Malware Analysis Report

2024-12-07 09:51

Sample ID 241113-pygrlasejl
Target Triage.zip
SHA256 cedef524b310863d014742266add69204464f9ef7b5daac8b8253160195bc66b
Tags
xmrig miner upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cedef524b310863d014742266add69204464f9ef7b5daac8b8253160195bc66b

Threat Level: Known bad

The file Triage.zip was found to be: Known bad.

Malicious Activity Summary

xmrig miner upx

xmrig

Xmrig family

XMRig Miner payload

Suspicious use of SetThreadContext

UPX packed file

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: LoadsDriver

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-11-13 12:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-11-13 12:44

Reported

2024-11-13 13:14

Platform

win7-20240903-en

Max time kernel

294s

Max time network

1799s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2088 set thread context of 2748 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe C:\Windows\explorer.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
NL 51.15.58.224:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/2748-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2748-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2748-8-0x0000000000230000-0x0000000000250000-memory.dmp

memory/2748-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2748-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2748-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2748-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2748-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2748-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2748-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2748-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2748-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2748-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2748-15-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2748-17-0x0000000002490000-0x00000000024B0000-memory.dmp

memory/2748-16-0x0000000002310000-0x0000000002330000-memory.dmp

memory/2748-19-0x0000000002490000-0x00000000024B0000-memory.dmp

memory/2748-18-0x0000000002310000-0x0000000002330000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2024-11-13 12:44

Reported

2024-11-13 13:14

Platform

win10ltsc2021-20241023-en

Max time kernel

1799s

Max time network

1799s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 936 set thread context of 964 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe C:\Windows\explorer.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
FR 163.172.154.142:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 142.154.172.163.in-addr.arpa udp
US 8.8.8.8:53 10.53.154.104.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 27.173.189.20.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/964-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/964-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/964-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/964-8-0x0000000000E40000-0x0000000000E60000-memory.dmp

memory/964-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/964-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/964-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/964-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/964-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/964-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/964-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/964-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/964-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/964-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/964-16-0x0000000000E70000-0x0000000000E90000-memory.dmp

memory/964-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/964-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/964-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/964-21-0x00000000011E0000-0x0000000001200000-memory.dmp

memory/964-22-0x0000000001200000-0x0000000001220000-memory.dmp

memory/964-23-0x00000000011E0000-0x0000000001200000-memory.dmp

memory/964-24-0x0000000001200000-0x0000000001220000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 12:44

Reported

2024-11-13 13:14

Platform

win10v2004-20241007-en

Max time kernel

1800s

Max time network

1800s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1264 set thread context of 4908 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe C:\Windows\explorer.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
DE 162.19.224.121:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 121.224.19.162.in-addr.arpa udp
US 8.8.8.8:53 10.53.154.104.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 4.73.50.20.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/4908-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4908-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4908-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4908-8-0x0000000000ED0000-0x0000000000EF0000-memory.dmp

memory/4908-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4908-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4908-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4908-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4908-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4908-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4908-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4908-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4908-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4908-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4908-16-0x0000000000F70000-0x0000000000F90000-memory.dmp

memory/4908-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4908-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4908-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4908-21-0x0000000002B90000-0x0000000002BB0000-memory.dmp

memory/4908-22-0x0000000002BB0000-0x0000000002BD0000-memory.dmp

memory/4908-23-0x0000000002B90000-0x0000000002BB0000-memory.dmp

memory/4908-24-0x0000000002BB0000-0x0000000002BD0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 12:44

Reported

2024-11-13 13:14

Platform

win7-20241010-en

Max time kernel

251s

Max time network

1800s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2184 set thread context of 3064 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe C:\Windows\explorer.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
PL 54.37.232.103:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/3064-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3064-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3064-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3064-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3064-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3064-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3064-8-0x00000000000B0000-0x00000000000D0000-memory.dmp

memory/3064-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3064-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3064-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3064-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3064-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3064-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3064-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3064-16-0x0000000000120000-0x0000000000140000-memory.dmp

memory/3064-17-0x0000000001B30000-0x0000000001B50000-memory.dmp

memory/3064-18-0x0000000000120000-0x0000000000140000-memory.dmp

memory/3064-19-0x0000000001B30000-0x0000000001B50000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-13 12:44

Reported

2024-11-13 13:14

Platform

win10ltsc2021-20241023-en

Max time kernel

1799s

Max time network

1799s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1028 set thread context of 4944 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe C:\Windows\explorer.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
NL 51.15.65.182:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 182.65.15.51.in-addr.arpa udp
US 8.8.8.8:53 10.53.154.104.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 18.173.189.20.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/4944-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4944-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4944-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4944-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4944-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4944-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4944-8-0x00000000023D0000-0x00000000023F0000-memory.dmp

memory/4944-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4944-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4944-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4944-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4944-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4944-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4944-16-0x0000000002470000-0x0000000002490000-memory.dmp

memory/4944-15-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4944-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4944-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4944-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4944-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4944-22-0x0000000013350000-0x0000000013370000-memory.dmp

memory/4944-21-0x0000000013120000-0x0000000013140000-memory.dmp

memory/4944-23-0x0000000013120000-0x0000000013140000-memory.dmp

memory/4944-24-0x0000000013350000-0x0000000013370000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-11-13 12:44

Reported

2024-11-13 13:14

Platform

win10ltsc2021-20241023-en

Max time kernel

1799s

Max time network

1799s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1228 set thread context of 3360 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe C:\Windows\explorer.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
NL 51.15.65.182:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 182.65.15.51.in-addr.arpa udp
US 8.8.8.8:53 10.53.154.104.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 211.143.182.52.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/3360-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3360-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3360-8-0x0000000000440000-0x0000000000460000-memory.dmp

memory/3360-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3360-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3360-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3360-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3360-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3360-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3360-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3360-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3360-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3360-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3360-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3360-16-0x0000000000800000-0x0000000000820000-memory.dmp

memory/3360-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3360-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3360-22-0x00000000021B0000-0x00000000021D0000-memory.dmp

memory/3360-21-0x0000000002190000-0x00000000021B0000-memory.dmp

memory/3360-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3360-23-0x0000000002190000-0x00000000021B0000-memory.dmp

memory/3360-24-0x00000000021B0000-0x00000000021D0000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2024-11-13 12:44

Reported

2024-11-13 13:14

Platform

win11-20241007-en

Max time kernel

1799s

Max time network

1799s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1692 set thread context of 3516 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe C:\Windows\explorer.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
FR 163.172.154.142:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 142.154.172.163.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/3516-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3516-8-0x00000000004F0000-0x0000000000510000-memory.dmp

memory/3516-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3516-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3516-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3516-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3516-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3516-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3516-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3516-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3516-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3516-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3516-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3516-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3516-16-0x0000000000950000-0x0000000000970000-memory.dmp

memory/3516-15-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3516-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3516-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3516-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3516-21-0x0000000012D10000-0x0000000012D30000-memory.dmp

memory/3516-22-0x0000000012F40000-0x0000000012F60000-memory.dmp

memory/3516-23-0x0000000012D10000-0x0000000012D30000-memory.dmp

memory/3516-24-0x0000000012F40000-0x0000000012F60000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-11-13 12:44

Reported

2024-11-13 13:14

Platform

win7-20240903-en

Max time kernel

1800s

Max time network

1799s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2872 set thread context of 1648 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe C:\Windows\explorer.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
NL 51.15.58.224:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/1648-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1648-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1648-8-0x0000000000130000-0x0000000000150000-memory.dmp

memory/1648-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1648-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1648-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1648-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1648-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1648-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1648-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1648-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1648-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1648-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1648-15-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1648-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1648-17-0x0000000001C70000-0x0000000001C90000-memory.dmp

memory/1648-16-0x0000000000330000-0x0000000000350000-memory.dmp

memory/1648-19-0x0000000001C70000-0x0000000001C90000-memory.dmp

memory/1648-18-0x0000000000330000-0x0000000000350000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-11-13 12:44

Reported

2024-11-13 13:14

Platform

win7-20240903-en

Max time kernel

1800s

Max time network

1799s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3028 set thread context of 2776 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe C:\Windows\explorer.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
FR 141.94.23.83:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/2776-8-0x00000000001C0000-0x00000000001E0000-memory.dmp

memory/2776-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2776-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2776-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2776-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2776-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2776-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2776-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2776-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2776-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2776-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2776-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2776-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2776-16-0x0000000001BD0000-0x0000000001BF0000-memory.dmp

memory/2776-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2776-17-0x0000000001BF0000-0x0000000001C10000-memory.dmp

memory/2776-18-0x0000000001BD0000-0x0000000001BF0000-memory.dmp

memory/2776-19-0x0000000001BF0000-0x0000000001C10000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-11-13 12:44

Reported

2024-11-13 13:14

Platform

win11-20241007-en

Max time kernel

1799s

Max time network

1800s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4780 set thread context of 3336 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe C:\Windows\explorer.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
FR 212.47.253.124:10300 xmr-eu1.nanopool.org tcp
US 8.8.8.8:53 124.253.47.212.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/3336-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3336-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3336-8-0x00000000021E0000-0x0000000002200000-memory.dmp

memory/3336-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3336-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3336-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3336-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3336-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3336-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3336-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3336-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3336-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3336-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3336-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3336-16-0x0000000002200000-0x0000000002220000-memory.dmp

memory/3336-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3336-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3336-22-0x0000000013150000-0x0000000013170000-memory.dmp

memory/3336-21-0x0000000012F20000-0x0000000012F40000-memory.dmp

memory/3336-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3336-23-0x0000000012F20000-0x0000000012F40000-memory.dmp

memory/3336-24-0x0000000013150000-0x0000000013170000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-11-13 12:44

Reported

2024-11-13 13:14

Platform

win10v2004-20241007-en

Max time kernel

1798s

Max time network

1800s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 964 set thread context of 1372 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe C:\Windows\explorer.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
NL 51.15.65.182:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 182.65.15.51.in-addr.arpa udp
US 8.8.8.8:53 10.53.154.104.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 154.141.79.40.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/1372-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1372-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1372-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1372-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1372-8-0x00000000014A0000-0x00000000014C0000-memory.dmp

memory/1372-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1372-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1372-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1372-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1372-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1372-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1372-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1372-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1372-16-0x0000000002D80000-0x0000000002DA0000-memory.dmp

memory/1372-15-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1372-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1372-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1372-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/1372-22-0x0000000013BE0000-0x0000000013C00000-memory.dmp

memory/1372-21-0x00000000139B0000-0x00000000139D0000-memory.dmp

memory/1372-23-0x00000000139B0000-0x00000000139D0000-memory.dmp

memory/1372-24-0x0000000013BE0000-0x0000000013C00000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-13 12:44

Reported

2024-11-13 13:14

Platform

win10v2004-20241007-en

Max time kernel

1799s

Max time network

1799s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3988 set thread context of 2972 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe C:\Windows\explorer.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
PL 54.37.232.103:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 103.232.37.54.in-addr.arpa udp
US 8.8.8.8:53 10.53.154.104.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 28.73.42.20.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/2972-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2972-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2972-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2972-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2972-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2972-8-0x0000000001010000-0x0000000001030000-memory.dmp

memory/2972-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2972-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2972-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2972-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2972-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2972-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2972-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2972-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2972-16-0x0000000001040000-0x0000000001060000-memory.dmp

memory/2972-15-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2972-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2972-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2972-22-0x0000000013750000-0x0000000013770000-memory.dmp

memory/2972-21-0x00000000010C0000-0x00000000010E0000-memory.dmp

memory/2972-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2972-23-0x00000000010C0000-0x00000000010E0000-memory.dmp

memory/2972-24-0x0000000013750000-0x0000000013770000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-11-13 12:44

Reported

2024-11-13 13:14

Platform

win10ltsc2021-20241023-en

Max time kernel

1799s

Max time network

1800s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4000 set thread context of 4372 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe C:\Windows\explorer.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
PL 54.37.232.103:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 103.232.37.54.in-addr.arpa udp
US 8.8.8.8:53 10.53.154.104.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/4372-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4372-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4372-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4372-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4372-8-0x00000000003E0000-0x0000000000400000-memory.dmp

memory/4372-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4372-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4372-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4372-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4372-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4372-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4372-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4372-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4372-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4372-16-0x0000000000650000-0x0000000000670000-memory.dmp

memory/4372-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4372-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4372-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4372-22-0x0000000000B40000-0x0000000000B60000-memory.dmp

memory/4372-21-0x0000000000B20000-0x0000000000B40000-memory.dmp

memory/4372-23-0x0000000000B20000-0x0000000000B40000-memory.dmp

memory/4372-24-0x0000000000B40000-0x0000000000B60000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted

2024-11-13 12:44

Reported

2024-11-13 13:14

Platform

win11-20241007-en

Max time kernel

1800s

Max time network

1800s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3256 set thread context of 3148 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe C:\Windows\explorer.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
DE 162.19.224.121:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/3148-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3148-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3148-8-0x0000000000B50000-0x0000000000B70000-memory.dmp

memory/3148-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3148-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3148-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3148-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3148-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3148-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3148-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3148-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3148-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3148-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3148-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3148-16-0x0000000000B80000-0x0000000000BA0000-memory.dmp

memory/3148-15-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3148-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3148-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3148-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3148-21-0x0000000013240000-0x0000000013260000-memory.dmp

memory/3148-22-0x0000000013470000-0x0000000013490000-memory.dmp

memory/3148-24-0x0000000013470000-0x0000000013490000-memory.dmp

memory/3148-23-0x0000000013240000-0x0000000013260000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2024-11-13 12:44

Reported

2024-11-13 13:14

Platform

win11-20241007-en

Max time kernel

1799s

Max time network

1800s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4612 set thread context of 2420 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe C:\Windows\explorer.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
NL 51.15.65.182:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 10.53.154.104.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/2420-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2420-8-0x0000000002040000-0x0000000002060000-memory.dmp

memory/2420-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2420-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2420-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2420-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2420-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2420-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2420-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2420-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2420-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2420-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2420-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2420-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2420-16-0x0000000002070000-0x0000000002090000-memory.dmp

memory/2420-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2420-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2420-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2420-22-0x0000000012FC0000-0x0000000012FE0000-memory.dmp

memory/2420-21-0x0000000012D90000-0x0000000012DB0000-memory.dmp

memory/2420-23-0x0000000012D90000-0x0000000012DB0000-memory.dmp

memory/2420-24-0x0000000012FC0000-0x0000000012FE0000-memory.dmp

Analysis: behavioral24

Detonation Overview

Submitted

2024-11-13 12:44

Reported

2024-11-13 13:14

Platform

win10ltsc2021-20241023-en

Max time kernel

1799s

Max time network

1800s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2172 set thread context of 4180 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe C:\Windows\explorer.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
FR 51.15.193.130:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 130.193.15.51.in-addr.arpa udp
US 8.8.8.8:53 10.53.154.104.in-addr.arpa udp
US 8.8.8.8:53 fd.api.iris.microsoft.com udp
IE 20.223.35.26:443 fd.api.iris.microsoft.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 13.173.189.20.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/4180-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4180-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4180-8-0x0000000000DD0000-0x0000000000DF0000-memory.dmp

memory/4180-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4180-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4180-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4180-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4180-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4180-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4180-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4180-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4180-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4180-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4180-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4180-16-0x0000000000E70000-0x0000000000E90000-memory.dmp

memory/4180-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4180-20-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4180-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4180-22-0x00000000028A0000-0x00000000028C0000-memory.dmp

memory/4180-21-0x0000000002880000-0x00000000028A0000-memory.dmp

memory/4180-23-0x0000000002880000-0x00000000028A0000-memory.dmp

memory/4180-24-0x00000000028A0000-0x00000000028C0000-memory.dmp

Analysis: behavioral25

Detonation Overview

Submitted

2024-11-13 12:44

Reported

2024-11-13 13:14

Platform

win11-20241007-en

Max time kernel

1799s

Max time network

1799s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1416 set thread context of 3008 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe C:\Windows\explorer.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
DE 51.89.23.91:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 10.53.154.104.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/3008-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3008-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3008-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3008-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3008-8-0x0000000001410000-0x0000000001430000-memory.dmp

memory/3008-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3008-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3008-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3008-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3008-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3008-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3008-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3008-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3008-16-0x0000000001540000-0x0000000001560000-memory.dmp

memory/3008-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3008-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3008-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3008-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/3008-21-0x0000000013920000-0x0000000013940000-memory.dmp

memory/3008-22-0x0000000013B50000-0x0000000013B70000-memory.dmp

memory/3008-23-0x0000000013920000-0x0000000013940000-memory.dmp

memory/3008-24-0x0000000013B50000-0x0000000013B70000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted

2024-11-13 12:44

Reported

2024-11-13 13:14

Platform

win7-20241010-en

Max time kernel

249s

Max time network

1799s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2808 set thread context of 2216 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe C:\Windows\explorer.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
PL 54.37.232.103:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/2216-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2216-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2216-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2216-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2216-8-0x00000000000B0000-0x00000000000D0000-memory.dmp

memory/2216-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2216-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2216-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2216-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2216-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2216-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2216-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2216-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2216-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2216-15-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2216-18-0x0000000001B20000-0x0000000001B40000-memory.dmp

memory/2216-17-0x0000000001B00000-0x0000000001B20000-memory.dmp

memory/2216-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2216-21-0x0000000001B20000-0x0000000001B40000-memory.dmp

memory/2216-20-0x0000000001B00000-0x0000000001B20000-memory.dmp

Analysis: behavioral23

Detonation Overview

Submitted

2024-11-13 12:44

Reported

2024-11-13 13:14

Platform

win10v2004-20241007-en

Max time kernel

1800s

Max time network

1799s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3396 set thread context of 4908 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe C:\Windows\explorer.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
PL 54.37.232.103:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 103.232.37.54.in-addr.arpa udp
US 8.8.8.8:53 10.53.154.104.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 23.173.189.20.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/4908-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4908-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4908-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4908-8-0x0000000001440000-0x0000000001460000-memory.dmp

memory/4908-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4908-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4908-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4908-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4908-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4908-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4908-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4908-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4908-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4908-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4908-16-0x0000000001470000-0x0000000001490000-memory.dmp

memory/4908-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4908-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4908-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4908-21-0x0000000002C90000-0x0000000002CB0000-memory.dmp

memory/4908-22-0x0000000002CB0000-0x0000000002CD0000-memory.dmp

memory/4908-23-0x0000000002C90000-0x0000000002CB0000-memory.dmp

memory/4908-24-0x0000000002CB0000-0x0000000002CD0000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-13 12:44

Reported

2024-11-13 13:14

Platform

win11-20241007-en

Max time kernel

1799s

Max time network

1800s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3608 set thread context of 2836 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe C:\Windows\explorer.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
NL 51.15.65.182:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 182.65.15.51.in-addr.arpa udp
US 8.8.8.8:53 10.53.154.104.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/2836-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2836-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2836-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2836-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2836-8-0x0000000000720000-0x0000000000740000-memory.dmp

memory/2836-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2836-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2836-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2836-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2836-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2836-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2836-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2836-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2836-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2836-16-0x00000000007C0000-0x00000000007E0000-memory.dmp

memory/2836-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2836-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2836-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2836-21-0x00000000020D0000-0x00000000020F0000-memory.dmp

memory/2836-22-0x0000000012E50000-0x0000000012E70000-memory.dmp

memory/2836-23-0x00000000020D0000-0x00000000020F0000-memory.dmp

memory/2836-24-0x0000000012E50000-0x0000000012E70000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-11-13 12:44

Reported

2024-11-13 13:14

Platform

win10v2004-20241007-en

Max time kernel

1799s

Max time network

1800s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3784 set thread context of 2540 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe C:\Windows\explorer.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
NL 51.15.58.224:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 224.58.15.51.in-addr.arpa udp
US 8.8.8.8:53 10.53.154.104.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 26.73.42.20.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/2540-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2540-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2540-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2540-8-0x0000000000E10000-0x0000000000E30000-memory.dmp

memory/2540-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2540-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2540-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2540-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2540-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2540-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2540-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2540-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2540-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2540-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2540-16-0x0000000000E30000-0x0000000000E50000-memory.dmp

memory/2540-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2540-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2540-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2540-22-0x0000000002870000-0x0000000002890000-memory.dmp

memory/2540-21-0x0000000002850000-0x0000000002870000-memory.dmp

memory/2540-23-0x0000000002850000-0x0000000002870000-memory.dmp

memory/2540-24-0x0000000002870000-0x0000000002890000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-11-13 12:44

Reported

2024-11-13 13:14

Platform

win11-20241007-en

Max time kernel

1799s

Max time network

1800s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 580 set thread context of 2336 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe C:\Windows\explorer.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
DE 51.89.23.91:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/2336-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2336-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2336-8-0x0000000000AA0000-0x0000000000AC0000-memory.dmp

memory/2336-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2336-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2336-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2336-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2336-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2336-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2336-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2336-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2336-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2336-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2336-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2336-16-0x0000000000B50000-0x0000000000B70000-memory.dmp

memory/2336-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2336-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2336-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2336-21-0x0000000000BC0000-0x0000000000BE0000-memory.dmp

memory/2336-22-0x0000000000BE0000-0x0000000000C00000-memory.dmp

memory/2336-23-0x0000000000BC0000-0x0000000000BE0000-memory.dmp

memory/2336-24-0x0000000000BE0000-0x0000000000C00000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-11-13 12:44

Reported

2024-11-13 13:14

Platform

win7-20241010-en

Max time kernel

265s

Max time network

1799s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1064 set thread context of 2720 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe C:\Windows\explorer.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
NL 51.15.65.182:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/2720-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2720-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2720-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2720-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2720-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2720-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2720-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2720-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2720-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2720-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2720-8-0x0000000000330000-0x0000000000350000-memory.dmp

memory/2720-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2720-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2720-15-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2720-17-0x0000000002300000-0x0000000002320000-memory.dmp

memory/2720-16-0x0000000001FD0000-0x0000000001FF0000-memory.dmp

memory/2720-19-0x0000000002300000-0x0000000002320000-memory.dmp

memory/2720-18-0x0000000001FD0000-0x0000000001FF0000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-11-13 12:44

Reported

2024-11-13 13:14

Platform

win10v2004-20241007-en

Max time kernel

1799s

Max time network

1800s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3148 set thread context of 4960 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe C:\Windows\explorer.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
FR 212.47.253.124:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 124.253.47.212.in-addr.arpa udp
US 8.8.8.8:53 10.53.154.104.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 26.73.42.20.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/4960-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4960-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4960-8-0x0000000000DA0000-0x0000000000DC0000-memory.dmp

memory/4960-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4960-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4960-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4960-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4960-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4960-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4960-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4960-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4960-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4960-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4960-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4960-16-0x0000000000E50000-0x0000000000E70000-memory.dmp

memory/4960-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4960-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4960-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/4960-22-0x00000000134E0000-0x0000000013500000-memory.dmp

memory/4960-21-0x00000000132B0000-0x00000000132D0000-memory.dmp

memory/4960-24-0x00000000134E0000-0x0000000013500000-memory.dmp

memory/4960-23-0x00000000132B0000-0x00000000132D0000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-11-13 12:44

Reported

2024-11-13 13:14

Platform

win10ltsc2021-20241023-en

Max time kernel

1798s

Max time network

1799s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3912 set thread context of 2720 N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe C:\Windows\explorer.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe

"C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
FR 51.15.193.130:10300 xmr-eu1.nanopool.org tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 130.193.15.51.in-addr.arpa udp
US 8.8.8.8:53 10.53.154.104.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 8.8.8.8:53 123.10.44.20.in-addr.arpa udp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp
US 104.154.53.10:80 104.154.53.10 tcp

Files

memory/2720-2-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2720-1-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2720-4-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2720-8-0x0000000000A10000-0x0000000000A30000-memory.dmp

memory/2720-6-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2720-5-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2720-3-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2720-7-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2720-12-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2720-11-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2720-10-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2720-9-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2720-13-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2720-14-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2720-16-0x00000000022F0000-0x0000000002310000-memory.dmp

memory/2720-17-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2720-19-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2720-18-0x0000000140000000-0x0000000140835000-memory.dmp

memory/2720-21-0x0000000012F20000-0x0000000012F40000-memory.dmp

memory/2720-22-0x0000000013150000-0x0000000013170000-memory.dmp

memory/2720-23-0x0000000012F20000-0x0000000012F40000-memory.dmp

memory/2720-24-0x0000000013150000-0x0000000013170000-memory.dmp