Analysis Overview
SHA256
bfca67785b156c56f5e04edd97f5dfd4b72664facf1a663dbfb6e2662abf032b
Threat Level: Known bad
The file Nitro generator.exe was found to be: Known bad.
Malicious Activity Summary
Xmrig family
xmrig
XMRig Miner payload
Suspicious use of SetThreadContext
UPX packed file
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Analysis: static1
Detonation Overview
| Field | Value |
| Reported | 2024-11-10 07:59 |
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
| Field | Value |
| Submitted | 2024-11-10 07:59 |
| Reported | 2024-11-10 08:45 |
| Platform | win7-20241023-en |
| Max time kernel | 464s |
| Max time network | 2693s |
Signatures
Xmrig family
xmrig
XMRig Miner payload
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1268 set thread context of 2348 | N/A | C:\Users\Admin\AppData\Local\Temp\Nitro generator.exe | C:\Windows\explorer.exe |
UPX packed file
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nitro generator.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1268 wrote to memory of 2348 | N/A | C:\Users\Admin\AppData\Local\Temp\Nitro generator.exe | C:\Windows\explorer.exe |
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\Nitro generator.exe | "C:\Users\Admin\AppData\Local\Temp\Nitro generator.exe" |
| C:\Windows\explorer.exe | explorer.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| NL | 51.15.58.224:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Analysis: behavioral2
Detonation Overview
| Field | Value |
| Submitted | 2024-11-10 07:59 |
| Reported | 2024-11-10 08:45 |
| Platform | win7-20240903-en |
| Max time kernel | 2700s |
| Max time network | 2693s |
Signatures
Xmrig family
xmrig
XMRig Miner payload
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2512 set thread context of 320 | N/A | C:\Users\Admin\AppData\Local\Temp\Nitro generator.exe | C:\Windows\explorer.exe |
UPX packed file
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nitro generator.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2512 wrote to memory of 320 | N/A | C:\Users\Admin\AppData\Local\Temp\Nitro generator.exe | C:\Windows\explorer.exe |
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\Nitro generator.exe | "C:\Users\Admin\AppData\Local\Temp\Nitro generator.exe" |
| C:\Windows\explorer.exe | explorer.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| FR | 141.94.23.83:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Analysis: behavioral3
Detonation Overview
| Field | Value |
| Submitted | 2024-11-10 07:59 |
| Reported | 2024-11-10 08:45 |
| Platform | win10v2004-20241007-en |
| Max time kernel | 2700s |
| Max time network | 2703s |
Signatures
Xmrig family
xmrig
XMRig Miner payload
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3436 set thread context of 2600 | N/A | C:\Users\Admin\AppData\Local\Temp\Nitro generator.exe | C:\Windows\explorer.exe |
UPX packed file
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nitro generator.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3436 wrote to memory of 2600 | N/A | C:\Users\Admin\AppData\Local\Temp\Nitro generator.exe | C:\Windows\explorer.exe |
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\Nitro generator.exe | "C:\Users\Admin\AppData\Local\Temp\Nitro generator.exe" |
| C:\Windows\explorer.exe | explorer.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| PL | 54.37.232.103:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Analysis: behavioral4
Detonation Overview
| Field | Value |
| Submitted | 2024-11-10 07:59 |
| Reported | 2024-11-10 08:45 |
| Platform | win10ltsc2021-20241023-en |
| Max time kernel | 2698s |
| Max time network | 2697s |
Signatures
Xmrig family
xmrig
XMRig Miner payload
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2800 set thread context of 3516 | N/A | C:\Users\Admin\AppData\Local\Temp\Nitro generator.exe | C:\Windows\explorer.exe |
UPX packed file
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nitro generator.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2800 wrote to memory of 3516 | N/A | C:\Users\Admin\AppData\Local\Temp\Nitro generator.exe | C:\Windows\explorer.exe |
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\Nitro generator.exe | "C:\Users\Admin\AppData\Local\Temp\Nitro generator.exe" |
| C:\Windows\explorer.exe | explorer.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| FR | 146.59.154.106:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | fd.api.iris.microsoft.com | udp |
| FR | 20.199.58.43:443 | fd.api.iris.microsoft.com | tcp |
Analysis: behavioral5
Detonation Overview
| Field | Value |
| Submitted | 2024-11-10 07:59 |
| Reported | 2024-11-10 08:45 |
| Platform | win11-20241023-en |
| Max time kernel | 2699s |
| Max time network | 2693s |
Signatures
Xmrig family
xmrig
XMRig Miner payload
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2044 set thread context of 3444 | N/A | C:\Users\Admin\AppData\Local\Temp\Nitro generator.exe | C:\Windows\explorer.exe |
UPX packed file
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nitro generator.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2044 wrote to memory of 3444 | N/A | C:\Users\Admin\AppData\Local\Temp\Nitro generator.exe | C:\Windows\explorer.exe |
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\Nitro generator.exe | "C:\Users\Admin\AppData\Local\Temp\Nitro generator.exe" |
| C:\Windows\explorer.exe | explorer.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| FR | 146.59.154.106:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |