Analysis Overview
SHA256
cedef524b310863d014742266add69204464f9ef7b5daac8b8253160195bc66b
Threat Level: Known bad
The file Triage.zip was found to be: Known bad.
Malicious Activity Summary
Xmrig family
xmrig
XMRig Miner payload
Suspicious use of SetThreadContext
UPX packed file
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-11-13 12:42
Signatures
Unsigned PE
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 12:42
Reported
2024-11-13 13:02
Platform
win7-20241023-en
Max time kernel
1200s
Max time network
1193s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2396 set thread context of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
UPX packed file
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2396 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 2396 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 2396 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 2396 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 2396 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| FR | 212.47.253.124:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-11-13 12:42
Reported
2024-11-13 13:02
Platform
win7-20240903-en
Max time kernel
217s
Max time network
1204s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1860 set thread context of 2964 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
UPX packed file
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1860 wrote to memory of 2964 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 1860 wrote to memory of 2964 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 1860 wrote to memory of 2964 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 1860 wrote to memory of 2964 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 1860 wrote to memory of 2964 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| FR | 141.94.23.83:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-11-13 12:42
Reported
2024-11-13 13:02
Platform
win10v2004-20241007-en
Max time kernel
1199s
Max time network
1191s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 924 set thread context of 1212 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
UPX packed file
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 924 wrote to memory of 1212 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 924 wrote to memory of 1212 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 924 wrote to memory of 1212 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 924 wrote to memory of 1212 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 924 wrote to memory of 1212 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| DE | 51.89.23.91:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 10.53.154.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.23.89.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.65.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-11-13 12:42
Reported
2024-11-13 13:02
Platform
win11-20241007-en
Max time kernel
1200s
Max time network
1202s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 6012 set thread context of 4828 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
UPX packed file
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 6012 wrote to memory of 4828 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 6012 wrote to memory of 4828 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 6012 wrote to memory of 4828 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 6012 wrote to memory of 4828 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 6012 wrote to memory of 4828 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| DE | 162.19.224.121:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-11-13 12:42
Reported
2024-11-13 13:02
Platform
win10v2004-20241007-en
Max time kernel
1199s
Max time network
1204s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4356 set thread context of 4412 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
UPX packed file
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4356 wrote to memory of 4412 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 4356 wrote to memory of 4412 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 4356 wrote to memory of 4412 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 4356 wrote to memory of 4412 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 4356 wrote to memory of 4412 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| FR | 51.15.193.130:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 130.193.15.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.53.154.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.16.208.104.in-addr.arpa | udp |
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-11-13 12:42
Reported
2024-11-13 13:02
Platform
win10ltsc2021-20241023-en
Max time kernel
1199s
Max time network
1202s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 232 set thread context of 472 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
UPX packed file
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 232 wrote to memory of 472 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 232 wrote to memory of 472 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 232 wrote to memory of 472 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 232 wrote to memory of 472 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 232 wrote to memory of 472 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| FR | 51.15.193.130:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 130.193.15.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.53.154.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fd.api.iris.microsoft.com | udp |
| IE | 20.223.36.55:443 | fd.api.iris.microsoft.com | tcp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 170.117.168.52.in-addr.arpa | udp |
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-11-13 12:42
Reported
2024-11-13 13:02
Platform
win11-20241007-en
Max time kernel
1200s
Max time network
1201s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3508 set thread context of 4788 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3508 wrote to memory of 4788 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 3508 wrote to memory of 4788 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 3508 wrote to memory of 4788 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 3508 wrote to memory of 4788 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 3508 wrote to memory of 4788 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| PL | 54.37.232.103:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 103.232.37.54.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/4788-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4788-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4788-8-0x0000000000720000-0x0000000000740000-memory.dmp
memory/4788-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4788-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4788-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4788-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4788-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4788-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4788-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4788-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4788-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4788-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4788-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4788-16-0x0000000000750000-0x0000000000770000-memory.dmp
memory/4788-15-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4788-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4788-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4788-21-0x0000000001F60000-0x0000000001F80000-memory.dmp
memory/4788-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4788-22-0x0000000012E50000-0x0000000012E70000-memory.dmp
memory/4788-23-0x0000000001F60000-0x0000000001F80000-memory.dmp
memory/4788-24-0x0000000012E50000-0x0000000012E70000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 12:42
Reported
2024-11-13 13:02
Platform
win10v2004-20241007-en
Max time kernel
1199s
Max time network
1201s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3780 set thread context of 2964 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3780 wrote to memory of 2964 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 3780 wrote to memory of 2964 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 3780 wrote to memory of 2964 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 3780 wrote to memory of 2964 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 3780 wrote to memory of 2964 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| DE | 51.89.23.91:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 91.23.89.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.53.154.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 192.98.74.40.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/2964-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2964-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2964-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2964-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2964-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2964-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2964-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2964-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2964-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2964-8-0x0000000000E70000-0x0000000000E90000-memory.dmp
memory/2964-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2964-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2964-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2964-16-0x0000000001170000-0x0000000001190000-memory.dmp
memory/2964-15-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2964-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2964-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2964-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2964-22-0x00000000138C0000-0x00000000138E0000-memory.dmp
memory/2964-21-0x00000000029D0000-0x00000000029F0000-memory.dmp
memory/2964-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2964-23-0x00000000029D0000-0x00000000029F0000-memory.dmp
memory/2964-24-0x00000000138C0000-0x00000000138E0000-memory.dmp
Analysis: behavioral23
Detonation Overview
Submitted
2024-11-13 12:42
Reported
2024-11-13 13:02
Platform
win10v2004-20241007-en
Max time kernel
1200s
Max time network
1193s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2816 set thread context of 3648 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2816 wrote to memory of 3648 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 2816 wrote to memory of 3648 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 2816 wrote to memory of 3648 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 2816 wrote to memory of 3648 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 2816 wrote to memory of 3648 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| DE | 51.89.23.91:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 91.23.89.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.53.154.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 66.112.168.52.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/3648-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3648-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3648-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3648-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3648-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3648-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3648-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3648-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3648-8-0x0000000000C10000-0x0000000000C30000-memory.dmp
memory/3648-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3648-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3648-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3648-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3648-16-0x0000000002560000-0x0000000002580000-memory.dmp
memory/3648-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3648-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3648-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3648-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3648-22-0x0000000013260000-0x0000000013280000-memory.dmp
memory/3648-21-0x0000000013020000-0x0000000013040000-memory.dmp
memory/3648-24-0x0000000013260000-0x0000000013280000-memory.dmp
memory/3648-23-0x0000000013020000-0x0000000013040000-memory.dmp
Analysis: behavioral22
Detonation Overview
Submitted
2024-11-13 12:42
Reported
2024-11-13 13:02
Platform
win7-20240708-en
Max time kernel
1199s
Max time network
1196s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2360 set thread context of 1928 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2360 wrote to memory of 1928 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 2360 wrote to memory of 1928 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 2360 wrote to memory of 1928 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 2360 wrote to memory of 1928 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 2360 wrote to memory of 1928 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| FR | 51.15.193.130:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/1928-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1928-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1928-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1928-8-0x00000000001B0000-0x00000000001D0000-memory.dmp
memory/1928-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1928-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1928-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1928-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1928-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1928-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1928-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1928-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1928-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1928-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1928-15-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1928-16-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1928-17-0x0000000001C50000-0x0000000001C70000-memory.dmp
memory/1928-18-0x0000000001C70000-0x0000000001C90000-memory.dmp
memory/1928-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1928-20-0x0000000001C50000-0x0000000001C70000-memory.dmp
memory/1928-21-0x0000000001C70000-0x0000000001C90000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-13 12:42
Reported
2024-11-13 13:03
Platform
win10v2004-20241007-en
Max time kernel
1199s
Max time network
1205s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4744 set thread context of 2492 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4744 wrote to memory of 2492 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 4744 wrote to memory of 2492 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 4744 wrote to memory of 2492 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 4744 wrote to memory of 2492 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 4744 wrote to memory of 2492 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| FR | 141.94.23.83:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 83.23.94.141.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.53.154.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 224.162.46.104.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/2492-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2492-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2492-8-0x0000000000E30000-0x0000000000E50000-memory.dmp
memory/2492-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2492-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2492-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2492-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2492-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2492-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2492-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2492-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2492-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2492-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2492-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2492-15-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2492-16-0x0000000000E60000-0x0000000000E80000-memory.dmp
memory/2492-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2492-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2492-22-0x0000000013470000-0x0000000013490000-memory.dmp
memory/2492-21-0x0000000013240000-0x0000000013260000-memory.dmp
memory/2492-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2492-23-0x0000000013240000-0x0000000013260000-memory.dmp
memory/2492-24-0x0000000013470000-0x0000000013490000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-11-13 12:42
Reported
2024-11-13 13:02
Platform
win7-20240903-en
Max time kernel
213s
Max time network
1195s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2344 set thread context of 1676 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2344 wrote to memory of 1676 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 2344 wrote to memory of 1676 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 2344 wrote to memory of 1676 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 2344 wrote to memory of 1676 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 2344 wrote to memory of 1676 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| DE | 162.19.224.121:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/1676-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1676-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1676-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1676-8-0x00000000000B0000-0x00000000000D0000-memory.dmp
memory/1676-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1676-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1676-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1676-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1676-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1676-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1676-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1676-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1676-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1676-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1676-16-0x0000000001C60000-0x0000000001C80000-memory.dmp
memory/1676-17-0x00000000023A0000-0x00000000023C0000-memory.dmp
memory/1676-15-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1676-18-0x0000000001C60000-0x0000000001C80000-memory.dmp
memory/1676-19-0x00000000023A0000-0x00000000023C0000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-11-13 12:42
Reported
2024-11-13 13:02
Platform
win11-20241007-en
Max time kernel
1199s
Max time network
1195s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A (11 matches; the report records no further detail for this signature) | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4860 set thread context of 4896 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A (16 matches; the report records no further detail for this signature) | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4860 wrote to memory of 4896 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 4860 wrote to memory of 4896 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 4860 wrote to memory of 4896 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 4860 wrote to memory of 4896 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 4860 wrote to memory of 4896 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| FR | 212.47.253.124:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/4896-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4896-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4896-8-0x0000000000A50000-0x0000000000A70000-memory.dmp
memory/4896-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4896-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4896-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4896-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4896-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4896-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4896-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4896-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4896-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4896-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4896-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4896-16-0x0000000000DE0000-0x0000000000E00000-memory.dmp
memory/4896-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4896-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4896-21-0x0000000000E40000-0x0000000000E60000-memory.dmp
memory/4896-22-0x0000000013450000-0x0000000013470000-memory.dmp
memory/4896-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4896-24-0x0000000013450000-0x0000000013470000-memory.dmp
memory/4896-23-0x0000000000E40000-0x0000000000E60000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-11-13 12:42
Reported
2024-11-13 13:02
Platform
win10v2004-20241007-en
Max time kernel
1199s
Max time network
1195s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A (11 matches; the report records no further detail for this signature) | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4132 set thread context of 3164 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A (16 matches; the report records no further detail for this signature) | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4132 wrote to memory of 3164 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 4132 wrote to memory of 3164 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 4132 wrote to memory of 3164 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 4132 wrote to memory of 3164 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 4132 wrote to memory of 3164 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| NL | 51.15.58.224:10300 | xmr-eu1.nanopool.org | tcp |
| US | 8.8.8.8:53 | 10.53.154.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 224.58.15.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 92.16.208.104.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/3164-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3164-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3164-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3164-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3164-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3164-8-0x0000000000540000-0x0000000000560000-memory.dmp
memory/3164-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3164-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3164-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3164-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3164-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3164-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3164-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3164-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3164-16-0x0000000012750000-0x0000000012770000-memory.dmp
memory/3164-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3164-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3164-22-0x0000000012EC0000-0x0000000012EE0000-memory.dmp
memory/3164-21-0x0000000012C90000-0x0000000012CB0000-memory.dmp
memory/3164-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3164-24-0x0000000012EC0000-0x0000000012EE0000-memory.dmp
memory/3164-23-0x0000000012C90000-0x0000000012CB0000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2024-11-13 12:42
Reported
2024-11-13 13:03
Platform
win10ltsc2021-20241023-en
Max time kernel
1199s
Max time network
1202s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A (11 matches; the report records no further detail for this signature) | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2264 set thread context of 3920 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A (16 matches; the report records no further detail for this signature) | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2264 wrote to memory of 3920 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 2264 wrote to memory of 3920 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 2264 wrote to memory of 3920 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 2264 wrote to memory of 3920 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 2264 wrote to memory of 3920 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| FR | 141.94.23.83:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 83.23.94.141.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.53.154.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fd.api.iris.microsoft.com | udp |
| NL | 20.31.169.57:443 | fd.api.iris.microsoft.com | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 23.173.189.20.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/3920-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3920-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3920-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3920-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3920-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3920-8-0x0000000000490000-0x00000000004B0000-memory.dmp
memory/3920-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3920-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3920-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3920-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3920-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3920-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3920-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3920-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3920-16-0x00000000021B0000-0x00000000021D0000-memory.dmp
memory/3920-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3920-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3920-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3920-21-0x0000000012C60000-0x0000000012C80000-memory.dmp
memory/3920-22-0x0000000012E90000-0x0000000012EB0000-memory.dmp
memory/3920-23-0x0000000012C60000-0x0000000012C80000-memory.dmp
memory/3920-24-0x0000000012E90000-0x0000000012EB0000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-11-13 12:42
Reported
2024-11-13 13:02
Platform
win10ltsc2021-20241023-en
Max time kernel
1199s
Max time network
1194s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A (11 matches; the report records no further detail for this signature) | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1164 set thread context of 5056 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A (16 matches; the report records no further detail for this signature) | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1164 wrote to memory of 5056 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 1164 wrote to memory of 5056 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 1164 wrote to memory of 5056 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 1164 wrote to memory of 5056 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 1164 wrote to memory of 5056 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| FR | 212.47.253.124:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 124.253.47.212.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.53.154.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fd.api.iris.microsoft.com | udp |
| FR | 20.199.58.43:443 | fd.api.iris.microsoft.com | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 31.73.42.20.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/5056-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5056-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5056-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5056-8-0x0000000000A90000-0x0000000000AB0000-memory.dmp
memory/5056-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5056-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5056-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5056-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5056-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5056-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5056-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5056-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5056-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5056-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5056-16-0x0000000012920000-0x0000000012940000-memory.dmp
memory/5056-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5056-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5056-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5056-21-0x00000000131A0000-0x00000000131C0000-memory.dmp
memory/5056-22-0x00000000133D0000-0x00000000133F0000-memory.dmp
memory/5056-23-0x00000000131A0000-0x00000000131C0000-memory.dmp
memory/5056-24-0x00000000133D0000-0x00000000133F0000-memory.dmp
Analysis: behavioral24
Detonation Overview
Submitted
2024-11-13 12:42
Reported
2024-11-13 13:02
Platform
win10ltsc2021-20241023-en
Max time kernel
1199s
Max time network
1203s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A (11 matches; the report records no further detail for this signature) | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1832 set thread context of 3616 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A (16 matches; the report records no further detail for this signature) | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1832 wrote to memory of 3616 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 1832 wrote to memory of 3616 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 1832 wrote to memory of 3616 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 1832 wrote to memory of 3616 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 1832 wrote to memory of 3616 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| FR | 146.59.154.106:10300 | xmr-eu1.nanopool.org | tcp |
| US | 8.8.8.8:53 | 106.154.59.146.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 10.53.154.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 211.143.182.52.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/3616-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3616-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3616-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3616-8-0x0000000000DE0000-0x0000000000E00000-memory.dmp
memory/3616-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3616-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3616-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3616-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3616-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3616-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3616-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3616-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3616-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3616-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3616-16-0x00000000013E0000-0x0000000001400000-memory.dmp
memory/3616-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3616-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3616-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3616-21-0x0000000002DF0000-0x0000000002E10000-memory.dmp
memory/3616-22-0x0000000002E10000-0x0000000002E30000-memory.dmp
memory/3616-24-0x0000000002E10000-0x0000000002E30000-memory.dmp
memory/3616-23-0x0000000002DF0000-0x0000000002E10000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-13 12:42
Reported
2024-11-13 13:02
Platform
win10ltsc2021-20241023-en
Max time kernel
1200s
Max time network
1203s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A (11 matches; the report records no further detail for this signature) | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 392 set thread context of 664 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A (16 matches; the report records no further detail for this signature) | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 392 wrote to memory of 664 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 392 wrote to memory of 664 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 392 wrote to memory of 664 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 392 wrote to memory of 664 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 392 wrote to memory of 664 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| FR | 51.15.193.130:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 130.193.15.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.53.154.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fd.api.iris.microsoft.com | udp |
| FR | 20.199.58.43:443 | fd.api.iris.microsoft.com | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-11-13 12:42
Reported
2024-11-13 13:02
Platform
win10ltsc2021-20241023-en
Max time kernel
1200s
Max time network
1202s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4464 set thread context of 3692 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
UPX packed file
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4464 wrote to memory of 3692 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| DE | 51.89.23.91:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 91.23.89.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.53.154.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.73.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-11-13 12:42
Reported
2024-11-13 13:02
Platform
win11-20241007-en
Max time kernel
1199s
Max time network
1202s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4312 set thread context of 3496 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
UPX packed file
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4312 wrote to memory of 3496 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| FR | 163.172.154.142:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 10.53.154.104.in-addr.arpa | udp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-11-13 12:42
Reported
2024-11-13 13:02
Platform
win10v2004-20241007-en
Max time kernel
1200s
Max time network
1201s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2400 set thread context of 4580 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
UPX packed file
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2400 wrote to memory of 4580 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| PL | 54.37.137.114:10300 | xmr-eu1.nanopool.org | tcp |
| US | 8.8.8.8:53 | 114.137.37.54.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 10.53.154.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-11-13 12:42
Reported
2024-11-13 13:02
Platform
win7-20241010-en
Max time kernel
1200s
Max time network
1202s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2472 set thread context of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
UPX packed file
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2472 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| PL | 54.37.232.103:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-11-13 12:42
Reported
2024-11-13 13:02
Platform
win10ltsc2021-20241023-en
Max time kernel
1199s
Max time network
1196s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2492 set thread context of 340 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
UPX packed file
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2492 wrote to memory of 340 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| FR | 146.59.154.106:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 106.154.59.146.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.53.154.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-11-13 12:42
Reported
2024-11-13 13:03
Platform
win11-20241007-en
Max time kernel
1198s
Max time network
1201s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3468 set thread context of 1608 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
UPX packed file
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3468 wrote to memory of 1608 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| NL | 51.15.65.182:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 182.65.15.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.53.154.104.in-addr.arpa | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-11-13 12:42
Reported
2024-11-13 13:02
Platform
win11-20241007-en
Max time kernel
1199s
Max time network
1194s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4268 set thread context of 2432 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
UPX packed file
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4268 wrote to memory of 2432 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| PL | 54.37.232.103:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files