Analysis Overview
SHA256
cedef524b310863d014742266add69204464f9ef7b5daac8b8253160195bc66b
Threat Level: Known bad
The file Triage.zip was found to be: Known bad.
Malicious Activity Summary
Xmrig family
xmrig
XMRig Miner payload
UPX packed file
Suspicious use of SetThreadContext
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: LoadsDriver
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-11-13 10:53
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral13
Detonation Overview
Submitted
2024-11-13 10:52
Reported
2024-11-13 12:00
Platform
win10v2004-20241007-en
Max time kernel
1800s
Max time network
1804s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4152 set thread context of 1976 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4152 wrote to memory of 1976 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 4152 wrote to memory of 1976 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 4152 wrote to memory of 1976 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 4152 wrote to memory of 1976 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 4152 wrote to memory of 1976 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| FR | 212.47.253.124:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 124.253.47.212.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.53.154.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 171.117.168.52.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/1976-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1976-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1976-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1976-8-0x0000000001040000-0x0000000001060000-memory.dmp
memory/1976-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1976-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1976-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1976-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1976-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1976-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1976-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1976-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1976-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1976-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1976-16-0x0000000001060000-0x0000000001080000-memory.dmp
memory/1976-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1976-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1976-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1976-21-0x0000000013540000-0x0000000013560000-memory.dmp
memory/1976-22-0x0000000013770000-0x0000000013790000-memory.dmp
memory/1976-23-0x0000000013540000-0x0000000013560000-memory.dmp
memory/1976-24-0x0000000013770000-0x0000000013790000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2024-11-13 10:52
Reported
2024-11-13 11:59
Platform
win11-20241007-en
Max time kernel
1799s
Max time network
1800s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4392 set thread context of 2840 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4392 wrote to memory of 2840 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 4392 wrote to memory of 2840 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 4392 wrote to memory of 2840 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 4392 wrote to memory of 2840 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 4392 wrote to memory of 2840 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| FR | 146.59.154.106:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.53.154.104.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/2840-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2840-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2840-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2840-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2840-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2840-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2840-8-0x0000000000600000-0x0000000000620000-memory.dmp
memory/2840-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2840-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2840-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2840-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2840-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2840-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2840-15-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2840-16-0x0000000000A90000-0x0000000000AB0000-memory.dmp
memory/2840-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2840-21-0x0000000012DF0000-0x0000000012E10000-memory.dmp
memory/2840-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2840-22-0x0000000013030000-0x0000000013050000-memory.dmp
memory/2840-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2840-23-0x0000000012DF0000-0x0000000012E10000-memory.dmp
memory/2840-24-0x0000000013030000-0x0000000013050000-memory.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2024-11-13 10:52
Reported
2024-11-13 12:00
Platform
win10ltsc2021-20241023-en
Max time kernel
1800s
Max time network
1800s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2568 set thread context of 716 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2568 wrote to memory of 716 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 2568 wrote to memory of 716 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 2568 wrote to memory of 716 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 2568 wrote to memory of 716 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 2568 wrote to memory of 716 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| DE | 51.89.23.91:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 91.23.89.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.53.154.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fd.api.iris.microsoft.com | udp |
| IE | 20.223.35.26:443 | fd.api.iris.microsoft.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 11.179.89.13.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/716-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/716-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/716-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/716-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/716-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/716-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/716-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/716-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/716-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/716-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/716-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/716-8-0x0000000000980000-0x00000000009A0000-memory.dmp
memory/716-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/716-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/716-16-0x0000000002560000-0x0000000002580000-memory.dmp
memory/716-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/716-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/716-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/716-21-0x0000000013110000-0x0000000013130000-memory.dmp
memory/716-22-0x0000000013340000-0x0000000013360000-memory.dmp
memory/716-23-0x0000000013110000-0x0000000013130000-memory.dmp
memory/716-24-0x0000000013340000-0x0000000013360000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-13 10:52
Reported
2024-11-13 11:29
Platform
win10v2004-20241007-en
Max time kernel
1799s
Max time network
1796s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 316 set thread context of 1044 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 316 wrote to memory of 1044 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 316 wrote to memory of 1044 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 316 wrote to memory of 1044 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 316 wrote to memory of 1044 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 316 wrote to memory of 1044 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| NL | 51.15.65.182:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 182.65.15.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.53.154.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/1044-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1044-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1044-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1044-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1044-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1044-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1044-8-0x0000000000610000-0x0000000000630000-memory.dmp
memory/1044-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1044-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1044-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1044-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1044-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1044-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1044-16-0x0000000000650000-0x0000000000670000-memory.dmp
memory/1044-15-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1044-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1044-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1044-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1044-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1044-21-0x0000000012DF0000-0x0000000012E10000-memory.dmp
memory/1044-22-0x0000000013020000-0x0000000013040000-memory.dmp
memory/1044-23-0x0000000012DF0000-0x0000000012E10000-memory.dmp
memory/1044-24-0x0000000013020000-0x0000000013040000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-13 10:52
Reported
2024-11-13 11:29
Platform
win10ltsc2021-20241023-en
Max time kernel
1798s
Max time network
1804s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 876 set thread context of 1604 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 876 wrote to memory of 1604 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 876 wrote to memory of 1604 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 876 wrote to memory of 1604 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 876 wrote to memory of 1604 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 876 wrote to memory of 1604 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| PL | 54.37.232.103:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 103.232.37.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.53.154.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 9.179.89.13.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/1604-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1604-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1604-8-0x0000000001590000-0x00000000015B0000-memory.dmp
memory/1604-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1604-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1604-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1604-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1604-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1604-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1604-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1604-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1604-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1604-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1604-15-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1604-16-0x00000000015B0000-0x00000000015D0000-memory.dmp
memory/1604-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1604-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1604-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1604-21-0x0000000002F50000-0x0000000002F70000-memory.dmp
memory/1604-22-0x0000000002F70000-0x0000000002F90000-memory.dmp
memory/1604-23-0x0000000002F50000-0x0000000002F70000-memory.dmp
memory/1604-24-0x0000000002F70000-0x0000000002F90000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-11-13 10:52
Reported
2024-11-13 11:39
Platform
win11-20241007-en
Max time kernel
1800s
Max time network
1795s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 792 set thread context of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 792 wrote to memory of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 792 wrote to memory of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 792 wrote to memory of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 792 wrote to memory of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 792 wrote to memory of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| FR | 51.15.193.130:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/2780-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2780-8-0x0000000000E00000-0x0000000000E20000-memory.dmp
memory/2780-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2780-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2780-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2780-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2780-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2780-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2780-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2780-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2780-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2780-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2780-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2780-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2780-16-0x0000000000E20000-0x0000000000E40000-memory.dmp
memory/2780-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2780-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2780-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2780-21-0x00000000135D0000-0x00000000135F0000-memory.dmp
memory/2780-22-0x0000000013800000-0x0000000013820000-memory.dmp
memory/2780-23-0x00000000135D0000-0x00000000135F0000-memory.dmp
memory/2780-24-0x0000000013800000-0x0000000013820000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-11-13 10:52
Reported
2024-11-13 11:59
Platform
win10v2004-20241007-en
Max time kernel
1799s
Max time network
1793s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3656 set thread context of 2672 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3656 wrote to memory of 2672 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 3656 wrote to memory of 2672 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 3656 wrote to memory of 2672 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 3656 wrote to memory of 2672 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 3656 wrote to memory of 2672 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| NL | 51.15.65.182:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 182.65.15.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.53.154.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 174.117.168.52.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/2672-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2672-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2672-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2672-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2672-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2672-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2672-8-0x0000000001610000-0x0000000001630000-memory.dmp
memory/2672-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2672-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2672-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2672-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2672-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2672-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2672-15-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2672-16-0x0000000001690000-0x00000000016B0000-memory.dmp
memory/2672-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2672-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2672-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2672-21-0x00000000030E0000-0x0000000003100000-memory.dmp
memory/2672-22-0x0000000003100000-0x0000000003120000-memory.dmp
memory/2672-23-0x00000000030E0000-0x0000000003100000-memory.dmp
memory/2672-24-0x0000000003100000-0x0000000003120000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2024-11-13 10:52
Reported
2024-11-13 11:59
Platform
win11-20241023-en
Max time kernel
1799s
Max time network
1801s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3552 set thread context of 3488 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3552 wrote to memory of 3488 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 3552 wrote to memory of 3488 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 3552 wrote to memory of 3488 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 3552 wrote to memory of 3488 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 3552 wrote to memory of 3488 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| NL | 51.15.58.224:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 10.53.154.104.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/3488-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3488-8-0x0000000000DB0000-0x0000000000DD0000-memory.dmp
memory/3488-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3488-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3488-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3488-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3488-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3488-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3488-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3488-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3488-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3488-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3488-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3488-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3488-16-0x0000000001000000-0x0000000001020000-memory.dmp
memory/3488-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3488-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3488-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3488-22-0x0000000002B20000-0x0000000002B40000-memory.dmp
memory/3488-21-0x0000000002B00000-0x0000000002B20000-memory.dmp
memory/3488-23-0x0000000002B00000-0x0000000002B20000-memory.dmp
memory/3488-24-0x0000000002B20000-0x0000000002B40000-memory.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2024-11-13 10:52
Reported
2024-11-13 12:00
Platform
win10ltsc2021-20241023-en
Max time kernel
1799s
Max time network
1796s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4324 set thread context of 5012 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4324 wrote to memory of 5012 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 4324 wrote to memory of 5012 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 4324 wrote to memory of 5012 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 4324 wrote to memory of 5012 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 4324 wrote to memory of 5012 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| DE | 51.89.23.91:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 91.23.89.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.53.154.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.209.201.84.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 94.65.42.20.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | fd.api.iris.microsoft.com | udp |
| FR | 20.199.58.43:443 | fd.api.iris.microsoft.com | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/5012-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5012-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5012-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5012-8-0x0000000002E90000-0x0000000002EB0000-memory.dmp
memory/5012-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5012-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5012-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5012-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5012-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5012-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5012-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5012-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5012-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5012-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5012-16-0x0000000013250000-0x0000000013270000-memory.dmp
memory/5012-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5012-22-0x0000000013D00000-0x0000000013D20000-memory.dmp
memory/5012-21-0x0000000013AD0000-0x0000000013AF0000-memory.dmp
memory/5012-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5012-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5012-23-0x0000000013AD0000-0x0000000013AF0000-memory.dmp
memory/5012-24-0x0000000013D00000-0x0000000013D20000-memory.dmp
Analysis: behavioral22
Detonation Overview
Submitted
2024-11-13 10:52
Reported
2024-11-13 12:00
Platform
win7-20241010-en
Max time kernel
1789s
Max time network
1796s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1504 set thread context of 1280 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1504 wrote to memory of 1280 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 1504 wrote to memory of 1280 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 1504 wrote to memory of 1280 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 1504 wrote to memory of 1280 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 1504 wrote to memory of 1280 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| FR | 146.59.154.106:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/1280-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1280-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1280-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1280-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1280-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1280-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1280-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1280-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1280-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1280-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1280-8-0x0000000000340000-0x0000000000360000-memory.dmp
memory/1280-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1280-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1280-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1280-17-0x0000000001AF0000-0x0000000001B10000-memory.dmp
memory/1280-16-0x0000000001AD0000-0x0000000001AF0000-memory.dmp
memory/1280-19-0x0000000001AF0000-0x0000000001B10000-memory.dmp
memory/1280-18-0x0000000001AD0000-0x0000000001AF0000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-11-13 10:52
Reported
2024-11-13 11:59
Platform
win7-20240903-en
Max time kernel
292s
Max time network
1791s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2784 set thread context of 2140 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2784 wrote to memory of 2140 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 2784 wrote to memory of 2140 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 2784 wrote to memory of 2140 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 2784 wrote to memory of 2140 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 2784 wrote to memory of 2140 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| FR | 141.94.23.83:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/2140-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2140-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2140-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2140-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2140-8-0x0000000000040000-0x0000000000060000-memory.dmp
memory/2140-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2140-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2140-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2140-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2140-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2140-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2140-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2140-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2140-15-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2140-17-0x0000000001B00000-0x0000000001B20000-memory.dmp
memory/2140-16-0x00000000003B0000-0x00000000003D0000-memory.dmp
memory/2140-19-0x0000000001B00000-0x0000000001B20000-memory.dmp
memory/2140-18-0x00000000003B0000-0x00000000003D0000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-11-13 10:52
Reported
2024-11-13 11:59
Platform
win10ltsc2021-20241023-en
Max time kernel
1799s
Max time network
1792s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3344 set thread context of 1816 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3344 wrote to memory of 1816 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 3344 wrote to memory of 1816 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 3344 wrote to memory of 1816 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 3344 wrote to memory of 1816 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 3344 wrote to memory of 1816 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| FR | 141.94.23.83:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 83.23.94.141.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.53.154.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fd.api.iris.microsoft.com | udp |
| FR | 20.199.58.43:443 | fd.api.iris.microsoft.com | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 200.79.70.13.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/1816-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1816-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1816-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1816-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1816-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1816-8-0x0000000000FE0000-0x0000000001000000-memory.dmp
memory/1816-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1816-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1816-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1816-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1816-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1816-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1816-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1816-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1816-16-0x0000000013190000-0x00000000131B0000-memory.dmp
memory/1816-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1816-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1816-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1816-21-0x00000000139F0000-0x0000000013A10000-memory.dmp
memory/1816-22-0x0000000013C20000-0x0000000013C40000-memory.dmp
memory/1816-23-0x00000000139F0000-0x0000000013A10000-memory.dmp
memory/1816-24-0x0000000013C20000-0x0000000013C40000-memory.dmp
Analysis: behavioral18
Detonation Overview
Submitted
2024-11-13 10:52
Reported
2024-11-13 12:00
Platform
win10v2004-20241007-en
Max time kernel
1798s
Max time network
1800s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1808 set thread context of 3556 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1808 wrote to memory of 3556 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 1808 wrote to memory of 3556 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 1808 wrote to memory of 3556 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 1808 wrote to memory of 3556 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 1808 wrote to memory of 3556 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| DE | 51.89.23.91:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 91.23.89.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.53.154.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 234.17.178.52.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/3556-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3556-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3556-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3556-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3556-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3556-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3556-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3556-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3556-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3556-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3556-8-0x0000000002BC0000-0x0000000002BE0000-memory.dmp
memory/3556-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3556-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3556-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3556-16-0x0000000002CF0000-0x0000000002D10000-memory.dmp
memory/3556-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3556-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3556-22-0x0000000013A50000-0x0000000013A70000-memory.dmp
memory/3556-21-0x0000000013820000-0x0000000013840000-memory.dmp
memory/3556-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3556-23-0x0000000013820000-0x0000000013840000-memory.dmp
memory/3556-24-0x0000000013A50000-0x0000000013A70000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 10:52
Reported
2024-11-13 11:29
Platform
win11-20241007-en
Max time kernel
1799s
Max time network
1795s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3496 set thread context of 1696 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3496 wrote to memory of 1696 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 3496 wrote to memory of 1696 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 3496 wrote to memory of 1696 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 3496 wrote to memory of 1696 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 3496 wrote to memory of 1696 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| DE | 162.19.224.121:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/1696-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1696-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1696-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1696-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1696-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1696-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1696-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1696-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1696-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1696-8-0x0000000000C10000-0x0000000000C30000-memory.dmp
memory/1696-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1696-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1696-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1696-16-0x0000000000C40000-0x0000000000C60000-memory.dmp
memory/1696-15-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1696-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1696-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1696-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1696-21-0x00000000133F0000-0x0000000013410000-memory.dmp
memory/1696-22-0x0000000013620000-0x0000000013640000-memory.dmp
memory/1696-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1696-23-0x00000000133F0000-0x0000000013410000-memory.dmp
memory/1696-24-0x0000000013620000-0x0000000013640000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 10:52
Reported
2024-11-13 11:29
Platform
win7-20240903-en
Max time kernel
298s
Max time network
1806s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 848 set thread context of 2340 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 848 wrote to memory of 2340 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 848 wrote to memory of 2340 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 848 wrote to memory of 2340 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 848 wrote to memory of 2340 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 848 wrote to memory of 2340 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| FR | 141.94.23.83:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/2340-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2340-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2340-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2340-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2340-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2340-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2340-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2340-8-0x0000000000230000-0x0000000000250000-memory.dmp
memory/2340-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2340-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2340-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2340-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2340-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2340-15-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2340-17-0x0000000001B10000-0x0000000001B30000-memory.dmp
memory/2340-16-0x0000000001AF0000-0x0000000001B10000-memory.dmp
memory/2340-19-0x0000000001B10000-0x0000000001B30000-memory.dmp
memory/2340-18-0x0000000001AF0000-0x0000000001B10000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-11-13 10:52
Reported
2024-11-13 11:41
Platform
win10ltsc2021-20241023-en
Max time kernel
1800s
Max time network
1796s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3208 set thread context of 852 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3208 wrote to memory of 852 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 3208 wrote to memory of 852 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 3208 wrote to memory of 852 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 3208 wrote to memory of 852 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 3208 wrote to memory of 852 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 10.53.154.104.in-addr.arpa | udp |
| DE | 51.89.23.91:10300 | xmr-eu1.nanopool.org | tcp |
| US | 8.8.8.8:53 | 91.23.89.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 9.179.89.13.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/852-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/852-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/852-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/852-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/852-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/852-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/852-8-0x0000000000F60000-0x0000000000F80000-memory.dmp
memory/852-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/852-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/852-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/852-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/852-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/852-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/852-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/852-15-0x0000000140000000-0x0000000140835000-memory.dmp
memory/852-16-0x00007FFAFCD80000-0x00007FFAFD076000-memory.dmp
memory/852-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/852-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/852-19-0x0000000140000000-0x0000000140835000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-11-13 10:52
Reported
2024-11-13 11:59
Platform
win10ltsc2021-20241023-en
Max time kernel
1799s
Max time network
1798s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4264 set thread context of 3528 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4264 wrote to memory of 3528 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 4264 wrote to memory of 3528 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 4264 wrote to memory of 3528 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 4264 wrote to memory of 3528 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 4264 wrote to memory of 3528 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| FR | 141.94.23.83:10300 | xmr-eu1.nanopool.org | tcp |
| US | 8.8.8.8:53 | 83.23.94.141.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 10.53.154.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fd.api.iris.microsoft.com | udp |
| FR | 20.199.58.43:443 | fd.api.iris.microsoft.com | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 26.173.189.20.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/3528-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3528-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3528-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3528-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3528-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3528-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3528-8-0x0000000001360000-0x0000000001380000-memory.dmp
memory/3528-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3528-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3528-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3528-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3528-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3528-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3528-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3528-16-0x0000000001380000-0x00000000013A0000-memory.dmp
memory/3528-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3528-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3528-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3528-22-0x0000000002DB0000-0x0000000002DD0000-memory.dmp
memory/3528-21-0x0000000002D90000-0x0000000002DB0000-memory.dmp
memory/3528-24-0x0000000002DB0000-0x0000000002DD0000-memory.dmp
memory/3528-23-0x0000000002D90000-0x0000000002DB0000-memory.dmp
Analysis: behavioral20
Detonation Overview
Submitted
2024-11-13 10:52
Reported
2024-11-13 12:00
Platform
win11-20241007-en
Max time kernel
1799s
Max time network
1798s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5424 set thread context of 6100 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5424 wrote to memory of 6100 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 5424 wrote to memory of 6100 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 5424 wrote to memory of 6100 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 5424 wrote to memory of 6100 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 5424 wrote to memory of 6100 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| DE | 162.19.224.121:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 121.224.19.162.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/6100-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/6100-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/6100-8-0x0000000000830000-0x0000000000850000-memory.dmp
memory/6100-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/6100-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/6100-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/6100-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/6100-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/6100-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/6100-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/6100-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/6100-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/6100-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/6100-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/6100-16-0x0000000000960000-0x0000000000980000-memory.dmp
memory/6100-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/6100-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/6100-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/6100-21-0x00000000022F0000-0x0000000002310000-memory.dmp
memory/6100-22-0x0000000002310000-0x0000000002330000-memory.dmp
memory/6100-23-0x00000000022F0000-0x0000000002310000-memory.dmp
memory/6100-24-0x0000000002310000-0x0000000002330000-memory.dmp
Analysis: behavioral23
Detonation Overview
Submitted
2024-11-13 10:52
Reported
2024-11-13 12:00
Platform
win10v2004-20241007-en
Max time kernel
1800s
Max time network
1798s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1740 set thread context of 4088 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1740 wrote to memory of 4088 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 1740 wrote to memory of 4088 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 1740 wrote to memory of 4088 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 1740 wrote to memory of 4088 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 1740 wrote to memory of 4088 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| FR | 51.15.193.130:10300 | xmr-eu1.nanopool.org | tcp |
| US | 8.8.8.8:53 | 130.193.15.51.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 10.53.154.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 2.17.178.52.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/4088-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4088-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4088-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4088-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4088-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4088-8-0x0000000000D30000-0x0000000000D50000-memory.dmp
memory/4088-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4088-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4088-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4088-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4088-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4088-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4088-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4088-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4088-16-0x00000000010F0000-0x0000000001110000-memory.dmp
memory/4088-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4088-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4088-21-0x0000000013550000-0x0000000013570000-memory.dmp
memory/4088-22-0x0000000013780000-0x00000000137A0000-memory.dmp
memory/4088-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4088-24-0x0000000013780000-0x00000000137A0000-memory.dmp
memory/4088-23-0x0000000013550000-0x0000000013570000-memory.dmp
Analysis: behavioral25
Detonation Overview
Submitted
2024-11-13 10:52
Reported
2024-11-13 12:00
Platform
win11-20241007-en
Max time kernel
1799s
Max time network
1797s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2300 set thread context of 3472 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2300 wrote to memory of 3472 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 2300 wrote to memory of 3472 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 2300 wrote to memory of 3472 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 2300 wrote to memory of 3472 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 2300 wrote to memory of 3472 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| DE | 51.89.23.91:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/3472-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3472-8-0x00000000009A0000-0x00000000009C0000-memory.dmp
memory/3472-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3472-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3472-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3472-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3472-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3472-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3472-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3472-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3472-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3472-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3472-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3472-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3472-16-0x0000000002200000-0x0000000002220000-memory.dmp
memory/3472-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3472-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3472-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3472-21-0x0000000012EA0000-0x0000000012EC0000-memory.dmp
memory/3472-22-0x00000000130D0000-0x00000000130F0000-memory.dmp
memory/3472-23-0x0000000012EA0000-0x0000000012EC0000-memory.dmp
memory/3472-24-0x00000000130D0000-0x00000000130F0000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2024-11-13 10:52
Reported
2024-11-13 11:59
Platform
win10ltsc2021-20241023-en
Max time kernel
1799s
Max time network
1794s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4252 set thread context of 1456 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4252 wrote to memory of 1456 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 4252 wrote to memory of 1456 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 4252 wrote to memory of 1456 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 4252 wrote to memory of 1456 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 4252 wrote to memory of 1456 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| FR | 51.15.193.130:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 130.193.15.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.53.154.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fd.api.iris.microsoft.com | udp |
| NL | 20.103.156.88:443 | fd.api.iris.microsoft.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 15.173.189.20.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/1456-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1456-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1456-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1456-8-0x00000000009E0000-0x0000000000A00000-memory.dmp
memory/1456-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1456-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1456-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1456-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1456-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1456-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1456-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1456-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1456-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1456-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1456-16-0x0000000000D60000-0x0000000000D80000-memory.dmp
memory/1456-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1456-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1456-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1456-21-0x0000000001040000-0x0000000001060000-memory.dmp
memory/1456-22-0x0000000001100000-0x0000000001120000-memory.dmp
memory/1456-23-0x0000000001040000-0x0000000001060000-memory.dmp
memory/1456-24-0x0000000001100000-0x0000000001120000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2024-11-13 10:52
Reported
2024-11-13 12:00
Platform
win7-20240903-en
Max time kernel
286s
Max time network
1799s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2600 set thread context of 2808 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2600 wrote to memory of 2808 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 2600 wrote to memory of 2808 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 2600 wrote to memory of 2808 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 2600 wrote to memory of 2808 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 2600 wrote to memory of 2808 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| FR | 212.47.253.124:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/2808-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2808-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2808-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2808-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2808-8-0x0000000000230000-0x0000000000250000-memory.dmp
memory/2808-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2808-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2808-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2808-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2808-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2808-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2808-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2808-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2808-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2808-15-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2808-17-0x0000000001C50000-0x0000000001C70000-memory.dmp
memory/2808-18-0x0000000001CF0000-0x0000000001D10000-memory.dmp
memory/2808-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2808-20-0x0000000001C50000-0x0000000001C70000-memory.dmp
memory/2808-21-0x0000000001CF0000-0x0000000001D10000-memory.dmp
Analysis: behavioral24
Detonation Overview
Submitted
2024-11-13 10:52
Reported
2024-11-13 12:00
Platform
win10ltsc2021-20241023-en
Max time kernel
1800s
Max time network
1797s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4924 set thread context of 4380 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4924 wrote to memory of 4380 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 4924 wrote to memory of 4380 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 4924 wrote to memory of 4380 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 4924 wrote to memory of 4380 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 4924 wrote to memory of 4380 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| DE | 51.89.23.91:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 10.53.154.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.23.89.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fd.api.iris.microsoft.com | udp |
| NL | 20.103.156.88:443 | fd.api.iris.microsoft.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 27.173.189.20.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/4380-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4380-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4380-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4380-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4380-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4380-8-0x0000000000C60000-0x0000000000C80000-memory.dmp
memory/4380-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4380-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4380-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4380-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4380-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4380-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4380-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4380-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4380-16-0x0000000002440000-0x0000000002460000-memory.dmp
memory/4380-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4380-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4380-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4380-21-0x0000000002490000-0x00000000024B0000-memory.dmp
memory/4380-22-0x0000000013200000-0x0000000013220000-memory.dmp
memory/4380-23-0x0000000002490000-0x00000000024B0000-memory.dmp
memory/4380-24-0x0000000013200000-0x0000000013220000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-11-13 10:52
Reported
2024-11-13 11:47
Platform
win7-20241010-en
Max time kernel
266s
Max time network
1798s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2536 set thread context of 2856 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2536 wrote to memory of 2856 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 2536 wrote to memory of 2856 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 2536 wrote to memory of 2856 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 2536 wrote to memory of 2856 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 2536 wrote to memory of 2856 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| DE | 51.89.23.91:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/2856-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2856-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2856-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2856-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2856-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2856-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2856-8-0x00000000000B0000-0x00000000000D0000-memory.dmp
memory/2856-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2856-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2856-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2856-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2856-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2856-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2856-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2856-16-0x0000000000370000-0x0000000000390000-memory.dmp
memory/2856-17-0x0000000000390000-0x00000000003B0000-memory.dmp
memory/2856-18-0x0000000000370000-0x0000000000390000-memory.dmp
memory/2856-19-0x0000000000390000-0x00000000003B0000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-11-13 10:52
Reported
2024-11-13 12:00
Platform
win10v2004-20241007-en
Max time kernel
1798s
Max time network
1802s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3852 set thread context of 4676 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3852 wrote to memory of 4676 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 3852 wrote to memory of 4676 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 3852 wrote to memory of 4676 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 3852 wrote to memory of 4676 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 3852 wrote to memory of 4676 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| FR | 141.94.23.83:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 83.23.94.141.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.53.154.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 1.173.189.20.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/4676-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4676-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4676-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4676-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4676-8-0x0000000000870000-0x0000000000890000-memory.dmp
memory/4676-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4676-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4676-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4676-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4676-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4676-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4676-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4676-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4676-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4676-16-0x0000000000BE0000-0x0000000000C00000-memory.dmp
memory/4676-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4676-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4676-22-0x00000000131F0000-0x0000000013210000-memory.dmp
memory/4676-21-0x0000000012FC0000-0x0000000012FE0000-memory.dmp
memory/4676-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4676-24-0x00000000131F0000-0x0000000013210000-memory.dmp
memory/4676-23-0x0000000012FC0000-0x0000000012FE0000-memory.dmp