Malware Analysis Report

2024-12-07 09:47

Sample ID 241113-mra95azlbs
Target Triage.zip
SHA256 cedef524b310863d014742266add69204464f9ef7b5daac8b8253160195bc66b
Tags xmrig miner upx
Score 10/10

Analysis Overview

Score 10/10

SHA256

cedef524b310863d014742266add69204464f9ef7b5daac8b8253160195bc66b

Threat Level: Known bad

The file Triage.zip was found to be: Known bad.

Malicious Activity Summary

xmrig miner upx

Xmrig family

xmrig

XMRig Miner payload

Suspicious use of SetThreadContext

UPX packed file

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: LoadsDriver

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-11-13 10:41

Signatures

Unsigned PE

Analysis: behavioral15

Detonation Overview

Submitted

2024-11-13 10:41

Reported

2024-11-13 12:33

Platform

win11-20241007-en

Max time kernel

1799s

Max time network

1802s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3796 set thread context of 4292 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe C:\Windows\explorer.exe

UPX packed file

upx

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
PL 54.37.232.103:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 103.232.37.54.in-addr.arpa udp

Files

Analysis: behavioral17

Detonation Overview

Submitted

2024-11-13 10:41

Reported

2024-11-13 12:38

Platform

win7-20241010-en

Max time kernel

1550s

Max time network

1805s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2220 set thread context of 2568 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe C:\Windows\explorer.exe

UPX packed file

upx

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe N/A

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
PL 54.37.137.114:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

Analysis: behavioral18

Detonation Overview

Submitted

2024-11-13 10:41

Reported

2024-11-13 12:38

Platform

win10v2004-20241007-en

Max time kernel

1799s

Max time network

1794s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3968 set thread context of 4668 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe C:\Windows\explorer.exe

UPX packed file

upx

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
FR 163.172.154.142:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 142.154.172.163.in-addr.arpa udp
US 8.8.8.8:53 10.53.154.104.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 27.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 104.193.132.51.in-addr.arpa udp

Files

Analysis: behavioral8

Detonation Overview

Submitted

2024-11-13 10:41

Reported

2024-11-13 12:08

Platform

win10v2004-20241007-en

Max time kernel

1799s

Max time network

1798s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 456 set thread context of 4652 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe C:\Windows\explorer.exe

UPX packed file

upx

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
FR 163.172.154.142:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 142.154.172.163.in-addr.arpa udp
US 8.8.8.8:53 10.53.154.104.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 73.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.173.189.20.in-addr.arpa udp

Files

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-13 10:41

Reported

2024-11-13 11:12

Platform

win10v2004-20241007-en

Max time kernel

1799s

Max time network

1795s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4808 set thread context of 1900 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe C:\Windows\explorer.exe

UPX packed file

upx

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 72.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
PL 54.37.232.103:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 10.53.154.104.in-addr.arpa udp
US 8.8.8.8:53 103.232.37.54.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 91.65.42.20.in-addr.arpa udp

Files

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-13 10:41

Reported

2024-11-13 11:12

Platform

win11-20241007-en

Max time kernel

1799s

Max time network

1795s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 5036 set thread context of 3204 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe C:\Windows\explorer.exe

UPX packed file

upx

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
FR 146.59.154.106:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

Analysis: behavioral11

Detonation Overview

Submitted

2024-11-13 10:41

Reported

2024-11-13 12:13

Platform

win11-20241007-en

Max time kernel

1798s

Max time network

1795s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1244 set thread context of 652 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe C:\Windows\explorer.exe

UPX packed file

upx

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
FR 141.94.23.83:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp

Files

memory/652-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/652-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/652-8-0x0000000001620000-0x0000000001640000-memory.dmp

memory/652-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/652-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/652-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/652-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/652-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/652-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/652-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/652-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/652-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/652-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/652-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/652-16-0x00000000016C0000-0x00000000016E0000-memory.dmp

memory/652-15-0x0000000140000000-0x0000000140835000-memory.dmp

memory/652-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/652-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/652-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/652-21-0x0000000013B10000-0x0000000013B30000-memory.dmp

memory/652-22-0x0000000013D40000-0x0000000013D60000-memory.dmp

memory/652-23-0x0000000013B10000-0x0000000013B30000-memory.dmp

memory/652-24-0x0000000013D40000-0x0000000013D60000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2024-11-13 10:41

Reported

2024-11-13 12:38

Platform

win10v2004-20241007-en

Max time kernel

1799s

Max time network

1796s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4400 set thread context of 4796 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe C:\Windows\explorer.exe

UPX packed file

upx

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
US 104.154.53.10:80 104.154.53.10 tcp
FR 146.59.154.106:10300 xmr-eu1.nanopool.org tcp
US 8.8.8.8:53 10.53.154.104.in-addr.arpa udp
US 8.8.8.8:53 106.154.59.146.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 5.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 72.239.69.13.in-addr.arpa udp

Files

memory/4796-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4796-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4796-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4796-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4796-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4796-8-0x00000000028D0000-0x00000000028F0000-memory.dmp

memory/4796-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4796-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4796-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4796-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4796-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4796-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4796-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4796-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4796-16-0x0000000012FF0000-0x0000000013010000-memory.dmp

memory/4796-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4796-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4796-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4796-21-0x0000000013530000-0x0000000013550000-memory.dmp

memory/4796-22-0x0000000013760000-0x0000000013780000-memory.dmp

memory/4796-23-0x0000000013530000-0x0000000013550000-memory.dmp

memory/4796-24-0x0000000013760000-0x0000000013780000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted

2024-11-13 10:41

Reported

2024-11-13 12:38

Platform

win7-20240708-en

Max time kernel

1799s

Max time network

1794s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2664 set thread context of 2676 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe C:\Windows\explorer.exe

UPX packed file

upx

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
FR 146.59.154.106:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/2676-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2676-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2676-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2676-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2676-8-0x00000000000B0000-0x00000000000D0000-memory.dmp

memory/2676-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2676-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2676-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2676-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2676-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2676-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2676-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2676-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2676-16-0x00000000021F0000-0x0000000002210000-memory.dmp

memory/2676-15-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2676-17-0x0000000002220000-0x0000000002240000-memory.dmp

memory/2676-18-0x00000000021F0000-0x0000000002210000-memory.dmp

memory/2676-19-0x0000000002220000-0x0000000002240000-memory.dmp

Analysis: behavioral25

Detonation Overview

Submitted

2024-11-13 10:41

Reported

2024-11-13 12:38

Platform

win11-20241007-en

Max time kernel

1798s

Max time network

1792s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1472 set thread context of 2892 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe C:\Windows\explorer.exe

UPX packed file

upx

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
FR 212.47.253.124:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 124.253.47.212.in-addr.arpa udp

Files

memory/2892-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2892-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2892-8-0x00000000004A0000-0x00000000004C0000-memory.dmp

memory/2892-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2892-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2892-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2892-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2892-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2892-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2892-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2892-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2892-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2892-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2892-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2892-16-0x00000000004D0000-0x00000000004F0000-memory.dmp

memory/2892-15-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2892-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2892-20-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2892-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2892-21-0x0000000002240000-0x0000000002260000-memory.dmp

memory/2892-22-0x0000000002260000-0x0000000002280000-memory.dmp

memory/2892-23-0x0000000002240000-0x0000000002260000-memory.dmp

memory/2892-24-0x0000000002260000-0x0000000002280000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 10:41

Reported

2024-11-13 11:12

Platform

win7-20240708-en

Max time kernel

1800s

Max time network

1795s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2848 set thread context of 2148 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe C:\Windows\explorer.exe

UPX packed file

upx

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
PL 54.37.137.114:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/2148-8-0x00000000001C0000-0x00000000001E0000-memory.dmp

memory/2148-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2148-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2148-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2148-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2148-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2148-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2148-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2148-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2148-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2148-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2148-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2148-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2148-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2148-16-0x00000000FFEF0000-0x00000001001B0000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-11-13 10:41

Reported

2024-11-13 12:13

Platform

win11-20241023-en

Max time kernel

1799s

Max time network

1796s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2344 set thread context of 4584 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe C:\Windows\explorer.exe

UPX packed file

upx

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
DE 162.19.224.121:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/4584-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4584-8-0x0000000000CD0000-0x0000000000CF0000-memory.dmp

memory/4584-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4584-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4584-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4584-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4584-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4584-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4584-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4584-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4584-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4584-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4584-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4584-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4584-16-0x0000000000D00000-0x0000000000D20000-memory.dmp

memory/4584-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4584-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4584-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4584-21-0x0000000002890000-0x00000000028B0000-memory.dmp

memory/4584-22-0x00000000028B0000-0x00000000028D0000-memory.dmp

memory/4584-23-0x0000000002890000-0x00000000028B0000-memory.dmp

memory/4584-24-0x00000000028B0000-0x00000000028D0000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-11-13 10:41

Reported

2024-11-13 12:28

Platform

win10ltsc2021-20241023-en

Max time kernel

1800s

Max time network

1801s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3436 set thread context of 1736 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe C:\Windows\explorer.exe

UPX packed file

upx

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
FR 146.59.154.106:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 106.154.59.146.in-addr.arpa udp
US 8.8.8.8:53 10.53.154.104.in-addr.arpa udp
US 8.8.8.8:53 fd.api.iris.microsoft.com udp
NL 20.31.169.57:443 fd.api.iris.microsoft.com tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.178.89.13.in-addr.arpa udp

Files

memory/1736-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1736-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1736-8-0x0000000000E80000-0x0000000000EA0000-memory.dmp

memory/1736-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1736-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1736-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1736-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1736-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1736-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1736-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1736-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1736-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1736-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1736-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1736-16-0x0000000000F00000-0x0000000000F20000-memory.dmp

memory/1736-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1736-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1736-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1736-21-0x0000000002B40000-0x0000000002B60000-memory.dmp

memory/1736-22-0x0000000002B60000-0x0000000002B80000-memory.dmp

memory/1736-23-0x0000000002B40000-0x0000000002B60000-memory.dmp

memory/1736-24-0x0000000002B60000-0x0000000002B80000-memory.dmp

Analysis: behavioral24

Detonation Overview

Submitted

2024-11-13 10:41

Reported

2024-11-13 12:38

Platform

win10ltsc2021-20241023-en

Max time kernel

1800s

Max time network

1795s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4476 set thread context of 64 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe C:\Windows\explorer.exe

UPX packed file

upx

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
FR 141.94.23.83:10300 xmr-eu1.nanopool.org tcp
US 8.8.8.8:53 83.23.94.141.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 10.53.154.104.in-addr.arpa udp
US 8.8.8.8:53 fd.api.iris.microsoft.com udp
NL 20.103.156.88:443 fd.api.iris.microsoft.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 18.173.189.20.in-addr.arpa udp

Files

memory/64-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/64-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/64-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/64-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/64-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/64-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/64-8-0x0000000000500000-0x0000000000520000-memory.dmp

memory/64-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/64-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/64-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/64-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/64-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/64-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/64-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/64-16-0x00000000009B0000-0x00000000009D0000-memory.dmp

memory/64-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/64-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/64-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/64-22-0x0000000012F00000-0x0000000012F20000-memory.dmp

memory/64-21-0x0000000012CD0000-0x0000000012CF0000-memory.dmp

memory/64-24-0x0000000012F00000-0x0000000012F20000-memory.dmp

memory/64-23-0x0000000012CD0000-0x0000000012CF0000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 10:41

Reported

2024-11-13 11:12

Platform

win11-20241007-en

Max time kernel

1800s

Max time network

1803s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4228 set thread context of 4420 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe C:\Windows\explorer.exe

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
DE 162.19.224.121:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/4420-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4420-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4420-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4420-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4420-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4420-8-0x0000000001310000-0x0000000001330000-memory.dmp

memory/4420-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4420-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4420-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4420-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4420-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4420-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4420-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4420-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4420-16-0x0000000001340000-0x0000000001360000-memory.dmp

memory/4420-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4420-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4420-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4420-22-0x00000000016C0000-0x00000000016E0000-memory.dmp

memory/4420-21-0x00000000016A0000-0x00000000016C0000-memory.dmp

memory/4420-23-0x00000000016A0000-0x00000000016C0000-memory.dmp

memory/4420-24-0x00000000016C0000-0x00000000016E0000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-11-13 10:41

Reported

2024-11-13 11:12

Platform

win10v2004-20241007-en

Max time kernel

1800s

Max time network

1805s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 864 set thread context of 424 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe C:\Windows\explorer.exe

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
US 104.154.53.10:80 104.154.53.10 tcp
NL 51.15.58.224:10300 xmr-eu1.nanopool.org tcp
US 8.8.8.8:53 10.53.154.104.in-addr.arpa udp
US 8.8.8.8:53 224.58.15.51.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 69.209.201.84.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 49.192.11.51.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/424-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/424-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/424-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/424-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/424-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/424-8-0x00000000012C0000-0x00000000012E0000-memory.dmp

memory/424-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/424-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/424-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/424-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/424-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/424-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/424-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/424-16-0x0000000001610000-0x0000000001630000-memory.dmp

memory/424-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/424-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/424-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/424-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/424-22-0x0000000013CD0000-0x0000000013CF0000-memory.dmp

memory/424-21-0x00000000016C0000-0x00000000016E0000-memory.dmp

memory/424-23-0x00000000016C0000-0x00000000016E0000-memory.dmp

memory/424-24-0x0000000013CD0000-0x0000000013CF0000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-11-13 10:41

Reported

2024-11-13 11:12

Platform

win7-20241010-en

Max time kernel

248s

Max time network

1805s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1688 set thread context of 3000 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe C:\Windows\explorer.exe

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
FR 51.15.193.130:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/3000-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3000-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3000-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3000-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3000-8-0x00000000001B0000-0x00000000001D0000-memory.dmp

memory/3000-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3000-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3000-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3000-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3000-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3000-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3000-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3000-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3000-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3000-15-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3000-17-0x0000000001C00000-0x0000000001C20000-memory.dmp

memory/3000-18-0x0000000001CA0000-0x0000000001CC0000-memory.dmp

memory/3000-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3000-20-0x0000000001C00000-0x0000000001C20000-memory.dmp

memory/3000-21-0x0000000001CA0000-0x0000000001CC0000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-11-13 10:41

Reported

2024-11-13 12:08

Platform

win10ltsc2021-20241023-en

Max time kernel

1800s

Max time network

1807s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3048 set thread context of 32 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe C:\Windows\explorer.exe

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
US 104.154.53.10:80 104.154.53.10 tcp
FR 212.47.253.124:10300 xmr-eu1.nanopool.org tcp
US 8.8.8.8:53 10.53.154.104.in-addr.arpa udp
US 8.8.8.8:53 124.253.47.212.in-addr.arpa udp
US 8.8.8.8:53 fd.api.iris.microsoft.com udp
FR 20.199.58.43:443 fd.api.iris.microsoft.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 99.209.201.84.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 26.73.42.20.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/32-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/32-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/32-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/32-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/32-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/32-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/32-8-0x0000000002550000-0x0000000002570000-memory.dmp

memory/32-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/32-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/32-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/32-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/32-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/32-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/32-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/32-16-0x0000000012C50000-0x0000000012C70000-memory.dmp

memory/32-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/32-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/32-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/32-21-0x00000000131A0000-0x00000000131C0000-memory.dmp

memory/32-22-0x00000000133D0000-0x00000000133F0000-memory.dmp

memory/32-23-0x00000000131A0000-0x00000000131C0000-memory.dmp

memory/32-24-0x00000000133D0000-0x00000000133F0000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-11-13 10:41

Reported

2024-11-13 12:13

Platform

win7-20240708-en

Max time kernel

311s

Max time network

1796s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2412 set thread context of 1736 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe C:\Windows\explorer.exe

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
PL 54.37.232.103:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/1736-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1736-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1736-8-0x00000000001B0000-0x00000000001D0000-memory.dmp

memory/1736-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1736-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1736-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1736-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1736-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1736-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1736-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1736-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1736-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1736-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1736-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1736-17-0x0000000002390000-0x00000000023B0000-memory.dmp

memory/1736-16-0x0000000001C50000-0x0000000001C70000-memory.dmp

memory/1736-19-0x0000000002390000-0x00000000023B0000-memory.dmp

memory/1736-18-0x0000000001C50000-0x0000000001C70000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-11-13 10:41

Reported

2024-11-13 12:13

Platform

win10v2004-20241007-en

Max time kernel

1799s

Max time network

1804s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3716 set thread context of 3076 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe C:\Windows\explorer.exe

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
US 104.154.53.10:80 104.154.53.10 tcp
FR 141.94.23.83:10300 xmr-eu1.nanopool.org tcp
US 8.8.8.8:53 10.53.154.104.in-addr.arpa udp
US 8.8.8.8:53 83.23.94.141.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 225.162.46.104.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/3076-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3076-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3076-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3076-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3076-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3076-8-0x0000000000550000-0x0000000000570000-memory.dmp

memory/3076-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3076-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3076-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3076-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3076-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3076-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3076-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3076-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3076-16-0x0000000002290000-0x00000000022B0000-memory.dmp

memory/3076-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3076-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3076-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3076-22-0x0000000012F30000-0x0000000012F50000-memory.dmp

memory/3076-21-0x0000000012D00000-0x0000000012D20000-memory.dmp

memory/3076-24-0x0000000012F30000-0x0000000012F50000-memory.dmp

memory/3076-23-0x0000000012D00000-0x0000000012D20000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-11-13 10:41

Reported

2024-11-13 12:34

Platform

win10v2004-20241007-en

Max time kernel

1799s

Max time network

1799s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1980 set thread context of 3092 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe C:\Windows\explorer.exe

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
FR 212.47.253.124:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 124.253.47.212.in-addr.arpa udp
US 8.8.8.8:53 10.53.154.104.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 14.173.189.20.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/3092-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3092-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3092-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3092-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3092-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3092-8-0x00000000010A0000-0x00000000010C0000-memory.dmp

memory/3092-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3092-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3092-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3092-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3092-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3092-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3092-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3092-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3092-16-0x00000000013E0000-0x0000000001400000-memory.dmp

memory/3092-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3092-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3092-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3092-21-0x00000000137C0000-0x00000000137E0000-memory.dmp

memory/3092-22-0x00000000139F0000-0x0000000013A10000-memory.dmp

memory/3092-23-0x00000000137C0000-0x00000000137E0000-memory.dmp

memory/3092-24-0x00000000139F0000-0x0000000013A10000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2024-11-13 10:41

Reported

2024-11-13 12:38

Platform

win10ltsc2021-20241023-en

Max time kernel

1799s

Max time network

1803s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 796 set thread context of 4716 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe C:\Windows\explorer.exe

UPX packed file

upx
Description Indicator Process Target

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
FR 163.172.154.142:10300 xmr-eu1.nanopool.org tcp
US 8.8.8.8:53 142.154.172.163.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 10.53.154.104.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 4.173.189.20.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/4716-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4716-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4716-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4716-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4716-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4716-8-0x0000000002E30000-0x0000000002E50000-memory.dmp

memory/4716-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4716-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4716-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4716-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4716-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4716-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4716-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4716-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4716-16-0x0000000002E50000-0x0000000002E70000-memory.dmp

memory/4716-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4716-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4716-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4716-21-0x0000000013A70000-0x0000000013A90000-memory.dmp

memory/4716-22-0x0000000013CA0000-0x0000000013CC0000-memory.dmp

memory/4716-23-0x0000000013A70000-0x0000000013A90000-memory.dmp

memory/4716-24-0x0000000013CA0000-0x0000000013CC0000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-13 10:41

Reported

2024-11-13 11:12

Platform

win10ltsc2021-20241023-en

Max time kernel

1800s

Max time network

1795s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2316 set thread context of 2400 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe C:\Windows\explorer.exe

UPX packed file

upx
Description Indicator Process Target

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
US 104.154.53.10:80 104.154.53.10 tcp
FR 141.94.23.83:10300 xmr-eu1.nanopool.org tcp
US 8.8.8.8:53 10.53.154.104.in-addr.arpa udp
US 8.8.8.8:53 83.23.94.141.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 170.117.168.52.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/2400-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2400-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2400-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2400-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2400-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2400-8-0x0000000000DE0000-0x0000000000E00000-memory.dmp

memory/2400-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2400-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2400-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2400-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2400-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2400-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2400-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2400-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2400-16-0x0000000002CD0000-0x0000000002CF0000-memory.dmp

memory/2400-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2400-20-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2400-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2400-21-0x0000000002CF0000-0x0000000002D10000-memory.dmp

memory/2400-22-0x0000000013A70000-0x0000000013A90000-memory.dmp

memory/2400-23-0x0000000002CF0000-0x0000000002D10000-memory.dmp

memory/2400-24-0x0000000013A70000-0x0000000013A90000-memory.dmp

Analysis: behavioral23

Detonation Overview

Submitted

2024-11-13 10:41

Reported

2024-11-13 12:38

Platform

win10v2004-20241007-en

Max time kernel

1799s

Max time network

1795s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1272 set thread context of 4908 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe C:\Windows\explorer.exe

UPX packed file

upx
Description Indicator Process Target

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
FR 141.94.23.83:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 83.23.94.141.in-addr.arpa udp
US 8.8.8.8:53 10.53.154.104.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 5.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 27.73.42.20.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/4908-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4908-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4908-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4908-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4908-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4908-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4908-8-0x0000000002C40000-0x0000000002C60000-memory.dmp

memory/4908-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4908-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4908-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4908-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4908-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4908-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4908-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4908-16-0x0000000002DE0000-0x0000000002E00000-memory.dmp

memory/4908-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4908-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4908-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4908-21-0x0000000013890000-0x00000000138B0000-memory.dmp

memory/4908-22-0x0000000013AC0000-0x0000000013AE0000-memory.dmp

memory/4908-23-0x0000000013890000-0x00000000138B0000-memory.dmp

memory/4908-24-0x0000000013AC0000-0x0000000013AE0000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted

2024-11-13 10:41

Reported

2024-11-13 12:38

Platform

win11-20241007-en

Max time kernel

1799s

Max time network

1796s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4764 set thread context of 4212 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe C:\Windows\explorer.exe

UPX packed file

upx
Description Indicator Process Target

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
US 104.154.53.10:80 104.154.53.10 tcp
PL 54.37.137.114:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/4212-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4212-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4212-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4212-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4212-8-0x0000000001FE0000-0x0000000002000000-memory.dmp

memory/4212-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4212-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4212-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4212-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4212-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4212-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4212-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4212-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4212-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4212-16-0x00000000126E0000-0x0000000012700000-memory.dmp

memory/4212-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4212-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4212-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4212-21-0x0000000012C30000-0x0000000012C50000-memory.dmp

memory/4212-22-0x0000000012E60000-0x0000000012E80000-memory.dmp

memory/4212-23-0x0000000012C30000-0x0000000012C50000-memory.dmp

memory/4212-24-0x0000000012E60000-0x0000000012E80000-memory.dmp