Analysis Overview
SHA256
8bbab7c6d8c74646fec9b68eff9a0e1a7f294a9ea4e11c46e9161540cb6c5f7e
Threat Level: Known bad
The file PUB2.rar was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
Xmrig family
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-10-27 16:25
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xmrig family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral3
Detonation Overview
Submitted
2024-10-27 16:25
Reported
2024-10-27 16:32
Platform
win10ltsc2021-20241023-en
Max time kernel
300s
Max time network
324s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2180 wrote to memory of 3916 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
| PID 2180 wrote to memory of 3916 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (11).bat"
C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.244.104:5342 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.244.204.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fd.api.iris.microsoft.com | udp |
| IE | 20.223.36.55:443 | fd.api.iris.microsoft.com | tcp |
Files
memory/3916-0-0x000001953F170000-0x000001953F190000-memory.dmp
memory/3916-1-0x000001953F1C0000-0x000001953F1E0000-memory.dmp
memory/3916-2-0x000001953F220000-0x000001953F240000-memory.dmp
memory/3916-3-0x000001953F1E0000-0x000001953F200000-memory.dmp
memory/3916-5-0x000001953F1E0000-0x000001953F200000-memory.dmp
memory/3916-4-0x000001953F220000-0x000001953F240000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-10-27 16:25
Reported
2024-10-27 16:32
Platform
win10ltsc2021-20241023-en
Max time kernel
154s
Max time network
292s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 376 wrote to memory of 1676 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
| PID 376 wrote to memory of 1676 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (12).bat"
C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 15.204.244.104:5342 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 104.244.204.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fd.api.iris.microsoft.com | udp |
| NL | 20.103.156.88:443 | fd.api.iris.microsoft.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.193.132.51.in-addr.arpa | udp |
Files
memory/1676-0-0x000001DDFCE10000-0x000001DDFCE30000-memory.dmp
memory/1676-1-0x000001DDFCE50000-0x000001DDFCE70000-memory.dmp
memory/1676-2-0x000001DDFCE70000-0x000001DDFCE90000-memory.dmp
memory/1676-3-0x000001DDFCE90000-0x000001DDFCEB0000-memory.dmp
memory/1676-4-0x000001DDFCE70000-0x000001DDFCE90000-memory.dmp
memory/1676-5-0x000001DDFCE90000-0x000001DDFCEB0000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-10-27 16:25
Reported
2024-10-27 16:32
Platform
win10ltsc2021-20241023-en
Max time kernel
300s
Max time network
323s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4300 wrote to memory of 4284 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
| PID 4300 wrote to memory of 4284 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (2).bat"
C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.240.197:5342 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 197.240.204.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
memory/4284-0-0x000002B020B40000-0x000002B020B60000-memory.dmp
memory/4284-1-0x000002B022650000-0x000002B022670000-memory.dmp
memory/4284-2-0x000002B0B4AC0000-0x000002B0B4AE0000-memory.dmp
memory/4284-3-0x000002B0B4D00000-0x000002B0B4D20000-memory.dmp
memory/4284-4-0x000002B0B4AC0000-0x000002B0B4AE0000-memory.dmp
memory/4284-5-0x000002B0B4D00000-0x000002B0B4D20000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-10-27 16:25
Reported
2024-10-27 16:32
Platform
win10ltsc2021-20241023-en
Max time kernel
96s
Max time network
294s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1252 wrote to memory of 232 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
| PID 1252 wrote to memory of 232 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (9).bat"
C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.240.197:5342 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.240.204.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.209.201.84.in-addr.arpa | udp |
Files
memory/232-0-0x0000025DCDDA0000-0x0000025DCDDC0000-memory.dmp
memory/232-1-0x0000025DCF690000-0x0000025DCF6B0000-memory.dmp
memory/232-2-0x0000025DCF6B0000-0x0000025DCF6D0000-memory.dmp
memory/232-3-0x0000025DCF6D0000-0x0000025DCF6F0000-memory.dmp
memory/232-4-0x0000025DCF6B0000-0x0000025DCF6D0000-memory.dmp
memory/232-5-0x0000025DCF6D0000-0x0000025DCF6F0000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-10-27 16:25
Reported
2024-10-27 16:32
Platform
win10ltsc2021-20241023-en
Max time kernel
300s
Max time network
314s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 828 wrote to memory of 1948 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
| PID 828 wrote to memory of 1948 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (3).bat"
C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.244.104:5342 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 104.244.204.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fd.api.iris.microsoft.com | udp |
| IE | 20.223.36.55:443 | fd.api.iris.microsoft.com | tcp |
Files
memory/1948-0-0x0000020C57130000-0x0000020C57150000-memory.dmp
memory/1948-1-0x0000020C57180000-0x0000020C571A0000-memory.dmp
memory/1948-3-0x0000020C571D0000-0x0000020C571F0000-memory.dmp
memory/1948-2-0x0000020C571A0000-0x0000020C571C0000-memory.dmp
memory/1948-4-0x0000020C571A0000-0x0000020C571C0000-memory.dmp
memory/1948-5-0x0000020C571D0000-0x0000020C571F0000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-10-27 16:25
Reported
2024-10-27 16:31
Platform
win10ltsc2021-20241023-en
Max time kernel
300s
Max time network
262s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3988 wrote to memory of 224 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
| PID 3988 wrote to memory of 224 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (4).bat"
C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.240.197:5342 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 197.240.204.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | N/A | udp |
| N/A | 20.189.173.11:443 | N/A | tcp |
Files
memory/224-0-0x000001F50FA40000-0x000001F50FA60000-memory.dmp
memory/224-1-0x000001F511370000-0x000001F511390000-memory.dmp
memory/224-3-0x000001F5113B0000-0x000001F5113D0000-memory.dmp
memory/224-2-0x000001F511390000-0x000001F5113B0000-memory.dmp
memory/224-4-0x000001F511390000-0x000001F5113B0000-memory.dmp
memory/224-5-0x000001F5113B0000-0x000001F5113D0000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2024-10-27 16:25
Reported
2024-10-27 16:32
Platform
win10ltsc2021-20241023-en
Max time kernel
96s
Max time network
268s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3168 wrote to memory of 2468 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
| PID 3168 wrote to memory of 2468 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie.bat"
C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.244.104:5342 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.244.204.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
memory/2468-0-0x0000028E3D100000-0x0000028E3D120000-memory.dmp
memory/2468-1-0x0000028E3D150000-0x0000028E3D170000-memory.dmp
memory/2468-2-0x0000028E3D170000-0x0000028E3D190000-memory.dmp
memory/2468-3-0x0000028E3D190000-0x0000028E3D1B0000-memory.dmp
memory/2468-5-0x0000028E3D190000-0x0000028E3D1B0000-memory.dmp
memory/2468-4-0x0000028E3D170000-0x0000028E3D190000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-10-27 16:25
Reported
2024-10-27 16:32
Platform
win10ltsc2021-20241023-en
Max time kernel
300s
Max time network
281s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3680 wrote to memory of 324 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
| PID 3680 wrote to memory of 324 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr.bat"
C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.240.197:5342 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.240.204.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
memory/324-0-0x000001CF9BCE0000-0x000001CF9BD00000-memory.dmp
memory/324-1-0x000001CF9D740000-0x000001CF9D760000-memory.dmp
memory/324-2-0x000001CF9D760000-0x000001CF9D780000-memory.dmp
memory/324-3-0x000001CF9D780000-0x000001CF9D7A0000-memory.dmp
memory/324-4-0x000001CF9D760000-0x000001CF9D780000-memory.dmp
memory/324-5-0x000001CF9D780000-0x000001CF9D7A0000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-10-27 16:25
Reported
2024-10-27 16:32
Platform
win10ltsc2021-20241023-en
Max time kernel
300s
Max time network
316s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3716 wrote to memory of 4596 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
| PID 3716 wrote to memory of 4596 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (5).bat"
C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.240.197:5342 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.240.204.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fd.api.iris.microsoft.com | udp |
| IE | 20.223.36.55:443 | fd.api.iris.microsoft.com | tcp |
Files
memory/4596-0-0x000001CE1E510000-0x000001CE1E530000-memory.dmp
memory/4596-1-0x000001CE1FE00000-0x000001CE1FE20000-memory.dmp
memory/4596-2-0x000001CE1FE20000-0x000001CE1FE40000-memory.dmp
memory/4596-3-0x000001CE1FE40000-0x000001CE1FE60000-memory.dmp
memory/4596-4-0x000001CE1FE20000-0x000001CE1FE40000-memory.dmp
memory/4596-5-0x000001CE1FE40000-0x000001CE1FE60000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2024-10-27 16:25
Reported
2024-10-27 16:32
Platform
win10ltsc2021-20241023-en
Max time kernel
300s
Max time network
311s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1484 wrote to memory of 3092 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
| PID 1484 wrote to memory of 3092 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (7).bat"
C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.244.104:5342 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.244.204.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.162.46.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fd.api.iris.microsoft.com | udp |
| NL | 20.103.156.88:443 | fd.api.iris.microsoft.com | tcp |
Files
memory/3092-0-0x000002434F100000-0x000002434F120000-memory.dmp
memory/3092-1-0x000002434F240000-0x000002434F260000-memory.dmp
memory/3092-2-0x000002434F260000-0x000002434F280000-memory.dmp
memory/3092-3-0x000002434F2A0000-0x000002434F2C0000-memory.dmp
memory/3092-4-0x000002434F260000-0x000002434F280000-memory.dmp
memory/3092-5-0x000002434F2A0000-0x000002434F2C0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-27 16:25
Reported
2024-10-27 16:33
Platform
win10ltsc2021-20241023-en
Max time kernel
214s
Max time network
309s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1224 wrote to memory of 1896 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
| PID 1224 wrote to memory of 1896 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (10).bat"
C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.240.197:5342 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.240.204.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.173.189.20.in-addr.arpa | udp |
Files
memory/1896-0-0x00000221C2BB0000-0x00000221C2BD0000-memory.dmp
memory/1896-1-0x0000022256630000-0x0000022256650000-memory.dmp
memory/1896-2-0x0000022256A70000-0x0000022256A90000-memory.dmp
memory/1896-3-0x0000022256CA0000-0x0000022256CC0000-memory.dmp
memory/1896-4-0x0000022256A70000-0x0000022256A90000-memory.dmp
memory/1896-5-0x0000022256CA0000-0x0000022256CC0000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-10-27 16:25
Reported
2024-10-27 16:32
Platform
win10ltsc2021-20241023-en
Max time kernel
153s
Max time network
282s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3128 wrote to memory of 4272 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
| PID 3128 wrote to memory of 4272 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (6).bat"
C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.244.104:5342 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 104.244.204.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 137.71.105.51.in-addr.arpa | udp |
Files
memory/4272-0-0x000002236EF70000-0x000002236EF90000-memory.dmp
memory/4272-1-0x000002236EFB0000-0x000002236EFD0000-memory.dmp
memory/4272-2-0x000002236EFD0000-0x000002236EFF0000-memory.dmp
memory/4272-3-0x000002236EFF0000-0x000002236F010000-memory.dmp
memory/4272-4-0x000002236EFD0000-0x000002236EFF0000-memory.dmp
memory/4272-5-0x000002236EFF0000-0x000002236F010000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2024-10-27 16:25
Reported
2024-10-27 16:32
Platform
win10ltsc2021-20241023-en
Max time kernel
300s
Max time network
298s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 548 wrote to memory of 3580 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
| PID 548 wrote to memory of 3580 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB2\zephyr - Copie (8).bat"
C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
xmrig.exe -o us-zephyr.miningocean.org:5342 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.240.197:5342 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.240.204.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.162.46.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | N/A | udp |
| N/A | 20.103.156.88:443 | N/A | tcp |
| SE | 192.229.221.95:80 | N/A | tcp |
Files
memory/3580-0-0x000001ABEC940000-0x000001ABEC960000-memory.dmp
memory/3580-1-0x000001AC7EAF0000-0x000001AC7EB10000-memory.dmp
memory/3580-3-0x000001AC7F160000-0x000001AC7F180000-memory.dmp
memory/3580-2-0x000001AC7EF30000-0x000001AC7EF50000-memory.dmp
memory/3580-5-0x000001AC7F160000-0x000001AC7F180000-memory.dmp
memory/3580-4-0x000001AC7EF30000-0x000001AC7EF50000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-27 16:25
Reported
2024-10-27 16:33
Platform
win10ltsc2021-20241023-en
Max time kernel
97s
Max time network
223s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\PUB2\xmrig.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fd.api.iris.microsoft.com | udp |
| IE | 20.223.35.26:443 | fd.api.iris.microsoft.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
memory/5000-0-0x00000226E30E0000-0x00000226E3100000-memory.dmp