Analysis Overview
SHA256
8bbab7c6d8c74646fec9b68eff9a0e1a7f294a9ea4e11c46e9161540cb6c5f7e
Threat Level: Known bad
The file PUB2.rar was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
Xmrig family
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-10-26 07:40
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xmrig family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-26 07:40
Reported
2024-10-26 08:11
Platform
win11-20241007-en
Max time kernel
1462s
Max time network
1477s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
memory/2908-0-0x00000250E59D0000-0x00000250E59F0000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-10-26 07:40
Reported
2024-10-26 08:11
Platform
win11-20241007-en
Max time kernel
1674s
Max time network
1792s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2460 wrote to memory of 2432 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
| PID 2460 wrote to memory of 2432 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (4).bat"
C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.244.104:5342 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 104.244.204.15.in-addr.arpa | udp |
Files
memory/2432-0-0x00000185E1800000-0x00000185E1820000-memory.dmp
memory/2432-1-0x00000185E1850000-0x00000185E1870000-memory.dmp
memory/2432-2-0x00000185E1890000-0x00000185E18B0000-memory.dmp
memory/2432-3-0x0000018674020000-0x0000018674040000-memory.dmp
memory/2432-4-0x00000185E1890000-0x00000185E18B0000-memory.dmp
memory/2432-5-0x0000018674020000-0x0000018674040000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-10-26 07:40
Reported
2024-10-26 08:11
Platform
win11-20241007-en
Max time kernel
1478s
Max time network
1805s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 628 wrote to memory of 1212 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
| PID 628 wrote to memory of 1212 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (5).bat"
C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.244.104:5342 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
memory/1212-0-0x000002BAD3050000-0x000002BAD3070000-memory.dmp
memory/1212-1-0x000002BAD3090000-0x000002BAD30B0000-memory.dmp
memory/1212-2-0x000002BAD30B0000-0x000002BAD30D0000-memory.dmp
memory/1212-3-0x000002BAD30F0000-0x000002BAD3110000-memory.dmp
memory/1212-5-0x000002BAD30F0000-0x000002BAD3110000-memory.dmp
memory/1212-4-0x000002BAD30B0000-0x000002BAD30D0000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2024-10-26 07:40
Reported
2024-10-26 08:11
Platform
win11-20241007-en
Max time kernel
1637s
Max time network
1790s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5728 wrote to memory of 5724 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
| PID 5728 wrote to memory of 5724 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (8).bat"
C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.244.104:5342 | us-zephyr.miningocean.org | tcp |
Files
memory/5724-0-0x000001D652660000-0x000001D652680000-memory.dmp
memory/5724-1-0x000001D6526B0000-0x000001D6526D0000-memory.dmp
memory/5724-3-0x000001D6526D0000-0x000001D6526F0000-memory.dmp
memory/5724-2-0x000001D6526F0000-0x000001D652710000-memory.dmp
memory/5724-4-0x000001D6526F0000-0x000001D652710000-memory.dmp
memory/5724-5-0x000001D6526D0000-0x000001D6526F0000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-10-26 07:40
Reported
2024-10-26 08:11
Platform
win11-20241007-en
Max time kernel
1570s
Max time network
1796s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1104 wrote to memory of 32 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
| PID 1104 wrote to memory of 32 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr.bat"
C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.244.104:5342 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 104.244.204.15.in-addr.arpa | udp |
Files
memory/32-0-0x000002BE73050000-0x000002BE73070000-memory.dmp
memory/32-1-0x000002BE730A0000-0x000002BE730C0000-memory.dmp
memory/32-3-0x000002BE730E0000-0x000002BE73100000-memory.dmp
memory/32-2-0x000002BE730C0000-0x000002BE730E0000-memory.dmp
memory/32-4-0x000002BE730C0000-0x000002BE730E0000-memory.dmp
memory/32-5-0x000002BE730E0000-0x000002BE73100000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-26 07:40
Reported
2024-10-26 08:11
Platform
win11-20241007-en
Max time kernel
1676s
Max time network
1790s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1976 wrote to memory of 980 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
| PID 1976 wrote to memory of 980 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (10).bat"
C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.244.104:5342 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
memory/980-0-0x000001BFAB320000-0x000001BFAB340000-memory.dmp
memory/980-1-0x000001BFAB380000-0x000001BFAB3A0000-memory.dmp
memory/980-2-0x000001BFAB3A0000-0x000001BFAB3C0000-memory.dmp
memory/980-3-0x000001C03DB40000-0x000001C03DB60000-memory.dmp
memory/980-4-0x000001BFAB3A0000-0x000001BFAB3C0000-memory.dmp
memory/980-5-0x000001C03DB40000-0x000001C03DB60000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-10-26 07:40
Reported
2024-10-26 08:11
Platform
win11-20241007-en
Max time kernel
1640s
Max time network
1790s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4596 wrote to memory of 3860 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
| PID 4596 wrote to memory of 3860 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (11).bat"
C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.240.197:5342 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 197.240.204.15.in-addr.arpa | udp |
Files
memory/3860-0-0x0000028662FE0000-0x0000028663000000-memory.dmp
memory/3860-1-0x00000286648D0000-0x00000286648F0000-memory.dmp
memory/3860-2-0x00000286648F0000-0x0000028664910000-memory.dmp
memory/3860-3-0x0000028664920000-0x0000028664940000-memory.dmp
memory/3860-5-0x0000028664920000-0x0000028664940000-memory.dmp
memory/3860-4-0x00000286648F0000-0x0000028664910000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-10-26 07:40
Reported
2024-10-26 08:10
Platform
win11-20241007-en
Max time kernel
1732s
Max time network
1790s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 224 wrote to memory of 4128 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
| PID 224 wrote to memory of 4128 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (2).bat"
C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 15.204.240.197:5342 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
memory/4128-0-0x0000022670620000-0x0000022670640000-memory.dmp
memory/4128-1-0x00000227027B0000-0x00000227027D0000-memory.dmp
memory/4128-2-0x0000022702C00000-0x0000022702C20000-memory.dmp
memory/4128-3-0x0000022702E40000-0x0000022702E60000-memory.dmp
memory/4128-5-0x0000022702E40000-0x0000022702E60000-memory.dmp
memory/4128-4-0x0000022702C00000-0x0000022702C20000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2024-10-26 07:40
Reported
2024-10-26 08:11
Platform
win11-20241007-en
Max time kernel
1406s
Max time network
1790s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1564 wrote to memory of 3000 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
| PID 1564 wrote to memory of 3000 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie.bat"
C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 15.204.244.104:5342 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
memory/3000-0-0x000001BB71B10000-0x000001BB71B30000-memory.dmp
memory/3000-1-0x00007FFC78AC0000-0x00007FFC78CC9000-memory.dmp
memory/3000-2-0x00007FFC78AC0000-0x00007FFC78CC9000-memory.dmp
memory/3000-3-0x00007FFC78AC0000-0x00007FFC78CC9000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-10-26 07:40
Reported
2024-10-26 08:11
Platform
win11-20241023-en
Max time kernel
1630s
Max time network
1791s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2760 wrote to memory of 1648 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
| PID 2760 wrote to memory of 1648 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (12).bat"
C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.240.197:5342 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
memory/1648-0-0x000002677C6F0000-0x000002677C710000-memory.dmp
memory/1648-1-0x000002677E0F0000-0x000002677E110000-memory.dmp
memory/1648-2-0x000002677E110000-0x000002677E130000-memory.dmp
memory/1648-3-0x000002677E130000-0x000002677E150000-memory.dmp
memory/1648-4-0x000002677E110000-0x000002677E130000-memory.dmp
memory/1648-5-0x000002677E130000-0x000002677E150000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-10-26 07:40
Reported
2024-10-26 08:11
Platform
win11-20241007-en
Max time kernel
1490s
Max time network
1790s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4048 wrote to memory of 2168 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
| PID 4048 wrote to memory of 2168 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (3).bat"
C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.240.197:5342 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 197.240.204.15.in-addr.arpa | udp |
Files
memory/2168-0-0x0000022E218D0000-0x0000022E218F0000-memory.dmp
memory/2168-1-0x0000022E21A20000-0x0000022E21A40000-memory.dmp
memory/2168-2-0x0000022E21A40000-0x0000022E21A60000-memory.dmp
memory/2168-3-0x0000022EB40F0000-0x0000022EB4110000-memory.dmp
memory/2168-4-0x0000022E21A40000-0x0000022E21A60000-memory.dmp
memory/2168-5-0x0000022EB40F0000-0x0000022EB4110000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-10-26 07:40
Reported
2024-10-26 08:11
Platform
win11-20241007-en
Max time kernel
1639s
Max time network
1803s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3392 wrote to memory of 4608 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
| PID 3392 wrote to memory of 4608 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (6).bat"
C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.240.197:5342 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
Files
memory/4608-0-0x0000029369280000-0x00000293692A0000-memory.dmp
memory/4608-1-0x000002936ABB0000-0x000002936ABD0000-memory.dmp
memory/4608-2-0x000002936ABF0000-0x000002936AC10000-memory.dmp
memory/4608-3-0x000002936ABD0000-0x000002936ABF0000-memory.dmp
memory/4608-5-0x000002936ABD0000-0x000002936ABF0000-memory.dmp
memory/4608-4-0x000002936ABF0000-0x000002936AC10000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-10-26 07:40
Reported
2024-10-26 08:11
Platform
win11-20241007-en
Max time kernel
1503s
Max time network
1796s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3068 wrote to memory of 1932 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
| PID 3068 wrote to memory of 1932 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (9).bat"
C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.240.197:5342 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
memory/1932-0-0x000001AB79620000-0x000001AB79640000-memory.dmp
memory/1932-1-0x000001AB79670000-0x000001AB79690000-memory.dmp
memory/1932-3-0x000001AB796B0000-0x000001AB796D0000-memory.dmp
memory/1932-2-0x000001AB79690000-0x000001AB796B0000-memory.dmp
memory/1932-4-0x000001AB79690000-0x000001AB796B0000-memory.dmp
memory/1932-5-0x000001AB796B0000-0x000001AB796D0000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2024-10-26 07:40
Reported
2024-10-26 08:11
Platform
win11-20241007-en
Max time kernel
1770s
Max time network
1795s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4180 wrote to memory of 956 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
| PID 4180 wrote to memory of 956 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (7).bat"
C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.244.104:5342 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 104.244.204.15.in-addr.arpa | udp |
Files
memory/956-0-0x0000026C4ED80000-0x0000026C4EDA0000-memory.dmp
memory/956-1-0x0000026C50670000-0x0000026C50690000-memory.dmp
memory/956-2-0x0000026C50690000-0x0000026C506B0000-memory.dmp
memory/956-3-0x0000026C506B0000-0x0000026C506D0000-memory.dmp
memory/956-5-0x0000026C506B0000-0x0000026C506D0000-memory.dmp
memory/956-4-0x0000026C50690000-0x0000026C506B0000-memory.dmp