Malware Analysis Report

2025-08-05 11:14

Sample ID 241027-slxh3awqhs
Target PUB2.rar
SHA256 8bbab7c6d8c74646fec9b68eff9a0e1a7f294a9ea4e11c46e9161540cb6c5f7e
Tags
miner xmrig
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8bbab7c6d8c74646fec9b68eff9a0e1a7f294a9ea4e11c46e9161540cb6c5f7e

Threat Level: Known bad

The file PUB2.rar was found to be: Known bad.

Malicious Activity Summary

miner xmrig

XMRig Miner payload

Xmrig family

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-10-27 15:13

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xmrig family

xmrig

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-27 15:13

Reported

2024-10-27 15:33

Platform

win11-20241007-en

Max time kernel

1030s

Max time network

1184s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (11).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3696 wrote to memory of 5040 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
PID 3696 wrote to memory of 5040 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (11).bat"

C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.244.104:5342 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 104.244.204.15.in-addr.arpa udp

Files

memory/5040-0-0x00000259F9870000-0x00000259F9890000-memory.dmp

memory/5040-1-0x00000259FB160000-0x00000259FB180000-memory.dmp

memory/5040-2-0x00000259FB180000-0x00000259FB1A0000-memory.dmp

memory/5040-3-0x00000259FB1A0000-0x00000259FB1C0000-memory.dmp

memory/5040-5-0x00000259FB1A0000-0x00000259FB1C0000-memory.dmp

memory/5040-4-0x00000259FB180000-0x00000259FB1A0000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-10-27 15:13

Reported

2024-10-27 15:33

Platform

win11-20241007-en

Max time kernel

670s

Max time network

1181s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (2).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4088 wrote to memory of 3144 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
PID 4088 wrote to memory of 3144 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (2).bat"

C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.244.104:5342 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp

Files

memory/3144-0-0x00000217C9C20000-0x00000217C9C40000-memory.dmp

memory/3144-1-0x00000217C9C70000-0x00000217C9C90000-memory.dmp

memory/3144-2-0x000002185C420000-0x000002185C440000-memory.dmp

memory/3144-3-0x000002185C400000-0x000002185C420000-memory.dmp

memory/3144-4-0x000002185C420000-0x000002185C440000-memory.dmp

memory/3144-5-0x000002185C400000-0x000002185C420000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-10-27 15:13

Reported

2024-10-27 15:33

Platform

win11-20241007-en

Max time kernel

1010s

Max time network

1164s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (12).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5108 wrote to memory of 2700 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
PID 5108 wrote to memory of 2700 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (12).bat"

C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.244.104:5342 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp

Files

memory/2700-0-0x00000296707D0000-0x00000296707F0000-memory.dmp

memory/2700-1-0x0000029672290000-0x00000296722B0000-memory.dmp

memory/2700-2-0x00000296722B0000-0x00000296722D0000-memory.dmp

memory/2700-3-0x00000296722E0000-0x0000029672300000-memory.dmp

memory/2700-4-0x00000296722B0000-0x00000296722D0000-memory.dmp

memory/2700-5-0x00000296722E0000-0x0000029672300000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-10-27 15:13

Reported

2024-10-27 15:33

Platform

win11-20241007-en

Max time kernel

426s

Max time network

1181s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (3).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5240 wrote to memory of 5568 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
PID 5240 wrote to memory of 5568 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (3).bat"

C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.244.104:5342 us-zephyr.miningocean.org tcp

Files

memory/5568-0-0x0000018B40920000-0x0000018B40940000-memory.dmp

memory/5568-1-0x0000018B40A70000-0x0000018B40A90000-memory.dmp

memory/5568-2-0x0000018B40AB0000-0x0000018B40AD0000-memory.dmp

memory/5568-3-0x0000018B40AD0000-0x0000018B40AF0000-memory.dmp

memory/5568-4-0x0000018B40AB0000-0x0000018B40AD0000-memory.dmp

memory/5568-5-0x0000018B40AD0000-0x0000018B40AF0000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-10-27 15:13

Reported

2024-10-27 15:40

Platform

win11-20241007-en

Max time kernel

438s

Max time network

1187s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (6).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4004 wrote to memory of 640 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
PID 4004 wrote to memory of 640 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (6).bat"

C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.244.104:5342 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 104.244.204.15.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

memory/640-0-0x0000028A3C190000-0x0000028A3C1B0000-memory.dmp

memory/640-1-0x0000028A3C1E0000-0x0000028A3C200000-memory.dmp

memory/640-2-0x0000028A3C210000-0x0000028A3C230000-memory.dmp

memory/640-3-0x0000028A3C230000-0x0000028A3C250000-memory.dmp

memory/640-4-0x0000028A3C210000-0x0000028A3C230000-memory.dmp

memory/640-5-0x0000028A3C230000-0x0000028A3C250000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-10-27 15:13

Reported

2024-10-27 15:46

Platform

win11-20241007-en

Max time kernel

432s

Max time network

1183s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (7).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 924 wrote to memory of 1220 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
PID 924 wrote to memory of 1220 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (7).bat"

C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.244.104:5342 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp

Files

memory/1220-0-0x0000020566E10000-0x0000020566E30000-memory.dmp

memory/1220-1-0x0000020568730000-0x0000020568750000-memory.dmp

memory/1220-3-0x0000020568770000-0x0000020568790000-memory.dmp

memory/1220-2-0x0000020568750000-0x0000020568770000-memory.dmp

memory/1220-4-0x0000020568750000-0x0000020568770000-memory.dmp

memory/1220-5-0x0000020568770000-0x0000020568790000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-10-27 15:13

Reported

2024-10-27 15:46

Platform

win11-20241007-en

Max time kernel

434s

Max time network

1198s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (8).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1240 wrote to memory of 2984 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
PID 1240 wrote to memory of 2984 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (8).bat"

C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.240.197:5342 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/2984-0-0x0000018E499E0000-0x0000018E49A00000-memory.dmp

memory/2984-1-0x0000018E49A30000-0x0000018E49A50000-memory.dmp

memory/2984-2-0x0000018E49B80000-0x0000018E49BA0000-memory.dmp

memory/2984-3-0x0000018E49B60000-0x0000018E49B80000-memory.dmp

memory/2984-5-0x0000018E49B60000-0x0000018E49B80000-memory.dmp

memory/2984-4-0x0000018E49B80000-0x0000018E49BA0000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-10-27 15:13

Reported

2024-10-27 15:53

Platform

win11-20241007-en

Max time kernel

432s

Max time network

1190s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (9).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1608 wrote to memory of 2780 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
PID 1608 wrote to memory of 2780 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (9).bat"

C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.240.197:5342 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp

Files

memory/2780-0-0x0000019B61F30000-0x0000019B61F50000-memory.dmp

memory/2780-1-0x0000019B61F80000-0x0000019B61FA0000-memory.dmp

memory/2780-3-0x0000019B61FC0000-0x0000019B61FE0000-memory.dmp

memory/2780-2-0x0000019B61FA0000-0x0000019B61FC0000-memory.dmp

memory/2780-4-0x0000019B61FA0000-0x0000019B61FC0000-memory.dmp

memory/2780-5-0x0000019B61FC0000-0x0000019B61FE0000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-27 15:13

Reported

2024-10-27 15:33

Platform

win11-20241007-en

Max time kernel

441s

Max time network

1160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp

Files

memory/928-0-0x00000198B7340000-0x00000198B7360000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-27 15:13

Reported

2024-10-27 15:33

Platform

win11-20241007-en

Max time kernel

731s

Max time network

1157s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (10).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 236 wrote to memory of 4408 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
PID 236 wrote to memory of 4408 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (10).bat"

C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.240.197:5342 us-zephyr.miningocean.org tcp

Files

memory/4408-0-0x00000143EC6E0000-0x00000143EC700000-memory.dmp

memory/4408-1-0x00000143EC880000-0x00000143EC8A0000-memory.dmp

memory/4408-2-0x00000143EC8C0000-0x00000143EC8E0000-memory.dmp

memory/4408-3-0x00000143EC8A0000-0x00000143EC8C0000-memory.dmp

memory/4408-5-0x00000143EC8A0000-0x00000143EC8C0000-memory.dmp

memory/4408-4-0x00000143EC8C0000-0x00000143EC8E0000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-10-27 15:13

Reported

2024-10-27 15:53

Platform

win11-20241007-en

Max time kernel

1010s

Max time network

1200s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie.bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2064 wrote to memory of 2500 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
PID 2064 wrote to memory of 2500 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie.bat"

C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.240.197:5342 us-zephyr.miningocean.org tcp

Files

memory/2500-0-0x000001B93BEA0000-0x000001B93BEC0000-memory.dmp

memory/2500-1-0x000001B93BF40000-0x000001B93BF60000-memory.dmp

memory/2500-2-0x000001B93BF60000-0x000001B93BF80000-memory.dmp

memory/2500-3-0x000001B93BF80000-0x000001B93BFA0000-memory.dmp

memory/2500-5-0x000001B93BF80000-0x000001B93BFA0000-memory.dmp

memory/2500-4-0x000001B93BF60000-0x000001B93BF80000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-10-27 15:13

Reported

2024-10-27 15:53

Platform

win11-20241007-en

Max time kernel

1052s

Max time network

1173s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr.bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4468 wrote to memory of 2980 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
PID 4468 wrote to memory of 2980 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr.bat"

C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.240.197:5342 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 197.240.204.15.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp

Files

memory/2980-0-0x000002A46A060000-0x000002A46A080000-memory.dmp

memory/2980-1-0x000002A46A0A0000-0x000002A46A0C0000-memory.dmp

memory/2980-3-0x000002A46A0E0000-0x000002A46A100000-memory.dmp

memory/2980-2-0x000002A46A0C0000-0x000002A46A0E0000-memory.dmp

memory/2980-5-0x000002A46A0E0000-0x000002A46A100000-memory.dmp

memory/2980-4-0x000002A46A0C0000-0x000002A46A0E0000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-10-27 15:13

Reported

2024-10-27 15:37

Platform

win11-20241007-en

Max time kernel

444s

Max time network

1185s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (4).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3796 wrote to memory of 240 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
PID 3796 wrote to memory of 240 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (4).bat"

C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.244.104:5342 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 104.244.204.15.in-addr.arpa udp

Files

memory/240-0-0x00000171E2780000-0x00000171E27A0000-memory.dmp

memory/240-1-0x00000171E4180000-0x00000171E41A0000-memory.dmp

memory/240-2-0x00000171E41A0000-0x00000171E41C0000-memory.dmp

memory/240-3-0x00000171E41C0000-0x00000171E41E0000-memory.dmp

memory/240-5-0x00000171E41C0000-0x00000171E41E0000-memory.dmp

memory/240-4-0x00000171E41A0000-0x00000171E41C0000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-10-27 15:13

Reported

2024-10-27 15:37

Platform

win11-20241023-en

Max time kernel

431s

Max time network

1188s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (5).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1252 wrote to memory of 4168 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
PID 1252 wrote to memory of 4168 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (5).bat"

C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.244.104:5342 us-zephyr.miningocean.org tcp

Files

memory/4168-0-0x00000203D4190000-0x00000203D41B0000-memory.dmp

memory/4168-1-0x00000203D41E0000-0x00000203D4200000-memory.dmp

memory/4168-3-0x00000203D4220000-0x00000203D4240000-memory.dmp

memory/4168-2-0x00000203D4200000-0x00000203D4220000-memory.dmp

memory/4168-4-0x00000203D4200000-0x00000203D4220000-memory.dmp

memory/4168-5-0x00000203D4220000-0x00000203D4240000-memory.dmp