Malware Analysis Report

2024-12-07 09:27

Sample ID 241113-mywveatncp
Target Triage.zip
SHA256 cedef524b310863d014742266add69204464f9ef7b5daac8b8253160195bc66b
Tags
xmrig miner upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cedef524b310863d014742266add69204464f9ef7b5daac8b8253160195bc66b

Threat Level: Known bad

The file Triage.zip was found to be: Known bad.

Malicious Activity Summary

xmrig miner upx

Xmrig family

xmrig

XMRig Miner payload

UPX packed file

Suspicious use of SetThreadContext

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: LoadsDriver

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-11-13 10:53

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-11-13 10:52

Reported

2024-11-13 12:00

Platform

win10v2004-20241007-en

Max time kernel

1800s

Max time network

1804s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4152 set thread context of 1976 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe C:\Windows\explorer.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
FR 212.47.253.124:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 124.253.47.212.in-addr.arpa udp
US 8.8.8.8:53 10.53.154.104.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 171.117.168.52.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/1976-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1976-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1976-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1976-8-0x0000000001040000-0x0000000001060000-memory.dmp

memory/1976-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1976-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1976-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1976-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1976-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1976-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1976-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1976-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1976-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1976-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1976-16-0x0000000001060000-0x0000000001080000-memory.dmp

memory/1976-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1976-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1976-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1976-21-0x0000000013540000-0x0000000013560000-memory.dmp

memory/1976-22-0x0000000013770000-0x0000000013790000-memory.dmp

memory/1976-23-0x0000000013540000-0x0000000013560000-memory.dmp

memory/1976-24-0x0000000013770000-0x0000000013790000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2024-11-13 10:52

Reported

2024-11-13 11:59

Platform

win11-20241007-en

Max time kernel

1799s

Max time network

1800s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4392 set thread context of 2840 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe C:\Windows\explorer.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
FR 146.59.154.106:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 10.53.154.104.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/2840-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2840-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2840-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2840-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2840-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2840-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2840-8-0x0000000000600000-0x0000000000620000-memory.dmp

memory/2840-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2840-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2840-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2840-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2840-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2840-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2840-15-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2840-16-0x0000000000A90000-0x0000000000AB0000-memory.dmp

memory/2840-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2840-21-0x0000000012DF0000-0x0000000012E10000-memory.dmp

memory/2840-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2840-22-0x0000000013030000-0x0000000013050000-memory.dmp

memory/2840-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2840-23-0x0000000012DF0000-0x0000000012E10000-memory.dmp

memory/2840-24-0x0000000013030000-0x0000000013050000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2024-11-13 10:52

Reported

2024-11-13 12:00

Platform

win10ltsc2021-20241023-en

Max time kernel

1800s

Max time network

1800s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2568 set thread context of 716 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe C:\Windows\explorer.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
DE 51.89.23.91:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 91.23.89.51.in-addr.arpa udp
US 8.8.8.8:53 10.53.154.104.in-addr.arpa udp
US 8.8.8.8:53 fd.api.iris.microsoft.com udp
IE 20.223.35.26:443 fd.api.iris.microsoft.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 11.179.89.13.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/716-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/716-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/716-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/716-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/716-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/716-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/716-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/716-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/716-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/716-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/716-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/716-8-0x0000000000980000-0x00000000009A0000-memory.dmp

memory/716-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/716-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/716-16-0x0000000002560000-0x0000000002580000-memory.dmp

memory/716-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/716-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/716-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/716-21-0x0000000013110000-0x0000000013130000-memory.dmp

memory/716-22-0x0000000013340000-0x0000000013360000-memory.dmp

memory/716-23-0x0000000013110000-0x0000000013130000-memory.dmp

memory/716-24-0x0000000013340000-0x0000000013360000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-13 10:52

Reported

2024-11-13 11:29

Platform

win10v2004-20241007-en

Max time kernel

1799s

Max time network

1796s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 316 set thread context of 1044 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe C:\Windows\explorer.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
NL 51.15.65.182:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 182.65.15.51.in-addr.arpa udp
US 8.8.8.8:53 10.53.154.104.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/1044-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1044-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1044-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1044-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1044-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1044-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1044-8-0x0000000000610000-0x0000000000630000-memory.dmp

memory/1044-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1044-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1044-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1044-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1044-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1044-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1044-16-0x0000000000650000-0x0000000000670000-memory.dmp

memory/1044-15-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1044-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1044-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1044-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1044-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1044-21-0x0000000012DF0000-0x0000000012E10000-memory.dmp

memory/1044-22-0x0000000013020000-0x0000000013040000-memory.dmp

memory/1044-23-0x0000000012DF0000-0x0000000012E10000-memory.dmp

memory/1044-24-0x0000000013020000-0x0000000013040000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-13 10:52

Reported

2024-11-13 11:29

Platform

win10ltsc2021-20241023-en

Max time kernel

1798s

Max time network

1804s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 876 set thread context of 1604 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe C:\Windows\explorer.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
PL 54.37.232.103:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 103.232.37.54.in-addr.arpa udp
US 8.8.8.8:53 10.53.154.104.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 9.179.89.13.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/1604-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1604-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1604-8-0x0000000001590000-0x00000000015B0000-memory.dmp

memory/1604-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1604-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1604-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1604-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1604-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1604-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1604-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1604-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1604-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1604-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1604-15-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1604-16-0x00000000015B0000-0x00000000015D0000-memory.dmp

memory/1604-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1604-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1604-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1604-21-0x0000000002F50000-0x0000000002F70000-memory.dmp

memory/1604-22-0x0000000002F70000-0x0000000002F90000-memory.dmp

memory/1604-23-0x0000000002F50000-0x0000000002F70000-memory.dmp

memory/1604-24-0x0000000002F70000-0x0000000002F90000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-13 10:52

Reported

2024-11-13 11:39

Platform

win11-20241007-en

Max time kernel

1800s

Max time network

1795s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 792 set thread context of 2780 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe C:\Windows\explorer.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
FR 51.15.193.130:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/2780-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2780-8-0x0000000000E00000-0x0000000000E20000-memory.dmp

memory/2780-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2780-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2780-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2780-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2780-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2780-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2780-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2780-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2780-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2780-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2780-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2780-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2780-16-0x0000000000E20000-0x0000000000E40000-memory.dmp

memory/2780-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2780-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2780-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2780-21-0x00000000135D0000-0x00000000135F0000-memory.dmp

memory/2780-22-0x0000000013800000-0x0000000013820000-memory.dmp

memory/2780-23-0x00000000135D0000-0x00000000135F0000-memory.dmp

memory/2780-24-0x0000000013800000-0x0000000013820000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-11-13 10:52

Reported

2024-11-13 11:59

Platform

win10v2004-20241007-en

Max time kernel

1799s

Max time network

1793s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3656 set thread context of 2672 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe C:\Windows\explorer.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
NL 51.15.65.182:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 182.65.15.51.in-addr.arpa udp
US 8.8.8.8:53 10.53.154.104.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 174.117.168.52.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/2672-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2672-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2672-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2672-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2672-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2672-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2672-8-0x0000000001610000-0x0000000001630000-memory.dmp

memory/2672-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2672-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2672-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2672-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2672-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2672-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2672-15-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2672-16-0x0000000001690000-0x00000000016B0000-memory.dmp

memory/2672-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2672-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2672-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2672-21-0x00000000030E0000-0x0000000003100000-memory.dmp

memory/2672-22-0x0000000003100000-0x0000000003120000-memory.dmp

memory/2672-23-0x00000000030E0000-0x0000000003100000-memory.dmp

memory/2672-24-0x0000000003100000-0x0000000003120000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-11-13 10:52

Reported

2024-11-13 11:59

Platform

win11-20241023-en

Max time kernel

1799s

Max time network

1801s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3552 set thread context of 3488 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe C:\Windows\explorer.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
NL 51.15.58.224:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 10.53.154.104.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/3488-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3488-8-0x0000000000DB0000-0x0000000000DD0000-memory.dmp

memory/3488-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3488-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3488-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3488-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3488-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3488-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3488-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3488-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3488-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3488-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3488-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3488-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3488-16-0x0000000001000000-0x0000000001020000-memory.dmp

memory/3488-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3488-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3488-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3488-22-0x0000000002B20000-0x0000000002B40000-memory.dmp

memory/3488-21-0x0000000002B00000-0x0000000002B20000-memory.dmp

memory/3488-23-0x0000000002B00000-0x0000000002B20000-memory.dmp

memory/3488-24-0x0000000002B20000-0x0000000002B40000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2024-11-13 10:52

Reported

2024-11-13 12:00

Platform

win10ltsc2021-20241023-en

Max time kernel

1799s

Max time network

1796s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4324 set thread context of 5012 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe C:\Windows\explorer.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
DE 51.89.23.91:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 91.23.89.51.in-addr.arpa udp
US 8.8.8.8:53 10.53.154.104.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 105.209.201.84.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 94.65.42.20.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 fd.api.iris.microsoft.com udp
FR 20.199.58.43:443 fd.api.iris.microsoft.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/5012-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/5012-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/5012-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/5012-8-0x0000000002E90000-0x0000000002EB0000-memory.dmp

memory/5012-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/5012-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/5012-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/5012-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/5012-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/5012-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/5012-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/5012-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/5012-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/5012-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/5012-16-0x0000000013250000-0x0000000013270000-memory.dmp

memory/5012-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/5012-22-0x0000000013D00000-0x0000000013D20000-memory.dmp

memory/5012-21-0x0000000013AD0000-0x0000000013AF0000-memory.dmp

memory/5012-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/5012-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/5012-23-0x0000000013AD0000-0x0000000013AF0000-memory.dmp

memory/5012-24-0x0000000013D00000-0x0000000013D20000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted

2024-11-13 10:52

Reported

2024-11-13 12:00

Platform

win7-20241010-en

Max time kernel

1789s

Max time network

1796s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1504 set thread context of 1280 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe C:\Windows\explorer.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
FR 146.59.154.106:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/1280-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1280-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1280-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1280-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1280-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1280-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1280-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1280-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1280-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1280-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1280-8-0x0000000000340000-0x0000000000360000-memory.dmp

memory/1280-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1280-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1280-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1280-17-0x0000000001AF0000-0x0000000001B10000-memory.dmp

memory/1280-16-0x0000000001AD0000-0x0000000001AF0000-memory.dmp

memory/1280-19-0x0000000001AF0000-0x0000000001B10000-memory.dmp

memory/1280-18-0x0000000001AD0000-0x0000000001AF0000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-11-13 10:52

Reported

2024-11-13 11:59

Platform

win7-20240903-en

Max time kernel

292s

Max time network

1791s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2784 set thread context of 2140 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe C:\Windows\explorer.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
FR 141.94.23.83:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/2140-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2140-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2140-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2140-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2140-8-0x0000000000040000-0x0000000000060000-memory.dmp

memory/2140-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2140-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2140-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2140-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2140-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2140-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2140-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2140-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2140-15-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2140-17-0x0000000001B00000-0x0000000001B20000-memory.dmp

memory/2140-16-0x00000000003B0000-0x00000000003D0000-memory.dmp

memory/2140-19-0x0000000001B00000-0x0000000001B20000-memory.dmp

memory/2140-18-0x00000000003B0000-0x00000000003D0000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-11-13 10:52

Reported

2024-11-13 11:59

Platform

win10ltsc2021-20241023-en

Max time kernel

1799s

Max time network

1792s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3344 set thread context of 1816 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe C:\Windows\explorer.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
FR 141.94.23.83:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 83.23.94.141.in-addr.arpa udp
US 8.8.8.8:53 10.53.154.104.in-addr.arpa udp
US 8.8.8.8:53 fd.api.iris.microsoft.com udp
FR 20.199.58.43:443 fd.api.iris.microsoft.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 200.79.70.13.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/1816-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1816-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1816-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1816-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1816-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1816-8-0x0000000000FE0000-0x0000000001000000-memory.dmp

memory/1816-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1816-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1816-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1816-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1816-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1816-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1816-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1816-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1816-16-0x0000000013190000-0x00000000131B0000-memory.dmp

memory/1816-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1816-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1816-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1816-21-0x00000000139F0000-0x0000000013A10000-memory.dmp

memory/1816-22-0x0000000013C20000-0x0000000013C40000-memory.dmp

memory/1816-23-0x00000000139F0000-0x0000000013A10000-memory.dmp

memory/1816-24-0x0000000013C20000-0x0000000013C40000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-11-13 10:52

Reported

2024-11-13 12:00

Platform

win10v2004-20241007-en

Max time kernel

1798s

Max time network

1800s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1808 set thread context of 3556 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe C:\Windows\explorer.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
DE 51.89.23.91:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 91.23.89.51.in-addr.arpa udp
US 8.8.8.8:53 10.53.154.104.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 234.17.178.52.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/3556-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3556-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3556-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3556-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3556-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3556-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3556-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3556-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3556-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3556-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3556-8-0x0000000002BC0000-0x0000000002BE0000-memory.dmp

memory/3556-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3556-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3556-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3556-16-0x0000000002CF0000-0x0000000002D10000-memory.dmp

memory/3556-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3556-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3556-22-0x0000000013A50000-0x0000000013A70000-memory.dmp

memory/3556-21-0x0000000013820000-0x0000000013840000-memory.dmp

memory/3556-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3556-23-0x0000000013820000-0x0000000013840000-memory.dmp

memory/3556-24-0x0000000013A50000-0x0000000013A70000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 10:52

Reported

2024-11-13 11:29

Platform

win11-20241007-en

Max time kernel

1799s

Max time network

1795s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3496 set thread context of 1696 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe C:\Windows\explorer.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
DE 162.19.224.121:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/1696-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1696-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1696-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1696-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1696-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1696-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1696-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1696-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1696-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1696-8-0x0000000000C10000-0x0000000000C30000-memory.dmp

memory/1696-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1696-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1696-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1696-16-0x0000000000C40000-0x0000000000C60000-memory.dmp

memory/1696-15-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1696-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1696-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1696-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1696-21-0x00000000133F0000-0x0000000013410000-memory.dmp

memory/1696-22-0x0000000013620000-0x0000000013640000-memory.dmp

memory/1696-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1696-23-0x00000000133F0000-0x0000000013410000-memory.dmp

memory/1696-24-0x0000000013620000-0x0000000013640000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 10:52

Reported

2024-11-13 11:29

Platform

win7-20240903-en

Max time kernel

298s

Max time network

1806s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 848 set thread context of 2340 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe C:\Windows\explorer.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
US 104.154.53.10:80 104.154.53.10 tcp
FR 141.94.23.83:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/2340-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2340-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2340-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2340-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2340-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2340-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2340-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2340-8-0x0000000000230000-0x0000000000250000-memory.dmp

memory/2340-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2340-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2340-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2340-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2340-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2340-15-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2340-17-0x0000000001B10000-0x0000000001B30000-memory.dmp

memory/2340-16-0x0000000001AF0000-0x0000000001B10000-memory.dmp

memory/2340-19-0x0000000001B10000-0x0000000001B30000-memory.dmp

memory/2340-18-0x0000000001AF0000-0x0000000001B10000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-11-13 10:52

Reported

2024-11-13 11:41

Platform

win10ltsc2021-20241023-en

Max time kernel

1800s

Max time network

1796s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3208 set thread context of 852 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe C:\Windows\explorer.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 10.53.154.104.in-addr.arpa udp
DE 51.89.23.91:10300 xmr-eu1.nanopool.org tcp
US 8.8.8.8:53 91.23.89.51.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 9.179.89.13.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/852-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/852-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/852-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/852-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/852-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/852-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/852-8-0x0000000000F60000-0x0000000000F80000-memory.dmp

memory/852-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/852-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/852-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/852-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/852-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/852-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/852-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/852-15-0x0000000140000000-0x0000000140835000-memory.dmp

memory/852-16-0x00007FFAFCD80000-0x00007FFAFD076000-memory.dmp

memory/852-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/852-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/852-19-0x0000000140000000-0x0000000140835000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-11-13 10:52

Reported

2024-11-13 11:59

Platform

win10ltsc2021-20241023-en

Max time kernel

1799s

Max time network

1798s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4264 set thread context of 3528 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe C:\Windows\explorer.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
FR 141.94.23.83:10300 xmr-eu1.nanopool.org tcp
US 8.8.8.8:53 83.23.94.141.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 10.53.154.104.in-addr.arpa udp
US 8.8.8.8:53 fd.api.iris.microsoft.com udp
FR 20.199.58.43:443 fd.api.iris.microsoft.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 26.173.189.20.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/3528-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3528-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3528-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3528-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3528-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3528-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3528-8-0x0000000001360000-0x0000000001380000-memory.dmp

memory/3528-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3528-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3528-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3528-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3528-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3528-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3528-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3528-16-0x0000000001380000-0x00000000013A0000-memory.dmp

memory/3528-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3528-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3528-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3528-22-0x0000000002DB0000-0x0000000002DD0000-memory.dmp

memory/3528-21-0x0000000002D90000-0x0000000002DB0000-memory.dmp

memory/3528-24-0x0000000002DB0000-0x0000000002DD0000-memory.dmp

memory/3528-23-0x0000000002D90000-0x0000000002DB0000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted

2024-11-13 10:52

Reported

2024-11-13 12:00

Platform

win11-20241007-en

Max time kernel

1799s

Max time network

1798s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 5424 set thread context of 6100 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe C:\Windows\explorer.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
DE 162.19.224.121:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 121.224.19.162.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/6100-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/6100-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/6100-8-0x0000000000830000-0x0000000000850000-memory.dmp

memory/6100-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/6100-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/6100-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/6100-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/6100-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/6100-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/6100-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/6100-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/6100-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/6100-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/6100-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/6100-16-0x0000000000960000-0x0000000000980000-memory.dmp

memory/6100-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/6100-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/6100-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/6100-21-0x00000000022F0000-0x0000000002310000-memory.dmp

memory/6100-22-0x0000000002310000-0x0000000002330000-memory.dmp

memory/6100-23-0x00000000022F0000-0x0000000002310000-memory.dmp

memory/6100-24-0x0000000002310000-0x0000000002330000-memory.dmp

Analysis: behavioral23

Detonation Overview

Submitted

2024-11-13 10:52

Reported

2024-11-13 12:00

Platform

win10v2004-20241007-en

Max time kernel

1800s

Max time network

1798s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1740 set thread context of 4088 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe C:\Windows\explorer.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
FR 51.15.193.130:10300 xmr-eu1.nanopool.org tcp
US 8.8.8.8:53 130.193.15.51.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 10.53.154.104.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 2.17.178.52.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/4088-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4088-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4088-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4088-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4088-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4088-8-0x0000000000D30000-0x0000000000D50000-memory.dmp

memory/4088-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4088-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4088-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4088-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4088-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4088-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4088-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4088-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4088-16-0x00000000010F0000-0x0000000001110000-memory.dmp

memory/4088-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4088-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4088-21-0x0000000013550000-0x0000000013570000-memory.dmp

memory/4088-22-0x0000000013780000-0x00000000137A0000-memory.dmp

memory/4088-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4088-24-0x0000000013780000-0x00000000137A0000-memory.dmp

memory/4088-23-0x0000000013550000-0x0000000013570000-memory.dmp

Analysis: behavioral25

Detonation Overview

Submitted

2024-11-13 10:52

Reported

2024-11-13 12:00

Platform

win11-20241007-en

Max time kernel

1799s

Max time network

1797s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2300 set thread context of 3472 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe C:\Windows\explorer.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
DE 51.89.23.91:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/3472-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3472-8-0x00000000009A0000-0x00000000009C0000-memory.dmp

memory/3472-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3472-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3472-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3472-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3472-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3472-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3472-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3472-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3472-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3472-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3472-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3472-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3472-16-0x0000000002200000-0x0000000002220000-memory.dmp

memory/3472-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3472-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3472-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3472-21-0x0000000012EA0000-0x0000000012EC0000-memory.dmp

memory/3472-22-0x00000000130D0000-0x00000000130F0000-memory.dmp

memory/3472-23-0x0000000012EA0000-0x0000000012EC0000-memory.dmp

memory/3472-24-0x00000000130D0000-0x00000000130F0000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-11-13 10:52

Reported

2024-11-13 11:59

Platform

win10ltsc2021-20241023-en

Max time kernel

1799s

Max time network

1794s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4252 set thread context of 1456 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe C:\Windows\explorer.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
FR 51.15.193.130:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 130.193.15.51.in-addr.arpa udp
US 8.8.8.8:53 10.53.154.104.in-addr.arpa udp
US 8.8.8.8:53 fd.api.iris.microsoft.com udp
NL 20.103.156.88:443 fd.api.iris.microsoft.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 15.173.189.20.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/1456-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1456-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1456-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1456-8-0x00000000009E0000-0x0000000000A00000-memory.dmp

memory/1456-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1456-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1456-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1456-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1456-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1456-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1456-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1456-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1456-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1456-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1456-16-0x0000000000D60000-0x0000000000D80000-memory.dmp

memory/1456-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1456-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1456-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1456-21-0x0000000001040000-0x0000000001060000-memory.dmp

memory/1456-22-0x0000000001100000-0x0000000001120000-memory.dmp

memory/1456-23-0x0000000001040000-0x0000000001060000-memory.dmp

memory/1456-24-0x0000000001100000-0x0000000001120000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2024-11-13 10:52

Reported

2024-11-13 12:00

Platform

win7-20240903-en

Max time kernel

286s

Max time network

1799s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2600 set thread context of 2808 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe C:\Windows\explorer.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
FR 212.47.253.124:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/2808-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2808-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2808-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2808-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2808-8-0x0000000000230000-0x0000000000250000-memory.dmp

memory/2808-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2808-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2808-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2808-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2808-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2808-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2808-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2808-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2808-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2808-15-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2808-17-0x0000000001C50000-0x0000000001C70000-memory.dmp

memory/2808-18-0x0000000001CF0000-0x0000000001D10000-memory.dmp

memory/2808-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2808-20-0x0000000001C50000-0x0000000001C70000-memory.dmp

memory/2808-21-0x0000000001CF0000-0x0000000001D10000-memory.dmp

Analysis: behavioral24

Detonation Overview

Submitted

2024-11-13 10:52

Reported

2024-11-13 12:00

Platform

win10ltsc2021-20241023-en

Max time kernel

1800s

Max time network

1797s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4924 set thread context of 4380 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe C:\Windows\explorer.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
DE 51.89.23.91:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 10.53.154.104.in-addr.arpa udp
US 8.8.8.8:53 91.23.89.51.in-addr.arpa udp
US 8.8.8.8:53 fd.api.iris.microsoft.com udp
NL 20.103.156.88:443 fd.api.iris.microsoft.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 27.173.189.20.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/4380-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4380-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4380-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4380-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4380-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4380-8-0x0000000000C60000-0x0000000000C80000-memory.dmp

memory/4380-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4380-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4380-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4380-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4380-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4380-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4380-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4380-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4380-16-0x0000000002440000-0x0000000002460000-memory.dmp

memory/4380-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4380-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4380-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4380-21-0x0000000002490000-0x00000000024B0000-memory.dmp

memory/4380-22-0x0000000013200000-0x0000000013220000-memory.dmp

memory/4380-23-0x0000000002490000-0x00000000024B0000-memory.dmp

memory/4380-24-0x0000000013200000-0x0000000013220000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-11-13 10:52

Reported

2024-11-13 11:47

Platform

win7-20241010-en

Max time kernel

266s

Max time network

1798s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2536 set thread context of 2856 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe C:\Windows\explorer.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
US 104.154.53.10:80 104.154.53.10 tcp
DE 51.89.23.91:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/2856-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2856-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2856-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2856-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2856-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2856-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2856-8-0x00000000000B0000-0x00000000000D0000-memory.dmp

memory/2856-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2856-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2856-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2856-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2856-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2856-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2856-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2856-16-0x0000000000370000-0x0000000000390000-memory.dmp

memory/2856-17-0x0000000000390000-0x00000000003B0000-memory.dmp

memory/2856-18-0x0000000000370000-0x0000000000390000-memory.dmp

memory/2856-19-0x0000000000390000-0x00000000003B0000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-11-13 10:52

Reported

2024-11-13 12:00

Platform

win10v2004-20241007-en

Max time kernel

1798s

Max time network

1802s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3852 set thread context of 4676 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe C:\Windows\explorer.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
FR 141.94.23.83:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 83.23.94.141.in-addr.arpa udp
US 8.8.8.8:53 10.53.154.104.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 1.173.189.20.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/4676-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4676-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4676-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4676-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4676-8-0x0000000000870000-0x0000000000890000-memory.dmp

memory/4676-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4676-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4676-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4676-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4676-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4676-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4676-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4676-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4676-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4676-16-0x0000000000BE0000-0x0000000000C00000-memory.dmp

memory/4676-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4676-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4676-22-0x00000000131F0000-0x0000000013210000-memory.dmp

memory/4676-21-0x0000000012FC0000-0x0000000012FE0000-memory.dmp

memory/4676-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4676-24-0x00000000131F0000-0x0000000013210000-memory.dmp

memory/4676-23-0x0000000012FC0000-0x0000000012FE0000-memory.dmp