Malware Analysis Report

2025-08-06 02:11

Sample ID: 241026-d92qcs1ajk
Target: PUB2.rar
SHA256: 8bbab7c6d8c74646fec9b68eff9a0e1a7f294a9ea4e11c46e9161540cb6c5f7e
Tags: miner, xmrig
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral13, behavioral14, behavioral2, behavioral3, behavioral4, behavioral6, behavioral11, behavioral1, behavioral5, behavioral8, behavioral12, behavioral7, behavioral9, behavioral10 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
10/10

SHA256

8bbab7c6d8c74646fec9b68eff9a0e1a7f294a9ea4e11c46e9161540cb6c5f7e

Threat Level: Known bad

The file PUB2.rar was found to be: Known bad.

The archive extracts to a folder PUB2 containing an xmrig.exe binary and a set of batch files: zephyr.bat plus duplicates named "zephyr - Copie.bat" and "zephyr - Copie (N).bat" (the naming Windows Explorer gives to copies on a French-locale system). Every batch file runs the same command line:

xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

that is, mine to the pool us-zephyr.miningocean.org on TCP port 5342 (-o), using the ZEPHYR wallet address as the pool username (-u), "scall" as the pool password field, which many pools treat as the worker name (-p), the RandomX algorithm (-a rx/0) and keepalive enabled (-k). Across the detonations the pool name resolved to 15.204.244.104 or 15.204.240.197; only the tcp rows to port 5342 in the Network tables are the miner's own sessions. The 8.8.8.8:53 rows are the resolver, and the in-addr.arpa rows are reverse lookups, some of the pool IP and some of unrelated addresses the OS touched. In behavioral1 xmrig.exe was started bare, without a pool argument; it raised no signatures and contacted no pool.

Malicious Activity Summary

miner xmrig

Xmrig family

XMRig Miner payload

Unsigned PE

Suspicious use of AdjustPrivilegeToken (SeLockMemoryPrivilege: xmrig enables it in its own token to back the RandomX dataset with large pages; this is expected miner behaviour, not a privilege escalation)

Suspicious use of FindShellTrayWindow (a generic heuristic that fires on many benign programs; weak evidence on its own)

Suspicious use of WriteProcessMemory (cmd.exe writing into the xmrig.exe child it had just created, which is the normal parent-to-child write performed by CreateProcess, not injection into an unrelated process)

MITRE ATT&CK

N/A (the sandbox mapped no techniques automatically). The observed behaviour corresponds to T1496 Resource Hijacking (cryptocurrency mining to a remote pool) launched through T1059.003 Windows Command Shell (the zephyr*.bat files run by cmd.exe /c).

Analysis: static1

Detonation Overview

Reported

2024-10-26 03:43

Signatures

XMRig Miner payload (tag: miner)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xmrig family (tag: xmrig)

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-10-26 03:43

Reported

2024-10-26 04:21

Platform

win11-20241007-en

Max time kernel

1057s

Max time network

1199s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie.bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1412 wrote to memory of 4092 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
PID 1412 wrote to memory of 4092 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie.bat"

C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.244.104:5342 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 104.244.204.15.in-addr.arpa udp

Files

memory/4092-0-0x0000025484F10000-0x0000025484F30000-memory.dmp

memory/4092-1-0x00000255170B0000-0x00000255170D0000-memory.dmp

memory/4092-3-0x0000025517720000-0x0000025517740000-memory.dmp

memory/4092-2-0x0000025517700000-0x0000025517720000-memory.dmp

memory/4092-5-0x0000025517720000-0x0000025517740000-memory.dmp

memory/4092-4-0x0000025517700000-0x0000025517720000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-10-26 03:43

Reported

2024-10-26 04:29

Platform

win11-20241007-en

Max time kernel

445s

Max time network

1198s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr.bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4476 wrote to memory of 4116 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
PID 4476 wrote to memory of 4116 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr.bat"

C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.244.104:5342 us-zephyr.miningocean.org tcp

Files

memory/4116-0-0x00000139EBE50000-0x00000139EBE70000-memory.dmp

memory/4116-1-0x00000139EBEA0000-0x00000139EBEC0000-memory.dmp

memory/4116-3-0x00000139EBEE0000-0x00000139EBF00000-memory.dmp

memory/4116-2-0x00000139EBEC0000-0x00000139EBEE0000-memory.dmp

memory/4116-4-0x00000139EBEC0000-0x00000139EBEE0000-memory.dmp

memory/4116-5-0x00000139EBEE0000-0x00000139EBF00000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-26 03:43

Reported

2024-10-26 04:12

Platform

win11-20241007-en

Max time kernel

438s

Max time network

1206s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (10).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4292 wrote to memory of 3112 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
PID 4292 wrote to memory of 3112 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (10).bat"

C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.240.197:5342 us-zephyr.miningocean.org tcp

Files

memory/3112-0-0x0000022FC2910000-0x0000022FC2930000-memory.dmp

memory/3112-1-0x0000023054AD0000-0x0000023054AF0000-memory.dmp

memory/3112-2-0x0000023055140000-0x0000023055160000-memory.dmp

memory/3112-3-0x0000023054F10000-0x0000023054F30000-memory.dmp

memory/3112-5-0x0000023054F10000-0x0000023054F30000-memory.dmp

memory/3112-4-0x0000023055140000-0x0000023055160000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-26 03:43

Reported

2024-10-26 04:21

Platform

win11-20241007-en

Max time kernel

1098s

Max time network

1185s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (11).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4976 wrote to memory of 2660 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
PID 4976 wrote to memory of 2660 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (11).bat"

C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.240.197:5342 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp

Files

memory/2660-0-0x00000176FDEC0000-0x00000176FDEE0000-memory.dmp

memory/2660-1-0x00000176FE020000-0x00000176FE040000-memory.dmp

memory/2660-2-0x00000176FE040000-0x00000176FE060000-memory.dmp

memory/2660-3-0x00000176FE060000-0x00000176FE080000-memory.dmp

memory/2660-4-0x00000176FE040000-0x00000176FE060000-memory.dmp

memory/2660-5-0x00000176FE060000-0x00000176FE080000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-10-26 03:43

Reported

2024-10-26 04:21

Platform

win11-20241007-en

Max time kernel

1010s

Max time network

1183s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (12).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3856 wrote to memory of 3512 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
PID 3856 wrote to memory of 3512 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (12).bat"

C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.240.197:5342 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 197.240.204.15.in-addr.arpa udp

Files

memory/3512-0-0x000001DDE4BF0000-0x000001DDE4C10000-memory.dmp

memory/3512-1-0x000001DDE66B0000-0x000001DDE66D0000-memory.dmp

memory/3512-2-0x000001DDE66D0000-0x000001DDE66F0000-memory.dmp

memory/3512-3-0x000001DE78D60000-0x000001DE78D80000-memory.dmp

memory/3512-4-0x000001DDE66D0000-0x000001DDE66F0000-memory.dmp

memory/3512-5-0x000001DE78D60000-0x000001DE78D80000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-10-26 03:43

Reported

2024-10-26 04:21

Platform

win11-20241007-en

Max time kernel

1010s

Max time network

1181s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (3).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3356 wrote to memory of 4852 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
PID 3356 wrote to memory of 4852 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (3).bat"

C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.244.104:5342 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/4852-0-0x0000011CB05D0000-0x0000011CB05F0000-memory.dmp

memory/4852-1-0x0000011CB0620000-0x0000011CB0640000-memory.dmp

memory/4852-2-0x0000011CB0640000-0x0000011CB0660000-memory.dmp

memory/4852-3-0x0000011CB0660000-0x0000011CB0680000-memory.dmp

memory/4852-5-0x0000011CB0660000-0x0000011CB0680000-memory.dmp

memory/4852-4-0x0000011CB0640000-0x0000011CB0660000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-10-26 03:43

Reported

2024-10-26 04:21

Platform

win11-20241007-en

Max time kernel

1160s

Max time network

1174s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (8).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1932 wrote to memory of 4860 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
PID 1932 wrote to memory of 4860 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (8).bat"

C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.240.197:5342 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp

Files

memory/4860-0-0x000002C8D09E0000-0x000002C8D0A00000-memory.dmp

memory/4860-1-0x000002C8D0A20000-0x000002C8D0A40000-memory.dmp

memory/4860-3-0x000002C8D0B80000-0x000002C8D0BA0000-memory.dmp

memory/4860-2-0x000002C8D0A40000-0x000002C8D0A60000-memory.dmp

memory/4860-4-0x000002C8D0A40000-0x000002C8D0A60000-memory.dmp

memory/4860-5-0x000002C8D0B80000-0x000002C8D0BA0000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-26 03:43

Reported

2024-10-26 04:12

Platform

win11-20241007-en

Max time kernel

1117s

Max time network

906s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

None of these rows belong to the sample: xmrig.exe was launched here with no pool argument, raised no signatures and made no connection to a mining pool. The tse1.mm.bing.net sessions and the reverse lookups are Windows 11 background traffic captured during the detonation window.

Files

memory/740-0-0x000001DCC74C0000-0x000001DCC74E0000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-10-26 03:43

Reported

2024-10-26 04:21

Platform

win11-20241007-en

Max time kernel

439s

Max time network

1189s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (2).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1100 wrote to memory of 3624 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
PID 1100 wrote to memory of 3624 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (2).bat"

C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.240.197:5342 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 197.240.204.15.in-addr.arpa udp

Files

memory/3624-0-0x00000234AC380000-0x00000234AC3A0000-memory.dmp

memory/3624-1-0x00000234AC420000-0x00000234AC440000-memory.dmp

memory/3624-2-0x000002353E990000-0x000002353E9B0000-memory.dmp

memory/3624-3-0x000002353EBC0000-0x000002353EBE0000-memory.dmp

memory/3624-4-0x000002353E990000-0x000002353E9B0000-memory.dmp

memory/3624-5-0x000002353EBC0000-0x000002353EBE0000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-10-26 03:43

Reported

2024-10-26 04:21

Platform

win11-20241007-en

Max time kernel

729s

Max time network

1180s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (5).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2820 wrote to memory of 3236 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
PID 2820 wrote to memory of 3236 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (5).bat"

C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.240.197:5342 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/3236-0-0x000001F4CAFA0000-0x000001F4CAFC0000-memory.dmp

memory/3236-1-0x000001F4CC8D0000-0x000001F4CC8F0000-memory.dmp

memory/3236-3-0x000001F4CC910000-0x000001F4CC930000-memory.dmp

memory/3236-2-0x000001F4CC8F0000-0x000001F4CC910000-memory.dmp

memory/3236-5-0x000001F4CC910000-0x000001F4CC930000-memory.dmp

memory/3236-4-0x000001F4CC8F0000-0x000001F4CC910000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-10-26 03:43

Reported

2024-10-26 04:21

Platform

win11-20241007-en

Max time kernel

1010s

Max time network

1173s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (9).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4752 wrote to memory of 3708 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
PID 4752 wrote to memory of 3708 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (9).bat"

C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.240.197:5342 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 197.240.204.15.in-addr.arpa udp

Files

memory/3708-0-0x00000195759B0000-0x00000195759D0000-memory.dmp

memory/3708-1-0x0000019575B10000-0x0000019575B30000-memory.dmp

memory/3708-3-0x00000196081C0000-0x00000196081E0000-memory.dmp

memory/3708-2-0x0000019575B30000-0x0000019575B50000-memory.dmp

memory/3708-5-0x00000196081C0000-0x00000196081E0000-memory.dmp

memory/3708-4-0x0000019575B30000-0x0000019575B50000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-10-26 03:43

Reported

2024-10-26 04:21

Platform

win11-20241007-en

Max time kernel

1053s

Max time network

1186s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (4).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 236 wrote to memory of 3968 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
PID 236 wrote to memory of 3968 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (4).bat"

C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.244.104:5342 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 104.244.204.15.in-addr.arpa udp

Files

memory/3968-0-0x0000026D451E0000-0x0000026D45200000-memory.dmp

memory/3968-1-0x0000026DD7370000-0x0000026DD7390000-memory.dmp

memory/3968-2-0x0000026DD79C0000-0x0000026DD79E0000-memory.dmp

memory/3968-3-0x0000026DD79E0000-0x0000026DD7A00000-memory.dmp

memory/3968-4-0x0000026DD79C0000-0x0000026DD79E0000-memory.dmp

memory/3968-5-0x0000026DD79E0000-0x0000026DD7A00000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-10-26 03:43

Reported

2024-10-26 04:21

Platform

win11-20241007-en

Max time kernel

727s

Max time network

1154s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (6).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5404 wrote to memory of 848 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
PID 5404 wrote to memory of 848 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (6).bat"

C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.244.104:5342 us-zephyr.miningocean.org tcp

Files

memory/848-0-0x0000017BBA3C0000-0x0000017BBA3E0000-memory.dmp

memory/848-1-0x0000017BBBDB0000-0x0000017BBBDD0000-memory.dmp

memory/848-2-0x0000017BBBDD0000-0x0000017BBBDF0000-memory.dmp

memory/848-3-0x0000017BBBE10000-0x0000017BBBE30000-memory.dmp

memory/848-5-0x0000017BBBE10000-0x0000017BBBE30000-memory.dmp

memory/848-4-0x0000017BBBDD0000-0x0000017BBBDF0000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-10-26 03:43

Reported

2024-10-26 04:21

Platform

win11-20241007-en

Max time kernel

436s

Max time network

1157s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (7).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3944 wrote to memory of 4612 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
PID 3944 wrote to memory of 4612 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (7).bat"

C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.240.197:5342 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/4612-0-0x00000299C2120000-0x00000299C2140000-memory.dmp

memory/4612-1-0x00000299C2160000-0x00000299C2180000-memory.dmp

memory/4612-3-0x00000299C21A0000-0x00000299C21C0000-memory.dmp

memory/4612-2-0x00000299C2180000-0x00000299C21A0000-memory.dmp

memory/4612-4-0x00000299C2180000-0x00000299C21A0000-memory.dmp

memory/4612-5-0x00000299C21A0000-0x00000299C21C0000-memory.dmp