Analysis Overview
SHA256
cedef524b310863d014742266add69204464f9ef7b5daac8b8253160195bc66b
Threat Level: Known bad
The file Triage.zip was found to be: Known bad.
Malicious Activity Summary
Xmrig family
xmrig
XMRig Miner payload
UPX packed file
Suspicious use of SetThreadContext
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: LoadsDriver
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-11-13 10:42
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral25
Detonation Overview
Submitted
2024-11-13 10:42
Reported
2024-11-13 11:29
Platform
win11-20241007-en
Max time kernel
1799s
Max time network
1804s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2020 set thread context of 2820 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2020 wrote to memory of 2820 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 2020 wrote to memory of 2820 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 2020 wrote to memory of 2820 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 2020 wrote to memory of 2820 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 2020 wrote to memory of 2820 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| FR | 163.172.154.142:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/2820-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2820-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2820-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2820-8-0x0000000000440000-0x0000000000460000-memory.dmp
memory/2820-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2820-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2820-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2820-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2820-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2820-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2820-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2820-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2820-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2820-15-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2820-16-0x0000000000460000-0x0000000000480000-memory.dmp
memory/2820-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2820-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2820-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2820-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2820-22-0x0000000001F60000-0x0000000001F80000-memory.dmp
memory/2820-21-0x0000000001F40000-0x0000000001F60000-memory.dmp
memory/2820-23-0x0000000001F40000-0x0000000001F60000-memory.dmp
memory/2820-24-0x0000000001F60000-0x0000000001F80000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-11-13 10:42
Reported
2024-11-13 11:29
Platform
win11-20241007-en
Max time kernel
1800s
Max time network
1800s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4120 set thread context of 3132 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4120 wrote to memory of 3132 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 4120 wrote to memory of 3132 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 4120 wrote to memory of 3132 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 4120 wrote to memory of 3132 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 4120 wrote to memory of 3132 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| NL | 51.15.58.224:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 224.58.15.51.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/3132-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3132-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3132-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3132-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3132-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3132-8-0x0000000002C60000-0x0000000002C80000-memory.dmp
memory/3132-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3132-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3132-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3132-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3132-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3132-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3132-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3132-16-0x0000000002D90000-0x0000000002DB0000-memory.dmp
memory/3132-15-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3132-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3132-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3132-22-0x0000000013BE0000-0x0000000013C00000-memory.dmp
memory/3132-21-0x00000000139B0000-0x00000000139D0000-memory.dmp
memory/3132-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3132-23-0x00000000139B0000-0x00000000139D0000-memory.dmp
memory/3132-24-0x0000000013BE0000-0x0000000013C00000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-11-13 10:42
Reported
2024-11-13 11:29
Platform
win10ltsc2021-20241023-en
Max time kernel
1800s
Max time network
1797s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5580 set thread context of 4992 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5580 wrote to memory of 4992 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 5580 wrote to memory of 4992 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 5580 wrote to memory of 4992 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 5580 wrote to memory of 4992 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 5580 wrote to memory of 4992 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| FR | 212.47.253.124:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 124.253.47.212.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.53.154.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fd.api.iris.microsoft.com | udp |
| NL | 20.103.156.88:443 | fd.api.iris.microsoft.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 1.173.189.20.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/4992-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4992-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4992-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4992-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4992-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4992-8-0x0000000000BD0000-0x0000000000BF0000-memory.dmp
memory/4992-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4992-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4992-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4992-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4992-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4992-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4992-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4992-16-0x0000000002640000-0x0000000002660000-memory.dmp
memory/4992-15-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4992-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4992-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4992-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4992-21-0x00000000130D0000-0x00000000130F0000-memory.dmp
memory/4992-22-0x0000000013300000-0x0000000013320000-memory.dmp
memory/4992-23-0x00000000130D0000-0x00000000130F0000-memory.dmp
memory/4992-24-0x0000000013300000-0x0000000013320000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2024-11-13 10:42
Reported
2024-11-13 11:29
Platform
win11-20241007-en
Max time kernel
1799s
Max time network
1798s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3280 set thread context of 4740 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3280 wrote to memory of 4740 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 3280 wrote to memory of 4740 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 3280 wrote to memory of 4740 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 3280 wrote to memory of 4740 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 3280 wrote to memory of 4740 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| FR | 51.15.193.130:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 130.193.15.51.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/4740-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4740-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4740-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4740-8-0x0000000001180000-0x00000000011A0000-memory.dmp
memory/4740-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4740-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4740-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4740-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4740-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4740-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4740-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4740-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4740-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4740-15-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4740-16-0x0000000012E00000-0x0000000012E20000-memory.dmp
memory/4740-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4740-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4740-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4740-21-0x0000000013680000-0x00000000136A0000-memory.dmp
memory/4740-22-0x00000000138B0000-0x00000000138D0000-memory.dmp
memory/4740-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4740-23-0x0000000013680000-0x00000000136A0000-memory.dmp
memory/4740-24-0x00000000138B0000-0x00000000138D0000-memory.dmp
Analysis: behavioral20
Detonation Overview
Submitted
2024-11-13 10:42
Reported
2024-11-13 11:29
Platform
win11-20241007-en
Max time kernel
1799s
Max time network
1805s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2008 set thread context of 1168 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2008 wrote to memory of 1168 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 2008 wrote to memory of 1168 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 2008 wrote to memory of 1168 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 2008 wrote to memory of 1168 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 2008 wrote to memory of 1168 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| FR | 146.59.154.106:10300 | xmr-eu1.nanopool.org | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/1168-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1168-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1168-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1168-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1168-8-0x00000000012B0000-0x00000000012D0000-memory.dmp
memory/1168-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1168-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1168-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1168-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1168-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1168-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1168-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1168-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1168-16-0x0000000002C60000-0x0000000002C80000-memory.dmp
memory/1168-15-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1168-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1168-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1168-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1168-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1168-21-0x0000000002C80000-0x0000000002CA0000-memory.dmp
memory/1168-22-0x00000000139F0000-0x0000000013A10000-memory.dmp
memory/1168-23-0x0000000002C80000-0x0000000002CA0000-memory.dmp
memory/1168-24-0x00000000139F0000-0x0000000013A10000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 10:42
Reported
2024-11-13 11:29
Platform
win7-20240903-en
Max time kernel
1800s
Max time network
1800s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2252 set thread context of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2252 wrote to memory of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 2252 wrote to memory of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 2252 wrote to memory of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 2252 wrote to memory of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 2252 wrote to memory of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| FR | 146.59.154.106:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/2816-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2816-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2816-8-0x00000000000B0000-0x00000000000D0000-memory.dmp
memory/2816-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2816-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2816-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2816-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2816-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2816-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2816-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2816-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2816-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2816-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2816-15-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2816-16-0x0000000000130000-0x0000000000150000-memory.dmp
memory/2816-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2816-17-0x0000000000170000-0x0000000000190000-memory.dmp
memory/2816-18-0x0000000000130000-0x0000000000150000-memory.dmp
memory/2816-19-0x0000000000170000-0x0000000000190000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-11-13 10:42
Reported
2024-11-13 11:29
Platform
win7-20240903-en
Max time kernel
1799s
Max time network
1797s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2400 set thread context of 2820 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2400 wrote to memory of 2820 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 2400 wrote to memory of 2820 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 2400 wrote to memory of 2820 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 2400 wrote to memory of 2820 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 2400 wrote to memory of 2820 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| FR | 141.94.23.83:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/2820-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2820-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2820-8-0x0000000000240000-0x0000000000260000-memory.dmp
memory/2820-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2820-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2820-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2820-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2820-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2820-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2820-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2820-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2820-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2820-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2820-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2820-15-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2820-17-0x00000000002C0000-0x00000000002E0000-memory.dmp
memory/2820-18-0x0000000001B90000-0x0000000001BB0000-memory.dmp
memory/2820-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2820-20-0x00000000002C0000-0x00000000002E0000-memory.dmp
memory/2820-21-0x0000000001B90000-0x0000000001BB0000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2024-11-13 10:42
Reported
2024-11-13 11:29
Platform
win7-20240903-en
Max time kernel
305s
Max time network
1807s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1048 set thread context of 2260 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1048 wrote to memory of 2260 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 1048 wrote to memory of 2260 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 1048 wrote to memory of 2260 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 1048 wrote to memory of 2260 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 1048 wrote to memory of 2260 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| FR | 212.47.253.124:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/2260-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2260-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2260-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2260-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2260-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2260-8-0x00000000000B0000-0x00000000000D0000-memory.dmp
memory/2260-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2260-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2260-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2260-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2260-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2260-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2260-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2260-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2260-16-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2260-15-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2260-17-0x00000000001B0000-0x00000000001D0000-memory.dmp
memory/2260-18-0x00000000002E0000-0x0000000000300000-memory.dmp
memory/2260-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2260-20-0x00000000001B0000-0x00000000001D0000-memory.dmp
memory/2260-21-0x00000000002E0000-0x0000000000300000-memory.dmp
Analysis: behavioral23
Detonation Overview
Submitted
2024-11-13 10:42
Reported
2024-11-13 11:29
Platform
win10v2004-20241007-en
Max time kernel
1799s
Max time network
1805s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2916 set thread context of 5060 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2916 wrote to memory of 5060 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 2916 wrote to memory of 5060 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 2916 wrote to memory of 5060 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 2916 wrote to memory of 5060 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 2916 wrote to memory of 5060 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| NL | 51.15.65.182:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 182.65.15.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.53.154.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 41.173.79.40.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/5060-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5060-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5060-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5060-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5060-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5060-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5060-8-0x00000000009D0000-0x00000000009F0000-memory.dmp
memory/5060-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5060-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5060-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5060-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5060-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5060-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5060-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5060-16-0x0000000000C60000-0x0000000000C80000-memory.dmp
memory/5060-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5060-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5060-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5060-21-0x00000000133F0000-0x0000000013410000-memory.dmp
memory/5060-22-0x0000000013620000-0x0000000013640000-memory.dmp
memory/5060-23-0x00000000133F0000-0x0000000013410000-memory.dmp
memory/5060-24-0x0000000013620000-0x0000000013640000-memory.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2024-11-13 10:42
Reported
2024-11-13 11:29
Platform
win10ltsc2021-20241023-en
Max time kernel
1800s
Max time network
1794s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1424 set thread context of 5880 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1424 wrote to memory of 5880 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 1424 wrote to memory of 5880 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 1424 wrote to memory of 5880 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 1424 wrote to memory of 5880 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 1424 wrote to memory of 5880 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| FR | 146.59.154.106:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 106.154.59.146.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.53.154.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 10.179.89.13.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/5880-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5880-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5880-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5880-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5880-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5880-8-0x00000000010E0000-0x0000000001100000-memory.dmp
memory/5880-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5880-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5880-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5880-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5880-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5880-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5880-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5880-16-0x0000000001100000-0x0000000001120000-memory.dmp
memory/5880-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5880-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5880-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5880-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5880-21-0x0000000013890000-0x00000000138B0000-memory.dmp
memory/5880-22-0x0000000013AC0000-0x0000000013AE0000-memory.dmp
memory/5880-23-0x0000000013890000-0x00000000138B0000-memory.dmp
memory/5880-24-0x0000000013AC0000-0x0000000013AE0000-memory.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2024-11-13 10:42
Reported
2024-11-13 11:29
Platform
win10v2004-20241007-en
Max time kernel
1800s
Max time network
1796s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1480 set thread context of 1868 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1480 wrote to memory of 1868 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 1480 wrote to memory of 1868 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 1480 wrote to memory of 1868 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 1480 wrote to memory of 1868 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 1480 wrote to memory of 1868 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| PL | 54.37.137.114:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 114.137.37.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.53.154.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 90.65.42.20.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/1868-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1868-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1868-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1868-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1868-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1868-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1868-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1868-8-0x0000000002880000-0x00000000028A0000-memory.dmp
memory/1868-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1868-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1868-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1868-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1868-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1868-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1868-16-0x0000000012C60000-0x0000000012C80000-memory.dmp
memory/1868-15-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1868-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1868-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1868-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1868-22-0x0000000013710000-0x0000000013730000-memory.dmp
memory/1868-21-0x00000000134E0000-0x0000000013500000-memory.dmp
memory/1868-23-0x00000000134E0000-0x0000000013500000-memory.dmp
memory/1868-24-0x0000000013710000-0x0000000013730000-memory.dmp
Analysis: behavioral24
Detonation Overview
Submitted
2024-11-13 10:42
Reported
2024-11-13 11:29
Platform
win10ltsc2021-20241023-en
Max time kernel
1800s
Max time network
1804s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3140 set thread context of 2532 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3140 wrote to memory of 2532 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 3140 wrote to memory of 2532 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 3140 wrote to memory of 2532 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 3140 wrote to memory of 2532 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 3140 wrote to memory of 2532 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| PL | 54.37.232.103:10300 | xmr-eu1.nanopool.org | tcp |
| US | 8.8.8.8:53 | 10.53.154.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.232.37.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 11.73.50.20.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/2532-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2532-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2532-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2532-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2532-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2532-8-0x00000000003E0000-0x0000000000400000-memory.dmp
memory/2532-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2532-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2532-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2532-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2532-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2532-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2532-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2532-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2532-16-0x00000000128F0000-0x0000000012910000-memory.dmp
memory/2532-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2532-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2532-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2532-22-0x0000000013070000-0x0000000013090000-memory.dmp
memory/2532-21-0x0000000012E30000-0x0000000012E50000-memory.dmp
memory/2532-23-0x0000000012E30000-0x0000000012E50000-memory.dmp
memory/2532-24-0x0000000013070000-0x0000000013090000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 10:42
Reported
2024-11-13 11:29
Platform
win10ltsc2021-20241023-en
Max time kernel
1799s
Max time network
1802s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1832 set thread context of 5024 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1832 wrote to memory of 5024 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 1832 wrote to memory of 5024 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 1832 wrote to memory of 5024 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 1832 wrote to memory of 5024 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 1832 wrote to memory of 5024 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| FR | 141.94.23.83:10300 | xmr-eu1.nanopool.org | tcp |
| US | 8.8.8.8:53 | 83.23.94.141.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 10.53.154.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 24.73.42.20.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/5024-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5024-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5024-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5024-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5024-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5024-8-0x0000000000F70000-0x0000000000F90000-memory.dmp
memory/5024-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5024-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5024-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5024-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5024-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5024-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5024-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5024-16-0x0000000000FA0000-0x0000000000FC0000-memory.dmp
memory/5024-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5024-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5024-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5024-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5024-22-0x00000000136A0000-0x00000000136C0000-memory.dmp
memory/5024-21-0x0000000013470000-0x0000000013490000-memory.dmp
memory/5024-23-0x0000000013470000-0x0000000013490000-memory.dmp
memory/5024-24-0x00000000136A0000-0x00000000136C0000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-13 10:42
Reported
2024-11-13 11:29
Platform
win10v2004-20241007-en
Max time kernel
1798s
Max time network
1800s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4808 set thread context of 4172 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4808 wrote to memory of 4172 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 4808 wrote to memory of 4172 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 4808 wrote to memory of 4172 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 4808 wrote to memory of 4172 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 4808 wrote to memory of 4172 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| FR | 141.94.23.83:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 83.23.94.141.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.53.154.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 13.73.50.20.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/4172-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4172-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4172-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4172-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4172-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4172-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4172-8-0x00000000008D0000-0x00000000008F0000-memory.dmp
memory/4172-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4172-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4172-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4172-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4172-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4172-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4172-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4172-16-0x0000000000920000-0x0000000000940000-memory.dmp
memory/4172-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4172-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4172-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4172-21-0x0000000012DE0000-0x0000000012E00000-memory.dmp
memory/4172-22-0x0000000013010000-0x0000000013030000-memory.dmp
memory/4172-23-0x0000000012DE0000-0x0000000012E00000-memory.dmp
memory/4172-24-0x0000000013010000-0x0000000013030000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-13 10:42
Reported
2024-11-13 11:29
Platform
win10ltsc2021-20241023-en
Max time kernel
1798s
Max time network
1799s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4628 set thread context of 4188 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4628 wrote to memory of 4188 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 4628 wrote to memory of 4188 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 4628 wrote to memory of 4188 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 4628 wrote to memory of 4188 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 4628 wrote to memory of 4188 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| PL | 54.37.232.103:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 103.232.37.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.53.154.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 214.80.50.20.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/4188-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4188-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4188-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4188-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4188-8-0x0000000001370000-0x0000000001390000-memory.dmp
memory/4188-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4188-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4188-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4188-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4188-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4188-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4188-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4188-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4188-16-0x00000000013A0000-0x00000000013C0000-memory.dmp
memory/4188-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4188-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4188-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4188-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4188-22-0x0000000013CA0000-0x0000000013CC0000-memory.dmp
memory/4188-21-0x0000000002FB0000-0x0000000002FD0000-memory.dmp
memory/4188-23-0x0000000002FB0000-0x0000000002FD0000-memory.dmp
memory/4188-24-0x0000000013CA0000-0x0000000013CC0000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-11-13 10:42
Reported
2024-11-13 11:29
Platform
win7-20240903-en
Max time kernel
1799s
Max time network
1800s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2732 set thread context of 2536 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2732 wrote to memory of 2536 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 2732 wrote to memory of 2536 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 2732 wrote to memory of 2536 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 2732 wrote to memory of 2536 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 2732 wrote to memory of 2536 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| NL | 51.15.65.182:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/2536-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2536-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2536-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2536-8-0x0000000000130000-0x0000000000150000-memory.dmp
memory/2536-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2536-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2536-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2536-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2536-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2536-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2536-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2536-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2536-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2536-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2536-16-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2536-18-0x0000000001BE0000-0x0000000001C00000-memory.dmp
memory/2536-17-0x0000000001BC0000-0x0000000001BE0000-memory.dmp
memory/2536-15-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2536-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2536-21-0x0000000001BE0000-0x0000000001C00000-memory.dmp
memory/2536-20-0x0000000001BC0000-0x0000000001BE0000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-11-13 10:42
Reported
2024-11-13 11:29
Platform
win10ltsc2021-20241023-en
Max time kernel
1798s
Max time network
1797s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3852 set thread context of 4720 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3852 wrote to memory of 4720 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 3852 wrote to memory of 4720 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 3852 wrote to memory of 4720 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 3852 wrote to memory of 4720 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 3852 wrote to memory of 4720 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| NL | 51.15.65.182:10300 | xmr-eu1.nanopool.org | tcp |
| US | 8.8.8.8:53 | 182.65.15.51.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 10.53.154.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fd.api.iris.microsoft.com | udp |
| NL | 20.103.156.88:443 | fd.api.iris.microsoft.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 23.173.189.20.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/4720-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4720-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4720-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4720-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4720-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4720-8-0x00000000028C0000-0x00000000028E0000-memory.dmp
memory/4720-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4720-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4720-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4720-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4720-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4720-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4720-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4720-16-0x00000000029F0000-0x0000000002A10000-memory.dmp
memory/4720-15-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4720-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4720-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4720-20-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4720-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4720-22-0x0000000013740000-0x0000000013760000-memory.dmp
memory/4720-21-0x0000000013510000-0x0000000013530000-memory.dmp
memory/4720-24-0x0000000013740000-0x0000000013760000-memory.dmp
memory/4720-23-0x0000000013510000-0x0000000013530000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-11-13 10:42
Reported
2024-11-13 11:29
Platform
win10ltsc2021-20241023-en
Max time kernel
1798s
Max time network
1798s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1224 set thread context of 1696 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1224 wrote to memory of 1696 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 1224 wrote to memory of 1696 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 1224 wrote to memory of 1696 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 1224 wrote to memory of 1696 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 1224 wrote to memory of 1696 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| FR | 146.59.154.106:10300 | xmr-eu1.nanopool.org | tcp |
| US | 8.8.8.8:53 | 10.53.154.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.154.59.146.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 109.116.69.13.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/1696-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1696-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1696-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1696-8-0x00000000009E0000-0x0000000000A00000-memory.dmp
memory/1696-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1696-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1696-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1696-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1696-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1696-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1696-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1696-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1696-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1696-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1696-16-0x0000000002A20000-0x0000000002A40000-memory.dmp
memory/1696-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1696-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1696-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1696-21-0x0000000002A40000-0x0000000002A60000-memory.dmp
memory/1696-22-0x0000000013630000-0x0000000013650000-memory.dmp
memory/1696-23-0x0000000002A40000-0x0000000002A60000-memory.dmp
memory/1696-24-0x0000000013630000-0x0000000013650000-memory.dmp
Analysis: behavioral18
Detonation Overview
Submitted
2024-11-13 10:42
Reported
2024-11-13 11:29
Platform
win10v2004-20241007-en
Max time kernel
1800s
Max time network
1806s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1984 set thread context of 4980 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1984 wrote to memory of 4980 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 1984 wrote to memory of 4980 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 1984 wrote to memory of 4980 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 1984 wrote to memory of 4980 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 1984 wrote to memory of 4980 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| FR | 163.172.154.142:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 142.154.172.163.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.53.154.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 209.143.182.52.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/4980-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4980-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4980-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4980-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4980-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4980-8-0x00000000007E0000-0x0000000000800000-memory.dmp
memory/4980-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4980-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4980-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4980-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4980-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4980-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4980-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4980-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4980-16-0x0000000000B10000-0x0000000000B30000-memory.dmp
memory/4980-15-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4980-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4980-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4980-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4980-21-0x0000000002330000-0x0000000002350000-memory.dmp
memory/4980-22-0x0000000002350000-0x0000000002370000-memory.dmp
memory/4980-23-0x0000000002330000-0x0000000002350000-memory.dmp
memory/4980-24-0x0000000002350000-0x0000000002370000-memory.dmp
Analysis: behavioral22
Detonation Overview
Submitted
2024-11-13 10:42
Reported
2024-11-13 11:29
Platform
win7-20241010-en
Max time kernel
258s
Max time network
1803s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2524 set thread context of 1476 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2524 wrote to memory of 1476 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 2524 wrote to memory of 1476 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 2524 wrote to memory of 1476 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 2524 wrote to memory of 1476 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 2524 wrote to memory of 1476 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| DE | 51.89.23.91:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/1476-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1476-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1476-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1476-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1476-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1476-8-0x00000000000B0000-0x00000000000D0000-memory.dmp
memory/1476-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1476-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1476-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1476-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1476-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1476-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1476-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1476-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1476-16-0x0000000000330000-0x0000000000350000-memory.dmp
memory/1476-17-0x0000000001FF0000-0x0000000002010000-memory.dmp
memory/1476-18-0x0000000000330000-0x0000000000350000-memory.dmp
memory/1476-19-0x0000000001FF0000-0x0000000002010000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-11-13 10:42
Reported
2024-11-13 11:29
Platform
win11-20241007-en
Max time kernel
1800s
Max time network
1800s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2860 set thread context of 2112 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2860 wrote to memory of 2112 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 2860 wrote to memory of 2112 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 2860 wrote to memory of 2112 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 2860 wrote to memory of 2112 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 2860 wrote to memory of 2112 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| PL | 54.37.137.114:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/2112-8-0x0000000000BE0000-0x0000000000C00000-memory.dmp
memory/2112-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2112-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2112-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2112-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2112-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2112-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2112-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2112-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2112-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2112-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2112-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2112-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2112-16-0x0000000002840000-0x0000000002860000-memory.dmp
memory/2112-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2112-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2112-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2112-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2112-22-0x0000000013510000-0x0000000013530000-memory.dmp
memory/2112-21-0x00000000132E0000-0x0000000013300000-memory.dmp
memory/2112-23-0x00000000132E0000-0x0000000013300000-memory.dmp
memory/2112-24-0x0000000013510000-0x0000000013530000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-11-13 10:42
Reported
2024-11-13 11:29
Platform
win10v2004-20241007-en
Max time kernel
1799s
Max time network
1800s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3612 set thread context of 4764 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3612 wrote to memory of 4764 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 3612 wrote to memory of 4764 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 3612 wrote to memory of 4764 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 3612 wrote to memory of 4764 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 3612 wrote to memory of 4764 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| DE | 162.19.224.121:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 121.224.19.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.53.154.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 18.173.189.20.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/4764-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4764-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4764-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4764-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4764-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4764-8-0x0000000000470000-0x0000000000490000-memory.dmp
memory/4764-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4764-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4764-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4764-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4764-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4764-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4764-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4764-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4764-16-0x00000000021A0000-0x00000000021C0000-memory.dmp
memory/4764-15-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4764-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4764-21-0x0000000012C60000-0x0000000012C80000-memory.dmp
memory/4764-22-0x0000000012E90000-0x0000000012EB0000-memory.dmp
memory/4764-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4764-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4764-23-0x0000000012C60000-0x0000000012C80000-memory.dmp
memory/4764-24-0x0000000012E90000-0x0000000012EB0000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2024-11-13 10:42
Reported
2024-11-13 11:29
Platform
win11-20241007-en
Max time kernel
1798s
Max time network
1797s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4276 set thread context of 1816 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4276 wrote to memory of 1816 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 4276 wrote to memory of 1816 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 4276 wrote to memory of 1816 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 4276 wrote to memory of 1816 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 4276 wrote to memory of 1816 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| FR | 51.15.193.130:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/1816-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1816-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1816-8-0x0000000000AD0000-0x0000000000AF0000-memory.dmp
memory/1816-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1816-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1816-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1816-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1816-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1816-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1816-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1816-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1816-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1816-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1816-16-0x0000000000DD0000-0x0000000000DF0000-memory.dmp
memory/1816-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1816-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1816-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1816-21-0x0000000002620000-0x0000000002640000-memory.dmp
memory/1816-22-0x0000000013510000-0x0000000013530000-memory.dmp
memory/1816-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1816-23-0x0000000002620000-0x0000000002640000-memory.dmp
memory/1816-24-0x0000000013510000-0x0000000013530000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2024-11-13 10:42
Reported
2024-11-13 11:29
Platform
win10v2004-20241007-en
Max time kernel
1799s
Max time network
1798s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2116 set thread context of 3128 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2116 wrote to memory of 3128 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 2116 wrote to memory of 3128 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 2116 wrote to memory of 3128 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 2116 wrote to memory of 3128 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 2116 wrote to memory of 3128 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| FR | 212.47.253.124:10300 | xmr-eu1.nanopool.org | tcp |
| US | 8.8.8.8:53 | 124.253.47.212.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 10.53.154.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 90.16.208.104.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/3128-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3128-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3128-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3128-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3128-8-0x00000000016F0000-0x0000000001710000-memory.dmp
memory/3128-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3128-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3128-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3128-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3128-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3128-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3128-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3128-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3128-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3128-16-0x0000000001730000-0x0000000001750000-memory.dmp
memory/3128-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3128-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3128-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3128-22-0x0000000013CA0000-0x0000000013CC0000-memory.dmp
memory/3128-21-0x0000000013A70000-0x0000000013A90000-memory.dmp
memory/3128-23-0x0000000013A70000-0x0000000013A90000-memory.dmp
memory/3128-24-0x0000000013CA0000-0x0000000013CC0000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2024-11-13 10:42
Reported
2024-11-13 11:29
Platform
win10v2004-20241007-en
Max time kernel
1799s
Max time network
1805s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4852 set thread context of 4964 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4852 wrote to memory of 4964 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 4852 wrote to memory of 4964 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 4852 wrote to memory of 4964 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 4852 wrote to memory of 4964 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 4852 wrote to memory of 4964 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| PL | 54.37.137.114:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 114.137.37.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.53.154.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 214.143.182.52.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/4964-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4964-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4964-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4964-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4964-8-0x0000000000930000-0x0000000000950000-memory.dmp
memory/4964-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4964-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4964-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4964-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4964-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4964-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4964-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4964-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4964-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4964-16-0x0000000000960000-0x0000000000980000-memory.dmp
memory/4964-15-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4964-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4964-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4964-21-0x0000000012E50000-0x0000000012E70000-memory.dmp
memory/4964-22-0x0000000013080000-0x00000000130A0000-memory.dmp
memory/4964-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4964-23-0x0000000012E50000-0x0000000012E70000-memory.dmp
memory/4964-24-0x0000000013080000-0x00000000130A0000-memory.dmp