Malware Analysis Report

2025-01-06 15:12

Sample ID 240525-qeptjaea92
Target miner 2.55555.rar
SHA256 f5bd0ebcfc01b3431f67795b918ea0220ec4204530a959b2c161afecf61b74aa
Tags
miner xmrig
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral30

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral32

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral29

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral27

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral31

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral28

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f5bd0ebcfc01b3431f67795b918ea0220ec4204530a959b2c161afecf61b74aa

Threat Level: Known bad

The file miner 2.55555.rar was found to be: Known bad.

Malicious Activity Summary

miner xmrig

XMRig Miner payload

Xmrig family

Unsigned PE

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-25 13:10

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xmrig family

xmrig

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-05-25 13:10

Reported

2024-05-25 13:28

Platform

win10v2004-20240508-en

Max time kernel

450s

Max time network

1047s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (4).cmd"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (4).cmd"

C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe

xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:2222 xmr.2miners.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 184.139.19.162.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 24.173.189.20.in-addr.arpa udp

Files

memory/3168-0-0x0000017F4ECA0000-0x0000017F4ECC0000-memory.dmp

memory/3168-1-0x0000017F4ECF0000-0x0000017F4ED10000-memory.dmp

memory/3168-2-0x0000017F4ED10000-0x0000017F4ED30000-memory.dmp

memory/3168-3-0x0000017F4ED30000-0x0000017F4ED50000-memory.dmp

memory/3168-5-0x0000017F4ED30000-0x0000017F4ED50000-memory.dmp

memory/3168-4-0x0000017F4ED10000-0x0000017F4ED30000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-05-25 13:10

Reported

2024-05-25 13:28

Platform

win10v2004-20240508-en

Max time kernel

447s

Max time network

1047s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (5) - Copy.cmd"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (5) - Copy.cmd"

C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe

xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:2222 xmr.2miners.com tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 184.139.19.162.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 28.173.189.20.in-addr.arpa udp

Files

memory/1752-0-0x0000024D1E210000-0x0000024D1E230000-memory.dmp

memory/1752-1-0x0000024D1E260000-0x0000024D1E280000-memory.dmp

memory/1752-3-0x0000024D1E280000-0x0000024D1E2A0000-memory.dmp

memory/1752-2-0x0000024D1E2A0000-0x0000024D1E2C0000-memory.dmp

memory/1752-5-0x0000024D1E280000-0x0000024D1E2A0000-memory.dmp

memory/1752-4-0x0000024D1E2A0000-0x0000024D1E2C0000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2024-05-25 13:10

Reported

2024-05-25 13:28

Platform

win7-20240220-en

Max time kernel

839s

Max time network

1048s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy - Copy (11).cmd"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy - Copy (11).cmd"

C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe

xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:2222 xmr.2miners.com tcp

Files

memory/2968-0-0x00000000000F0000-0x0000000000110000-memory.dmp

memory/2968-2-0x00000000008D0000-0x00000000008F0000-memory.dmp

memory/2968-1-0x00000000008B0000-0x00000000008D0000-memory.dmp

memory/2968-4-0x00000000008D0000-0x00000000008F0000-memory.dmp

memory/2968-3-0x00000000008B0000-0x00000000008D0000-memory.dmp

Analysis: behavioral26

Detonation Overview

Submitted

2024-05-25 13:10

Reported

2024-05-25 13:28

Platform

win10v2004-20240508-en

Max time kernel

864s

Max time network

1047s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy - Copy (14).cmd"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy - Copy (14).cmd"

C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe

xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:2222 xmr.2miners.com tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 184.139.19.162.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

memory/2320-0-0x0000015884160000-0x0000015884180000-memory.dmp

memory/2320-1-0x0000015885B60000-0x0000015885B80000-memory.dmp

memory/2320-3-0x0000015885BA0000-0x0000015885BC0000-memory.dmp

memory/2320-2-0x0000015885B80000-0x0000015885BA0000-memory.dmp

memory/2320-5-0x0000015885BA0000-0x0000015885BC0000-memory.dmp

memory/2320-4-0x0000015885B80000-0x0000015885BA0000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-05-25 13:10

Reported

2024-05-25 13:28

Platform

win10v2004-20240426-en

Max time kernel

448s

Max time network

1047s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (5).cmd"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (5).cmd"

C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe

xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:2222 xmr.2miners.com tcp
US 8.8.8.8:53 184.139.19.162.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 14.179.89.13.in-addr.arpa udp

Files

memory/3308-0-0x00000223DB1E0000-0x00000223DB200000-memory.dmp

memory/3308-1-0x00000223DCBE0000-0x00000223DCC00000-memory.dmp

memory/3308-2-0x00000223DCC00000-0x00000223DCC20000-memory.dmp

memory/3308-3-0x00000223DCC20000-0x00000223DCC40000-memory.dmp

memory/3308-5-0x00000223DCC20000-0x00000223DCC40000-memory.dmp

memory/3308-4-0x00000223DCC00000-0x00000223DCC20000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2024-05-25 13:10

Reported

2024-05-25 13:28

Platform

win7-20240508-en

Max time kernel

839s

Max time network

1047s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy - Copy (10).cmd"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy - Copy (10).cmd"

C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe

xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:2222 xmr.2miners.com tcp

Files

memory/1648-0-0x00000000000F0000-0x0000000000110000-memory.dmp

memory/1648-2-0x00000000003F0000-0x0000000000410000-memory.dmp

memory/1648-1-0x00000000003D0000-0x00000000003F0000-memory.dmp

memory/1648-4-0x00000000003F0000-0x0000000000410000-memory.dmp

memory/1648-3-0x00000000003D0000-0x00000000003F0000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted

2024-05-25 13:10

Reported

2024-05-25 13:28

Platform

win10v2004-20240426-en

Max time kernel

448s

Max time network

1047s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy - Copy (11).cmd"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy - Copy (11).cmd"

C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe

xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:2222 xmr.2miners.com tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 184.139.19.162.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 45.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp

Files

memory/2256-0-0x0000023387A50000-0x0000023387A70000-memory.dmp

memory/2256-1-0x0000023387A90000-0x0000023387AB0000-memory.dmp

memory/2256-2-0x0000023387AB0000-0x0000023387AD0000-memory.dmp

memory/2256-3-0x0000023387AD0000-0x0000023387AF0000-memory.dmp

memory/2256-4-0x0000023387AB0000-0x0000023387AD0000-memory.dmp

memory/2256-5-0x0000023387AD0000-0x0000023387AF0000-memory.dmp

Analysis: behavioral30

Detonation Overview

Submitted

2024-05-25 13:10

Reported

2024-05-25 13:28

Platform

win10v2004-20240508-en

Max time kernel

442s

Max time network

1047s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy - Copy (16).cmd"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy - Copy (16).cmd"

C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe

xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:2222 xmr.2miners.com tcp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 184.139.19.162.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 45.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp

Files

memory/4756-0-0x0000022CA1300000-0x0000022CA1320000-memory.dmp

memory/4756-1-0x0000022CA1330000-0x0000022CA1350000-memory.dmp

memory/4756-2-0x0000022D33AE0000-0x0000022D33B00000-memory.dmp

memory/4756-3-0x0000022CA1350000-0x0000022CA1370000-memory.dmp

memory/4756-5-0x0000022CA1350000-0x0000022CA1370000-memory.dmp

memory/4756-4-0x0000022D33AE0000-0x0000022D33B00000-memory.dmp

Analysis: behavioral32

Detonation Overview

Submitted

2024-05-25 13:10

Reported

2024-05-25 13:28

Platform

win10v2004-20240426-en

Max time kernel

439s

Max time network

1047s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy - Copy (2).cmd"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy - Copy (2).cmd"

C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe

xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:2222 xmr.2miners.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 184.139.19.162.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 214.143.182.52.in-addr.arpa udp

Files

memory/5048-0-0x000001AFB4D80000-0x000001AFB4DA0000-memory.dmp

memory/5048-1-0x000001AFB4ED0000-0x000001AFB4EF0000-memory.dmp

memory/5048-2-0x000001AFB4F10000-0x000001AFB4F30000-memory.dmp

memory/5048-3-0x000001B047590000-0x000001B0475B0000-memory.dmp

memory/5048-4-0x000001AFB4F10000-0x000001AFB4F30000-memory.dmp

memory/5048-5-0x000001B047590000-0x000001B0475B0000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-25 13:10

Reported

2024-05-25 13:28

Platform

win7-20231129-en

Max time kernel

841s

Max time network

1047s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (2) - Copy.cmd"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (2) - Copy.cmd"

C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe

xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:2222 xmr.2miners.com tcp

Files

memory/2740-0-0x00000000002F0000-0x0000000000310000-memory.dmp

memory/2740-2-0x0000000000500000-0x0000000000520000-memory.dmp

memory/2740-1-0x00000000004E0000-0x0000000000500000-memory.dmp

memory/2740-4-0x0000000000500000-0x0000000000520000-memory.dmp

memory/2740-3-0x00000000004E0000-0x0000000000500000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-05-25 13:10

Reported

2024-05-25 13:28

Platform

win7-20240221-en

Max time kernel

840s

Max time network

1048s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (4) - Copy.cmd"

Signatures

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (4) - Copy.cmd"

C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe

xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:2222 xmr.2miners.com tcp

Files

memory/1888-0-0x00000000001F0000-0x0000000000210000-memory.dmp

memory/1888-1-0x0000000000490000-0x00000000004B0000-memory.dmp

memory/1888-2-0x00000000004B0000-0x00000000004D0000-memory.dmp

memory/1888-4-0x00000000004B0000-0x00000000004D0000-memory.dmp

memory/1888-3-0x0000000000490000-0x00000000004B0000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-05-25 13:10

Reported

2024-05-25 13:28

Platform

win10v2004-20240426-en

Max time kernel

446s

Max time network

1048s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy - Copy (10).cmd"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy - Copy (10).cmd"

C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe

xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:2222 xmr.2miners.com tcp
US 8.8.8.8:53 184.139.19.162.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 11.173.189.20.in-addr.arpa udp

Files

memory/2324-0-0x0000019002070000-0x0000019002090000-memory.dmp

memory/2324-1-0x00000190020C0000-0x00000190020E0000-memory.dmp

memory/2324-2-0x00000190020E0000-0x0000019002100000-memory.dmp

memory/2324-3-0x0000019002100000-0x0000019002120000-memory.dmp

memory/2324-4-0x00000190020E0000-0x0000019002100000-memory.dmp

memory/2324-5-0x0000019002100000-0x0000019002120000-memory.dmp

Analysis: behavioral23

Detonation Overview

Submitted

2024-05-25 13:10

Reported

2024-05-25 13:28

Platform

win7-20240220-en

Max time kernel

840s

Max time network

1047s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy - Copy (13).cmd"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy - Copy (13).cmd"

C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe

xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:2222 xmr.2miners.com tcp

Files

memory/1228-0-0x00000000001F0000-0x0000000000210000-memory.dmp

memory/1228-2-0x0000000000700000-0x0000000000720000-memory.dmp

memory/1228-1-0x00000000006E0000-0x0000000000700000-memory.dmp

memory/1228-4-0x0000000000700000-0x0000000000720000-memory.dmp

memory/1228-3-0x00000000006E0000-0x0000000000700000-memory.dmp

Analysis: behavioral29

Detonation Overview

Submitted

2024-05-25 13:10

Reported

2024-05-25 13:28

Platform

win7-20240215-en

Max time kernel

839s

Max time network

1047s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy - Copy (16).cmd"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy - Copy (16).cmd"

C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe

xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:2222 xmr.2miners.com tcp

Files

memory/2280-0-0x0000000000170000-0x0000000000190000-memory.dmp

memory/2280-2-0x0000000002060000-0x0000000002080000-memory.dmp

memory/2280-1-0x0000000002040000-0x0000000002060000-memory.dmp

memory/2280-4-0x0000000002060000-0x0000000002080000-memory.dmp

memory/2280-3-0x0000000002040000-0x0000000002060000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-05-25 13:10

Reported

2024-05-25 13:28

Platform

win10v2004-20240426-en

Max time kernel

791s

Max time network

1047s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (4) - Copy.cmd"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (4) - Copy.cmd"

C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe

xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:2222 xmr.2miners.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 184.139.19.162.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.173.189.20.in-addr.arpa udp

Files

memory/2748-0-0x000001E0C0900000-0x000001E0C0920000-memory.dmp

memory/2748-1-0x000001E152AD0000-0x000001E152AF0000-memory.dmp

memory/2748-2-0x000001E152F10000-0x000001E152F30000-memory.dmp

memory/2748-3-0x000001E153140000-0x000001E153160000-memory.dmp

memory/2748-4-0x000001E152F10000-0x000001E152F30000-memory.dmp

memory/2748-5-0x000001E153140000-0x000001E153160000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-05-25 13:10

Reported

2024-05-25 13:28

Platform

win7-20240508-en

Max time kernel

838s

Max time network

1047s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (4).cmd"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (4).cmd"

C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe

xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:2222 xmr.2miners.com tcp

Files

memory/1972-0-0x00000000001F0000-0x0000000000210000-memory.dmp

memory/1972-2-0x0000000000690000-0x00000000006B0000-memory.dmp

memory/1972-1-0x00000000003C0000-0x00000000003E0000-memory.dmp

memory/1972-4-0x0000000000690000-0x00000000006B0000-memory.dmp

memory/1972-3-0x00000000003C0000-0x00000000003E0000-memory.dmp

Analysis: behavioral27

Detonation Overview

Submitted

2024-05-25 13:10

Reported

2024-05-25 13:28

Platform

win7-20240508-en

Max time kernel

842s

Max time network

1047s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy - Copy (15).cmd"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy - Copy (15).cmd"

C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe

xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:2222 xmr.2miners.com tcp

Files

memory/2380-0-0x0000000000200000-0x0000000000220000-memory.dmp

memory/2380-2-0x0000000002140000-0x0000000002160000-memory.dmp

memory/2380-1-0x0000000002120000-0x0000000002140000-memory.dmp

memory/2380-4-0x0000000002140000-0x0000000002160000-memory.dmp

memory/2380-3-0x0000000002120000-0x0000000002140000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-25 13:10

Reported

2024-05-25 13:28

Platform

win7-20231129-en

Max time kernel

837s

Max time network

1047s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (2).cmd"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (2).cmd"

C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe

xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:2222 xmr.2miners.com tcp

Files

memory/2196-0-0x0000000000300000-0x0000000000320000-memory.dmp

memory/2196-2-0x00000000021D0000-0x00000000021F0000-memory.dmp

memory/2196-1-0x0000000000580000-0x00000000005A0000-memory.dmp

memory/2196-4-0x00000000021D0000-0x00000000021F0000-memory.dmp

memory/2196-3-0x0000000000580000-0x00000000005A0000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-25 13:10

Reported

2024-05-25 13:28

Platform

win10v2004-20240508-en

Max time kernel

448s

Max time network

1047s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (2).cmd"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (2).cmd"

C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe

xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:2222 xmr.2miners.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 184.139.19.162.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 52.111.229.43:443 tcp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 4.173.189.20.in-addr.arpa udp

Files

memory/1776-0-0x000002A2FB930000-0x000002A2FB950000-memory.dmp

memory/1776-1-0x000002A38DAA0000-0x000002A38DAC0000-memory.dmp

memory/1776-2-0x000002A38DEE0000-0x000002A38DF00000-memory.dmp

memory/1776-3-0x000002A38E110000-0x000002A38E130000-memory.dmp

memory/1776-4-0x000002A38DEE0000-0x000002A38DF00000-memory.dmp

memory/1776-5-0x000002A38E110000-0x000002A38E130000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-25 13:10

Reported

2024-05-25 13:28

Platform

win7-20240220-en

Max time kernel

837s

Max time network

1047s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (3).cmd"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (3).cmd"

C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe

xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:2222 xmr.2miners.com tcp

Files

memory/2712-0-0x00000000002F0000-0x0000000000310000-memory.dmp

memory/2712-2-0x00000000005D0000-0x00000000005F0000-memory.dmp

memory/2712-1-0x00000000005B0000-0x00000000005D0000-memory.dmp

memory/2712-4-0x00000000005D0000-0x00000000005F0000-memory.dmp

memory/2712-3-0x00000000005B0000-0x00000000005D0000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-25 13:10

Reported

2024-05-25 13:28

Platform

win10v2004-20240426-en

Max time kernel

453s

Max time network

1047s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (3).cmd"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (3).cmd"

C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe

xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:2222 xmr.2miners.com tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 184.139.19.162.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 45.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 215.143.182.52.in-addr.arpa udp

Files

memory/2052-0-0x0000027D84F00000-0x0000027D84F20000-memory.dmp

memory/2052-1-0x0000027D86950000-0x0000027D86970000-memory.dmp

memory/2052-3-0x0000027E19010000-0x0000027E19030000-memory.dmp

memory/2052-2-0x0000027E18DE0000-0x0000027E18E00000-memory.dmp

memory/2052-4-0x0000027E18DE0000-0x0000027E18E00000-memory.dmp

memory/2052-5-0x0000027E19010000-0x0000027E19030000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2024-05-25 13:10

Reported

2024-05-25 13:28

Platform

win7-20240221-en

Max time kernel

842s

Max time network

1047s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy - Copy (12).cmd"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy - Copy (12).cmd"

C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe

xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:2222 xmr.2miners.com tcp

Files

memory/308-0-0x00000000000F0000-0x0000000000110000-memory.dmp

memory/308-2-0x00000000024B0000-0x00000000024D0000-memory.dmp

memory/308-1-0x00000000006B0000-0x00000000006D0000-memory.dmp

memory/308-4-0x00000000024B0000-0x00000000024D0000-memory.dmp

memory/308-3-0x00000000006B0000-0x00000000006D0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-25 13:10

Reported

2024-05-25 13:28

Platform

win10v2004-20240426-en

Max time kernel

455s

Max time network

1047s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (2) - Copy.cmd"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (2) - Copy.cmd"

C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe

xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:2222 xmr.2miners.com tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 184.139.19.162.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 45.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 28.173.189.20.in-addr.arpa udp

Files

memory/3552-0-0x000001F312900000-0x000001F312920000-memory.dmp

memory/3552-1-0x000001F312960000-0x000001F312980000-memory.dmp

memory/3552-2-0x000001F3A4EF0000-0x000001F3A4F10000-memory.dmp

memory/3552-3-0x000001F3A5120000-0x000001F3A5140000-memory.dmp

memory/3552-4-0x000001F3A4EF0000-0x000001F3A4F10000-memory.dmp

memory/3552-5-0x000001F3A5120000-0x000001F3A5140000-memory.dmp

Analysis: behavioral25

Detonation Overview

Submitted

2024-05-25 13:10

Reported

2024-05-25 13:28

Platform

win7-20240221-en

Max time kernel

839s

Max time network

1047s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy - Copy (14).cmd"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy - Copy (14).cmd"

C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe

xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:2222 xmr.2miners.com tcp

Files

memory/1908-2-0x0000000000410000-0x0000000000430000-memory.dmp

memory/1908-1-0x00000000003F0000-0x0000000000410000-memory.dmp

memory/1908-0-0x00000000000F0000-0x0000000000110000-memory.dmp

memory/1908-4-0x0000000000410000-0x0000000000430000-memory.dmp

memory/1908-3-0x00000000003F0000-0x0000000000410000-memory.dmp

Analysis: behavioral31

Detonation Overview

Submitted

2024-05-25 13:10

Reported

2024-05-25 13:28

Platform

win7-20231129-en

Max time kernel

840s

Max time network

1047s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy - Copy (2).cmd"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy - Copy (2).cmd"

C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe

xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:2222 xmr.2miners.com tcp

Files

memory/1028-0-0x00000000001F0000-0x0000000000210000-memory.dmp

memory/1028-2-0x0000000002560000-0x0000000002580000-memory.dmp

memory/1028-1-0x00000000021E0000-0x0000000002200000-memory.dmp

memory/1028-3-0x00000000021E0000-0x0000000002200000-memory.dmp

memory/1028-4-0x0000000002560000-0x0000000002580000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-25 13:10

Reported

2024-05-25 13:28

Platform

win7-20240508-en

Max time kernel

842s

Max time network

1047s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (3) - Copy.cmd"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (3) - Copy.cmd"

C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe

xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:2222 xmr.2miners.com tcp

Files

memory/2344-0-0x00000000000F0000-0x0000000000110000-memory.dmp

memory/2344-2-0x0000000000590000-0x00000000005B0000-memory.dmp

memory/2344-1-0x00000000004E0000-0x0000000000500000-memory.dmp

memory/2344-4-0x0000000000590000-0x00000000005B0000-memory.dmp

memory/2344-3-0x00000000004E0000-0x0000000000500000-memory.dmp

Analysis: behavioral24

Detonation Overview

Submitted

2024-05-25 13:10

Reported

2024-05-25 13:28

Platform

win10v2004-20240426-en

Max time kernel

448s

Max time network

1047s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy - Copy (13).cmd"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy - Copy (13).cmd"

C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe

xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:2222 xmr.2miners.com tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 184.139.19.162.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 24.173.189.20.in-addr.arpa udp

Files

memory/2856-0-0x0000024E4C160000-0x0000024E4C180000-memory.dmp

memory/2856-1-0x0000024E4C1C0000-0x0000024E4C1E0000-memory.dmp

memory/2856-3-0x0000024EDE970000-0x0000024EDE990000-memory.dmp

memory/2856-2-0x0000024EDE740000-0x0000024EDE760000-memory.dmp

memory/2856-4-0x0000024EDE740000-0x0000024EDE760000-memory.dmp

memory/2856-5-0x0000024EDE970000-0x0000024EDE990000-memory.dmp

Analysis: behavioral28

Detonation Overview

Submitted

2024-05-25 13:10

Reported

2024-05-25 13:28

Platform

win10v2004-20240508-en

Max time kernel

447s

Max time network

1047s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy - Copy (15).cmd"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy - Copy (15).cmd"

C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe

xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:2222 xmr.2miners.com tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 184.139.19.162.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 45.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 24.173.189.20.in-addr.arpa udp

Files

memory/3128-0-0x0000013A1FAB0000-0x0000013A1FAD0000-memory.dmp

memory/3128-1-0x00007FF9C3C80000-0x00007FF9C3F49000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-25 13:10

Reported

2024-05-25 13:28

Platform

win10v2004-20240508-en

Max time kernel

450s

Max time network

1048s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (3) - Copy.cmd"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (3) - Copy.cmd"

C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe

xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:2222 xmr.2miners.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 184.139.19.162.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 31.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 45.56.20.217.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 36.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 24.173.189.20.in-addr.arpa udp

Files

memory/3108-0-0x000001A2569D0000-0x000001A2569F0000-memory.dmp

memory/3108-1-0x000001A256A20000-0x000001A256A40000-memory.dmp

memory/3108-3-0x000001A256A80000-0x000001A256AA0000-memory.dmp

memory/3108-2-0x000001A256A60000-0x000001A256A80000-memory.dmp

memory/3108-5-0x000001A256A80000-0x000001A256AA0000-memory.dmp

memory/3108-4-0x000001A256A60000-0x000001A256A80000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-05-25 13:10

Reported

2024-05-25 13:28

Platform

win7-20240508-en

Max time kernel

840s

Max time network

1047s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (5) - Copy.cmd"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (5) - Copy.cmd"

C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe

xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:2222 xmr.2miners.com tcp

Files

memory/1828-0-0x0000000000190000-0x00000000001B0000-memory.dmp

memory/1828-2-0x0000000000510000-0x0000000000530000-memory.dmp

memory/1828-1-0x00000000004F0000-0x0000000000510000-memory.dmp

memory/1828-4-0x0000000000510000-0x0000000000530000-memory.dmp

memory/1828-3-0x00000000004F0000-0x0000000000510000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2024-05-25 13:10

Reported

2024-05-25 13:28

Platform

win7-20240419-en

Max time kernel

838s

Max time network

1047s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (5).cmd"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (5).cmd"

C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe

xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:2222 xmr.2miners.com tcp

Files

memory/2116-0-0x00000000001F0000-0x0000000000210000-memory.dmp

memory/2116-2-0x0000000002090000-0x00000000020B0000-memory.dmp

memory/2116-1-0x00000000004F0000-0x0000000000510000-memory.dmp

memory/2116-4-0x0000000002090000-0x00000000020B0000-memory.dmp

memory/2116-3-0x00000000004F0000-0x0000000000510000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted

2024-05-25 13:10

Reported

2024-05-25 13:28

Platform

win10v2004-20240508-en

Max time kernel

954s

Max time network

1047s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy - Copy (12).cmd"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy - Copy (12).cmd"

C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe

xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4168,i,4686244434963378549,11462511444150484980,262144 --variations-seed-version --mojo-platform-channel-handle=4148 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1392,i,4686244434963378549,11462511444150484980,262144 --variations-seed-version --mojo-platform-channel-handle=4072 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:2222 xmr.2miners.com tcp
US 8.8.8.8:53 184.139.19.162.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 45.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 168.117.168.52.in-addr.arpa udp

Files

memory/1048-0-0x0000023766CD0000-0x0000023766CF0000-memory.dmp

memory/1048-1-0x0000023766E10000-0x0000023766E30000-memory.dmp

memory/1048-2-0x0000023766E30000-0x0000023766E50000-memory.dmp

memory/1048-3-0x0000023766E70000-0x0000023766E90000-memory.dmp

memory/1048-4-0x0000023766E30000-0x0000023766E50000-memory.dmp

memory/1048-5-0x0000023766E70000-0x0000023766E90000-memory.dmp