Malware Analysis Report

2024-12-07 07:38

Sample ID 241113-mz865azmdx
Target Triage.zip
SHA256 cedef524b310863d014742266add69204464f9ef7b5daac8b8253160195bc66b
Tags: xmrig miner upx
Score: 10/10

Analysis Overview

Score: 10/10

SHA256

cedef524b310863d014742266add69204464f9ef7b5daac8b8253160195bc66b

Threat Level: Known bad

The file Triage.zip was found to be: Known bad.

Malicious Activity Summary

xmrig miner upx

Xmrig family

xmrig

XMRig Miner payload

Suspicious use of SetThreadContext

UPX packed file

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: LoadsDriver

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-11-13 10:55

Signatures

Unsigned PE


Analysis: behavioral7

Detonation Overview

Submitted

2024-11-13 10:55

Reported

2024-11-13 11:37

Platform

win7-20240903-en

Max time kernel

1798s

Max time network

1798s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2084 set thread context of 268 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe C:\Windows\explorer.exe

UPX packed file

upx

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
NL 51.15.65.182:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files


Analysis: behavioral14

Detonation Overview

Submitted

2024-11-13 10:55

Reported

2024-11-13 11:37

Platform

win10ltsc2021-20241023-en

Max time kernel

1799s

Max time network

1800s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3004 set thread context of 472 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe C:\Windows\explorer.exe

UPX packed file

upx

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
FR 146.59.154.106:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 106.154.59.146.in-addr.arpa udp
US 8.8.8.8:53 10.53.154.104.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 63.141.182.52.in-addr.arpa udp

Files


Analysis: behavioral15

Detonation Overview

Submitted

2024-11-13 10:55

Reported

2024-11-13 11:37

Platform

win11-20241007-en

Max time kernel

1800s

Max time network

1799s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3080 set thread context of 3344 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe C:\Windows\explorer.exe

UPX packed file

upx

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
PL 54.37.137.114:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp

Files


Analysis: behavioral17

Detonation Overview

Submitted

2024-11-13 10:55

Reported

2024-11-13 11:37

Platform

win7-20240903-en

Max time kernel

290s

Max time network

1798s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2324 set thread context of 2004 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe C:\Windows\explorer.exe

UPX packed file

upx

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
DE 162.19.224.121:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files


Analysis: behavioral19

Detonation Overview

Submitted

2024-11-13 10:55

Reported

2024-11-13 11:37

Platform

win10ltsc2021-20241023-en

Max time kernel

1800s

Max time network

1806s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1760 set thread context of 4844 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe C:\Windows\explorer.exe

UPX packed file

upx

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
PL 54.37.137.114:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 114.137.37.54.in-addr.arpa udp
US 8.8.8.8:53 10.53.154.104.in-addr.arpa udp
US 8.8.8.8:53 fd.api.iris.microsoft.com udp
IE 20.223.35.26:443 fd.api.iris.microsoft.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 3.173.189.20.in-addr.arpa udp

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 10:55

Reported

2024-11-13 11:37

Platform

win7-20240903-en

Max time kernel

1799s

Max time network

1785s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1860 set thread context of 1344 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe C:\Windows\explorer.exe

UPX packed file

upx

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
PL 54.37.232.103:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files


Analysis: behavioral6

Detonation Overview

Submitted

2024-11-13 10:55

Reported

2024-11-13 11:37

Platform

win7-20240903-en

Max time kernel

302s

Max time network

1801s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2228 set thread context of 2860 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe C:\Windows\explorer.exe

UPX packed file

upx

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
US 104.154.53.10:80 104.154.53.10 tcp
FR 51.15.193.130:10300 xmr-eu1.nanopool.org tcp

Files

memory/2860-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2860-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2860-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2860-8-0x00000000000B0000-0x00000000000D0000-memory.dmp

memory/2860-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2860-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2860-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2860-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2860-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2860-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2860-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2860-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2860-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2860-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2860-16-0x00000000002C0000-0x00000000002E0000-memory.dmp

memory/2860-15-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2860-17-0x00000000002E0000-0x0000000000300000-memory.dmp

memory/2860-18-0x00000000002C0000-0x00000000002E0000-memory.dmp

memory/2860-19-0x00000000002E0000-0x0000000000300000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2024-11-13 10:55

Reported

2024-11-13 11:37

Platform

win7-20240903-en

Max time kernel

315s

Max time network

1790s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2896 set thread context of 2968 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe C:\Windows\explorer.exe

UPX packed file

upx

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
PL 54.37.232.103:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/2968-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2968-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2968-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2968-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2968-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2968-8-0x00000000000B0000-0x00000000000D0000-memory.dmp

memory/2968-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2968-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2968-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2968-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2968-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2968-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2968-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2968-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2968-17-0x0000000002320000-0x0000000002340000-memory.dmp

memory/2968-16-0x00000000001C0000-0x00000000001E0000-memory.dmp

memory/2968-15-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2968-18-0x00000000001C0000-0x00000000001E0000-memory.dmp

memory/2968-19-0x0000000002320000-0x0000000002340000-memory.dmp

Analysis: behavioral25

Detonation Overview

Submitted

2024-11-13 10:55

Reported

2024-11-13 11:42

Platform

win11-20241007-en

Max time kernel

1799s

Max time network

1800s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3416 set thread context of 1992 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe C:\Windows\explorer.exe

UPX packed file

upx

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
DE 162.19.224.121:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 121.224.19.162.in-addr.arpa udp

Files

memory/1992-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1992-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1992-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1992-8-0x00000000010E0000-0x0000000001100000-memory.dmp

memory/1992-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1992-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1992-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1992-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1992-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1992-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1992-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1992-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1992-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1992-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1992-16-0x0000000001120000-0x0000000001140000-memory.dmp

memory/1992-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1992-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1992-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1992-21-0x0000000001490000-0x00000000014B0000-memory.dmp

memory/1992-22-0x00000000014B0000-0x00000000014D0000-memory.dmp

memory/1992-23-0x0000000001490000-0x00000000014B0000-memory.dmp

memory/1992-24-0x00000000014B0000-0x00000000014D0000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-11-13 10:55

Reported

2024-11-13 11:37

Platform

win10v2004-20241007-en

Max time kernel

1799s

Max time network

1805s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4920 set thread context of 5020 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe C:\Windows\explorer.exe

UPX packed file

upx

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
PL 54.37.232.103:10300 xmr-eu1.nanopool.org tcp
US 8.8.8.8:53 103.232.37.54.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 10.53.154.104.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 209.143.182.52.in-addr.arpa udp

Files

memory/5020-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/5020-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/5020-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/5020-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/5020-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/5020-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/5020-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/5020-8-0x0000000002090000-0x00000000020B0000-memory.dmp

memory/5020-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/5020-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/5020-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/5020-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/5020-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/5020-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/5020-16-0x00000000020B0000-0x00000000020D0000-memory.dmp

memory/5020-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/5020-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/5020-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/5020-21-0x0000000012CE0000-0x0000000012D00000-memory.dmp

memory/5020-22-0x0000000012F10000-0x0000000012F30000-memory.dmp

memory/5020-23-0x0000000012CE0000-0x0000000012D00000-memory.dmp

memory/5020-24-0x0000000012F10000-0x0000000012F30000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted

2024-11-13 10:55

Reported

2024-11-13 11:43

Platform

win7-20241010-en

Max time kernel

257s

Max time network

1801s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2088 set thread context of 3020 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe C:\Windows\explorer.exe

UPX packed file

upx

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe N/A

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
US 104.154.53.10:80 104.154.53.10 tcp
FR 212.47.253.124:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/3020-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3020-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3020-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3020-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3020-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3020-8-0x00000000000B0000-0x00000000000D0000-memory.dmp

memory/3020-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3020-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3020-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3020-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3020-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3020-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3020-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3020-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3020-16-0x0000000000300000-0x0000000000320000-memory.dmp

memory/3020-17-0x0000000001B50000-0x0000000001B70000-memory.dmp

memory/3020-18-0x0000000000300000-0x0000000000320000-memory.dmp

memory/3020-19-0x0000000001B50000-0x0000000001B70000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-13 10:55

Reported

2024-11-13 11:37

Platform

win11-20241007-en

Max time kernel

1799s

Max time network

1800s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3312 set thread context of 3040 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe C:\Windows\explorer.exe

UPX packed file

upx

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
PL 54.37.137.114:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/3040-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3040-8-0x0000000001770000-0x0000000001790000-memory.dmp

memory/3040-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3040-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3040-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3040-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3040-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3040-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3040-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3040-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3040-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3040-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3040-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3040-16-0x0000000002EC0000-0x0000000002EE0000-memory.dmp

memory/3040-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3040-15-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3040-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3040-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3040-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3040-22-0x0000000013D10000-0x0000000013D30000-memory.dmp

memory/3040-21-0x0000000013AE0000-0x0000000013B00000-memory.dmp

memory/3040-23-0x0000000013AE0000-0x0000000013B00000-memory.dmp

memory/3040-24-0x0000000013D10000-0x0000000013D30000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-11-13 10:55

Reported

2024-11-13 11:37

Platform

win11-20241007-en

Max time kernel

1799s

Max time network

1801s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2688 set thread context of 4920 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe C:\Windows\explorer.exe

UPX packed file

upx

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
FR 146.59.154.106:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp

Files

memory/4920-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4920-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4920-8-0x0000000001450000-0x0000000001470000-memory.dmp

memory/4920-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4920-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4920-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4920-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4920-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4920-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4920-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4920-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4920-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4920-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4920-15-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4920-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4920-16-0x00007FF90C3D0000-0x00007FF90CB7E000-memory.dmp

memory/4920-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4920-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4920-19-0x0000000140000000-0x0000000140835000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-11-13 10:55

Reported

2024-11-13 11:37

Platform

win10ltsc2021-20241023-en

Max time kernel

1799s

Max time network

1800s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 632 set thread context of 2972 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe C:\Windows\explorer.exe

UPX packed file

upx

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
DE 162.19.224.121:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 121.224.19.162.in-addr.arpa udp
US 8.8.8.8:53 10.53.154.104.in-addr.arpa udp
US 8.8.8.8:53 fd.api.iris.microsoft.com udp
IE 20.223.35.26:443 fd.api.iris.microsoft.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 66.112.168.52.in-addr.arpa udp

Files

memory/2972-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2972-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2972-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2972-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2972-8-0x0000000000BE0000-0x0000000000C00000-memory.dmp

memory/2972-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2972-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2972-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2972-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2972-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2972-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2972-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2972-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2972-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2972-16-0x0000000000F10000-0x0000000000F30000-memory.dmp

memory/2972-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2972-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2972-21-0x0000000001170000-0x0000000001190000-memory.dmp

memory/2972-22-0x0000000002B40000-0x0000000002B60000-memory.dmp

memory/2972-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2972-23-0x0000000001170000-0x0000000001190000-memory.dmp

memory/2972-24-0x0000000002B40000-0x0000000002B60000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-11-13 10:55

Reported

2024-11-13 11:37

Platform

win10ltsc2021-20241023-en

Max time kernel

1799s

Max time network

1801s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 440 set thread context of 3948 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe C:\Windows\explorer.exe

UPX packed file

upx
Description Indicator Process Target
(16 rows, all fields N/A)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
NL 51.15.65.182:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 182.65.15.51.in-addr.arpa udp
US 8.8.8.8:53 10.53.154.104.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 27.73.42.20.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 fd.api.iris.microsoft.com udp
IE 20.223.36.55:443 fd.api.iris.microsoft.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/3948-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3948-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3948-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3948-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3948-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3948-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3948-8-0x0000000000FA0000-0x0000000000FC0000-memory.dmp

memory/3948-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3948-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3948-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3948-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3948-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3948-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3948-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3948-16-0x0000000001050000-0x0000000001070000-memory.dmp

memory/3948-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3948-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3948-22-0x00000000136D0000-0x00000000136F0000-memory.dmp

memory/3948-21-0x00000000134A0000-0x00000000134C0000-memory.dmp

memory/3948-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3948-23-0x00000000134A0000-0x00000000134C0000-memory.dmp

memory/3948-24-0x00000000136D0000-0x00000000136F0000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-11-13 10:55

Reported

2024-11-13 11:37

Platform

win10v2004-20241007-en

Max time kernel

1799s

Max time network

1800s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
(11 rows, all fields N/A)

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2908 set thread context of 2224 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe C:\Windows\explorer.exe

UPX packed file

upx
Description Indicator Process Target
(16 rows, all fields N/A)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
FR 212.47.253.124:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 124.253.47.212.in-addr.arpa udp
US 8.8.8.8:53 10.53.154.104.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 8.173.189.20.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/2224-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2224-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2224-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2224-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2224-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2224-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2224-8-0x0000000002D40000-0x0000000002D60000-memory.dmp

memory/2224-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2224-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2224-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2224-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2224-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2224-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2224-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2224-16-0x0000000002DF0000-0x0000000002E10000-memory.dmp

memory/2224-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2224-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2224-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2224-22-0x0000000013BD0000-0x0000000013BF0000-memory.dmp

memory/2224-21-0x00000000139A0000-0x00000000139C0000-memory.dmp

memory/2224-24-0x0000000013BD0000-0x0000000013BF0000-memory.dmp

memory/2224-23-0x00000000139A0000-0x00000000139C0000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-11-13 10:55

Reported

2024-11-13 11:37

Platform

win7-20240903-en

Max time kernel

1799s

Max time network

1800s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
(9 rows, all fields N/A)

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1588 set thread context of 2476 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe C:\Windows\explorer.exe

UPX packed file

upx
Description Indicator Process Target
(14 rows, all fields N/A)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
FR 141.94.23.83:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/2476-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2476-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2476-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2476-8-0x00000000001B0000-0x00000000001D0000-memory.dmp

memory/2476-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2476-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2476-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2476-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2476-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2476-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2476-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2476-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2476-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2476-15-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2476-17-0x0000000000360000-0x0000000000380000-memory.dmp

memory/2476-16-0x0000000000340000-0x0000000000360000-memory.dmp

memory/2476-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2476-18-0x0000000000340000-0x0000000000360000-memory.dmp

memory/2476-19-0x0000000000360000-0x0000000000380000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-11-13 10:55

Reported

2024-11-13 11:37

Platform

win10v2004-20241007-en

Max time kernel

1799s

Max time network

1800s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
(11 rows, all fields N/A)

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3620 set thread context of 3688 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe C:\Windows\explorer.exe

UPX packed file

upx
Description Indicator Process Target
(16 rows, all fields N/A)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
NL 51.15.65.182:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 182.65.15.51.in-addr.arpa udp
US 8.8.8.8:53 10.53.154.104.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 1.173.189.20.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/3688-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3688-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3688-8-0x0000000001020000-0x0000000001040000-memory.dmp

memory/3688-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3688-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3688-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3688-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3688-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3688-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3688-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3688-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3688-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3688-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3688-16-0x0000000001050000-0x0000000001070000-memory.dmp

memory/3688-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3688-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3688-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3688-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3688-22-0x0000000013770000-0x0000000013790000-memory.dmp

memory/3688-21-0x0000000013540000-0x0000000013560000-memory.dmp

memory/3688-24-0x0000000013770000-0x0000000013790000-memory.dmp

memory/3688-23-0x0000000013540000-0x0000000013560000-memory.dmp

Analysis: behavioral23

Detonation Overview

Submitted

2024-11-13 10:55

Reported

2024-11-13 11:42

Platform

win10v2004-20241007-en

Max time kernel

1800s

Max time network

1800s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
(11 rows, all fields N/A)

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1820 set thread context of 920 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe C:\Windows\explorer.exe

UPX packed file

upx
Description Indicator Process Target
(16 rows, all fields N/A)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
NL 51.15.65.182:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 182.65.15.51.in-addr.arpa udp
US 8.8.8.8:53 10.53.154.104.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 67.209.201.84.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 12.173.189.20.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/920-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/920-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/920-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/920-8-0x0000000001240000-0x0000000001260000-memory.dmp

memory/920-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/920-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/920-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/920-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/920-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/920-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/920-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/920-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/920-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/920-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/920-16-0x0000000002EE0000-0x0000000002F00000-memory.dmp

memory/920-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/920-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/920-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/920-21-0x0000000013A10000-0x0000000013A30000-memory.dmp

memory/920-22-0x0000000013C40000-0x0000000013C60000-memory.dmp

memory/920-23-0x0000000013A10000-0x0000000013A30000-memory.dmp

memory/920-24-0x0000000013C40000-0x0000000013C60000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-13 10:55

Reported

2024-11-13 11:37

Platform

win10v2004-20241007-en

Max time kernel

1800s

Max time network

1784s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
(11 rows, all fields N/A)

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3308 set thread context of 1064 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe C:\Windows\explorer.exe

UPX packed file

upx
Description Indicator Process Target
(16 rows, all fields N/A)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
DE 51.89.23.91:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 91.23.89.51.in-addr.arpa udp
US 8.8.8.8:53 10.53.154.104.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 154.141.79.40.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/1064-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1064-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1064-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1064-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1064-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1064-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1064-8-0x0000000000C40000-0x0000000000C60000-memory.dmp

memory/1064-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1064-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1064-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1064-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1064-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1064-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1064-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1064-16-0x0000000012740000-0x0000000012760000-memory.dmp

memory/1064-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1064-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1064-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1064-22-0x0000000013200000-0x0000000013220000-memory.dmp

memory/1064-21-0x00000000131E0000-0x0000000013200000-memory.dmp

memory/1064-24-0x0000000013200000-0x0000000013220000-memory.dmp

memory/1064-23-0x00000000131E0000-0x0000000013200000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-13 10:55

Reported

2024-11-13 11:37

Platform

win10ltsc2021-20241023-en

Max time kernel

1799s

Max time network

1801s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
(11 rows, all fields N/A)

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1448 set thread context of 4392 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe C:\Windows\explorer.exe

UPX packed file

upx
Description Indicator Process Target
(16 rows, all fields N/A)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
FR 163.172.154.142:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 142.154.172.163.in-addr.arpa udp
US 8.8.8.8:53 10.53.154.104.in-addr.arpa udp
US 8.8.8.8:53 fd.api.iris.microsoft.com udp
IE 20.223.35.26:443 fd.api.iris.microsoft.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 26.173.189.20.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files


Analysis: behavioral8

Detonation Overview

Submitted

2024-11-13 10:55

Reported

2024-11-13 11:37

Platform

win10v2004-20241007-en

Max time kernel

1799s

Max time network

1801s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe"

Signatures

Xmrig family (tags: xmrig)

xmrig (tags: miner xmrig)

XMRig Miner payload (tags: miner)

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3904 set thread context of 2736 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe C:\Windows\explorer.exe

UPX packed file (tags: upx)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
PL 54.37.232.103:10300 xmr-eu1.nanopool.org tcp
US 8.8.8.8:53 103.232.37.54.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 10.53.154.104.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 10.173.189.20.in-addr.arpa udp

Files


Analysis: behavioral24

Detonation Overview

Submitted

2024-11-13 10:55

Reported

2024-11-13 11:42

Platform

win10ltsc2021-20241023-en

Max time kernel

1800s

Max time network

1802s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe"

Signatures

Xmrig family (tags: xmrig)

xmrig (tags: miner xmrig)

XMRig Miner payload (tags: miner)

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 5084 set thread context of 5096 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe C:\Windows\explorer.exe

UPX packed file (tags: upx)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
PL 54.37.137.114:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 114.137.37.54.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 63.141.182.52.in-addr.arpa udp

Files


Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 10:55

Reported

2024-11-13 11:37

Platform

win7-20240903-en

Max time kernel

317s

Max time network

1786s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe"

Signatures

Xmrig family (tags: xmrig)

xmrig (tags: miner xmrig)

XMRig Miner payload (tags: miner)

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2348 set thread context of 2484 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe C:\Windows\explorer.exe

UPX packed file (tags: upx)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
FR 51.15.193.130:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files


Analysis: behavioral20

Detonation Overview

Submitted

2024-11-13 10:55

Reported

2024-11-13 11:37

Platform

win11-20241007-en

Max time kernel

1800s

Max time network

1797s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe"

Signatures

Xmrig family (tags: xmrig)

xmrig (tags: miner xmrig)

XMRig Miner payload (tags: miner)

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1392 set thread context of 3372 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe C:\Windows\explorer.exe

UPX packed file (tags: upx)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
FR 163.172.154.142:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files
