ltsc2021-20241023-en
Max time kernel: 299s
Max time network: 298s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr.bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2176 wrote to memory of 4524 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 2176 wrote to memory of 4524 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr.bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.244.104:5332 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.244.204.15.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 8.179.89.13.in-addr.arpa udp

Files

memory/4524-0-0x0000017FD87E0000-0x0000017FD8800000-memory.dmp

memory/4524-1-0x000001806A970000-0x000001806A990000-memory.dmp

memory/4524-2-0x000001806ADB0000-0x000001806ADD0000-memory.dmp

memory/4524-3-0x000001806AFE0000-0x000001806B000000-memory.dmp

memory/4524-4-0x000001806ADB0000-0x000001806ADD0000-memory.dmp

memory/4524-5-0x000001806AFE0000-0x000001806B000000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted: 2024-10-26 02:27
Reported: 2024-10-26 02:33
Platform: win10ltsc2021-20241023-en
Max time kernel: 300s
Max time network: 281s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (2).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2716 wrote to memory of 444 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 2716 wrote to memory of 444 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (2).bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.244.104:5332 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.244.204.15.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 28.173.189.20.in-addr.arpa udp

Files

memory/444-0-0x000001BD570A0000-0x000001BD570C0000-memory.dmp

memory/444-1-0x000001BD57100000-0x000001BD57120000-memory.dmp

memory/444-2-0x000001BD57120000-0x000001BD57140000-memory.dmp

memory/444-3-0x000001BD57140000-0x000001BD57160000-memory.dmp

memory/444-5-0x000001BD57140000-0x000001BD57160000-memory.dmp

memory/444-4-0x000001BD57120000-0x000001BD57140000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted: 2024-10-26 02:27
Reported: 2024-10-26 02:33
Platform: win11-20241007-en
Max time kernel: 147s
Max time network: 292s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (6).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1416 wrote to memory of 4568 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 1416 wrote to memory of 4568 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (6).bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.240.197:5332 us-zephyr.miningocean.org tcp

Files

memory/4568-0-0x00000183FC310000-0x00000183FC330000-memory.dmp

memory/4568-1-0x00000183FC350000-0x00000183FC370000-memory.dmp

memory/4568-2-0x00000183FC370000-0x00000183FC390000-memory.dmp

memory/4568-3-0x00000183FC4A0000-0x00000183FC4C0000-memory.dmp

memory/4568-5-0x00000183FC4A0000-0x00000183FC4C0000-memory.dmp

memory/4568-4-0x00000183FC370000-0x00000183FC390000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted: 2024-10-26 02:27
Reported: 2024-10-26 02:33
Platform: win10ltsc2021-20241023-en
Max time kernel: 300s
Max time network: 290s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (7).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 960 wrote to memory of 1768 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 960 wrote to memory of 1768 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (7).bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.240.197:5332 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 197.240.204.15.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 8.173.189.20.in-addr.arpa udp

Files

memory/1768-0-0x000001794F2E0000-0x000001794F300000-memory.dmp

memory/1768-1-0x0000017950BE0000-0x0000017950C00000-memory.dmp

memory/1768-2-0x0000017950C00000-0x0000017950C20000-memory.dmp

memory/1768-3-0x0000017950C20000-0x0000017950C40000-memory.dmp

memory/1768-4-0x0000017950C00000-0x0000017950C20000-memory.dmp

memory/1768-5-0x0000017950C20000-0x0000017950C40000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted: 2024-10-26 02:27
Reported: 2024-10-26 02:33
Platform: win11-20241007-en
Max time kernel: 211s
Max time network: 288s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr.bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1856 wrote to memory of 3428 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 1856 wrote to memory of 3428 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr.bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.240.197:5332 us-zephyr.miningocean.org tcp

Files

memory/3428-0-0x000001F90B200000-0x000001F90B220000-memory.dmp

memory/3428-1-0x000001F90B350000-0x000001F90B370000-memory.dmp

memory/3428-2-0x000001F90B370000-0x000001F90B390000-memory.dmp

memory/3428-3-0x000001F99DA10000-0x000001F99DA30000-memory.dmp

memory/3428-5-0x000001F99DA10000-0x000001F99DA30000-memory.dmp

memory/3428-4-0x000001F90B370000-0x000001F90B390000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted: 2024-10-26 02:27
Reported: 2024-10-26 02:33
Platform: win11-20241007-en
Max time kernel: 92s
Max time network: 255s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (2).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 816 wrote to memory of 1904 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 816 wrote to memory of 1904 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (2).bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.244.104:5332 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 104.244.204.15.in-addr.arpa udp

Files

memory/1904-0-0x0000029FCFC40000-0x0000029FCFC60000-memory.dmp

memory/1904-1-0x0000029FCFDB0000-0x0000029FCFDD0000-memory.dmp

memory/1904-3-0x000002A062220000-0x000002A062240000-memory.dmp

memory/1904-2-0x000002A062450000-0x000002A062470000-memory.dmp

memory/1904-5-0x000002A062220000-0x000002A062240000-memory.dmp

memory/1904-4-0x000002A062450000-0x000002A062470000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted: 2024-10-26 02:27
Reported: 2024-10-26 02:33
Platform: win10ltsc2021-20241023-en
Max time kernel: 153s
Max time network: 286s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (3).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2596 wrote to memory of 2608 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 2596 wrote to memory of 2608 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (3).bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 15.204.240.197:5332 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 197.240.204.15.in-addr.arpa udp
US 8.8.8.8:53 fd.api.iris.microsoft.com udp
IE 20.223.36.55:443 fd.api.iris.microsoft.com tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 73.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 72.239.69.13.in-addr.arpa udp

Files

memory/2608-0-0x0000023AC4D70000-0x0000023AC4D90000-memory.dmp

memory/2608-1-0x0000023AC66B0000-0x0000023AC66D0000-memory.dmp

memory/2608-2-0x0000023AC66D0000-0x0000023AC66F0000-memory.dmp

memory/2608-3-0x0000023AC66F0000-0x0000023AC6710000-memory.dmp

memory/2608-4-0x0000023AC66D0000-0x0000023AC66F0000-memory.dmp

memory/2608-5-0x0000023AC66F0000-0x0000023AC6710000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted: 2024-10-26 02:27
Reported: 2024-10-26 02:33
Platform: win10ltsc2021-20241023-en
Max time kernel: 300s
Max time network: 304s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (8).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2128 wrote to memory of 3164 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 2128 wrote to memory of 3164 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (8).bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.244.104:5332 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 104.244.204.15.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 fd.api.iris.microsoft.com udp
IE 20.223.35.26:443 fd.api.iris.microsoft.com tcp

Files

memory/3164-0-0x00000298C14A0000-0x00000298C14C0000-memory.dmp

memory/3164-1-0x00000298C2E90000-0x00000298C2EB0000-memory.dmp

memory/3164-2-0x00000298C2EB0000-0x00000298C2ED0000-memory.dmp

memory/3164-3-0x00000298C2EE0000-0x00000298C2F00000-memory.dmp

memory/3164-5-0x00000298C2EE0000-0x00000298C2F00000-memory.dmp

memory/3164-4-0x00000298C2EB0000-0x00000298C2ED0000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted: 2024-10-26 02:27
Reported: 2024-10-26 02:33
Platform: win10ltsc2021-20241023-en
Max time kernel: 153s
Max time network: 310s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (9).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1228 wrote to memory of 624 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 1228 wrote to memory of 624 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (9).bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.244.104:5332 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.244.204.15.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 107.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp

Files

memory/624-0-0x000002912A580000-0x000002912A5A0000-memory.dmp

memory/624-1-0x00000291BC710000-0x00000291BC730000-memory.dmp

memory/624-2-0x00000291BCB50000-0x00000291BCB70000-memory.dmp

memory/624-3-0x00000291BCD80000-0x00000291BCDA0000-memory.dmp

memory/624-5-0x00000291BCD80000-0x00000291BCDA0000-memory.dmp

memory/624-4-0x00000291BCB50000-0x00000291BCB70000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted: 2024-10-26 02:27
Reported: 2024-10-26 02:33
Platform: win11-20241007-en
Max time kernel: 91s
Max time network: 262s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie.bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5008 wrote to memory of 960 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 5008 wrote to memory of 960 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie.bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.244.104:5332 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/960-0-0x000001CAE72D0000-0x000001CAE72F0000-memory.dmp

memory/960-1-0x000001CAE7310000-0x000001CAE7330000-memory.dmp

memory/960-3-0x000001CAE7330000-0x000001CAE7350000-memory.dmp

memory/960-2-0x000001CAE7350000-0x000001CAE7370000-memory.dmp

memory/960-4-0x000001CAE7350000-0x000001CAE7370000-memory.dmp

memory/960-5-0x000001CAE7330000-0x000001CAE7350000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted: 2024-10-26 02:27
Reported: 2024-10-26 02:33
Platform: win11-20241007-en
Max time kernel: 182s
Max time network: 305s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (3).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3184 wrote to memory of 4816 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 3184 wrote to memory of 4816 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (3).bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.244.104:5332 us-zephyr.miningocean.org tcp

Files

memory/4816-0-0x000001D22FC80000-0x000001D22FCA0000-memory.dmp

memory/4816-1-0x000001D22FDD0000-0x000001D22FDF0000-memory.dmp

memory/4816-3-0x000001D22FE20000-0x000001D22FE40000-memory.dmp

memory/4816-2-0x000001D22FE00000-0x000001D22FE20000-memory.dmp

memory/4816-5-0x000001D22FE20000-0x000001D22FE40000-memory.dmp

memory/4816-4-0x000001D22FE00000-0x000001D22FE20000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted: 2024-10-26 02:27
Reported: 2024-10-26 02:33
Platform: win11-20241007-en
Max time kernel: 90s
Max time network: 315s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (4).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3436 wrote to memory of 2160 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 3436 wrote to memory of 2160 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (4).bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.240.197:5332 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 197.240.204.15.in-addr.arpa udp

Files

memory/2160-0-0x0000020392AF0000-0x0000020392B10000-memory.dmp

memory/2160-1-0x0000020392B40000-0x0000020392B60000-memory.dmp

memory/2160-2-0x0000020392B60000-0x0000020392B80000-memory.dmp

memory/2160-3-0x0000020392B80000-0x0000020392BA0000-memory.dmp

memory/2160-4-0x0000020392B60000-0x0000020392B80000-memory.dmp

memory/2160-5-0x0000020392B80000-0x0000020392BA0000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted: 2024-10-26 02:27
Reported: 2024-10-26 02:33
Platform: win10ltsc2021-20241023-en
Max time kernel: 300s
Max time network: 292s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (5).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1604 wrote to memory of 4804 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 1604 wrote to memory of 4804 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (5).bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.240.197:5332 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 197.240.204.15.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 28.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 udp
N/A 20.103.156.88:443 tcp
SE 192.229.221.95:80 tcp

Files

memory/4804-0-0x000001220AB00000-0x000001220AB20000-memory.dmp

memory/4804-1-0x000001220C3F0000-0x000001220C410000-memory.dmp

memory/4804-2-0x000001220C430000-0x000001220C450000-memory.dmp

memory/4804-3-0x000001220C410000-0x000001220C430000-memory.dmp

memory/4804-5-0x000001220C410000-0x000001220C430000-memory.dmp

memory/4804-4-0x000001220C430000-0x000001220C450000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-10-26 02:27

Reported

2024-10-26 02:33

Platform

win11-20241007-en

Max time kernel

212s

Max time network

285s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (5).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1328 wrote to memory of 1504 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 1328 wrote to memory of 1504 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (5).bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.240.197:5332 us-zephyr.miningocean.org tcp

Files

memory/1504-0-0x0000020BD1F20000-0x0000020BD1F40000-memory.dmp

memory/1504-1-0x0000020BD1F70000-0x0000020BD1F90000-memory.dmp

memory/1504-3-0x0000020BD1F90000-0x0000020BD1FB0000-memory.dmp

memory/1504-2-0x0000020BD20D0000-0x0000020BD20F0000-memory.dmp

memory/1504-4-0x0000020BD20D0000-0x0000020BD20F0000-memory.dmp

memory/1504-5-0x0000020BD1F90000-0x0000020BD1FB0000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-10-26 02:27

Reported

2024-10-26 02:33

Platform

win11-20241007-en

Max time kernel

90s

Max time network

290s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (7).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 712 wrote to memory of 3928 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 712 wrote to memory of 3928 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (7).bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.240.197:5332 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 197.240.204.15.in-addr.arpa udp

Files

memory/3928-0-0x0000022B3A380000-0x0000022B3A3A0000-memory.dmp

memory/3928-1-0x0000022B3BCB0000-0x0000022B3BCD0000-memory.dmp

memory/3928-2-0x0000022B3BCD0000-0x0000022B3BCF0000-memory.dmp

memory/3928-3-0x0000022B3BD00000-0x0000022B3BD20000-memory.dmp

memory/3928-4-0x0000022B3BCD0000-0x0000022B3BCF0000-memory.dmp

memory/3928-5-0x0000022B3BD00000-0x0000022B3BD20000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-10-26 02:27

Reported

2024-10-26 02:33

Platform

win11-20241007-en

Max time kernel

90s

Max time network

272s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (8).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1160 wrote to memory of 3572 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 1160 wrote to memory of 3572 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (8).bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.240.197:5332 us-zephyr.miningocean.org tcp

Files

memory/3572-0-0x0000022E731B0000-0x0000022E731D0000-memory.dmp

memory/3572-1-0x0000022E73200000-0x0000022E73220000-memory.dmp

memory/3572-2-0x0000022F05780000-0x0000022F057A0000-memory.dmp

memory/3572-3-0x0000022F059B0000-0x0000022F059D0000-memory.dmp

memory/3572-5-0x0000022F059B0000-0x0000022F059D0000-memory.dmp

memory/3572-4-0x0000022F05780000-0x0000022F057A0000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-10-26 02:27

Reported

2024-10-26 02:33

Platform

win11-20241007-en

Max time kernel

146s

Max time network

292s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (9).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4336 wrote to memory of 2964 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 4336 wrote to memory of 2964 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (9).bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.240.197:5332 us-zephyr.miningocean.org tcp

Files

memory/2964-0-0x00000250D7BB0000-0x00000250D7BD0000-memory.dmp

memory/2964-1-0x00000250D7C50000-0x00000250D7C70000-memory.dmp

memory/2964-2-0x00000250D7C70000-0x00000250D7C90000-memory.dmp

memory/2964-3-0x00000250D7C90000-0x00000250D7CB0000-memory.dmp

memory/2964-4-0x00000250D7C70000-0x00000250D7C90000-memory.dmp

memory/2964-5-0x00000250D7C90000-0x00000250D7CB0000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2024-10-26 02:27

Reported

2024-10-26 02:33

Platform

win10ltsc2021-20241023-en

Max time kernel

300s

Max time network

264s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie.bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5048 wrote to memory of 4996 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 5048 wrote to memory of 4996 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie.bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.240.197:5332 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 197.240.204.15.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/4996-0-0x0000018805590000-0x00000188055B0000-memory.dmp

memory/4996-1-0x0000018806E90000-0x0000018806EB0000-memory.dmp

memory/4996-2-0x0000018806ED0000-0x0000018806EF0000-memory.dmp

memory/4996-3-0x0000018806EB0000-0x0000018806ED0000-memory.dmp

memory/4996-4-0x0000018806ED0000-0x0000018806EF0000-memory.dmp

memory/4996-5-0x0000018806EB0000-0x0000018806ED0000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-26 02:27

Reported

2024-10-26 02:33

Platform

win10ltsc2021-20241023-en

Max time kernel

153s

Max time network

290s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 75.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 fd.api.iris.microsoft.com udp
NL 20.103.156.88:443 fd.api.iris.microsoft.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 8.173.189.20.in-addr.arpa udp

Files

memory/1676-0-0x0000017D99C00000-0x0000017D99C20000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-26 02:27

Reported

2024-10-26 02:33

Platform

win11-20241007-en

Max time kernel

92s

Max time network

209s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/1380-0-0x000002AD79C40000-0x000002AD79C60000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-10-26 02:27

Reported

2024-10-26 02:33

Platform

win10ltsc2021-20241023-en

Max time kernel

299s

Max time network

290s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (4).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3436 wrote to memory of 4316 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 3436 wrote to memory of 4316 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (4).bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.244.104:5332 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.244.204.15.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

memory/4316-0-0x00000212EB010000-0x00000212EB030000-memory.dmp

memory/4316-1-0x00000212EB060000-0x00000212EB080000-memory.dmp

memory/4316-2-0x00000212EB080000-0x00000212EB0A0000-memory.dmp

memory/4316-3-0x00000212EB0A0000-0x00000212EB0C0000-memory.dmp

memory/4316-4-0x00000212EB080000-0x00000212EB0A0000-memory.dmp

memory/4316-5-0x00000212EB0A0000-0x00000212EB0C0000-memory.dmp