Malware Analysis Report

2025-08-10 14:41

Sample ID 241026-jhvqmazkfs
Target PUB2.rar
SHA256 8bbab7c6d8c74646fec9b68eff9a0e1a7f294a9ea4e11c46e9161540cb6c5f7e
Tags
miner xmrig
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8bbab7c6d8c74646fec9b68eff9a0e1a7f294a9ea4e11c46e9161540cb6c5f7e

Threat Level: Known bad

The file PUB2.rar was found to be: Known bad.

Malicious Activity Summary

miner xmrig

XMRig Miner payload

Xmrig family

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-10-26 07:40

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xmrig family

xmrig

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-26 07:40

Reported

2024-10-26 08:11

Platform

win11-20241007-en

Max time kernel

1462s

Max time network

1477s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

memory/2908-0-0x00000250E59D0000-0x00000250E59F0000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-10-26 07:40

Reported

2024-10-26 08:11

Platform

win11-20241007-en

Max time kernel

1674s

Max time network

1792s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (4).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2460 wrote to memory of 2432 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
PID 2460 wrote to memory of 2432 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (4).bat"

C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.244.104:5342 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 104.244.204.15.in-addr.arpa udp

Files

memory/2432-0-0x00000185E1800000-0x00000185E1820000-memory.dmp

memory/2432-1-0x00000185E1850000-0x00000185E1870000-memory.dmp

memory/2432-2-0x00000185E1890000-0x00000185E18B0000-memory.dmp

memory/2432-3-0x0000018674020000-0x0000018674040000-memory.dmp

memory/2432-4-0x00000185E1890000-0x00000185E18B0000-memory.dmp

memory/2432-5-0x0000018674020000-0x0000018674040000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-10-26 07:40

Reported

2024-10-26 08:11

Platform

win11-20241007-en

Max time kernel

1478s

Max time network

1805s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (5).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 628 wrote to memory of 1212 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
PID 628 wrote to memory of 1212 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (5).bat"

C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.244.104:5342 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

memory/1212-0-0x000002BAD3050000-0x000002BAD3070000-memory.dmp

memory/1212-1-0x000002BAD3090000-0x000002BAD30B0000-memory.dmp

memory/1212-2-0x000002BAD30B0000-0x000002BAD30D0000-memory.dmp

memory/1212-3-0x000002BAD30F0000-0x000002BAD3110000-memory.dmp

memory/1212-5-0x000002BAD30F0000-0x000002BAD3110000-memory.dmp

memory/1212-4-0x000002BAD30B0000-0x000002BAD30D0000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-10-26 07:40

Reported

2024-10-26 08:11

Platform

win11-20241007-en

Max time kernel

1637s

Max time network

1790s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (8).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5728 wrote to memory of 5724 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
PID 5728 wrote to memory of 5724 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (8).bat"

C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.244.104:5342 us-zephyr.miningocean.org tcp

Files

memory/5724-0-0x000001D652660000-0x000001D652680000-memory.dmp

memory/5724-1-0x000001D6526B0000-0x000001D6526D0000-memory.dmp

memory/5724-3-0x000001D6526D0000-0x000001D6526F0000-memory.dmp

memory/5724-2-0x000001D6526F0000-0x000001D652710000-memory.dmp

memory/5724-4-0x000001D6526F0000-0x000001D652710000-memory.dmp

memory/5724-5-0x000001D6526D0000-0x000001D6526F0000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-10-26 07:40

Reported

2024-10-26 08:11

Platform

win11-20241007-en

Max time kernel

1570s

Max time network

1796s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr.bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1104 wrote to memory of 32 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
PID 1104 wrote to memory of 32 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr.bat"

C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.244.104:5342 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 104.244.204.15.in-addr.arpa udp

Files

memory/32-0-0x000002BE73050000-0x000002BE73070000-memory.dmp

memory/32-1-0x000002BE730A0000-0x000002BE730C0000-memory.dmp

memory/32-3-0x000002BE730E0000-0x000002BE73100000-memory.dmp

memory/32-2-0x000002BE730C0000-0x000002BE730E0000-memory.dmp

memory/32-4-0x000002BE730C0000-0x000002BE730E0000-memory.dmp

memory/32-5-0x000002BE730E0000-0x000002BE73100000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-26 07:40

Reported

2024-10-26 08:11

Platform

win11-20241007-en

Max time kernel

1676s

Max time network

1790s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (10).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1976 wrote to memory of 980 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
PID 1976 wrote to memory of 980 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (10).bat"

C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.244.104:5342 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/980-0-0x000001BFAB320000-0x000001BFAB340000-memory.dmp

memory/980-1-0x000001BFAB380000-0x000001BFAB3A0000-memory.dmp

memory/980-2-0x000001BFAB3A0000-0x000001BFAB3C0000-memory.dmp

memory/980-3-0x000001C03DB40000-0x000001C03DB60000-memory.dmp

memory/980-4-0x000001BFAB3A0000-0x000001BFAB3C0000-memory.dmp

memory/980-5-0x000001C03DB40000-0x000001C03DB60000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-26 07:40

Reported

2024-10-26 08:11

Platform

win11-20241007-en

Max time kernel

1640s

Max time network

1790s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (11).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4596 wrote to memory of 3860 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
PID 4596 wrote to memory of 3860 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (11).bat"

C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.240.197:5342 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 197.240.204.15.in-addr.arpa udp

Files

memory/3860-0-0x0000028662FE0000-0x0000028663000000-memory.dmp

memory/3860-1-0x00000286648D0000-0x00000286648F0000-memory.dmp

memory/3860-2-0x00000286648F0000-0x0000028664910000-memory.dmp

memory/3860-3-0x0000028664920000-0x0000028664940000-memory.dmp

memory/3860-5-0x0000028664920000-0x0000028664940000-memory.dmp

memory/3860-4-0x00000286648F0000-0x0000028664910000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-10-26 07:40

Reported

2024-10-26 08:10

Platform

win11-20241007-en

Max time kernel

1732s

Max time network

1790s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (2).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 224 wrote to memory of 4128 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
PID 224 wrote to memory of 4128 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (2).bat"

C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 15.204.240.197:5342 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

memory/4128-0-0x0000022670620000-0x0000022670640000-memory.dmp

memory/4128-1-0x00000227027B0000-0x00000227027D0000-memory.dmp

memory/4128-2-0x0000022702C00000-0x0000022702C20000-memory.dmp

memory/4128-3-0x0000022702E40000-0x0000022702E60000-memory.dmp

memory/4128-5-0x0000022702E40000-0x0000022702E60000-memory.dmp

memory/4128-4-0x0000022702C00000-0x0000022702C20000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-10-26 07:40

Reported

2024-10-26 08:11

Platform

win11-20241007-en

Max time kernel

1406s

Max time network

1790s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie.bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1564 wrote to memory of 3000 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
PID 1564 wrote to memory of 3000 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie.bat"

C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 15.204.244.104:5342 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

memory/3000-0-0x000001BB71B10000-0x000001BB71B30000-memory.dmp

memory/3000-1-0x00007FFC78AC0000-0x00007FFC78CC9000-memory.dmp

memory/3000-2-0x00007FFC78AC0000-0x00007FFC78CC9000-memory.dmp

memory/3000-3-0x00007FFC78AC0000-0x00007FFC78CC9000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-10-26 07:40

Reported

2024-10-26 08:11

Platform

win11-20241023-en

Max time kernel

1630s

Max time network

1791s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (12).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2760 wrote to memory of 1648 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
PID 2760 wrote to memory of 1648 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (12).bat"

C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.240.197:5342 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/1648-0-0x000002677C6F0000-0x000002677C710000-memory.dmp

memory/1648-1-0x000002677E0F0000-0x000002677E110000-memory.dmp

memory/1648-2-0x000002677E110000-0x000002677E130000-memory.dmp

memory/1648-3-0x000002677E130000-0x000002677E150000-memory.dmp

memory/1648-4-0x000002677E110000-0x000002677E130000-memory.dmp

memory/1648-5-0x000002677E130000-0x000002677E150000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-10-26 07:40

Reported

2024-10-26 08:11

Platform

win11-20241007-en

Max time kernel

1490s

Max time network

1790s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (3).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4048 wrote to memory of 2168 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
PID 4048 wrote to memory of 2168 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (3).bat"

C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.240.197:5342 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 197.240.204.15.in-addr.arpa udp

Files

memory/2168-0-0x0000022E218D0000-0x0000022E218F0000-memory.dmp

memory/2168-1-0x0000022E21A20000-0x0000022E21A40000-memory.dmp

memory/2168-2-0x0000022E21A40000-0x0000022E21A60000-memory.dmp

memory/2168-3-0x0000022EB40F0000-0x0000022EB4110000-memory.dmp

memory/2168-4-0x0000022E21A40000-0x0000022E21A60000-memory.dmp

memory/2168-5-0x0000022EB40F0000-0x0000022EB4110000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-10-26 07:40

Reported

2024-10-26 08:11

Platform

win11-20241007-en

Max time kernel

1639s

Max time network

1803s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (6).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3392 wrote to memory of 4608 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
PID 3392 wrote to memory of 4608 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (6).bat"

C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.240.197:5342 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp

Files

memory/4608-0-0x0000029369280000-0x00000293692A0000-memory.dmp

memory/4608-1-0x000002936ABB0000-0x000002936ABD0000-memory.dmp

memory/4608-2-0x000002936ABF0000-0x000002936AC10000-memory.dmp

memory/4608-3-0x000002936ABD0000-0x000002936ABF0000-memory.dmp

memory/4608-5-0x000002936ABD0000-0x000002936ABF0000-memory.dmp

memory/4608-4-0x000002936ABF0000-0x000002936AC10000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-10-26 07:40

Reported

2024-10-26 08:11

Platform

win11-20241007-en

Max time kernel

1503s

Max time network

1796s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (9).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3068 wrote to memory of 1932 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
PID 3068 wrote to memory of 1932 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (9).bat"

C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.240.197:5342 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

memory/1932-0-0x000001AB79620000-0x000001AB79640000-memory.dmp

memory/1932-1-0x000001AB79670000-0x000001AB79690000-memory.dmp

memory/1932-3-0x000001AB796B0000-0x000001AB796D0000-memory.dmp

memory/1932-2-0x000001AB79690000-0x000001AB796B0000-memory.dmp

memory/1932-4-0x000001AB79690000-0x000001AB796B0000-memory.dmp

memory/1932-5-0x000001AB796B0000-0x000001AB796D0000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-10-26 07:40

Reported

2024-10-26 08:11

Platform

win11-20241007-en

Max time kernel

1770s

Max time network

1795s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (7).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4180 wrote to memory of 956 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
PID 4180 wrote to memory of 956 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (7).bat"

C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.244.104:5342 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 104.244.204.15.in-addr.arpa udp

Files

memory/956-0-0x0000026C4ED80000-0x0000026C4EDA0000-memory.dmp

memory/956-1-0x0000026C50670000-0x0000026C50690000-memory.dmp

memory/956-2-0x0000026C50690000-0x0000026C506B0000-memory.dmp

memory/956-3-0x0000026C506B0000-0x0000026C506D0000-memory.dmp

memory/956-5-0x0000026C506B0000-0x0000026C506D0000-memory.dmp

memory/956-4-0x0000026C50690000-0x0000026C506B0000-memory.dmp