Analysis Overview
SHA256
75a6f01054a1c34616c534614aa6167bc125b80442f619204a49bcd33a569eac
Threat Level: Known bad
The file miner 2.5555.rar was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
Xmrig family
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious behavior: LoadsDriver
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-25 13:01
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xmrig family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-25 13:01
Reported
2024-05-25 13:19
Platform
win10v2004-20240508-en
Max time kernel
954s
Max time network
1046s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 5068 wrote to memory of 4768 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe |
| PID 5068 wrote to memory of 4768 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (2).cmd"
C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe
xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4168,i,13281073920029625837,8253721632651544158,262144 --variations-seed-version --mojo-platform-channel-handle=3984 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4016,i,13281073920029625837,8253721632651544158,262144 --variations-seed-version --mojo-platform-channel-handle=4028 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | xmr.2miners.com | udp |
| DE | 162.19.139.184:2222 | xmr.2miners.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 184.139.19.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.242.123.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
Files
memory/4768-0-0x000001C583F50000-0x000001C583F70000-memory.dmp
memory/4768-1-0x000001C585870000-0x000001C585890000-memory.dmp
memory/4768-2-0x000001C585890000-0x000001C5858B0000-memory.dmp
memory/4768-3-0x000001C5858B0000-0x000001C5858D0000-memory.dmp
memory/4768-4-0x000001C585890000-0x000001C5858B0000-memory.dmp
memory/4768-5-0x000001C5858B0000-0x000001C5858D0000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2024-05-25 13:01
Reported
2024-05-25 13:19
Platform
win11-20240426-en
Max time kernel
447s
Max time network
1042s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2528 wrote to memory of 3920 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe |
| PID 2528 wrote to memory of 3920 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (3).cmd"
C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe
xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | xmr.2miners.com | udp |
| DE | 162.19.139.184:2222 | xmr.2miners.com | tcp |
| US | 8.8.8.8:53 | 184.139.19.162.in-addr.arpa | udp |
Files
memory/3920-0-0x000002CE6DA40000-0x000002CE6DA60000-memory.dmp
memory/3920-1-0x000002CE6DB90000-0x000002CE6DBB0000-memory.dmp
memory/3920-3-0x000002CE6DBD0000-0x000002CE6DBF0000-memory.dmp
memory/3920-2-0x000002CE6DBB0000-0x000002CE6DBD0000-memory.dmp
memory/3920-5-0x000002CE6DBD0000-0x000002CE6DBF0000-memory.dmp
memory/3920-4-0x000002CE6DBB0000-0x000002CE6DBD0000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-05-25 13:01
Reported
2024-05-25 13:19
Platform
win10-20240404-en
Max time kernel
615s
Max time network
1050s
Command Line
Signatures
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4944 wrote to memory of 772 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe |
| PID 4944 wrote to memory of 772 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (3).cmd"
C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe
xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | xmr.2miners.com | udp |
| DE | 162.19.139.184:2222 | xmr.2miners.com | tcp |
| US | 8.8.8.8:53 | 184.139.19.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | N/A | tcp |
| US | 8.8.8.8:53 | 164.189.21.2.in-addr.arpa | udp |
Files
memory/772-0-0x000001EDB5160000-0x000001EDB5180000-memory.dmp
memory/772-1-0x000001EDB52C0000-0x000001EDB5300000-memory.dmp
memory/772-2-0x000001EE47760000-0x000001EE47780000-memory.dmp
memory/772-3-0x000001EE47990000-0x000001EE479B0000-memory.dmp
memory/772-5-0x000001EE47990000-0x000001EE479B0000-memory.dmp
memory/772-4-0x000001EE47760000-0x000001EE47780000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2024-05-25 13:01
Reported
2024-05-25 13:19
Platform
win10v2004-20240508-en
Max time kernel
1035s
Max time network
1044s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1496 wrote to memory of 4436 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe |
| PID 1496 wrote to memory of 4436 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy.cmd"
C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe
xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr.2miners.com | udp |
| DE | 162.19.139.184:2222 | xmr.2miners.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 184.139.19.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 52.111.229.48:443 | N/A | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.173.189.20.in-addr.arpa | udp |
| US | 138.91.171.81:80 | N/A | tcp |
| US | 8.8.8.8:53 | 164.189.21.2.in-addr.arpa | udp |
Files
memory/4436-0-0x0000021894D80000-0x0000021894DA0000-memory.dmp
memory/4436-1-0x0000021896780000-0x00000218967A0000-memory.dmp
memory/4436-3-0x00000218967C0000-0x00000218967E0000-memory.dmp
memory/4436-2-0x00000218967A0000-0x00000218967C0000-memory.dmp
memory/4436-5-0x00000218967C0000-0x00000218967E0000-memory.dmp
memory/4436-4-0x00000218967A0000-0x00000218967C0000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2024-05-25 13:01
Reported
2024-05-25 13:19
Platform
win7-20240508-en
Max time kernel
840s
Max time network
1042s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2548 wrote to memory of 2056 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe |
| PID 2548 wrote to memory of 2056 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe |
| PID 2548 wrote to memory of 2056 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy.cmd"
C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe
xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | xmr.2miners.com | udp |
| DE | 162.19.139.184:2222 | xmr.2miners.com | tcp |
Files
memory/2056-0-0x0000000000100000-0x0000000000120000-memory.dmp
memory/2056-2-0x00000000005D0000-0x00000000005F0000-memory.dmp
memory/2056-1-0x00000000005B0000-0x00000000005D0000-memory.dmp
memory/2056-4-0x00000000005D0000-0x00000000005F0000-memory.dmp
memory/2056-3-0x00000000005B0000-0x00000000005D0000-memory.dmp
Analysis: behavioral18
Detonation Overview
Submitted
2024-05-25 13:01
Reported
2024-05-25 13:19
Platform
win7-20240508-en
Max time kernel
837s
Max time network
1048s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2416 wrote to memory of 1964 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe |
| PID 2416 wrote to memory of 1964 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe |
| PID 2416 wrote to memory of 1964 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\pool_mine_example.cmd"
C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe
xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | xmr.2miners.com | udp |
| DE | 162.19.139.184:2222 | xmr.2miners.com | tcp |
Files
memory/1964-0-0x00000000000F0000-0x0000000000110000-memory.dmp
memory/1964-2-0x0000000002180000-0x00000000021A0000-memory.dmp
memory/1964-1-0x0000000002160000-0x0000000002180000-memory.dmp
memory/1964-4-0x0000000002180000-0x00000000021A0000-memory.dmp
memory/1964-3-0x0000000002160000-0x0000000002180000-memory.dmp
Analysis: behavioral20
Detonation Overview
Submitted
2024-05-25 13:01
Reported
2024-05-25 13:19
Platform
win11-20240508-en
Max time kernel
750s
Max time network
1047s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2384 wrote to memory of 3724 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe |
| PID 2384 wrote to memory of 3724 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\pool_mine_example.cmd"
C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe
xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | xmr.2miners.com | udp |
| DE | 162.19.139.184:2222 | xmr.2miners.com | tcp |
| US | 8.8.8.8:53 | 24.173.189.20.in-addr.arpa | udp |
Files
memory/3724-0-0x00000263FF890000-0x00000263FF8B0000-memory.dmp
memory/3724-1-0x00000263FF9E0000-0x00000263FFA00000-memory.dmp
memory/3724-3-0x00000263FFA40000-0x00000263FFA60000-memory.dmp
memory/3724-2-0x00000263FFA20000-0x00000263FFA40000-memory.dmp
memory/3724-5-0x00000263FFA40000-0x00000263FFA60000-memory.dmp
memory/3724-4-0x00000263FFA20000-0x00000263FFA40000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2024-05-25 13:01
Reported
2024-05-25 13:19
Platform
win10-20240404-en
Max time kernel
616s
Max time network
1045s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4904 wrote to memory of 3608 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe |
| PID 4904 wrote to memory of 3608 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\pool_mine_example.cmd"
C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe
xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | xmr.2miners.com | udp |
| DE | 162.19.139.184:2222 | xmr.2miners.com | tcp |
| US | 8.8.8.8:53 | 184.139.19.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 6.173.189.20.in-addr.arpa | udp |
| US | 138.91.171.81:80 | N/A | tcp |
| US | 8.8.8.8:53 | 164.189.21.2.in-addr.arpa | udp |
Files
memory/3608-0-0x00000281D09D0000-0x00000281D09F0000-memory.dmp
memory/3608-1-0x00000281D2410000-0x00000281D2430000-memory.dmp
memory/3608-3-0x00000281D2470000-0x00000281D2490000-memory.dmp
memory/3608-2-0x00000281D2450000-0x00000281D2470000-memory.dmp
memory/3608-4-0x00000281D2450000-0x00000281D2470000-memory.dmp
memory/3608-5-0x00000281D2470000-0x00000281D2490000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-25 13:01
Reported
2024-05-25 13:19
Platform
win7-20240508-en
Max time kernel
844s
Max time network
1049s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2180 wrote to memory of 2960 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe |
| PID 2180 wrote to memory of 2960 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe |
| PID 2180 wrote to memory of 2960 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (2).cmd"
C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe
xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | xmr.2miners.com | udp |
| DE | 162.19.139.184:2222 | xmr.2miners.com | tcp |
Files
memory/2960-0-0x00000000001F0000-0x0000000000210000-memory.dmp
memory/2960-2-0x0000000000500000-0x0000000000520000-memory.dmp
memory/2960-1-0x00000000004E0000-0x0000000000500000-memory.dmp
memory/2960-4-0x0000000000500000-0x0000000000520000-memory.dmp
memory/2960-3-0x00000000004E0000-0x0000000000500000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-05-25 13:01
Reported
2024-05-25 13:19
Platform
win11-20240508-en
Max time kernel
750s
Max time network
1052s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 412 wrote to memory of 4440 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe |
| PID 412 wrote to memory of 4440 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (2).cmd"
C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe
xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | xmr.2miners.com | udp |
| DE | 162.19.139.184:2222 | xmr.2miners.com | tcp |
| US | 8.8.8.8:53 | 184.139.19.162.in-addr.arpa | udp |
Files
memory/4440-0-0x000001E39E6A0000-0x000001E39E6C0000-memory.dmp
memory/4440-1-0x000001E4321E0000-0x000001E432200000-memory.dmp
memory/4440-3-0x000001E432850000-0x000001E432870000-memory.dmp
memory/4440-2-0x000001E432620000-0x000001E432640000-memory.dmp
memory/4440-4-0x000001E432620000-0x000001E432640000-memory.dmp
memory/4440-5-0x000001E432850000-0x000001E432870000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-05-25 13:01
Reported
2024-05-25 13:19
Platform
win10-20240404-en
Max time kernel
316s
Max time network
1038s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2272 wrote to memory of 3352 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe |
| PID 2272 wrote to memory of 3352 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (3).cmd"
C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe
xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | xmr.2miners.com | udp |
| DE | 162.19.139.184:2222 | xmr.2miners.com | tcp |
| US | 8.8.8.8:53 | 184.139.19.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
memory/3352-0-0x000001BABD900000-0x000001BABD920000-memory.dmp
memory/3352-1-0x000001BABD940000-0x000001BABD960000-memory.dmp
memory/3352-2-0x000001BABD960000-0x000001BABD980000-memory.dmp
memory/3352-3-0x000001BABD980000-0x000001BABD9A0000-memory.dmp
memory/3352-5-0x000001BABD980000-0x000001BABD9A0000-memory.dmp
memory/3352-4-0x000001BABD960000-0x000001BABD980000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-05-25 13:01
Reported
2024-05-25 13:19
Platform
win10v2004-20240226-en
Max time kernel
953s
Max time network
1056s
Command Line
Signatures
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4820 wrote to memory of 2036 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe |
| PID 4820 wrote to memory of 2036 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (3).cmd"
C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe
xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3740 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4000 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | xmr.2miners.com | udp |
| DE | 162.19.139.184:2222 | xmr.2miners.com | tcp |
| US | 8.8.8.8:53 | 184.139.19.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 13.107.253.64:443 | N/A | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 172.217.16.234:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 216.239.32.29:80 | pki.goog | tcp |
| US | 8.8.8.8:53 | 234.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.32.239.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 164.189.21.2.in-addr.arpa | udp |
Files
memory/2036-0-0x00000171EFA40000-0x00000171EFA60000-memory.dmp
memory/2036-1-0x0000017281BF0000-0x0000017281C10000-memory.dmp
memory/2036-3-0x0000017282270000-0x0000017282290000-memory.dmp
memory/2036-2-0x0000017282030000-0x0000017282050000-memory.dmp
memory/2036-5-0x0000017282270000-0x0000017282290000-memory.dmp
memory/2036-4-0x0000017282030000-0x0000017282050000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-05-25 13:01
Reported
2024-05-25 13:19
Platform
win10-20240404-en
Max time kernel
316s
Max time network
1043s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 600 wrote to memory of 4116 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe |
| PID 600 wrote to memory of 4116 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe |
Processes
| Process | Command line |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy.cmd" |
| C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe | xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr.2miners.com | udp |
| DE | 162.19.139.184:2222 | xmr.2miners.com | tcp |
| US | 8.8.8.8:53 | 184.139.19.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 169.117.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
memory/4116-0-0x000001A53EEF0000-0x000001A53EF10000-memory.dmp
memory/4116-1-0x000001A53EF40000-0x000001A53EF60000-memory.dmp
memory/4116-3-0x000001A540940000-0x000001A540960000-memory.dmp
memory/4116-2-0x000001A540920000-0x000001A540940000-memory.dmp
memory/4116-5-0x000001A540940000-0x000001A540960000-memory.dmp
memory/4116-4-0x000001A540920000-0x000001A540940000-memory.dmp
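Added example, not part of the sandbox report: a Python triage helper that pulls the mining IOCs out of the two process command lines recorded above (pool host and port, wallet, pool password, and the batch launcher that cmd.exe ran). The option spellings it recognises (-o/--url, -u/--user, -p/--pass, including the --url=... form) are XMRig's own; the wallet check is a format check only (base58 alphabet and length of a Monero address), not a checksum validation. The stratum+tcp://pool.example line in the test is a constructed input, not something observed in this detonation.

```python
"""Pull cryptominer IOCs out of process command lines captured in a sandbox run."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed input: the two process command lines recorded for one detonation above.
REPORT_CMDLINES = [
    r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy.cmd"',
    "xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x",
]

# Monero addresses use the Bitcoin base58 alphabet (no 0, O, I, l). A standard
# address is 95 chars starting with '4', a subaddress 95 chars starting with '8',
# an integrated address 106 chars starting with '4'. Shape check only, no checksum.
_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
_XMR_ADDR = re.compile(rf"^(?:[48][{_B58}]{{94}}|4[{_B58}]{{105}})$")

# XMRig's spelling of the pool, wallet and password options.
_FLAGS = {"-o": "url", "--url": "url", "-u": "wallet", "--user": "wallet",
          "-p": "password", "--pass": "password"}


def is_monero_address(s: str) -> bool:
    return bool(_XMR_ADDR.match(s))


def tokenize(cmdline: str) -> list:
    """Windows-style split: double-quoted spans stay whole, backslashes are literal."""
    return [t[1:-1] if t.startswith('"') and t.endswith('"') else t
            for t in re.findall(r'"[^"]*"|\S+', cmdline)]


@dataclass(frozen=True)
class MinerIOC:
    image: str
    pool_host: str
    pool_port: Optional[int]
    wallet: str
    password: Optional[str]
    wallet_looks_monero: bool


def launcher_script(cmdline: str) -> Optional[str]:
    """For `cmd.exe /c "<script>"` return the script path, else None."""
    toks = tokenize(cmdline)
    if len(toks) >= 3 and toks[0].lower().endswith("cmd.exe") and toks[1].lower() == "/c":
        return toks[2]
    return None


def extract_miner_ioc(cmdline: str) -> Optional[MinerIOC]:
    """Return the pool/wallet IOCs if the command line is a miner launch, else None."""
    toks = tokenize(cmdline)
    if not toks:
        return None
    opts = {}
    i = 1
    while i < len(toks):
        tok = toks[i]
        if tok.startswith("--") and "=" in tok:      # --url=host:port form
            tok, val = tok.split("=", 1)
            step = 1
        else:                                        # -o host:port form
            val = toks[i + 1] if i + 1 < len(toks) else None
            step = 2
        if tok in _FLAGS and val is not None:
            opts[_FLAGS[tok]] = val
            i += step
        else:
            i += 1
    if "url" not in opts or "wallet" not in opts:
        return None  # no pool + wallet pair: not a miner launch we can characterise
    url = re.sub(r"^[a-z+]+://", "", opts["url"])  # drop a stratum+tcp:// style scheme
    host, _, port = url.rpartition(":")
    if not host:
        host, port = url, ""
    return MinerIOC(
        image=toks[0],
        pool_host=host,
        pool_port=int(port) if port.isdigit() else None,
        wallet=opts["wallet"],
        password=opts.get("password"),
        wallet_looks_monero=is_monero_address(opts["wallet"]),
    )


if __name__ == "__main__":
    for line in REPORT_CMDLINES:
        print("launcher:", launcher_script(line))
        print("miner   :", extract_miner_ioc(line))
```

The wallet and pool it extracts are exactly the strings the report shows; on a real host the same two functions run over process-creation telemetry (Sysmon event 1 or EDR command-line fields) and the pool host and wallet become the IOCs to pivot on across the fleet.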
Analysis: behavioral14
Detonation Overview
Submitted
2024-05-25 13:01
Reported
2024-05-25 13:19
Platform
win10v2004-20240426-en
Max time kernel
456s
Max time network
1040s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4500 wrote to memory of 3260 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe |
| PID 4500 wrote to memory of 3260 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe |
Processes
| Process | Command line |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy.cmd" |
| C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe | xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr.2miners.com | udp |
| DE | 162.19.139.184:2222 | xmr.2miners.com | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 184.139.19.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.65.42.20.in-addr.arpa | udp |
Files
memory/3260-0-0x000001A4B7270000-0x000001A4B7290000-memory.dmp
memory/3260-1-0x000001A4B72C0000-0x000001A4B72E0000-memory.dmp
memory/3260-2-0x000001A4B72E0000-0x000001A4B7300000-memory.dmp
memory/3260-3-0x000001A4B7300000-0x000001A4B7320000-memory.dmp
memory/3260-4-0x000001A4B72E0000-0x000001A4B7300000-memory.dmp
memory/3260-5-0x000001A4B7300000-0x000001A4B7320000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2024-05-25 13:01
Reported
2024-05-25 13:19
Platform
win11-20240426-en
Max time kernel
453s
Max time network
1047s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4620 wrote to memory of 4396 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe |
| PID 4620 wrote to memory of 4396 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe |
Processes
| Process | Command line |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy.cmd" |
| C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe | xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr.2miners.com | udp |
| DE | 162.19.139.184:2222 | xmr.2miners.com | tcp |
Files
memory/4396-0-0x0000023706D20000-0x0000023706D40000-memory.dmp
memory/4396-1-0x00000237086E0000-0x0000023708700000-memory.dmp
memory/4396-2-0x0000023708700000-0x0000023708720000-memory.dmp
memory/4396-3-0x0000023708720000-0x0000023708740000-memory.dmp
memory/4396-5-0x0000023708720000-0x0000023708740000-memory.dmp
memory/4396-4-0x0000023708700000-0x0000023708720000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-25 13:01
Reported
2024-05-25 13:19
Platform
win10v2004-20240508-en
Max time kernel
450s
Max time network
1041s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4308 wrote to memory of 2836 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe |
| PID 4308 wrote to memory of 2836 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe |
Processes
| Process | Command line |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (2).cmd" |
| C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe | xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr.2miners.com | udp |
| DE | 162.19.139.184:2222 | xmr.2miners.com | tcp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 184.139.19.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.173.189.20.in-addr.arpa | udp |
Files
memory/2836-0-0x000001897B450000-0x000001897B470000-memory.dmp
memory/2836-1-0x000001897CE90000-0x000001897CEB0000-memory.dmp
memory/2836-3-0x000001897CED0000-0x000001897CEF0000-memory.dmp
memory/2836-2-0x000001897CEB0000-0x000001897CED0000-memory.dmp
memory/2836-5-0x000001897CED0000-0x000001897CEF0000-memory.dmp
memory/2836-4-0x000001897CEB0000-0x000001897CED0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-25 13:01
Reported
2024-05-25 13:19
Platform
win10-20240404-en
Max time kernel
315s
Max time network
1051s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4684 wrote to memory of 308 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe |
| PID 4684 wrote to memory of 308 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe |
Processes
| Process | Command line |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (2).cmd" |
| C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe | xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr.2miners.com | udp |
| DE | 162.19.139.184:2222 | xmr.2miners.com | tcp |
| US | 8.8.8.8:53 | 184.139.19.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 122.10.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
memory/308-0-0x000001F0FC820000-0x000001F0FC840000-memory.dmp
memory/308-1-0x000001F0FC870000-0x000001F0FC890000-memory.dmp
memory/308-2-0x000001F0FC890000-0x000001F0FC8B0000-memory.dmp
memory/308-3-0x000001F0FC8B0000-0x000001F0FC8D0000-memory.dmp
memory/308-5-0x000001F0FC8B0000-0x000001F0FC8D0000-memory.dmp
memory/308-4-0x000001F0FC890000-0x000001F0FC8B0000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-05-25 13:01
Reported
2024-05-25 13:19
Platform
win7-20240508-en
Max time kernel
839s
Max time network
1044s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 492 wrote to memory of 1532 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe |
| PID 492 wrote to memory of 1532 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe |
| PID 492 wrote to memory of 1532 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe |
Processes
| Process | Command line |
| C:\Windows\system32\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (3).cmd" |
| C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe | xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr.2miners.com | udp |
| DE | 162.19.139.184:2222 | xmr.2miners.com | tcp |
Files
memory/1532-0-0x0000000000270000-0x0000000000290000-memory.dmp
memory/1532-2-0x00000000024D0000-0x00000000024F0000-memory.dmp
memory/1532-1-0x00000000024B0000-0x00000000024D0000-memory.dmp
memory/1532-4-0x00000000024D0000-0x00000000024F0000-memory.dmp
memory/1532-3-0x00000000024B0000-0x00000000024D0000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-05-25 13:01
Reported
2024-05-25 13:19
Platform
win7-20240221-en
Max time kernel
840s
Max time network
1048s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1888 wrote to memory of 2840 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe |
| PID 1888 wrote to memory of 2840 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe |
| PID 1888 wrote to memory of 2840 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe |
Processes
| Process | Command line |
| C:\Windows\system32\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\pool_mine_example.cmd" |
| C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe | xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr.2miners.com | udp |
| DE | 162.19.139.184:2222 | xmr.2miners.com | tcp |
Files
memory/2840-0-0x00000000000F0000-0x0000000000110000-memory.dmp
memory/2840-2-0x0000000000410000-0x0000000000430000-memory.dmp
memory/2840-1-0x00000000001E0000-0x0000000000200000-memory.dmp
memory/2840-4-0x0000000000410000-0x0000000000430000-memory.dmp
memory/2840-3-0x00000000001E0000-0x0000000000200000-memory.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2024-05-25 13:01
Reported
2024-05-25 13:19
Platform
win10v2004-20240508-en
Max time kernel
866s
Max time network
1048s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 864 wrote to memory of 4504 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe |
| PID 864 wrote to memory of 4504 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe |
Processes
| Process | Command line |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\pool_mine_example.cmd" |
| C:\Users\Admin\AppData\Local\Temp\miner 2.5555\miner 2.5\xmrig-6.21.3\xmrig.exe | xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr.2miners.com | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| DE | 162.19.139.184:2222 | xmr.2miners.com | tcp |
| US | 8.8.8.8:53 | 184.139.19.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.173.189.20.in-addr.arpa | udp |
Files
memory/4504-0-0x000001C9F5C30000-0x000001C9F5C50000-memory.dmp
memory/4504-1-0x000001C9F7740000-0x000001C9F7760000-memory.dmp
memory/4504-3-0x000001C9F7780000-0x000001C9F77A0000-memory.dmp
memory/4504-2-0x000001C9F7760000-0x000001C9F7780000-memory.dmp
memory/4504-5-0x000001C9F7780000-0x000001C9F77A0000-memory.dmp
memory/4504-4-0x000001C9F7760000-0x000001C9F7780000-memory.dmp
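Added example, not part of the sandbox report: the Network tables above are dominated by reverse-DNS (in-addr.arpa) lookups to 8.8.8.8, with a single TCP connection to the pool among them. This Python helper parses one such table (the behavioral1 table, copied row for row as constructed input), separates DNS queries from real connections, converts each PTR name back to the IPv4 address it asks about, and reports which connections are corroborated by both a forward lookup and a PTR lookup of the same destination. PTR lookups with no matching connection row are listed separately so the analyst can decide what they are; the helper makes no claim about their origin.

```python
"""Triage a sandbox network table: split DNS noise from real connections and
tie reverse (PTR) lookups back to the destinations the sample contacted."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed input: the Network table of one detonation, copied row for row
# from the report above (markdown-style rows, header included).
NETWORK_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr.2miners.com | udp |
| DE | 162.19.139.184:2222 | xmr.2miners.com | tcp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 184.139.19.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.173.189.20.in-addr.arpa | udp |
"""


@dataclass(frozen=True)
class Row:
    country: str
    ip: str
    port: int
    domain: str
    proto: str


def parse_table(text: str) -> List[Row]:
    """Parse '| CC | ip:port | domain | proto |' rows; the header row is skipped."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dst, domain, proto = cells
        ip, _, port = dst.rpartition(":")
        rows.append(Row(country, ip, int(port), domain, proto.lower()))
    return rows


def ptr_to_ip(name: str) -> Optional[str]:
    """'184.139.19.162.in-addr.arpa' -> '162.19.139.184'; None if not an IPv4 PTR name."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) != 6 or labels[-2:] != ["in-addr", "arpa"]:
        return None
    candidate = ".".join(reversed(labels[:4]))
    try:
        ipaddress.IPv4Address(candidate)
    except ValueError:
        return None
    return candidate


def triage(rows: List[Row]) -> Dict[str, object]:
    forward, ptr_ips, connections = set(), set(), []
    for r in rows:
        if r.proto == "udp" and r.port == 53:        # a DNS query to the resolver
            ip = ptr_to_ip(r.domain)
            if ip:
                ptr_ips.add(ip)                      # reverse lookup of an address
            else:
                forward.add(r.domain.lower())        # forward lookup of a name
        else:
            connections.append(r)                    # an actual connection
    # A connection is corroborated when the sample both resolved its name and
    # later reverse-looked-up the address it connected to.
    corroborated = [c for c in connections
                    if c.domain.lower() in forward and c.ip in ptr_ips]
    return {
        "connections": connections,
        "forward_lookups": forward,
        "ptr_ips": ptr_ips,
        "corroborated": corroborated,
        "unexplained_ptr": ptr_ips - {c.ip for c in connections},
    }


if __name__ == "__main__":
    result = triage(parse_table(NETWORK_TABLE))
    for c in result["connections"]:
        print(f"connection: {c.ip}:{c.port} ({c.domain}, {c.proto})")
    print("PTR lookups without a matching connection:", sorted(result["unexplained_ptr"]))
```

On this table the only connection is 162.19.139.184:2222 for xmr.2miners.com, and it is corroborated by both the forward query and the 184.139.19.162.in-addr.arpa PTR query; the other eleven PTR lookups have no connection row in the table and are left for the analyst to account for.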