Analysis Overview
SHA256
8bbab7c6d8c74646fec9b68eff9a0e1a7f294a9ea4e11c46e9161540cb6c5f7e
Threat Level: Known bad
The file PUB2.rar was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
Xmrig family
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-10-27 15:13
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xmrig family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral3
Detonation Overview
Submitted
2024-10-27 15:13
Reported
2024-10-27 15:33
Platform
win11-20241007-en
Max time kernel
1030s
Max time network
1184s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3696 wrote to memory of 5040 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
| PID 3696 wrote to memory of 5040 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (11).bat"
C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.244.104:5342 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 104.244.204.15.in-addr.arpa | udp |
Files
memory/5040-0-0x00000259F9870000-0x00000259F9890000-memory.dmp
memory/5040-1-0x00000259FB160000-0x00000259FB180000-memory.dmp
memory/5040-2-0x00000259FB180000-0x00000259FB1A0000-memory.dmp
memory/5040-3-0x00000259FB1A0000-0x00000259FB1C0000-memory.dmp
memory/5040-5-0x00000259FB1A0000-0x00000259FB1C0000-memory.dmp
memory/5040-4-0x00000259FB180000-0x00000259FB1A0000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-10-27 15:13
Reported
2024-10-27 15:33
Platform
win11-20241007-en
Max time kernel
670s
Max time network
1181s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4088 wrote to memory of 3144 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
| PID 4088 wrote to memory of 3144 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (2).bat"
C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.244.104:5342 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
Files
memory/3144-0-0x00000217C9C20000-0x00000217C9C40000-memory.dmp
memory/3144-1-0x00000217C9C70000-0x00000217C9C90000-memory.dmp
memory/3144-2-0x000002185C420000-0x000002185C440000-memory.dmp
memory/3144-3-0x000002185C400000-0x000002185C420000-memory.dmp
memory/3144-4-0x000002185C420000-0x000002185C440000-memory.dmp
memory/3144-5-0x000002185C400000-0x000002185C420000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-10-27 15:13
Reported
2024-10-27 15:33
Platform
win11-20241007-en
Max time kernel
1010s
Max time network
1164s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5108 wrote to memory of 2700 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
| PID 5108 wrote to memory of 2700 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (12).bat"
C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.244.104:5342 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
Files
memory/2700-0-0x00000296707D0000-0x00000296707F0000-memory.dmp
memory/2700-1-0x0000029672290000-0x00000296722B0000-memory.dmp
memory/2700-2-0x00000296722B0000-0x00000296722D0000-memory.dmp
memory/2700-3-0x00000296722E0000-0x0000029672300000-memory.dmp
memory/2700-4-0x00000296722B0000-0x00000296722D0000-memory.dmp
memory/2700-5-0x00000296722E0000-0x0000029672300000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-10-27 15:13
Reported
2024-10-27 15:33
Platform
win11-20241007-en
Max time kernel
426s
Max time network
1181s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5240 wrote to memory of 5568 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
| PID 5240 wrote to memory of 5568 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (3).bat"
C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.244.104:5342 | us-zephyr.miningocean.org | tcp |
Files
memory/5568-0-0x0000018B40920000-0x0000018B40940000-memory.dmp
memory/5568-1-0x0000018B40A70000-0x0000018B40A90000-memory.dmp
memory/5568-2-0x0000018B40AB0000-0x0000018B40AD0000-memory.dmp
memory/5568-3-0x0000018B40AD0000-0x0000018B40AF0000-memory.dmp
memory/5568-4-0x0000018B40AB0000-0x0000018B40AD0000-memory.dmp
memory/5568-5-0x0000018B40AD0000-0x0000018B40AF0000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-10-27 15:13
Reported
2024-10-27 15:40
Platform
win11-20241007-en
Max time kernel
438s
Max time network
1187s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4004 wrote to memory of 640 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
| PID 4004 wrote to memory of 640 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (6).bat"
C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.244.104:5342 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 104.244.204.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
memory/640-0-0x0000028A3C190000-0x0000028A3C1B0000-memory.dmp
memory/640-1-0x0000028A3C1E0000-0x0000028A3C200000-memory.dmp
memory/640-2-0x0000028A3C210000-0x0000028A3C230000-memory.dmp
memory/640-3-0x0000028A3C230000-0x0000028A3C250000-memory.dmp
memory/640-4-0x0000028A3C210000-0x0000028A3C230000-memory.dmp
memory/640-5-0x0000028A3C230000-0x0000028A3C250000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2024-10-27 15:13
Reported
2024-10-27 15:46
Platform
win11-20241007-en
Max time kernel
432s
Max time network
1183s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 924 wrote to memory of 1220 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
| PID 924 wrote to memory of 1220 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (7).bat"
C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.244.104:5342 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
Files
memory/1220-0-0x0000020566E10000-0x0000020566E30000-memory.dmp
memory/1220-1-0x0000020568730000-0x0000020568750000-memory.dmp
memory/1220-3-0x0000020568770000-0x0000020568790000-memory.dmp
memory/1220-2-0x0000020568750000-0x0000020568770000-memory.dmp
memory/1220-4-0x0000020568750000-0x0000020568770000-memory.dmp
memory/1220-5-0x0000020568770000-0x0000020568790000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2024-10-27 15:13
Reported
2024-10-27 15:46
Platform
win11-20241007-en
Max time kernel
434s
Max time network
1198s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1240 wrote to memory of 2984 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
| PID 1240 wrote to memory of 2984 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (8).bat"
C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.240.197:5342 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
memory/2984-0-0x0000018E499E0000-0x0000018E49A00000-memory.dmp
memory/2984-1-0x0000018E49A30000-0x0000018E49A50000-memory.dmp
memory/2984-2-0x0000018E49B80000-0x0000018E49BA0000-memory.dmp
memory/2984-3-0x0000018E49B60000-0x0000018E49B80000-memory.dmp
memory/2984-5-0x0000018E49B60000-0x0000018E49B80000-memory.dmp
memory/2984-4-0x0000018E49B80000-0x0000018E49BA0000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-10-27 15:13
Reported
2024-10-27 15:53
Platform
win11-20241007-en
Max time kernel
432s
Max time network
1190s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1608 wrote to memory of 2780 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
| PID 1608 wrote to memory of 2780 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (9).bat"
C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.240.197:5342 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
Files
memory/2780-0-0x0000019B61F30000-0x0000019B61F50000-memory.dmp
memory/2780-1-0x0000019B61F80000-0x0000019B61FA0000-memory.dmp
memory/2780-3-0x0000019B61FC0000-0x0000019B61FE0000-memory.dmp
memory/2780-2-0x0000019B61FA0000-0x0000019B61FC0000-memory.dmp
memory/2780-4-0x0000019B61FA0000-0x0000019B61FC0000-memory.dmp
memory/2780-5-0x0000019B61FC0000-0x0000019B61FE0000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-27 15:13
Reported
2024-10-27 15:33
Platform
win11-20241007-en
Max time kernel
441s
Max time network
1160s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
Files
memory/928-0-0x00000198B7340000-0x00000198B7360000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-27 15:13
Reported
2024-10-27 15:33
Platform
win11-20241007-en
Max time kernel
731s
Max time network
1157s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 236 wrote to memory of 4408 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
| PID 236 wrote to memory of 4408 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (10).bat"
C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.240.197:5342 | us-zephyr.miningocean.org | tcp |
Files
memory/4408-0-0x00000143EC6E0000-0x00000143EC700000-memory.dmp
memory/4408-1-0x00000143EC880000-0x00000143EC8A0000-memory.dmp
memory/4408-2-0x00000143EC8C0000-0x00000143EC8E0000-memory.dmp
memory/4408-3-0x00000143EC8A0000-0x00000143EC8C0000-memory.dmp
memory/4408-5-0x00000143EC8A0000-0x00000143EC8C0000-memory.dmp
memory/4408-4-0x00000143EC8C0000-0x00000143EC8E0000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2024-10-27 15:13
Reported
2024-10-27 15:53
Platform
win11-20241007-en
Max time kernel
1010s
Max time network
1200s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2064 wrote to memory of 2500 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
| PID 2064 wrote to memory of 2500 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie.bat"
C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.240.197:5342 | us-zephyr.miningocean.org | tcp |
Files
memory/2500-0-0x000001B93BEA0000-0x000001B93BEC0000-memory.dmp
memory/2500-1-0x000001B93BF40000-0x000001B93BF60000-memory.dmp
memory/2500-2-0x000001B93BF60000-0x000001B93BF80000-memory.dmp
memory/2500-3-0x000001B93BF80000-0x000001B93BFA0000-memory.dmp
memory/2500-5-0x000001B93BF80000-0x000001B93BFA0000-memory.dmp
memory/2500-4-0x000001B93BF60000-0x000001B93BF80000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-10-27 15:13
Reported
2024-10-27 15:53
Platform
win11-20241007-en
Max time kernel
1052s
Max time network
1173s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4468 wrote to memory of 2980 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
| PID 4468 wrote to memory of 2980 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr.bat"
C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.240.197:5342 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 197.240.204.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
Files
memory/2980-0-0x000002A46A060000-0x000002A46A080000-memory.dmp
memory/2980-1-0x000002A46A0A0000-0x000002A46A0C0000-memory.dmp
memory/2980-3-0x000002A46A0E0000-0x000002A46A100000-memory.dmp
memory/2980-2-0x000002A46A0C0000-0x000002A46A0E0000-memory.dmp
memory/2980-5-0x000002A46A0E0000-0x000002A46A100000-memory.dmp
memory/2980-4-0x000002A46A0C0000-0x000002A46A0E0000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-10-27 15:13
Reported
2024-10-27 15:37
Platform
win11-20241007-en
Max time kernel
444s
Max time network
1185s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3796 wrote to memory of 240 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
| PID 3796 wrote to memory of 240 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (4).bat"
C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.244.104:5342 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 104.244.204.15.in-addr.arpa | udp |
Files
memory/240-0-0x00000171E2780000-0x00000171E27A0000-memory.dmp
memory/240-1-0x00000171E4180000-0x00000171E41A0000-memory.dmp
memory/240-2-0x00000171E41A0000-0x00000171E41C0000-memory.dmp
memory/240-3-0x00000171E41C0000-0x00000171E41E0000-memory.dmp
memory/240-5-0x00000171E41C0000-0x00000171E41E0000-memory.dmp
memory/240-4-0x00000171E41A0000-0x00000171E41C0000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-10-27 15:13
Reported
2024-10-27 15:37
Platform
win11-20241023-en
Max time kernel
431s
Max time network
1188s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1252 wrote to memory of 4168 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
| PID 1252 wrote to memory of 4168 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (5).bat"
C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.244.104:5342 | us-zephyr.miningocean.org | tcp |
Files
memory/4168-0-0x00000203D4190000-0x00000203D41B0000-memory.dmp
memory/4168-1-0x00000203D41E0000-0x00000203D4200000-memory.dmp
memory/4168-3-0x00000203D4220000-0x00000203D4240000-memory.dmp
memory/4168-2-0x00000203D4200000-0x00000203D4220000-memory.dmp
memory/4168-4-0x00000203D4200000-0x00000203D4220000-memory.dmp
memory/4168-5-0x00000203D4220000-0x00000203D4240000-memory.dmp