Analysis Overview
SHA256
8bbab7c6d8c74646fec9b68eff9a0e1a7f294a9ea4e11c46e9161540cb6c5f7e
Threat Level: Known bad
The file PUB2.rar was found to be: Known bad.
Malicious Activity Summary
Xmrig family
XMRig Miner payload
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-10-26 03:43
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xmrig family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral13
Detonation Overview
Submitted
2024-10-26 03:43
Reported
2024-10-26 04:21
Platform
win11-20241007-en
Max time kernel
1057s
Max time network
1199s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1412 wrote to memory of 4092 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
| PID 1412 wrote to memory of 4092 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie.bat"
C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.244.104:5342 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 104.244.204.15.in-addr.arpa | udp |
Files
memory/4092-0-0x0000025484F10000-0x0000025484F30000-memory.dmp
memory/4092-1-0x00000255170B0000-0x00000255170D0000-memory.dmp
memory/4092-3-0x0000025517720000-0x0000025517740000-memory.dmp
memory/4092-2-0x0000025517700000-0x0000025517720000-memory.dmp
memory/4092-5-0x0000025517720000-0x0000025517740000-memory.dmp
memory/4092-4-0x0000025517700000-0x0000025517720000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-10-26 03:43
Reported
2024-10-26 04:29
Platform
win11-20241007-en
Max time kernel
445s
Max time network
1198s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4476 wrote to memory of 4116 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
| PID 4476 wrote to memory of 4116 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr.bat"
C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.244.104:5342 | us-zephyr.miningocean.org | tcp |
Files
memory/4116-0-0x00000139EBE50000-0x00000139EBE70000-memory.dmp
memory/4116-1-0x00000139EBEA0000-0x00000139EBEC0000-memory.dmp
memory/4116-3-0x00000139EBEE0000-0x00000139EBF00000-memory.dmp
memory/4116-2-0x00000139EBEC0000-0x00000139EBEE0000-memory.dmp
memory/4116-4-0x00000139EBEC0000-0x00000139EBEE0000-memory.dmp
memory/4116-5-0x00000139EBEE0000-0x00000139EBF00000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-26 03:43
Reported
2024-10-26 04:12
Platform
win11-20241007-en
Max time kernel
438s
Max time network
1206s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4292 wrote to memory of 3112 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
| PID 4292 wrote to memory of 3112 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (10).bat"
C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.240.197:5342 | us-zephyr.miningocean.org | tcp |
Files
memory/3112-0-0x0000022FC2910000-0x0000022FC2930000-memory.dmp
memory/3112-1-0x0000023054AD0000-0x0000023054AF0000-memory.dmp
memory/3112-2-0x0000023055140000-0x0000023055160000-memory.dmp
memory/3112-3-0x0000023054F10000-0x0000023054F30000-memory.dmp
memory/3112-5-0x0000023054F10000-0x0000023054F30000-memory.dmp
memory/3112-4-0x0000023055140000-0x0000023055160000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-10-26 03:43
Reported
2024-10-26 04:21
Platform
win11-20241007-en
Max time kernel
1098s
Max time network
1185s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4976 wrote to memory of 2660 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
| PID 4976 wrote to memory of 2660 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (11).bat"
C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.240.197:5342 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
Files
memory/2660-0-0x00000176FDEC0000-0x00000176FDEE0000-memory.dmp
memory/2660-1-0x00000176FE020000-0x00000176FE040000-memory.dmp
memory/2660-2-0x00000176FE040000-0x00000176FE060000-memory.dmp
memory/2660-3-0x00000176FE060000-0x00000176FE080000-memory.dmp
memory/2660-4-0x00000176FE040000-0x00000176FE060000-memory.dmp
memory/2660-5-0x00000176FE060000-0x00000176FE080000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-10-26 03:43
Reported
2024-10-26 04:21
Platform
win11-20241007-en
Max time kernel
1010s
Max time network
1183s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3856 wrote to memory of 3512 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
| PID 3856 wrote to memory of 3512 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (12).bat"
C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.240.197:5342 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 197.240.204.15.in-addr.arpa | udp |
Files
memory/3512-0-0x000001DDE4BF0000-0x000001DDE4C10000-memory.dmp
memory/3512-1-0x000001DDE66B0000-0x000001DDE66D0000-memory.dmp
memory/3512-2-0x000001DDE66D0000-0x000001DDE66F0000-memory.dmp
memory/3512-3-0x000001DE78D60000-0x000001DE78D80000-memory.dmp
memory/3512-4-0x000001DDE66D0000-0x000001DDE66F0000-memory.dmp
memory/3512-5-0x000001DE78D60000-0x000001DE78D80000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-10-26 03:43
Reported
2024-10-26 04:21
Platform
win11-20241007-en
Max time kernel
1010s
Max time network
1181s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3356 wrote to memory of 4852 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
| PID 3356 wrote to memory of 4852 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (3).bat"
C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.244.104:5342 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
memory/4852-0-0x0000011CB05D0000-0x0000011CB05F0000-memory.dmp
memory/4852-1-0x0000011CB0620000-0x0000011CB0640000-memory.dmp
memory/4852-2-0x0000011CB0640000-0x0000011CB0660000-memory.dmp
memory/4852-3-0x0000011CB0660000-0x0000011CB0680000-memory.dmp
memory/4852-5-0x0000011CB0660000-0x0000011CB0680000-memory.dmp
memory/4852-4-0x0000011CB0640000-0x0000011CB0660000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2024-10-26 03:43
Reported
2024-10-26 04:21
Platform
win11-20241007-en
Max time kernel
1160s
Max time network
1174s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1932 wrote to memory of 4860 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
| PID 1932 wrote to memory of 4860 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (8).bat"
C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.240.197:5342 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
Files
memory/4860-0-0x000002C8D09E0000-0x000002C8D0A00000-memory.dmp
memory/4860-1-0x000002C8D0A20000-0x000002C8D0A40000-memory.dmp
memory/4860-3-0x000002C8D0B80000-0x000002C8D0BA0000-memory.dmp
memory/4860-2-0x000002C8D0A40000-0x000002C8D0A60000-memory.dmp
memory/4860-4-0x000002C8D0A40000-0x000002C8D0A60000-memory.dmp
memory/4860-5-0x000002C8D0B80000-0x000002C8D0BA0000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-26 03:43
Reported
2024-10-26 04:12
Platform
win11-20241007-en
Max time kernel
1117s
Max time network
906s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
memory/740-0-0x000001DCC74C0000-0x000001DCC74E0000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-10-26 03:43
Reported
2024-10-26 04:21
Platform
win11-20241007-en
Max time kernel
439s
Max time network
1189s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1100 wrote to memory of 3624 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
| PID 1100 wrote to memory of 3624 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (2).bat"
C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.240.197:5342 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 197.240.204.15.in-addr.arpa | udp |
Files
memory/3624-0-0x00000234AC380000-0x00000234AC3A0000-memory.dmp
memory/3624-1-0x00000234AC420000-0x00000234AC440000-memory.dmp
memory/3624-2-0x000002353E990000-0x000002353E9B0000-memory.dmp
memory/3624-3-0x000002353EBC0000-0x000002353EBE0000-memory.dmp
memory/3624-4-0x000002353E990000-0x000002353E9B0000-memory.dmp
memory/3624-5-0x000002353EBC0000-0x000002353EBE0000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-10-26 03:43
Reported
2024-10-26 04:21
Platform
win11-20241007-en
Max time kernel
729s
Max time network
1180s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2820 wrote to memory of 3236 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
| PID 2820 wrote to memory of 3236 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (5).bat"
C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.240.197:5342 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
memory/3236-0-0x000001F4CAFA0000-0x000001F4CAFC0000-memory.dmp
memory/3236-1-0x000001F4CC8D0000-0x000001F4CC8F0000-memory.dmp
memory/3236-3-0x000001F4CC910000-0x000001F4CC930000-memory.dmp
memory/3236-2-0x000001F4CC8F0000-0x000001F4CC910000-memory.dmp
memory/3236-5-0x000001F4CC910000-0x000001F4CC930000-memory.dmp
memory/3236-4-0x000001F4CC8F0000-0x000001F4CC910000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-10-26 03:43
Reported
2024-10-26 04:21
Platform
win11-20241007-en
Max time kernel
1010s
Max time network
1173s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4752 wrote to memory of 3708 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
| PID 4752 wrote to memory of 3708 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (9).bat"
C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.240.197:5342 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 197.240.204.15.in-addr.arpa | udp |
Files
memory/3708-0-0x00000195759B0000-0x00000195759D0000-memory.dmp
memory/3708-1-0x0000019575B10000-0x0000019575B30000-memory.dmp
memory/3708-3-0x00000196081C0000-0x00000196081E0000-memory.dmp
memory/3708-2-0x0000019575B30000-0x0000019575B50000-memory.dmp
memory/3708-5-0x00000196081C0000-0x00000196081E0000-memory.dmp
memory/3708-4-0x0000019575B30000-0x0000019575B50000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-10-26 03:43
Reported
2024-10-26 04:21
Platform
win11-20241007-en
Max time kernel
1053s
Max time network
1186s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 236 wrote to memory of 3968 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
| PID 236 wrote to memory of 3968 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (4).bat"
C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.244.104:5342 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 104.244.204.15.in-addr.arpa | udp |
Files
memory/3968-0-0x0000026D451E0000-0x0000026D45200000-memory.dmp
memory/3968-1-0x0000026DD7370000-0x0000026DD7390000-memory.dmp
memory/3968-2-0x0000026DD79C0000-0x0000026DD79E0000-memory.dmp
memory/3968-3-0x0000026DD79E0000-0x0000026DD7A00000-memory.dmp
memory/3968-4-0x0000026DD79C0000-0x0000026DD79E0000-memory.dmp
memory/3968-5-0x0000026DD79E0000-0x0000026DD7A00000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-10-26 03:43
Reported
2024-10-26 04:21
Platform
win11-20241007-en
Max time kernel
727s
Max time network
1154s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 5404 wrote to memory of 848 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
| PID 5404 wrote to memory of 848 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (6).bat"
C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.244.104:5342 | us-zephyr.miningocean.org | tcp |
Files
memory/848-0-0x0000017BBA3C0000-0x0000017BBA3E0000-memory.dmp
memory/848-1-0x0000017BBBDB0000-0x0000017BBBDD0000-memory.dmp
memory/848-2-0x0000017BBBDD0000-0x0000017BBBDF0000-memory.dmp
memory/848-3-0x0000017BBBE10000-0x0000017BBBE30000-memory.dmp
memory/848-5-0x0000017BBBE10000-0x0000017BBBE30000-memory.dmp
memory/848-4-0x0000017BBBDD0000-0x0000017BBBDF0000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2024-10-26 03:43
Reported
2024-10-26 04:21
Platform
win11-20241007-en
Max time kernel
436s
Max time network
1157s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3944 wrote to memory of 4612 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
| PID 3944 wrote to memory of 4612 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (7).bat"
C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.240.197:5342 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
memory/4612-0-0x00000299C2120000-0x00000299C2140000-memory.dmp
memory/4612-1-0x00000299C2160000-0x00000299C2180000-memory.dmp
memory/4612-3-0x00000299C21A0000-0x00000299C21C0000-memory.dmp
memory/4612-2-0x00000299C2180000-0x00000299C21A0000-memory.dmp
memory/4612-4-0x00000299C2180000-0x00000299C21A0000-memory.dmp
memory/4612-5-0x00000299C21A0000-0x00000299C21C0000-memory.dmp