Analysis Overview
SHA256
f5bd0ebcfc01b3431f67795b918ea0220ec4204530a959b2c161afecf61b74aa
Threat Level: Known bad
The file miner 2.55555.rar was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
Xmrig family
Unsigned PE
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-25 13:27
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xmrig family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral7
Detonation Overview
Submitted
2024-05-25 13:27
Reported
2024-05-25 13:48
Platform
win7-20240508-en
Max time kernel
839s
Max time network
1190s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2392 wrote to memory of 2668 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe |
| PID 2392 wrote to memory of 2668 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe |
| PID 2392 wrote to memory of 2668 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (3).cmd"
C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe
xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr.2miners.com | udp |
| DE | 162.19.139.184:2222 | xmr.2miners.com | tcp |
Files
memory/2668-0-0x0000000000080000-0x00000000000A0000-memory.dmp
memory/2668-2-0x0000000000500000-0x0000000000520000-memory.dmp
memory/2668-1-0x00000000004D0000-0x00000000004F0000-memory.dmp
memory/2668-4-0x0000000000500000-0x0000000000520000-memory.dmp
memory/2668-3-0x00000000004D0000-0x00000000004F0000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-05-25 13:27
Reported
2024-05-25 13:49
Platform
win10v2004-20240226-en
Max time kernel
1192s
Max time network
1207s
Command Line
Signatures
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 824 wrote to memory of 1780 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe |
| PID 824 wrote to memory of 1780 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (5) - Copy.cmd"
C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe
xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3976 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3588 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr.2miners.com | udp |
| DE | 162.19.139.184:2222 | xmr.2miners.com | tcp |
| US | 8.8.8.8:53 | 184.139.19.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| GB | 23.44.234.16:80 | tcp | |
| US | 13.107.253.64:443 | tcp | |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 164.189.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | tcp | |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.179.89.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 142.250.200.10:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 10.200.250.142.in-addr.arpa | udp |
Files
memory/1780-0-0x0000028F5D790000-0x0000028F5D7B0000-memory.dmp
memory/1780-1-0x0000028F5D7E0000-0x0000028F5D800000-memory.dmp
memory/1780-2-0x0000028F5D800000-0x0000028F5D820000-memory.dmp
memory/1780-3-0x0000028F5D820000-0x0000028F5D840000-memory.dmp
memory/1780-4-0x0000028F5D800000-0x0000028F5D820000-memory.dmp
memory/1780-5-0x0000028F5D820000-0x0000028F5D840000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2024-05-25 13:27
Reported
2024-05-25 13:35
Platform
win7-20240220-en
Max time kernel
119s
Max time network
298s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1112 wrote to memory of 1692 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe |
| PID 1112 wrote to memory of 1692 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe |
| PID 1112 wrote to memory of 1692 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy - Copy (10).cmd"
C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe
xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr.2miners.com | udp |
| DE | 162.19.139.184:2222 | xmr.2miners.com | tcp |
Files
memory/1692-0-0x0000000000080000-0x00000000000A0000-memory.dmp
memory/1692-2-0x00000000003E0000-0x0000000000400000-memory.dmp
memory/1692-1-0x00000000003C0000-0x00000000003E0000-memory.dmp
memory/1692-4-0x00000000003E0000-0x0000000000400000-memory.dmp
memory/1692-3-0x00000000003C0000-0x00000000003E0000-memory.dmp
Analysis: behavioral18
Detonation Overview
Submitted
2024-05-25 13:27
Reported
2024-05-25 13:48
Platform
win10v2004-20240508-en
Max time kernel
886s
Max time network
1202s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4696 wrote to memory of 2120 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe |
| PID 4696 wrote to memory of 2120 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy - Copy (10).cmd"
C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe
xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr.2miners.com | udp |
| DE | 162.19.139.184:2222 | xmr.2miners.com | tcp |
| US | 8.8.8.8:53 | 184.139.19.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 199.111.78.13.in-addr.arpa | udp |
Files
memory/2120-0-0x0000025330A40000-0x0000025330A60000-memory.dmp
memory/2120-1-0x0000025330A80000-0x0000025330AA0000-memory.dmp
memory/2120-3-0x0000025330AD0000-0x0000025330AF0000-memory.dmp
memory/2120-2-0x0000025330AB0000-0x0000025330AD0000-memory.dmp
memory/2120-4-0x0000025330AB0000-0x0000025330AD0000-memory.dmp
memory/2120-5-0x0000025330AD0000-0x0000025330AF0000-memory.dmp
Analysis: behavioral32
Detonation Overview
Submitted
2024-05-25 13:27
Reported
2024-05-25 13:33
Platform
win10v2004-20240426-en
Max time kernel
134s
Max time network
291s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1436 wrote to memory of 2476 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe |
| PID 1436 wrote to memory of 2476 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy - Copy (2).cmd"
C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe
xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr.2miners.com | udp |
| DE | 162.19.139.184:2222 | xmr.2miners.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 184.139.19.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.73.42.20.in-addr.arpa | udp |
Files
memory/2476-0-0x000001F3366B0000-0x000001F3366D0000-memory.dmp
memory/2476-1-0x000001F337FE0000-0x000001F338000000-memory.dmp
memory/2476-3-0x000001F338020000-0x000001F338040000-memory.dmp
memory/2476-2-0x000001F338000000-0x000001F338020000-memory.dmp
memory/2476-4-0x000001F338000000-0x000001F338020000-memory.dmp
memory/2476-5-0x000001F338020000-0x000001F338040000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-05-25 13:27
Reported
2024-05-25 13:48
Platform
win10v2004-20240508-en
Max time kernel
450s
Max time network
1190s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1336 wrote to memory of 4800 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe |
| PID 1336 wrote to memory of 4800 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (4).cmd"
C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe
xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr.2miners.com | udp |
| DE | 162.19.139.184:2222 | xmr.2miners.com | tcp |
| US | 8.8.8.8:53 | 99.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 184.139.19.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 138.91.171.81:80 | tcp | |
| US | 8.8.8.8:53 | 89.16.208.104.in-addr.arpa | udp |
Files
memory/4800-0-0x00000242891F0000-0x0000024289210000-memory.dmp
memory/4800-1-0x0000024289350000-0x0000024289370000-memory.dmp
memory/4800-2-0x0000024289370000-0x0000024289390000-memory.dmp
memory/4800-3-0x0000024289390000-0x00000242893B0000-memory.dmp
memory/4800-4-0x0000024289370000-0x0000024289390000-memory.dmp
memory/4800-5-0x0000024289390000-0x00000242893B0000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2024-05-25 13:27
Reported
2024-05-25 13:49
Platform
win7-20240220-en
Max time kernel
844s
Max time network
1199s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2072 wrote to memory of 1796 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe |
| PID 2072 wrote to memory of 1796 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe |
| PID 2072 wrote to memory of 1796 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (5).cmd"
C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe
xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr.2miners.com | udp |
| DE | 162.19.139.184:2222 | xmr.2miners.com | tcp |
Files
memory/1796-0-0x0000000000300000-0x0000000000320000-memory.dmp
memory/1796-2-0x0000000002520000-0x0000000002540000-memory.dmp
memory/1796-1-0x0000000002500000-0x0000000002520000-memory.dmp
memory/1796-4-0x0000000002520000-0x0000000002540000-memory.dmp
memory/1796-3-0x0000000002500000-0x0000000002520000-memory.dmp
Analysis: behavioral29
Detonation Overview
Submitted
2024-05-25 13:27
Reported
2024-05-25 13:48
Platform
win7-20231129-en
Max time kernel
845s
Max time network
1208s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2360 wrote to memory of 1580 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe |
| PID 2360 wrote to memory of 1580 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe |
| PID 2360 wrote to memory of 1580 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy - Copy (16).cmd"
C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe
xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr.2miners.com | udp |
| DE | 162.19.139.184:2222 | xmr.2miners.com | tcp |
Files
memory/1580-0-0x00000000002F0000-0x0000000000310000-memory.dmp
memory/1580-1-0x00000000004C0000-0x00000000004E0000-memory.dmp
memory/1580-2-0x00000000004E0000-0x0000000000500000-memory.dmp
memory/1580-3-0x00000000004C0000-0x00000000004E0000-memory.dmp
memory/1580-4-0x00000000004E0000-0x0000000000500000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-25 13:27
Reported
2024-05-25 13:48
Platform
win7-20240221-en
Max time kernel
839s
Max time network
1201s
Command Line
Signatures
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1368 wrote to memory of 2684 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe |
| PID 1368 wrote to memory of 2684 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe |
| PID 1368 wrote to memory of 2684 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (2).cmd"
C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe
xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr.2miners.com | udp |
| DE | 162.19.139.184:2222 | xmr.2miners.com | tcp |
Files
memory/2684-0-0x00000000002F0000-0x0000000000310000-memory.dmp
memory/2684-2-0x00000000005E0000-0x0000000000600000-memory.dmp
memory/2684-1-0x00000000005C0000-0x00000000005E0000-memory.dmp
memory/2684-4-0x00000000005E0000-0x0000000000600000-memory.dmp
memory/2684-3-0x00000000005C0000-0x00000000005E0000-memory.dmp
Analysis: behavioral20
Detonation Overview
Submitted
2024-05-25 13:27
Reported
2024-05-25 13:48
Platform
win10v2004-20240508-en
Max time kernel
1194s
Max time network
1206s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1724 wrote to memory of 3692 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe |
| PID 1724 wrote to memory of 3692 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy - Copy (11).cmd"
C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe
xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4168,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=3148 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4132,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=3768 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr.2miners.com | udp |
| DE | 162.19.139.184:2222 | xmr.2miners.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 184.139.19.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.98.74.40.in-addr.arpa | udp |
Files
memory/3692-0-0x000002590A390000-0x000002590A3B0000-memory.dmp
memory/3692-1-0x000002590A3E0000-0x000002590A400000-memory.dmp
memory/3692-3-0x000002590A420000-0x000002590A440000-memory.dmp
memory/3692-2-0x000002590A400000-0x000002590A420000-memory.dmp
memory/3692-5-0x000002590A420000-0x000002590A440000-memory.dmp
memory/3692-4-0x000002590A400000-0x000002590A420000-memory.dmp
Analysis: behavioral24
Detonation Overview
Submitted
2024-05-25 13:27
Reported
2024-05-25 13:48
Platform
win10v2004-20240426-en
Max time kernel
450s
Max time network
1204s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1284 wrote to memory of 712 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe |
| PID 1284 wrote to memory of 712 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy - Copy (13).cmd"
C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe
xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr.2miners.com | udp |
| DE | 162.19.139.184:2222 | xmr.2miners.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 184.139.19.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.16.208.104.in-addr.arpa | udp |
Files
memory/712-0-0x000001B887C50000-0x000001B887C70000-memory.dmp
memory/712-1-0x000001B887CF0000-0x000001B887D10000-memory.dmp
memory/712-2-0x000001B887D10000-0x000001B887D30000-memory.dmp
memory/712-3-0x000001B887D30000-0x000001B887D50000-memory.dmp
memory/712-4-0x000001B887D10000-0x000001B887D30000-memory.dmp
memory/712-5-0x000001B887D30000-0x000001B887D50000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2024-05-25 13:27
Reported
2024-05-25 13:48
Platform
win7-20231129-en
Max time kernel
843s
Max time network
1192s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2004 wrote to memory of 2044 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe |
| PID 2004 wrote to memory of 2044 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe |
| PID 2004 wrote to memory of 2044 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (4).cmd"
C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe
xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr.2miners.com | udp |
| DE | 162.19.139.184:2222 | xmr.2miners.com | tcp |
Files
memory/2044-0-0x00000000000F0000-0x0000000000110000-memory.dmp
memory/2044-2-0x00000000006B0000-0x00000000006D0000-memory.dmp
memory/2044-1-0x0000000000690000-0x00000000006B0000-memory.dmp
memory/2044-4-0x00000000006B0000-0x00000000006D0000-memory.dmp
memory/2044-3-0x0000000000690000-0x00000000006B0000-memory.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2024-05-25 13:27
Reported
2024-05-25 13:35
Platform
win7-20240220-en
Max time kernel
122s
Max time network
297s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1740 wrote to memory of 1744 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe |
| PID 1740 wrote to memory of 1744 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe |
| PID 1740 wrote to memory of 1744 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy - Copy (12).cmd"
C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe
xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr.2miners.com | udp |
| DE | 162.19.139.184:2222 | xmr.2miners.com | tcp |
Files
memory/1744-0-0x0000000000080000-0x00000000000A0000-memory.dmp
memory/1744-2-0x0000000002110000-0x0000000002130000-memory.dmp
memory/1744-1-0x00000000020F0000-0x0000000002110000-memory.dmp
memory/1744-4-0x0000000002110000-0x0000000002130000-memory.dmp
memory/1744-3-0x00000000020F0000-0x0000000002110000-memory.dmp
Analysis: behavioral22
Detonation Overview
Submitted
2024-05-25 13:27
Reported
2024-05-25 13:48
Platform
win10v2004-20240426-en
Max time kernel
449s
Max time network
1204s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4472 wrote to memory of 4048 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe |
| PID 4472 wrote to memory of 4048 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy - Copy (12).cmd"
C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe
xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr.2miners.com | udp |
| DE | 162.19.139.184:2222 | xmr.2miners.com | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 184.139.19.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.143.182.52.in-addr.arpa | udp |
Files
memory/4048-0-0x00000204E8A20000-0x00000204E8A40000-memory.dmp
memory/4048-1-0x00000204E8A80000-0x00000204E8AA0000-memory.dmp
memory/4048-2-0x00000204E8AA0000-0x00000204E8AC0000-memory.dmp
memory/4048-3-0x00000204E8AC0000-0x00000204E8AE0000-memory.dmp
memory/4048-4-0x00000204E8AA0000-0x00000204E8AC0000-memory.dmp
memory/4048-5-0x00000204E8AC0000-0x00000204E8AE0000-memory.dmp
Analysis: behavioral23
Detonation Overview
Submitted
2024-05-25 13:27
Reported
2024-05-25 13:48
Platform
win7-20240419-en
Max time kernel
844s
Max time network
1199s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2436 wrote to memory of 2260 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe |
| PID 2436 wrote to memory of 2260 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe |
| PID 2436 wrote to memory of 2260 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy - Copy (13).cmd"
C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe
xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr.2miners.com | udp |
| DE | 162.19.139.184:2222 | xmr.2miners.com | tcp |
Files
memory/2260-0-0x0000000000420000-0x0000000000440000-memory.dmp
memory/2260-1-0x0000000002680000-0x00000000026A0000-memory.dmp
memory/2260-2-0x00000000026A0000-0x00000000026C0000-memory.dmp
memory/2260-3-0x0000000002680000-0x00000000026A0000-memory.dmp
memory/2260-4-0x00000000026A0000-0x00000000026C0000-memory.dmp
Analysis: behavioral27
Detonation Overview
Submitted
2024-05-25 13:27
Reported
2024-05-25 13:48
Platform
win7-20240221-en
Max time kernel
840s
Max time network
1202s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2208 wrote to memory of 2216 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe |
| PID 2208 wrote to memory of 2216 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe |
| PID 2208 wrote to memory of 2216 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy - Copy (15).cmd"
C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe
xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr.2miners.com | udp |
| DE | 162.19.139.184:2222 | xmr.2miners.com | tcp |
Files
memory/2216-0-0x00000000001F0000-0x0000000000210000-memory.dmp
memory/2216-1-0x0000000000510000-0x0000000000530000-memory.dmp
memory/2216-2-0x0000000000530000-0x0000000000550000-memory.dmp
memory/2216-3-0x0000000000510000-0x0000000000530000-memory.dmp
memory/2216-4-0x0000000000530000-0x0000000000550000-memory.dmp
Analysis: behavioral30
Detonation Overview
Submitted
2024-05-25 13:27
Reported
2024-05-25 13:48
Platform
win10v2004-20240508-en
Max time kernel
554s
Max time network
1199s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3600 wrote to memory of 1640 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe |
| PID 3600 wrote to memory of 1640 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy - Copy (16).cmd"
C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe
xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr.2miners.com | udp |
| DE | 162.19.139.184:2222 | xmr.2miners.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 184.139.19.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.73.42.20.in-addr.arpa | udp |
Files
memory/1640-0-0x00000258D9D40000-0x00000258D9D60000-memory.dmp
memory/1640-1-0x00007FF85D5F0000-0x00007FF85D8B9000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-25 13:27
Reported
2024-05-25 13:48
Platform
win7-20240419-en
Max time kernel
844s
Max time network
1190s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1968 wrote to memory of 1980 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe |
| PID 1968 wrote to memory of 1980 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe |
| PID 1968 wrote to memory of 1980 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (2) - Copy.cmd"
C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe
xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr.2miners.com | udp |
| DE | 162.19.139.184:2222 | xmr.2miners.com | tcp |
Files
memory/1980-2-0x00000000004E0000-0x0000000000500000-memory.dmp
memory/1980-1-0x00000000004C0000-0x00000000004E0000-memory.dmp
memory/1980-0-0x0000000000080000-0x00000000000A0000-memory.dmp
memory/1980-3-0x00000000004C0000-0x00000000004E0000-memory.dmp
memory/1980-4-0x00000000004E0000-0x0000000000500000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-05-25 13:27
Reported
2024-05-25 13:48
Platform
win10v2004-20240508-en
Max time kernel
1193s
Max time network
1208s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4520 wrote to memory of 1112 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe |
| PID 4520 wrote to memory of 1112 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (5).cmd"
C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe
xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4200,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=4036 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4004,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=4232 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr.2miners.com | udp |
| DE | 162.19.139.184:2222 | xmr.2miners.com | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 184.139.19.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 96.136.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.98.74.40.in-addr.arpa | udp |
Files
memory/1112-0-0x00000257AD460000-0x00000257AD480000-memory.dmp
memory/1112-1-0x00000257AEE50000-0x00000257AEE70000-memory.dmp
memory/1112-2-0x00000257AEE80000-0x00000257AEEA0000-memory.dmp
memory/1112-3-0x00000257AEEA0000-0x00000257AEEC0000-memory.dmp
memory/1112-4-0x00000257AEE80000-0x00000257AEEA0000-memory.dmp
memory/1112-5-0x00000257AEEA0000-0x00000257AEEC0000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-05-25 13:27
Reported
2024-05-25 13:48
Platform
win7-20240221-en
Max time kernel
837s
Max time network
1197s
Command Line
Signatures
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1308 wrote to memory of 2308 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe |
| PID 1308 wrote to memory of 2308 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe |
| PID 1308 wrote to memory of 2308 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (3) - Copy.cmd"
C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe
xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr.2miners.com | udp |
| DE | 162.19.139.184:2222 | xmr.2miners.com | tcp |
Files
memory/2308-0-0x00000000000F0000-0x0000000000110000-memory.dmp
memory/2308-2-0x0000000001C40000-0x0000000001C60000-memory.dmp
memory/2308-1-0x0000000001C10000-0x0000000001C30000-memory.dmp
memory/2308-4-0x0000000001C40000-0x0000000001C60000-memory.dmp
memory/2308-3-0x0000000001C10000-0x0000000001C30000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2024-05-25 13:27
Reported
2024-05-25 13:48
Platform
win7-20240508-en
Max time kernel
842s
Max time network
1188s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2916 wrote to memory of 3012 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe |
| PID 2916 wrote to memory of 3012 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe |
| PID 2916 wrote to memory of 3012 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (5) - Copy.cmd"
C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe
xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr.2miners.com | udp |
| DE | 162.19.139.184:2222 | xmr.2miners.com | tcp |
Files
memory/3012-0-0x0000000000310000-0x0000000000330000-memory.dmp
memory/3012-2-0x0000000002750000-0x0000000002770000-memory.dmp
memory/3012-1-0x00000000024C0000-0x00000000024E0000-memory.dmp
memory/3012-4-0x0000000002750000-0x0000000002770000-memory.dmp
memory/3012-3-0x00000000024C0000-0x00000000024E0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-25 13:27
Reported
2024-05-25 13:48
Platform
win10v2004-20240426-en
Max time kernel
456s
Max time network
1202s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3016 wrote to memory of 4720 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe |
| PID 3016 wrote to memory of 4720 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (2) - Copy.cmd"
C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe
xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr.2miners.com | udp |
| DE | 162.19.139.184:2222 | xmr.2miners.com | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 184.139.19.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 52.111.227.11:443 | tcp | |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.173.189.20.in-addr.arpa | udp |
Files
memory/4720-0-0x0000016758AA0000-0x0000016758AC0000-memory.dmp
memory/4720-1-0x0000016758AF0000-0x0000016758B10000-memory.dmp
memory/4720-2-0x0000016758B30000-0x0000016758B50000-memory.dmp
memory/4720-3-0x0000016758B10000-0x0000016758B30000-memory.dmp
memory/4720-4-0x0000016758B30000-0x0000016758B50000-memory.dmp
memory/4720-5-0x0000016758B10000-0x0000016758B30000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-05-25 13:27
Reported
2024-05-25 13:48
Platform
win7-20240220-en
Max time kernel
838s
Max time network
1191s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2916 wrote to memory of 2632 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe |
| PID 2916 wrote to memory of 2632 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe |
| PID 2916 wrote to memory of 2632 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (4) - Copy.cmd"
C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe
xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr.2miners.com | udp |
| DE | 162.19.139.184:2222 | xmr.2miners.com | tcp |
Files
memory/2632-0-0x00000000002F0000-0x0000000000310000-memory.dmp
memory/2632-2-0x00000000005E0000-0x0000000000600000-memory.dmp
memory/2632-1-0x00000000005C0000-0x00000000005E0000-memory.dmp
memory/2632-4-0x00000000005E0000-0x0000000000600000-memory.dmp
memory/2632-3-0x00000000005C0000-0x00000000005E0000-memory.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2024-05-25 13:27
Reported
2024-05-25 13:48
Platform
win7-20231129-en
Max time kernel
837s
Max time network
1204s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2152 wrote to memory of 2324 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe |
| PID 2152 wrote to memory of 2324 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe |
| PID 2152 wrote to memory of 2324 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy - Copy (11).cmd"
C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe
xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr.2miners.com | udp |
| DE | 162.19.139.184:2222 | xmr.2miners.com | tcp |
Files
memory/2324-0-0x0000000000080000-0x00000000000A0000-memory.dmp
memory/2324-1-0x0000000002040000-0x0000000002060000-memory.dmp
memory/2324-2-0x00000000024A0000-0x00000000024C0000-memory.dmp
memory/2324-3-0x0000000002040000-0x0000000002060000-memory.dmp
memory/2324-4-0x00000000024A0000-0x00000000024C0000-memory.dmp
Analysis: behavioral26
Detonation Overview
Submitted
2024-05-25 13:27
Reported
2024-05-25 13:49
Platform
win10v2004-20240426-en
Max time kernel
450s
Max time network
1196s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5068 wrote to memory of 1056 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe |
| PID 5068 wrote to memory of 1056 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy - Copy (14).cmd"
C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe
xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr.2miners.com | udp |
| DE | 162.19.139.184:2222 | xmr.2miners.com | tcp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 184.139.19.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 63.141.182.52.in-addr.arpa | udp |
Files
memory/1056-0-0x0000022ECC530000-0x0000022ECC550000-memory.dmp
memory/1056-1-0x0000022ECDE20000-0x0000022ECDE40000-memory.dmp
memory/1056-2-0x0000022ECDE40000-0x0000022ECDE60000-memory.dmp
memory/1056-3-0x0000022ECDE60000-0x0000022ECDE80000-memory.dmp
memory/1056-4-0x0000022ECDE40000-0x0000022ECDE60000-memory.dmp
memory/1056-5-0x0000022ECDE60000-0x0000022ECDE80000-memory.dmp
Analysis: behavioral28
Detonation Overview
Submitted
2024-05-25 13:27
Reported
2024-05-25 13:48
Platform
win10v2004-20240426-en
Max time kernel
452s
Max time network
1199s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3152 wrote to memory of 1588 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe |
| PID 3152 wrote to memory of 1588 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy - Copy (15).cmd"
C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe
xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr.2miners.com | udp |
| DE | 162.19.139.184:2222 | xmr.2miners.com | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 184.139.19.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.73.42.20.in-addr.arpa | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
Files
memory/1588-0-0x000001BEF4630000-0x000001BEF4650000-memory.dmp
memory/1588-1-0x000001BEF4680000-0x000001BEF46A0000-memory.dmp
memory/1588-2-0x000001BEF6040000-0x000001BEF6060000-memory.dmp
memory/1588-3-0x000001BEF6060000-0x000001BEF6080000-memory.dmp
memory/1588-4-0x000001BEF6040000-0x000001BEF6060000-memory.dmp
memory/1588-5-0x000001BEF6060000-0x000001BEF6080000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-25 13:27
Reported
2024-05-25 13:33
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
294s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3004 wrote to memory of 3144 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe |
| PID 3004 wrote to memory of 3144 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (2).cmd"
C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe
xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr.2miners.com | udp |
| DE | 162.19.139.184:2222 | xmr.2miners.com | tcp |
| US | 8.8.8.8:53 | 184.139.19.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.179.89.13.in-addr.arpa | udp |
Files
memory/3144-0-0x000001CD76780000-0x000001CD767A0000-memory.dmp
memory/3144-1-0x000001CD767D0000-0x000001CD767F0000-memory.dmp
memory/3144-3-0x000001CD76810000-0x000001CD76830000-memory.dmp
memory/3144-2-0x000001CD767F0000-0x000001CD76810000-memory.dmp
memory/3144-4-0x000001CD767F0000-0x000001CD76810000-memory.dmp
memory/3144-5-0x000001CD76810000-0x000001CD76830000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-05-25 13:27
Reported
2024-05-25 13:48
Platform
win10v2004-20240426-en
Max time kernel
456s
Max time network
1192s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4868 wrote to memory of 4952 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe |
| PID 4868 wrote to memory of 4952 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (3) - Copy.cmd"
C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe
xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr.2miners.com | udp |
| DE | 162.19.139.184:2222 | xmr.2miners.com | tcp |
| US | 8.8.8.8:53 | 184.139.19.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.143.182.52.in-addr.arpa | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
Files
memory/4952-0-0x00000121D9880000-0x00000121D98A0000-memory.dmp
memory/4952-1-0x000001226BA50000-0x000001226BA70000-memory.dmp
memory/4952-2-0x000001226BEA0000-0x000001226BEC0000-memory.dmp
memory/4952-3-0x000001226C0D0000-0x000001226C0F0000-memory.dmp
memory/4952-4-0x000001226BEA0000-0x000001226BEC0000-memory.dmp
memory/4952-5-0x000001226C0D0000-0x000001226C0F0000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-05-25 13:27
Reported
2024-05-25 13:48
Platform
win10v2004-20240426-en
Max time kernel
448s
Max time network
1204s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2816 wrote to memory of 1624 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe |
| PID 2816 wrote to memory of 1624 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (3).cmd"
C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe
xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr.2miners.com | udp |
| DE | 162.19.139.184:2222 | xmr.2miners.com | tcp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 184.139.19.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.73.42.20.in-addr.arpa | udp |
Files
memory/1624-0-0x0000027F38FD0000-0x0000027F38FF0000-memory.dmp
memory/1624-1-0x0000027F3AA10000-0x0000027F3AA30000-memory.dmp
memory/1624-2-0x0000027F3AA30000-0x0000027F3AA50000-memory.dmp
memory/1624-3-0x0000027F3AA50000-0x0000027F3AA70000-memory.dmp
memory/1624-4-0x0000027F3AA30000-0x0000027F3AA50000-memory.dmp
memory/1624-5-0x0000027F3AA50000-0x0000027F3AA70000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2024-05-25 13:27
Reported
2024-05-25 13:48
Platform
win10v2004-20240426-en
Max time kernel
454s
Max time network
1196s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1240 wrote to memory of 4560 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe |
| PID 1240 wrote to memory of 4560 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (4) - Copy.cmd"
C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe
xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr.2miners.com | udp |
| DE | 162.19.139.184:2222 | xmr.2miners.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 184.139.19.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 96.136.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 169.117.168.52.in-addr.arpa | udp |
Files
memory/4560-0-0x0000026F84340000-0x0000026F84360000-memory.dmp
memory/4560-1-0x0000026F84390000-0x0000026F843B0000-memory.dmp
memory/4560-3-0x0000026F843D0000-0x0000026F843F0000-memory.dmp
memory/4560-2-0x0000026F843B0000-0x0000026F843D0000-memory.dmp
memory/4560-4-0x0000026F843B0000-0x0000026F843D0000-memory.dmp
memory/4560-5-0x0000026F843D0000-0x0000026F843F0000-memory.dmp
Analysis: behavioral25
Detonation Overview
Submitted
2024-05-25 13:27
Reported
2024-05-25 13:48
Platform
win7-20240221-en
Max time kernel
839s
Max time network
1195s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 384 wrote to memory of 2996 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe |
| PID 384 wrote to memory of 2996 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe |
| PID 384 wrote to memory of 2996 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy - Copy (14).cmd"
C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe
xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr.2miners.com | udp |
| DE | 162.19.139.184:2222 | xmr.2miners.com | tcp |
Files
memory/2996-0-0x0000000000190000-0x00000000001B0000-memory.dmp
memory/2996-1-0x0000000002480000-0x00000000024A0000-memory.dmp
memory/2996-2-0x00000000024A0000-0x00000000024C0000-memory.dmp
memory/2996-3-0x0000000002480000-0x00000000024A0000-memory.dmp
memory/2996-4-0x00000000024A0000-0x00000000024C0000-memory.dmp
Analysis: behavioral31
Detonation Overview
Submitted
2024-05-25 13:27
Reported
2024-05-25 13:33
Platform
win7-20240508-en
Max time kernel
117s
Max time network
303s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3016 wrote to memory of 3040 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe |
| PID 3016 wrote to memory of 3040 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe |
| PID 3016 wrote to memory of 3040 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy - Copy (2).cmd"
C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe
xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr.2miners.com | udp |
| DE | 162.19.139.184:2222 | xmr.2miners.com | tcp |
Files
memory/3040-2-0x00000000024B0000-0x00000000024D0000-memory.dmp
memory/3040-1-0x0000000000620000-0x0000000000640000-memory.dmp
memory/3040-0-0x00000000001F0000-0x0000000000210000-memory.dmp
memory/3040-4-0x00000000024B0000-0x00000000024D0000-memory.dmp
memory/3040-3-0x0000000000620000-0x0000000000640000-memory.dmp