Analysis Overview
SHA256
cedef524b310863d014742266add69204464f9ef7b5daac8b8253160195bc66b
Threat Level: Known bad
The file Triage.zip was found to be: Known bad.
Malicious Activity Summary
Xmrig family
xmrig
XMRig Miner payload
Suspicious use of SetThreadContext
UPX packed file
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: LoadsDriver
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-11-16 18:06
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(5 identical rows, all N/A)
Analysis: behavioral8
Detonation Overview
Submitted
2024-11-16 18:06
Reported
2024-11-16 18:37
Platform
win10ltsc2021-20241023-en
Max time kernel
1799s
Max time network
1800s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(11 identical rows, all N/A)
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 396 set thread context of 2164 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(16 identical rows, all N/A)
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 396 wrote to memory of 2164 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 396 wrote to memory of 2164 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 396 wrote to memory of 2164 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 396 wrote to memory of 2164 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 396 wrote to memory of 2164 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| PL | 54.37.137.114:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 114.137.37.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.53.154.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 26.73.42.20.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/2164-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2164-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2164-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2164-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2164-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2164-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2164-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2164-8-0x0000000000840000-0x0000000000860000-memory.dmp
memory/2164-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2164-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2164-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2164-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2164-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2164-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2164-16-0x0000000000860000-0x0000000000880000-memory.dmp
memory/2164-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2164-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2164-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2164-22-0x0000000000D40000-0x0000000000D60000-memory.dmp
memory/2164-21-0x0000000000D20000-0x0000000000D40000-memory.dmp
memory/2164-24-0x0000000000D40000-0x0000000000D60000-memory.dmp
memory/2164-23-0x0000000000D20000-0x0000000000D40000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2024-11-16 18:06
Reported
2024-11-16 18:37
Platform
win10v2004-20241007-en
Max time kernel
1800s
Max time network
1797s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(11 identical rows, all N/A)
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1584 set thread context of 3976 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(16 identical rows, all N/A)
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1584 wrote to memory of 3976 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 1584 wrote to memory of 3976 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 1584 wrote to memory of 3976 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 1584 wrote to memory of 3976 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 1584 wrote to memory of 3976 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| FR | 146.59.154.106:10300 | xmr-eu1.nanopool.org | tcp |
| US | 8.8.8.8:53 | 106.154.59.146.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 10.53.154.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 182.129.81.91.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 26.73.42.20.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/3976-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3976-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3976-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3976-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3976-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3976-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3976-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3976-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3976-8-0x00000000010B0000-0x00000000010D0000-memory.dmp
memory/3976-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3976-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3976-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3976-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3976-16-0x00000000010E0000-0x0000000001100000-memory.dmp
memory/3976-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3976-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3976-22-0x0000000013700000-0x0000000013720000-memory.dmp
memory/3976-21-0x0000000002900000-0x0000000002920000-memory.dmp
memory/3976-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3976-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3976-23-0x0000000002900000-0x0000000002920000-memory.dmp
memory/3976-24-0x0000000013700000-0x0000000013720000-memory.dmp
Analysis: behavioral24
Detonation Overview
Submitted
2024-11-16 18:06
Reported
2024-11-16 18:37
Platform
win11-20241007-en
Max time kernel
1800s
Max time network
1799s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(11 identical rows, all N/A)
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3124 set thread context of 4380 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(16 identical rows, all N/A)
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3124 wrote to memory of 4380 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 3124 wrote to memory of 4380 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 3124 wrote to memory of 4380 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 3124 wrote to memory of 4380 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 3124 wrote to memory of 4380 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| DE | 162.19.224.121:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 121.224.19.162.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/4380-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4380-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4380-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4380-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4380-8-0x0000000001240000-0x0000000001260000-memory.dmp
memory/4380-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4380-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4380-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4380-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4380-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4380-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4380-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4380-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4380-15-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4380-16-0x00000000012F0000-0x0000000001310000-memory.dmp
memory/4380-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4380-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4380-22-0x0000000013980000-0x00000000139A0000-memory.dmp
memory/4380-21-0x0000000013750000-0x0000000013770000-memory.dmp
memory/4380-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4380-23-0x0000000013750000-0x0000000013770000-memory.dmp
memory/4380-24-0x0000000013980000-0x00000000139A0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-16 18:06
Reported
2024-11-16 18:37
Platform
win10v2004-20241007-en
Max time kernel
1799s
Max time network
1798s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(12 identical rows, all N/A)
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2556 set thread context of 4024 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(17 identical rows, all N/A)
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2556 wrote to memory of 4024 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 2556 wrote to memory of 4024 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 2556 wrote to memory of 4024 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 2556 wrote to memory of 4024 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 2556 wrote to memory of 4024 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| FR | 146.59.154.106:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 106.154.59.146.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.53.154.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 131.72.42.20.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/4024-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4024-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4024-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4024-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4024-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4024-8-0x0000000000C10000-0x0000000000C30000-memory.dmp
memory/4024-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4024-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4024-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4024-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4024-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4024-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4024-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4024-16-0x0000000000C50000-0x0000000000C70000-memory.dmp
memory/4024-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4024-15-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4024-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4024-20-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4024-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4024-22-0x0000000013360000-0x0000000013380000-memory.dmp
memory/4024-21-0x0000000013130000-0x0000000013150000-memory.dmp
memory/4024-24-0x0000000013360000-0x0000000013380000-memory.dmp
memory/4024-23-0x0000000013130000-0x0000000013150000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-16 18:06
Reported
2024-11-16 18:37
Platform
win11-20241007-en
Max time kernel
1799s
Max time network
1797s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(11 identical rows, all N/A)
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4180 set thread context of 4548 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(16 identical rows, all N/A)
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4180 wrote to memory of 4548 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 4180 wrote to memory of 4548 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 4180 wrote to memory of 4548 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 4180 wrote to memory of 4548 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 4180 wrote to memory of 4548 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| FR | 141.94.23.83:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/4548-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4548-8-0x0000000001240000-0x0000000001260000-memory.dmp
memory/4548-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4548-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4548-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4548-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4548-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4548-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4548-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4548-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4548-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4548-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4548-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4548-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4548-16-0x0000000001270000-0x0000000001290000-memory.dmp
memory/4548-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4548-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4548-22-0x0000000013980000-0x00000000139A0000-memory.dmp
memory/4548-21-0x0000000013750000-0x0000000013770000-memory.dmp
memory/4548-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4548-23-0x0000000013750000-0x0000000013770000-memory.dmp
memory/4548-24-0x0000000013980000-0x00000000139A0000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-11-16 18:06
Reported
2024-11-16 18:37
Platform
win7-20240903-en
Max time kernel
1800s
Max time network
1799s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(9 identical rows, all N/A)
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1732 set thread context of 1852 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(14 identical rows, all N/A)
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1732 wrote to memory of 1852 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 1732 wrote to memory of 1852 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 1732 wrote to memory of 1852 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 1732 wrote to memory of 1852 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 1732 wrote to memory of 1852 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
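The SetThreadContext and WriteProcessMemory rows above are the hollowing sequence in order: Test.exe, running from the user's Temp directory, starts explorer.exe, writes into it five times, then resets the target thread's context so execution begins in the image it wrote. The two SeLockMemoryPrivilege rows belong to the now-hijacked explorer.exe; XMRig requests that privilege to allocate huge pages, so the token adjustment is the miner initialising, not explorer behaviour. The Python below is an added example, not part of the report or of any tool the page describes. It parses rows in the report's table format into one finding per (source PID, target PID) pair; the user-writable and system directory lists and the verdict rule are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the SetThreadContext, AdjustPrivilegeToken and
# WriteProcessMemory rows of the win7 run (behavioral5), as the report renders them.
SAMPLE_ROWS = r"""
| PID 1732 set thread context of 1852 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| PID 1732 wrote to memory of 1852 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 1732 wrote to memory of 1852 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 1732 wrote to memory of 1852 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 1732 wrote to memory of 1852 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 1732 wrote to memory of 1852 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
"""

WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+)")
TOKEN_RE = re.compile(r"Token: (\w+)")

# Assumed path rules for the verdict: an image under a user-writable directory
# writing into, then redirecting a thread of, a binary under C:\Windows.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")
SYSTEM_DIRS = ("c:\\windows\\",)


def parse_rows(text):
    """Split '| a | b | c | d |' lines into four-cell lists; skip anything else."""
    rows = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 4:
            rows.append(cells)
    return rows


def analyse_injection(text):
    """Group write / set-context events by (source PID, target PID) and
    return one finding per pair, with the privileges the target later enabled."""
    pairs = defaultdict(lambda: {"writes": 0, "set_context": 0, "src": "", "dst": ""})
    privileges = defaultdict(set)  # lower-cased image path -> privileges enabled
    for desc, _indicator, proc, target in parse_rows(text):
        if m := WRITE_RE.search(desc):
            p = pairs[(int(m.group(1)), int(m.group(2)))]
            p["writes"] += 1
            p["src"], p["dst"] = proc, target
        elif m := CTX_RE.search(desc):
            p = pairs[(int(m.group(1)), int(m.group(2)))]
            p["set_context"] += 1
            p["src"], p["dst"] = proc, target
        elif m := TOKEN_RE.search(desc):
            privileges[proc.lower()].add(m.group(1))

    findings = []
    for (src_pid, dst_pid), p in sorted(pairs.items()):
        src, dst = p["src"].lower(), p["dst"].lower()
        # Hollowing shape: at least one remote write plus a thread-context reset,
        # from a user-writable location into a Windows system binary.
        hollowing = (
            p["writes"] >= 1
            and p["set_context"] >= 1
            and any(d in src for d in USER_WRITABLE)
            and dst.startswith(SYSTEM_DIRS)
        )
        findings.append({
            "source_pid": src_pid,
            "target_pid": dst_pid,
            "writes": p["writes"],
            "set_context": p["set_context"],
            "target_privileges": sorted(privileges.get(dst, ())),
            "verdict": "process hollowing" if hollowing else "inconclusive",
        })
    return findings


if __name__ == "__main__":
    for finding in analyse_injection(SAMPLE_ROWS):
        print(finding)
```

The same rows, fed from any of the other runs on this page, give the identical shape with different PIDs, which is the point: the verdict keys on the write-then-SetThreadContext pair and the source/target locations, not on the PIDs or on the number of writes.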
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto | Count (consecutive identical rows) |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp | 1 |
| FR | 141.94.23.83:10300 | xmr-eu1.nanopool.org | tcp | 1 |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp | 30 |
Files
memory/1852-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1852-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1852-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1852-8-0x00000000001B0000-0x00000000001D0000-memory.dmp
memory/1852-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1852-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1852-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1852-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1852-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1852-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1852-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1852-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1852-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1852-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1852-15-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1852-17-0x0000000001C00000-0x0000000001C20000-memory.dmp
memory/1852-16-0x0000000001B60000-0x0000000001B80000-memory.dmp
memory/1852-19-0x0000000001C00000-0x0000000001C20000-memory.dmp
memory/1852-18-0x0000000001B60000-0x0000000001B80000-memory.dmp
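Every run on this page, Windows 7 through Windows 11, lists the same 0x140000000 to 0x140835000 range inside the explorer.exe PID, plus a handful of 0x20000-byte regions. 0x140000000 is the linker's default image base for 64-bit executables; explorer.exe's own image is relocated by ASLR, so an image-sized region at the default base inside it is the manually mapped payload, and the fact that the range does not move across OS versions confirms it is the sample's, not a system module. That is the dump to carve for the unpacked miner. The Python below is an added example rather than part of the report: it parses the dump names, collapses repeated dumps of one range into a single region, and flags a default-base region in a system process. The PID-to-image map is taken from the Processes list above and supplied by hand; the path rule is this example's assumption.

```python
import re
from collections import defaultdict

DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")
DEFAULT_X64_EXE_BASE = 0x140000000  # MSVC linker default for 64-bit executables

# Constructed sample: a subset of the behavioral5 dump names above, in report order.
SAMPLE_DUMPS = """
memory/1852-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1852-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1852-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1852-8-0x00000000001B0000-0x00000000001D0000-memory.dmp
memory/1852-17-0x0000000001C00000-0x0000000001C20000-memory.dmp
memory/1852-16-0x0000000001B60000-0x0000000001B80000-memory.dmp
"""
# Assumed mapping, read off the Processes list: PID 1852 is the explorer.exe child.
SAMPLE_IMAGES = {1852: r"C:\Windows\explorer.exe"}


def parse_dumps(text):
    """Yield (pid, seq, start, end) for each dump name; unparseable tokens are skipped."""
    for token in text.split():
        m = DUMP_RE.fullmatch(token)
        if m:
            pid, seq, start, end = m.groups()
            yield int(pid), int(seq), int(start, 16), int(end, 16)


def summarise_regions(text, images):
    """One entry per distinct (pid, start, end) range, with the dump sequence
    numbers that captured it and a flag for default-base images in system processes."""
    regions = defaultdict(dict)  # pid -> {(start, end): [seq, ...]}
    for pid, seq, start, end in parse_dumps(text):
        regions[pid].setdefault((start, end), []).append(seq)

    out = []
    for pid, ranges in regions.items():
        image = images.get(pid, "")
        for (start, end), seqs in sorted(ranges.items()):
            # The loader never puts a system binary's own image at the default
            # base under ASLR, so a region there was mapped by someone else.
            flagged = (
                start == DEFAULT_X64_EXE_BASE
                and image.lower().startswith("c:\\windows\\")
            )
            out.append({
                "pid": pid,
                "image": image,
                "start": f"0x{start:X}",
                "size": end - start,
                "dumps": sorted(seqs),
                "candidate_payload": flagged,
            })
    return out


if __name__ == "__main__":
    for region in summarise_regions(SAMPLE_DUMPS, SAMPLE_IMAGES):
        print(region)
```

The flagged region is 0x835000 bytes (about 8.2 MiB), dumped three times in this run (sequence numbers 1, 2 and 3); any one of those dumps is the candidate PE. The 0x20000-byte regions are small heap or stack allocations and are not worth carving on their own.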
Analysis: behavioral12
Detonation Overview
Submitted
2024-11-16 18:06
Reported
2024-11-16 18:37
Platform
win10v2004-20241007-en
Max time kernel
1799s
Max time network
1800s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
11 matches, no per-match details recorded in the report.
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3488 set thread context of 4064 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
UPX packed file
16 matches, no per-match details recorded in the report.
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3488 wrote to memory of 4064 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 3488 wrote to memory of 4064 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 3488 wrote to memory of 4064 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 3488 wrote to memory of 4064 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 3488 wrote to memory of 4064 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto | Count (consecutive identical rows) |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 85.49.80.91.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp | 1 |
| PL | 54.37.232.103:10300 | xmr-eu1.nanopool.org | tcp | 1 |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp | 1 |
| US | 8.8.8.8:53 | 103.232.37.54.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 10.53.154.104.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 134.130.81.91.in-addr.arpa | udp | 1 |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp | 1 |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp | 1 |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp | 4 |
| US | 8.8.8.8:53 | 85.65.42.20.in-addr.arpa | udp | 1 |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp | 24 |
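The network table above mixes three kinds of rows: the sample's own traffic (the xmr-eu1.nanopool.org lookup, the stratum connection to port 10300 and the repeated port-80 connections to 104.154.53.10), reverse (PTR) lookups for addresses that were seen (10.53.154.104.in-addr.arpa is the reverse name of 104.154.53.10 and 103.232.37.54.in-addr.arpa that of the pool node), and, in some runs, Windows telemetry. An indicator list should carry only the first kind, with counts. The Python below is an added example, not part of the report: it splits those apart and resolves each PTR name back to the address it describes, so reverse lookups of hosts the sample already contacted are not mistaken for extra infrastructure. The telemetry allow-list and the pool-domain heuristic are assumptions for the example.

```python
from collections import Counter

# Constructed sample: a subset of the behavioral12 and behavioral16 rows above,
# in report order.
SAMPLE_NETWORK = """
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| PL | 54.37.232.103:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 103.232.37.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.53.154.104.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| IE | 20.223.35.26:443 | fd.api.iris.microsoft.com | tcp |
"""

BACKGROUND_DOMAINS = {"fd.api.iris.microsoft.com"}  # assumed OS-telemetry allow-list
POOL_DOMAIN_HINTS = ("nanopool.org",)               # assumed: the pool this report names
PTR_SUFFIX = ".in-addr.arpa"


def ptr_to_ip(name):
    """'10.53.154.104.in-addr.arpa' -> '104.154.53.10' (PTR labels are reversed octets)."""
    octets = name[: -len(PTR_SUFFIX)].split(".")
    return ".".join(reversed(octets))


def parse_rows(text):
    """Split '| a | b | c | d |' lines into four-cell lists; skip anything else."""
    rows = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 4:
            rows.append(cells)
    return rows


def extract_iocs(text):
    """Separate pool traffic, other connections, DNS queries and PTR lookups,
    each with a count, and note which PTR lookups merely mirror a connection."""
    dns_queries, ptr_lookups, conns = Counter(), Counter(), Counter()
    for country, dest, domain, proto in parse_rows(text):
        host, _, port = dest.rpartition(":")
        port = int(port)
        if proto == "udp" and port == 53:
            if domain.endswith(PTR_SUFFIX):
                ptr_lookups[ptr_to_ip(domain)] += 1
            elif domain not in BACKGROUND_DOMAINS:
                dns_queries[domain] += 1
            continue
        if domain in BACKGROUND_DOMAINS:
            continue
        conns[(domain, host, port, proto, country)] += 1

    def is_pool(domain):
        return any(hint in domain for hint in POOL_DOMAIN_HINTS)

    def rows(keep):
        return [
            {"domain": d, "ip": h, "port": p, "proto": pr, "country": c, "count": n}
            for (d, h, p, pr, c), n in conns.items() if keep(d)
        ]

    connected_ips = {h for (_, h, _, _, _) in conns}
    return {
        "pool": rows(is_pool),
        "other": rows(lambda d: not is_pool(d)),
        "dns_queries": dict(dns_queries),
        "ptr_lookups": dict(ptr_lookups),
        # reverse lookups naming an address the sample itself connected to are
        # derived from that connection, not a separate contact point
        "ptr_of_connected_ips": sorted(connected_ips & set(ptr_lookups)),
    }


if __name__ == "__main__":
    for section, value in extract_iocs(SAMPLE_NETWORK).items():
        print(section, value)
```

The remaining question the table cannot answer is what the 30 port-80 connections to 104.154.53.10 carry; the report gives no request data, so that address stays in the "other" bucket as an observed contact rather than being labelled a pool or a download host.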
Files
memory/4064-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4064-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4064-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4064-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4064-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4064-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4064-8-0x0000000002E10000-0x0000000002E30000-memory.dmp
memory/4064-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4064-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4064-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4064-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4064-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4064-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4064-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4064-16-0x0000000002FC0000-0x0000000002FE0000-memory.dmp
memory/4064-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4064-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4064-21-0x0000000013A70000-0x0000000013A90000-memory.dmp
memory/4064-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4064-22-0x0000000013CA0000-0x0000000013CC0000-memory.dmp
memory/4064-23-0x0000000013A70000-0x0000000013A90000-memory.dmp
memory/4064-24-0x0000000013CA0000-0x0000000013CC0000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-11-16 18:06
Reported
2024-11-16 18:37
Platform
win11-20241007-en
Max time kernel
1799s
Max time network
1809s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
11 matches, no per-match details recorded in the report.
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4980 set thread context of 900 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
UPX packed file
16 matches, no per-match details recorded in the report.
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4980 wrote to memory of 900 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 4980 wrote to memory of 900 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 4980 wrote to memory of 900 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 4980 wrote to memory of 900 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 4980 wrote to memory of 900 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto | Count (consecutive identical rows) |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp | 1 |
| NL | 51.15.58.224:10300 | xmr-eu1.nanopool.org | tcp | 1 |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp | 3 |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp | 1 |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp | 27 |
Files
memory/900-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/900-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/900-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/900-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/900-8-0x0000000000B50000-0x0000000000B70000-memory.dmp
memory/900-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/900-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/900-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/900-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/900-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/900-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/900-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/900-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/900-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/900-16-0x0000000000B90000-0x0000000000BB0000-memory.dmp
memory/900-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/900-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/900-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/900-21-0x0000000002810000-0x0000000002830000-memory.dmp
memory/900-22-0x0000000002830000-0x0000000002850000-memory.dmp
memory/900-23-0x0000000002810000-0x0000000002830000-memory.dmp
memory/900-24-0x0000000002830000-0x0000000002850000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-11-16 18:06
Reported
2024-11-16 18:37
Platform
win10ltsc2021-20241023-en
Max time kernel
1800s
Max time network
1798s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
11 matches, no per-match details recorded in the report.
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1028 set thread context of 2180 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
UPX packed file
16 matches, no per-match details recorded in the report.
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1028 wrote to memory of 2180 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 1028 wrote to memory of 2180 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 1028 wrote to memory of 2180 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 1028 wrote to memory of 2180 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 1028 wrote to memory of 2180 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto | Count (consecutive identical rows) |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp | 1 |
| DE | 51.89.23.91:10300 | xmr-eu1.nanopool.org | tcp | 1 |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp | 1 |
| US | 8.8.8.8:53 | 91.23.89.51.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 10.53.154.104.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | fd.api.iris.microsoft.com | udp | 1 |
| IE | 20.223.35.26:443 | fd.api.iris.microsoft.com | tcp | 1 |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp | 1 |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp | 1 |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp | 1 |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp | 3 |
| US | 8.8.8.8:53 | 26.73.42.20.in-addr.arpa | udp | 1 |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp | 25 |
Files
memory/2180-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2180-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2180-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2180-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2180-8-0x00000000013A0000-0x00000000013C0000-memory.dmp
memory/2180-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2180-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2180-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2180-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2180-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2180-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2180-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2180-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2180-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2180-16-0x00000000013D0000-0x00000000013F0000-memory.dmp
memory/2180-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2180-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2180-22-0x00000000139E0000-0x0000000013A00000-memory.dmp
memory/2180-21-0x00000000137B0000-0x00000000137D0000-memory.dmp
memory/2180-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2180-23-0x00000000137B0000-0x00000000137D0000-memory.dmp
memory/2180-24-0x00000000139E0000-0x0000000013A00000-memory.dmp
Analysis: behavioral20
Detonation Overview
Submitted
2024-11-16 18:06
Reported
2024-11-16 18:37
Platform
win7-20241010-en
Max time kernel
252s
Max time network
1799s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
8 matches, no per-match details recorded in the report.
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2580 set thread context of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
UPX packed file
13 matches, no per-match details recorded in the report.
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2580 wrote to memory of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 2580 wrote to memory of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 2580 wrote to memory of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 2580 wrote to memory of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 2580 wrote to memory of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto | Count (consecutive identical rows) |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp | 1 |
| FR | 51.15.193.130:10300 | xmr-eu1.nanopool.org | tcp | 1 |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp | 30 |
Files
memory/2780-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2780-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2780-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2780-8-0x00000000000B0000-0x00000000000D0000-memory.dmp
memory/2780-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2780-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2780-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2780-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2780-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2780-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2780-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2780-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2780-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2780-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2780-17-0x00000000001F0000-0x0000000000210000-memory.dmp
memory/2780-16-0x0000000000110000-0x0000000000130000-memory.dmp
memory/2780-19-0x00000000001F0000-0x0000000000210000-memory.dmp
memory/2780-18-0x0000000000110000-0x0000000000130000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-11-16 18:06
Reported
2024-11-16 18:37
Platform
win11-20241023-en
Max time kernel
1800s
Max time network
1799s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
11 matches, no per-match details recorded in the report.
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 720 set thread context of 1920 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
UPX packed file
16 matches, no per-match details recorded in the report.
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 720 wrote to memory of 1920 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 720 wrote to memory of 1920 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 720 wrote to memory of 1920 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 720 wrote to memory of 1920 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 720 wrote to memory of 1920 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto | Count (consecutive identical rows) |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp | 1 |
| NL | 51.15.65.182:10300 | xmr-eu1.nanopool.org | tcp | 1 |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp | 30 |
Files
memory/1920-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1920-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1920-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1920-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1920-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1920-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1920-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1920-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1920-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1920-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1920-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1920-8-0x0000000000930000-0x0000000000950000-memory.dmp
memory/1920-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1920-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1920-16-0x0000000000960000-0x0000000000980000-memory.dmp
memory/1920-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1920-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1920-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1920-21-0x0000000012E40000-0x0000000012E60000-memory.dmp
memory/1920-22-0x0000000013070000-0x0000000013090000-memory.dmp
memory/1920-23-0x0000000012E40000-0x0000000012E60000-memory.dmp
memory/1920-24-0x0000000013070000-0x0000000013090000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2024-11-16 18:06
Reported
2024-11-16 18:37
Platform
win7-20240903-en
Max time kernel
282s
Max time network
1798s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2212 set thread context of 2432 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2212 wrote to memory of 2432 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 2212 wrote to memory of 2432 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 2212 wrote to memory of 2432 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 2212 wrote to memory of 2432 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 2212 wrote to memory of 2432 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| NL | 51.15.65.182:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/2432-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2432-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2432-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2432-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2432-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2432-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2432-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2432-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2432-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2432-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2432-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2432-8-0x00000000000B0000-0x00000000000D0000-memory.dmp
memory/2432-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2432-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2432-15-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2432-18-0x0000000000130000-0x0000000000150000-memory.dmp
memory/2432-17-0x0000000000110000-0x0000000000130000-memory.dmp
memory/2432-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2432-21-0x0000000000130000-0x0000000000150000-memory.dmp
memory/2432-20-0x0000000000110000-0x0000000000130000-memory.dmp
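The signature tables in each detonation record the same three-step pattern: Test*.exe writes into a second C:\Windows\explorer.exe instance (WriteProcessMemory), resets that process's thread context (SetThreadContext), and the hollowed explorer.exe then enables SeLockMemoryPrivilege, the privilege XMRig requests so it can back its RandomX dataset with large pages, before the run connects to xmr-eu1.nanopool.org on TCP port 10300 and makes repeated plain-HTTP connections to 104.154.53.10:80. The Files list also shows the same 0x140000000-0x140835000 region (0x835000 bytes, roughly 8.2 MiB) in every hollowed PID. As an added example, not part of the sandbox report and not Triage's own tooling, the Python below parses rows in the report's table format (the sample rows are constructed copies of the behavioral10 rows above), correlates the two injection signatures into a source/target PID chain, requires the SeLockMemoryPrivilege step in the hollowed Windows binary before calling it a hollowed miner, extracts the pool endpoint and HTTP peers from the network rows, and decodes the memory-dump file names into regions and sizes. The function names and the "Windows binary as target" rule are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample rows, copied from the behavioral10 detonation in the report above.
# In practice these would come from the sandbox's JSON export rather than pasted text.
SIGNATURES = """\
Suspicious use of SetThreadContext
| PID 2212 set thread context of 2432 | N/A | C:\\Users\\Admin\\AppData\\Local\\Temp\\Triage\\Test2.exe | C:\\Windows\\explorer.exe |
Suspicious use of AdjustPrivilegeToken
| Token: SeLockMemoryPrivilege | N/A | C:\\Windows\\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\\Windows\\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| PID 2212 wrote to memory of 2432 | N/A | C:\\Users\\Admin\\AppData\\Local\\Temp\\Triage\\Test2.exe | C:\\Windows\\explorer.exe |
| PID 2212 wrote to memory of 2432 | N/A | C:\\Users\\Admin\\AppData\\Local\\Temp\\Triage\\Test2.exe | C:\\Windows\\explorer.exe |
"""

NETWORK = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| NL | 51.15.65.182:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
"""

DUMPS = [
    "memory/2432-1-0x0000000140000000-0x0000000140835000-memory.dmp",
    "memory/2432-8-0x00000000000B0000-0x00000000000D0000-memory.dmp",
]

PID_PAIR = re.compile(r"PID (\d+) (?:set thread context of|wrote to memory of) (\d+)")


def parse_signatures(text):
    """Group '| desc | indicator | process | target |' rows under the signature heading above them."""
    groups, current = defaultdict(list), None
    for line in text.splitlines():
        if not line.startswith("|"):
            current = line.strip()
            continue
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 4 and cells[0] != "Description":
            groups[current].append(dict(zip(("desc", "indicator", "process", "target"), cells)))
    return groups


def injection_chains(groups):
    """(source pid, target pid) pairs that show BOTH a remote write and a thread-context change."""
    def pairs(name):
        out = {}
        for row in groups.get(name, []):
            m = PID_PAIR.search(row["desc"])
            if m:
                out[(int(m.group(1)), int(m.group(2)))] = (row["process"], row["target"])
        return out
    writes = pairs("Suspicious use of WriteProcessMemory")
    ctx = pairs("Suspicious use of SetThreadContext")
    return {k: writes[k] for k in writes.keys() & ctx.keys()}


def hollowed_miner_verdict(groups):
    """Hollowing chain into a Windows binary that then enables SeLockMemoryPrivilege (large pages).
    The privilege step is the assumed rule that separates a miner from a debugger doing the first two."""
    lock_mem = {r["process"] for r in groups.get("Suspicious use of AdjustPrivilegeToken", [])
                if "SeLockMemoryPrivilege" in r["desc"]}
    return [(src, dst, img, tgt) for (src, dst), (img, tgt) in injection_chains(groups).items()
            if tgt.lower().startswith("c:\\windows\\") and tgt in lock_mem]


def parse_network(text):
    """Split network rows into DNS lookups, resolved non-HTTP TCP endpoints (the pool) and plain-HTTP peers."""
    dns, pool, http = set(), set(), set()
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or ":" not in cells[1]:
            continue  # header row or malformed line
        _, dest, domain, proto = cells
        host, port = dest.rsplit(":", 1)
        if proto == "udp" and port == "53":
            dns.add(domain)
        elif proto == "tcp" and port == "80":
            http.add(host)
        elif proto == "tcp" and domain != host:
            pool.add((domain, host, int(port)))
    return {"dns": dns, "pool": pool, "http": http}


def parse_dumps(names):
    """Decode memory/<pid>-<n>-<start>-<end>-memory.dmp into (pid, n, start, size)."""
    pat = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")
    out = []
    for name in names:
        m = pat.fullmatch(name)
        pid, idx, start, end = int(m.group(1)), int(m.group(2)), int(m.group(3), 16), int(m.group(4), 16)
        out.append((pid, idx, start, end - start))
    return out


if __name__ == "__main__":
    groups = parse_signatures(SIGNATURES)
    print("hollowed miner:", hollowed_miner_verdict(groups))
    print("network:", parse_network(NETWORK))
    print("dumps:", [(p, i, hex(s), hex(sz)) for p, i, s, sz in parse_dumps(DUMPS)])
```

Run stand-alone it prints the chain 2212 -> 2432 (Test2.exe into explorer.exe), the pool endpoint (xmr-eu1.nanopool.org, 51.15.65.182, 10300), the HTTP peer 104.154.53.10 and two decoded regions, the first of them 0x835000 bytes long. The WriteProcessMemory/SetThreadContext pair alone also fires for debuggers and some installers; requiring the privilege step in the hollowed process, and ideally a resolved TCP connection to a known mining pool on a non-standard port, is what makes the verdict specific to this sample family. The report's own rows leave the 104.154.53.10:80 traffic unexplained, so the example only reports it as an IOC and does not label it.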
Analysis: behavioral11
Detonation Overview
Submitted
2024-11-16 18:06
Reported
2024-11-16 18:37
Platform
win10ltsc2021-20241023-en
Max time kernel
1800s
Max time network
1798s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4528 set thread context of 4876 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4528 wrote to memory of 4876 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 4528 wrote to memory of 4876 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 4528 wrote to memory of 4876 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 4528 wrote to memory of 4876 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 4528 wrote to memory of 4876 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 25.125.209.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| FR | 146.59.154.106:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 106.154.59.146.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.53.154.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 1.173.189.20.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/4876-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4876-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4876-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4876-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4876-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4876-8-0x0000000000AD0000-0x0000000000AF0000-memory.dmp
memory/4876-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4876-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4876-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4876-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4876-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4876-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4876-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4876-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4876-16-0x0000000000B10000-0x0000000000B30000-memory.dmp
memory/4876-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4876-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4876-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4876-22-0x00000000133F0000-0x0000000013410000-memory.dmp
memory/4876-21-0x00000000131C0000-0x00000000131E0000-memory.dmp
memory/4876-23-0x00000000131C0000-0x00000000131E0000-memory.dmp
memory/4876-24-0x00000000133F0000-0x0000000013410000-memory.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2024-11-16 18:06
Reported
2024-11-16 18:37
Platform
win11-20241007-en
Max time kernel
1799s
Max time network
1798s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1788 set thread context of 4636 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1788 wrote to memory of 4636 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 1788 wrote to memory of 4636 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 1788 wrote to memory of 4636 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 1788 wrote to memory of 4636 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 1788 wrote to memory of 4636 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| FR | 141.94.23.83:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/4636-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4636-8-0x00000000014A0000-0x00000000014C0000-memory.dmp
memory/4636-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4636-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4636-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4636-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4636-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4636-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4636-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4636-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4636-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4636-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4636-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4636-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4636-16-0x00000000014D0000-0x00000000014F0000-memory.dmp
memory/4636-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4636-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4636-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4636-22-0x00000000139A0000-0x00000000139C0000-memory.dmp
memory/4636-21-0x0000000013BD0000-0x0000000013BF0000-memory.dmp
memory/4636-23-0x0000000013BD0000-0x0000000013BF0000-memory.dmp
memory/4636-24-0x00000000139A0000-0x00000000139C0000-memory.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2024-11-16 18:06
Reported
2024-11-16 18:37
Platform
win10v2004-20241007-en
Max time kernel
1799s
Max time network
1799s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 112 set thread context of 400 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 112 wrote to memory of 400 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 112 wrote to memory of 400 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 112 wrote to memory of 400 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 112 wrote to memory of 400 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 112 wrote to memory of 400 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| PL | 54.37.232.103:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 103.232.37.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.53.154.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.49.80.91.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 14.179.89.13.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/400-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/400-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/400-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/400-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/400-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/400-8-0x0000000001250000-0x0000000001270000-memory.dmp
memory/400-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/400-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/400-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/400-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/400-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/400-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/400-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/400-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/400-16-0x0000000001280000-0x00000000012A0000-memory.dmp
memory/400-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/400-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/400-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/400-22-0x0000000013BB0000-0x0000000013BD0000-memory.dmp
memory/400-21-0x0000000013980000-0x00000000139A0000-memory.dmp
memory/400-24-0x0000000013BB0000-0x0000000013BD0000-memory.dmp
memory/400-23-0x0000000013980000-0x00000000139A0000-memory.dmp
Analysis: behavioral22
Detonation Overview
Submitted
2024-11-16 18:06
Reported
2024-11-16 18:37
Platform
win10v2004-20241007-en
Max time kernel
1799s
Max time network
1799s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3776 set thread context of 5088 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3776 wrote to memory of 5088 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 3776 wrote to memory of 5088 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 3776 wrote to memory of 5088 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 3776 wrote to memory of 5088 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 3776 wrote to memory of 5088 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| DE | 51.89.23.91:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 91.23.89.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.53.154.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.49.80.91.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 26.73.42.20.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/5088-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5088-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5088-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5088-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5088-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5088-8-0x0000000001240000-0x0000000001260000-memory.dmp
memory/5088-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5088-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5088-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5088-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5088-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5088-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5088-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5088-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5088-16-0x0000000001540000-0x0000000001560000-memory.dmp
memory/5088-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5088-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5088-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5088-22-0x0000000013C30000-0x0000000013C50000-memory.dmp
memory/5088-21-0x0000000013C50000-0x0000000013C70000-memory.dmp
memory/5088-23-0x0000000013C50000-0x0000000013C70000-memory.dmp
memory/5088-24-0x0000000013C30000-0x0000000013C50000-memory.dmp
Analysis: behavioral23
Detonation Overview
Submitted
2024-11-16 18:06
Reported
2024-11-16 18:37
Platform
win10ltsc2021-20241023-en
Max time kernel
1800s
Max time network
1798s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5796 set thread context of 3772 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5796 wrote to memory of 3772 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 5796 wrote to memory of 3772 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 5796 wrote to memory of 3772 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 5796 wrote to memory of 3772 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 5796 wrote to memory of 3772 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-11-16 18:06
Reported
2024-11-16 18:37
Platform
win10v2004-20241007-en
Max time kernel
1800s
Max time network
1797s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1844 set thread context of 1564 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
UPX packed file
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1844 wrote to memory of 1564 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 1844 wrote to memory of 1564 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 1844 wrote to memory of 1564 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 1844 wrote to memory of 1564 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 1844 wrote to memory of 1564 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-11-16 18:06
Reported
2024-11-16 18:37
Platform
win7-20241010-en
Max time kernel
1799s
Max time network
1797s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1824 set thread context of 2892 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
UPX packed file
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1824 wrote to memory of 2892 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 1824 wrote to memory of 2892 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 1824 wrote to memory of 2892 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 1824 wrote to memory of 2892 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 1824 wrote to memory of 2892 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-11-16 18:06
Reported
2024-11-16 18:37
Platform
win10ltsc2021-20241023-en
Max time kernel
1798s
Max time network
1799s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 232 set thread context of 2132 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
UPX packed file
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 232 wrote to memory of 2132 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 232 wrote to memory of 2132 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 232 wrote to memory of 2132 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 232 wrote to memory of 2132 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 232 wrote to memory of 2132 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-11-16 18:06
Reported
2024-11-16 18:37
Platform
win10ltsc2021-20241023-en
Max time kernel
1799s
Max time network
1800s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 796 set thread context of 196 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
UPX packed file
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 796 wrote to memory of 196 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 796 wrote to memory of 196 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 796 wrote to memory of 196 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 796 wrote to memory of 196 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 796 wrote to memory of 196 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-11-16 18:06
Reported
2024-11-16 18:37
Platform
win7-20240903-en
Max time kernel
1800s
Max time network
1799s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2708 set thread context of 2684 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
UPX packed file
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2708 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 2708 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 2708 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 2708 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 2708 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-16 18:06
Reported
2024-11-16 18:37
Platform
win10v2004-20241007-en
Max time kernel
1799s
Max time network
1798s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4888 set thread context of 2244 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4888 wrote to memory of 2244 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 4888 wrote to memory of 2244 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 4888 wrote to memory of 2244 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 4888 wrote to memory of 2244 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 4888 wrote to memory of 2244 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| FR | 51.15.193.130:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 10.53.154.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 130.193.15.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.130.81.91.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 131.72.42.20.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/2244-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2244-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2244-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2244-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2244-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2244-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2244-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2244-8-0x0000000002DC0000-0x0000000002DE0000-memory.dmp
memory/2244-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2244-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2244-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2244-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2244-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2244-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2244-16-0x0000000002F60000-0x0000000002F80000-memory.dmp
memory/2244-15-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2244-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2244-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2244-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2244-21-0x0000000013A10000-0x0000000013A30000-memory.dmp
memory/2244-22-0x0000000013C40000-0x0000000013C60000-memory.dmp
memory/2244-23-0x0000000013A10000-0x0000000013A30000-memory.dmp
memory/2244-24-0x0000000013C40000-0x0000000013C60000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-16 18:06
Reported
2024-11-16 18:37
Platform
win10ltsc2021-20241023-en
Max time kernel
1799s
Max time network
1799s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4812 set thread context of 4692 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4812 wrote to memory of 4692 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 4812 wrote to memory of 4692 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 4812 wrote to memory of 4692 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 4812 wrote to memory of 4692 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 4812 wrote to memory of 4692 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| PL | 54.37.137.114:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 114.137.37.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.53.154.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 131.72.42.20.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/4692-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4692-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4692-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4692-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4692-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4692-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4692-8-0x0000000000F90000-0x0000000000FB0000-memory.dmp
memory/4692-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4692-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4692-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4692-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4692-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4692-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4692-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4692-16-0x0000000000FD0000-0x0000000000FF0000-memory.dmp
memory/4692-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4692-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4692-20-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4692-21-0x00000000136B0000-0x00000000136D0000-memory.dmp
memory/4692-22-0x00000000138E0000-0x0000000013900000-memory.dmp
memory/4692-23-0x00000000136B0000-0x00000000136D0000-memory.dmp
memory/4692-24-0x00000000138E0000-0x0000000013900000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-11-16 18:06
Reported
2024-11-16 18:37
Platform
win7-20241010-en
Max time kernel
1800s
Max time network
1799s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2736 set thread context of 2340 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2736 wrote to memory of 2340 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 2736 wrote to memory of 2340 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 2736 wrote to memory of 2340 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 2736 wrote to memory of 2340 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 2736 wrote to memory of 2340 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| PL | 54.37.137.114:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/2340-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2340-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2340-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2340-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2340-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2340-8-0x0000000000140000-0x0000000000160000-memory.dmp
memory/2340-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2340-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2340-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2340-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2340-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2340-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2340-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2340-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2340-17-0x00000000001E0000-0x0000000000200000-memory.dmp
memory/2340-18-0x0000000000200000-0x0000000000220000-memory.dmp
memory/2340-15-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2340-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2340-20-0x00000000001E0000-0x0000000000200000-memory.dmp
memory/2340-21-0x0000000000200000-0x0000000000220000-memory.dmp