Malware Analysis Report

2025-01-06 13:56

Sample ID 240525-rw5fzsfh4s
Target miner 2.55555.rar
SHA256 f5bd0ebcfc01b3431f67795b918ea0220ec4204530a959b2c161afecf61b74aa
Tags
miner xmrig
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral27

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral28

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral29

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral32

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral30

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral31

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f5bd0ebcfc01b3431f67795b918ea0220ec4204530a959b2c161afecf61b74aa

Threat Level: Known bad

The file miner 2.55555.rar was found to be: Known bad.

Malicious Activity Summary

miner xmrig

Xmrig family

XMRig Miner payload

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: LoadsDriver

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-25 14:33

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xmrig family

xmrig

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-25 14:33

Reported

2024-05-25 14:54

Platform

win7-20240508-en

Max time kernel

838s

Max time network

1208s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (3) - Copy.cmd"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (3) - Copy.cmd"

C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe

xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:2222 xmr.2miners.com tcp

Files

memory/2420-0-0x0000000000080000-0x00000000000A0000-memory.dmp

memory/2420-1-0x00000000007F0000-0x0000000000810000-memory.dmp

memory/2420-2-0x0000000000810000-0x0000000000830000-memory.dmp

memory/2420-3-0x00000000007F0000-0x0000000000810000-memory.dmp

memory/2420-4-0x0000000000810000-0x0000000000830000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-05-25 14:33

Reported

2024-05-25 14:54

Platform

win10v2004-20240508-en

Max time kernel

449s

Max time network

1211s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (4).cmd"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (4).cmd"

C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe

xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr.2miners.com udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
DE 162.19.139.184:2222 xmr.2miners.com tcp
US 8.8.8.8:53 184.139.19.162.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 16.173.189.20.in-addr.arpa udp

Files

memory/448-0-0x0000014A5FA60000-0x0000014A5FA80000-memory.dmp

memory/448-1-0x0000014A61460000-0x0000014A61480000-memory.dmp

memory/448-3-0x0000014A614A0000-0x0000014A614C0000-memory.dmp

memory/448-2-0x0000014A61480000-0x0000014A614A0000-memory.dmp

memory/448-4-0x0000014A61480000-0x0000014A614A0000-memory.dmp

memory/448-5-0x0000014A614A0000-0x0000014A614C0000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2024-05-25 14:33

Reported

2024-05-25 14:55

Platform

win7-20240221-en

Max time kernel

837s

Max time network

1204s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy - Copy (11).cmd"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy - Copy (11).cmd"

C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe

xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:2222 xmr.2miners.com tcp

Files

memory/1624-0-0x00000000001F0000-0x0000000000210000-memory.dmp

memory/1624-2-0x00000000006D0000-0x00000000006F0000-memory.dmp

memory/1624-1-0x0000000000610000-0x0000000000630000-memory.dmp

memory/1624-4-0x00000000006D0000-0x00000000006F0000-memory.dmp

memory/1624-3-0x0000000000610000-0x0000000000630000-memory.dmp

Analysis: behavioral24

Detonation Overview

Submitted

2024-05-25 14:33

Reported

2024-05-25 14:56

Platform

win10v2004-20240508-en

Max time kernel

441s

Max time network

1199s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy - Copy (13).cmd"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy - Copy (13).cmd"

C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe

xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:2222 xmr.2miners.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 184.139.19.162.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 175.117.168.52.in-addr.arpa udp

Files

memory/1628-0-0x000002393E940000-0x000002393E960000-memory.dmp

memory/1628-1-0x0000023940230000-0x0000023940250000-memory.dmp

memory/1628-2-0x0000023940250000-0x0000023940270000-memory.dmp

memory/1628-3-0x0000023940270000-0x0000023940290000-memory.dmp

memory/1628-4-0x0000023940250000-0x0000023940270000-memory.dmp

memory/1628-5-0x0000023940270000-0x0000023940290000-memory.dmp

Analysis: behavioral25

Detonation Overview

Submitted

2024-05-25 14:33

Reported

2024-05-25 14:56

Platform

win7-20240215-en

Max time kernel

844s

Max time network

1195s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy - Copy (14).cmd"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy - Copy (14).cmd"

C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe

xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:2222 xmr.2miners.com tcp

Files

memory/2108-0-0x0000000000200000-0x0000000000220000-memory.dmp

memory/2108-2-0x0000000000510000-0x0000000000530000-memory.dmp

memory/2108-1-0x00000000004F0000-0x0000000000510000-memory.dmp

memory/2108-4-0x0000000000510000-0x0000000000530000-memory.dmp

memory/2108-3-0x00000000004F0000-0x0000000000510000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-05-25 14:33

Reported

2024-05-25 14:54

Platform

win7-20240221-en

Max time kernel

843s

Max time network

1202s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (4) - Copy.cmd"

Signatures

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (4) - Copy.cmd"

C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe

xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:2222 xmr.2miners.com tcp

Files

memory/2100-0-0x00000000002F0000-0x0000000000310000-memory.dmp

memory/2100-2-0x00000000023A0000-0x00000000023C0000-memory.dmp

memory/2100-1-0x0000000000500000-0x0000000000520000-memory.dmp

memory/2100-3-0x0000000000500000-0x0000000000520000-memory.dmp

memory/2100-4-0x00000000023A0000-0x00000000023C0000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-05-25 14:33

Reported

2024-05-25 14:55

Platform

win10v2004-20240426-en

Max time kernel

453s

Max time network

1206s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (5).cmd"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (5).cmd"

C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe

xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:2222 xmr.2miners.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 184.139.19.162.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 16.173.189.20.in-addr.arpa udp

Files

memory/4336-0-0x000001FC89E90000-0x000001FC89EB0000-memory.dmp

memory/4336-1-0x000001FC89EE0000-0x000001FC89F00000-memory.dmp

memory/4336-3-0x000001FD1C6B0000-0x000001FD1C6D0000-memory.dmp

memory/4336-2-0x000001FC89F00000-0x000001FC89F20000-memory.dmp

memory/4336-4-0x000001FC89F00000-0x000001FC89F20000-memory.dmp

memory/4336-5-0x000001FD1C6B0000-0x000001FD1C6D0000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-05-25 14:33

Reported

2024-05-25 14:56

Platform

win10v2004-20240426-en

Max time kernel

871s

Max time network

1202s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy - Copy (10).cmd"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy - Copy (10).cmd"

C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe

xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:2222 xmr.2miners.com tcp
US 8.8.8.8:53 184.139.19.162.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 18.173.189.20.in-addr.arpa udp

Files

memory/2284-0-0x0000019441F50000-0x0000019441F70000-memory.dmp

memory/2284-1-0x00000194438C0000-0x00000194438E0000-memory.dmp

memory/2284-2-0x00000194438E0000-0x0000019443900000-memory.dmp

memory/2284-3-0x0000019443900000-0x0000019443920000-memory.dmp

memory/2284-4-0x00000194438E0000-0x0000019443900000-memory.dmp

memory/2284-5-0x0000019443900000-0x0000019443920000-memory.dmp

Analysis: behavioral27

Detonation Overview

Submitted

2024-05-25 14:33

Reported

2024-05-25 14:56

Platform

win7-20240221-en

Max time kernel

841s

Max time network

1197s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy - Copy (15).cmd"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy - Copy (15).cmd"

C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe

xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:2222 xmr.2miners.com tcp

Files

memory/2708-0-0x00000000000F0000-0x0000000000110000-memory.dmp

memory/2708-2-0x00000000002F0000-0x0000000000310000-memory.dmp

memory/2708-1-0x00000000002D0000-0x00000000002F0000-memory.dmp

memory/2708-4-0x00000000002F0000-0x0000000000310000-memory.dmp

memory/2708-3-0x00000000002D0000-0x00000000002F0000-memory.dmp

Analysis: behavioral28

Detonation Overview

Submitted

2024-05-25 14:33

Reported

2024-05-25 14:56

Platform

win10v2004-20240426-en

Max time kernel

449s

Max time network

1195s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy - Copy (15).cmd"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy - Copy (15).cmd"

C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe

xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:2222 xmr.2miners.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 184.139.19.162.in-addr.arpa udp
US 8.8.8.8:53 138.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 13.173.189.20.in-addr.arpa udp

Files

memory/3772-0-0x000001BE379C0000-0x000001BE379E0000-memory.dmp

memory/3772-1-0x000001BE392F0000-0x000001BE39310000-memory.dmp

memory/3772-3-0x000001BE39330000-0x000001BE39350000-memory.dmp

memory/3772-2-0x000001BE39310000-0x000001BE39330000-memory.dmp

memory/3772-4-0x000001BE39310000-0x000001BE39330000-memory.dmp

memory/3772-5-0x000001BE39330000-0x000001BE39350000-memory.dmp

Analysis: behavioral29

Detonation Overview

Submitted

2024-05-25 14:33

Reported

2024-05-25 14:56

Platform

win7-20240221-en

Max time kernel

841s

Max time network

1199s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy - Copy (16).cmd"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy - Copy (16).cmd"

C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe

xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:2222 xmr.2miners.com tcp

Files

memory/2836-0-0x00000000002F0000-0x0000000000310000-memory.dmp

memory/2836-2-0x00000000004F0000-0x0000000000510000-memory.dmp

memory/2836-1-0x00000000004D0000-0x00000000004F0000-memory.dmp

memory/2836-4-0x00000000004F0000-0x0000000000510000-memory.dmp

memory/2836-3-0x00000000004D0000-0x00000000004F0000-memory.dmp

Analysis: behavioral32

Detonation Overview

Submitted

2024-05-25 14:33

Reported

2024-05-25 14:56

Platform

win10v2004-20240508-en

Max time kernel

447s

Max time network

1194s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy - Copy (2).cmd"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy - Copy (2).cmd"

C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe

xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:2222 xmr.2miners.com tcp
US 8.8.8.8:53 184.139.19.162.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 8.173.189.20.in-addr.arpa udp

Files

memory/3748-0-0x0000014B7B0C0000-0x0000014B7B0E0000-memory.dmp

memory/3748-1-0x0000014B7C9F0000-0x0000014B7CA10000-memory.dmp

memory/3748-3-0x0000014B7CA30000-0x0000014B7CA50000-memory.dmp

memory/3748-2-0x0000014B7CA10000-0x0000014B7CA30000-memory.dmp

memory/3748-4-0x0000014B7CA10000-0x0000014B7CA30000-memory.dmp

memory/3748-5-0x0000014B7CA30000-0x0000014B7CA50000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-25 14:33

Reported

2024-05-25 14:55

Platform

win10v2004-20240426-en

Max time kernel

445s

Max time network

1197s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (3) - Copy.cmd"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (3) - Copy.cmd"

C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe

xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:2222 xmr.2miners.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 184.139.19.162.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 13.179.89.13.in-addr.arpa udp

Files

memory/2780-0-0x000001EBC6A00000-0x000001EBC6A20000-memory.dmp

memory/2780-1-0x000001EBC6B50000-0x000001EBC6B70000-memory.dmp

memory/2780-2-0x000001EBC6B70000-0x000001EBC6B90000-memory.dmp

memory/2780-3-0x000001EBC6B90000-0x000001EBC6BB0000-memory.dmp

memory/2780-4-0x000001EBC6B70000-0x000001EBC6B90000-memory.dmp

memory/2780-5-0x000001EBC6B90000-0x000001EBC6BB0000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2024-05-25 14:33

Reported

2024-05-25 14:55

Platform

win7-20240215-en

Max time kernel

838s

Max time network

1192s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (5).cmd"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (5).cmd"

C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe

xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:2222 xmr.2miners.com tcp

Files

memory/2444-0-0x00000000001F0000-0x0000000000210000-memory.dmp

memory/2444-2-0x0000000002120000-0x0000000002140000-memory.dmp

memory/2444-1-0x00000000002B0000-0x00000000002D0000-memory.dmp

memory/2444-3-0x00000000002B0000-0x00000000002D0000-memory.dmp

memory/2444-4-0x0000000002120000-0x0000000002140000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted

2024-05-25 14:33

Reported

2024-05-25 14:41

Platform

win10v2004-20240426-en

Max time kernel

94s

Max time network

299s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy - Copy (11).cmd"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy - Copy (11).cmd"

C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe

xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:2222 xmr.2miners.com tcp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 184.139.19.162.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

memory/1100-0-0x00000246E9220000-0x00000246E9240000-memory.dmp

memory/1100-1-0x00007FFB72FF0000-0x00007FFB73146000-memory.dmp

Analysis: behavioral23

Detonation Overview

Submitted

2024-05-25 14:33

Reported

2024-05-25 14:55

Platform

win7-20240419-en

Max time kernel

840s

Max time network

1204s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy - Copy (13).cmd"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy - Copy (13).cmd"

C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe

xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:2222 xmr.2miners.com tcp

Files

memory/2240-0-0x0000000000080000-0x00000000000A0000-memory.dmp

memory/2240-1-0x00000000004E0000-0x0000000000500000-memory.dmp

memory/2240-2-0x0000000000500000-0x0000000000520000-memory.dmp

memory/2240-3-0x00000000004E0000-0x0000000000500000-memory.dmp

memory/2240-4-0x0000000000500000-0x0000000000520000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-25 14:33

Reported

2024-05-25 14:56

Platform

win7-20240220-en

Max time kernel

842s

Max time network

1192s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (3).cmd"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (3).cmd"

C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe

xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:2222 xmr.2miners.com tcp

Files

memory/1508-0-0x0000000000080000-0x00000000000A0000-memory.dmp

memory/1508-1-0x0000000002130000-0x0000000002150000-memory.dmp

memory/1508-2-0x0000000002150000-0x0000000002170000-memory.dmp

memory/1508-3-0x0000000002130000-0x0000000002150000-memory.dmp

memory/1508-4-0x0000000002150000-0x0000000002170000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted

2024-05-25 14:33

Reported

2024-05-25 14:55

Platform

win10v2004-20240426-en

Max time kernel

845s

Max time network

1200s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy - Copy (12).cmd"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy - Copy (12).cmd"

C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe

xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:2222 xmr.2miners.com tcp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 184.139.19.162.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 8.173.189.20.in-addr.arpa udp

Files

memory/4544-0-0x000001BE32570000-0x000001BE32590000-memory.dmp

memory/4544-1-0x000001BE33FB0000-0x000001BE33FD0000-memory.dmp

memory/4544-2-0x000001BE33FD0000-0x000001BE33FF0000-memory.dmp

memory/4544-3-0x000001BE33FF0000-0x000001BE34010000-memory.dmp

memory/4544-4-0x000001BE33FD0000-0x000001BE33FF0000-memory.dmp

memory/4544-5-0x000001BE33FF0000-0x000001BE34010000-memory.dmp

Analysis: behavioral26

Detonation Overview

Submitted

2024-05-25 14:33

Reported

2024-05-25 14:55

Platform

win10v2004-20240426-en

Max time kernel

454s

Max time network

1203s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy - Copy (14).cmd"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy - Copy (14).cmd"

C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe

xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:2222 xmr.2miners.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 184.139.19.162.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 175.117.168.52.in-addr.arpa udp

Files

memory/1144-0-0x00000210DD410000-0x00000210DD430000-memory.dmp

memory/1144-1-0x00000210DD460000-0x00000210DD480000-memory.dmp

memory/1144-3-0x00000210DD4A0000-0x00000210DD4C0000-memory.dmp

memory/1144-2-0x00000210DD480000-0x00000210DD4A0000-memory.dmp

memory/1144-4-0x00000210DD480000-0x00000210DD4A0000-memory.dmp

memory/1144-5-0x00000210DD4A0000-0x00000210DD4C0000-memory.dmp

Analysis: behavioral30

Detonation Overview

Submitted

2024-05-25 14:33

Reported

2024-05-25 14:56

Platform

win10v2004-20240426-en

Max time kernel

437s

Max time network

1201s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy - Copy (16).cmd"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy - Copy (16).cmd"

C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe

xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:2222 xmr.2miners.com tcp
US 8.8.8.8:53 184.139.19.162.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 155.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 208.143.182.52.in-addr.arpa udp

Files

memory/4552-0-0x0000021D3C5A0000-0x0000021D3C5C0000-memory.dmp

memory/4552-1-0x0000021D3C6D0000-0x0000021D3C6F0000-memory.dmp

memory/4552-3-0x0000021DCED90000-0x0000021DCEDB0000-memory.dmp

memory/4552-2-0x0000021DCEB60000-0x0000021DCEB80000-memory.dmp

memory/4552-5-0x0000021DCED90000-0x0000021DCEDB0000-memory.dmp

memory/4552-4-0x0000021DCEB60000-0x0000021DCEB80000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-25 14:33

Reported

2024-05-25 14:54

Platform

win10v2004-20240508-en

Max time kernel

1193s

Max time network

1206s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (3).cmd"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (3).cmd"

C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe

xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=2700,i,14648456027158448592,4956305794400220180,262144 --variations-seed-version --mojo-platform-channel-handle=3684 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4408,i,14648456027158448592,4956305794400220180,262144 --variations-seed-version --mojo-platform-channel-handle=4452 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:2222 xmr.2miners.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 184.139.19.162.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 9.179.89.13.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp

Files

memory/1684-0-0x000001D92CE80000-0x000001D92CEA0000-memory.dmp

memory/1684-1-0x000001D92CED0000-0x000001D92CEF0000-memory.dmp

memory/1684-3-0x000001D92CF10000-0x000001D92CF30000-memory.dmp

memory/1684-2-0x000001D92CEF0000-0x000001D92CF10000-memory.dmp

memory/1684-4-0x000001D92CEF0000-0x000001D92CF10000-memory.dmp

memory/1684-5-0x000001D92CF10000-0x000001D92CF30000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-05-25 14:33

Reported

2024-05-25 14:55

Platform

win10v2004-20240426-en

Max time kernel

613s

Max time network

1205s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (4) - Copy.cmd"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (4) - Copy.cmd"

C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe

xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:2222 xmr.2miners.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 184.139.19.162.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 28.173.189.20.in-addr.arpa udp

Files

memory/3936-0-0x00000234E3440000-0x00000234E3460000-memory.dmp

memory/3936-1-0x00000234E4E40000-0x00000234E4E60000-memory.dmp

memory/3936-2-0x00000234E4E60000-0x00000234E4E80000-memory.dmp

memory/3936-3-0x00000234E4E80000-0x00000234E4EA0000-memory.dmp

memory/3936-4-0x00000234E4E60000-0x00000234E4E80000-memory.dmp

memory/3936-5-0x00000234E4E80000-0x00000234E4EA0000-memory.dmp

Analysis: behavioral31

Detonation Overview

Submitted

2024-05-25 14:33

Reported

2024-05-25 14:56

Platform

win7-20240419-en

Max time kernel

840s

Max time network

1201s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy - Copy (2).cmd"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy - Copy (2).cmd"

C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe

xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:2222 xmr.2miners.com tcp

Files

memory/2100-0-0x00000000002F0000-0x0000000000310000-memory.dmp

memory/2100-2-0x00000000021D0000-0x00000000021F0000-memory.dmp

memory/2100-1-0x00000000021B0000-0x00000000021D0000-memory.dmp

memory/2100-4-0x00000000021D0000-0x00000000021F0000-memory.dmp

memory/2100-3-0x00000000021B0000-0x00000000021D0000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-25 14:33

Reported

2024-05-25 14:54

Platform

win7-20240221-en

Max time kernel

838s

Max time network

1205s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (2) - Copy.cmd"

Signatures

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (2) - Copy.cmd"

C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe

xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:2222 xmr.2miners.com tcp

Files

memory/2184-0-0x00000000000F0000-0x0000000000110000-memory.dmp

memory/2184-2-0x0000000001EA0000-0x0000000001EC0000-memory.dmp

memory/2184-1-0x00000000001B0000-0x00000000001D0000-memory.dmp

memory/2184-4-0x0000000001EA0000-0x0000000001EC0000-memory.dmp

memory/2184-3-0x00000000001B0000-0x00000000001D0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-25 14:33

Reported

2024-05-25 14:54

Platform

win10v2004-20240508-en

Max time kernel

1177s

Max time network

1213s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (2) - Copy.cmd"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (2) - Copy.cmd"

C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe

xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:2222 xmr.2miners.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 184.139.19.162.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 9.179.89.13.in-addr.arpa udp

Files

memory/232-0-0x00000145DA720000-0x00000145DA740000-memory.dmp

memory/232-1-0x00000145DA880000-0x00000145DA8A0000-memory.dmp

memory/232-3-0x00000145DA8C0000-0x00000145DA8E0000-memory.dmp

memory/232-2-0x00000145DA8A0000-0x00000145DA8C0000-memory.dmp

memory/232-4-0x00000145DA8A0000-0x00000145DA8C0000-memory.dmp

memory/232-5-0x00000145DA8C0000-0x00000145DA8E0000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-25 14:33

Reported

2024-05-25 14:55

Platform

win10v2004-20240426-en

Max time kernel

447s

Max time network

1202s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (2).cmd"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (2).cmd"

C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe

xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:2222 xmr.2miners.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 184.139.19.162.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 89.16.208.104.in-addr.arpa udp

Files

memory/4508-0-0x000001EBD33A0000-0x000001EBD33C0000-memory.dmp

memory/4508-1-0x000001EBD33F0000-0x000001EBD3410000-memory.dmp

memory/4508-2-0x000001EBD3410000-0x000001EBD3430000-memory.dmp

memory/4508-3-0x000001EBD3430000-0x000001EBD3450000-memory.dmp

memory/4508-4-0x000001EBD3410000-0x000001EBD3430000-memory.dmp

memory/4508-5-0x000001EBD3430000-0x000001EBD3450000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-05-25 14:33

Reported

2024-05-25 14:55

Platform

win7-20240419-en

Max time kernel

841s

Max time network

1202s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (4).cmd"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (4).cmd"

C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe

xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:2222 xmr.2miners.com tcp

Files

memory/1692-0-0x00000000001F0000-0x0000000000210000-memory.dmp

memory/1692-1-0x00000000004C0000-0x00000000004E0000-memory.dmp

memory/1692-2-0x00000000004E0000-0x0000000000500000-memory.dmp

memory/1692-3-0x00000000004C0000-0x00000000004E0000-memory.dmp

memory/1692-4-0x00000000004E0000-0x0000000000500000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2024-05-25 14:33

Reported

2024-05-25 14:55

Platform

win7-20240508-en

Max time kernel

837s

Max time network

1195s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy - Copy (12).cmd"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy - Copy (12).cmd"

C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe

xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:2222 xmr.2miners.com tcp

Files

memory/2268-0-0x00000000000F0000-0x0000000000110000-memory.dmp

memory/2268-2-0x00000000002F0000-0x0000000000310000-memory.dmp

memory/2268-1-0x00000000002D0000-0x00000000002F0000-memory.dmp

memory/2268-4-0x00000000002F0000-0x0000000000310000-memory.dmp

memory/2268-3-0x00000000002D0000-0x00000000002F0000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-25 14:33

Reported

2024-05-25 14:54

Platform

win7-20240221-en

Max time kernel

842s

Max time network

1191s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (2).cmd"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (2).cmd"

C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe

xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:2222 xmr.2miners.com tcp

Files

memory/2708-0-0x00000000001F0000-0x0000000000210000-memory.dmp

memory/2708-2-0x00000000024A0000-0x00000000024C0000-memory.dmp

memory/2708-1-0x0000000002130000-0x0000000002150000-memory.dmp

memory/2708-4-0x00000000024A0000-0x00000000024C0000-memory.dmp

memory/2708-3-0x0000000002130000-0x0000000002150000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-05-25 14:33

Reported

2024-05-25 14:55

Platform

win7-20240508-en

Max time kernel

840s

Max time network

1196s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (5) - Copy.cmd"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (5) - Copy.cmd"

C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe

xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:2222 xmr.2miners.com tcp

Files

memory/2144-0-0x00000000001F0000-0x0000000000210000-memory.dmp

memory/2144-2-0x00000000005F0000-0x0000000000610000-memory.dmp

memory/2144-1-0x00000000004C0000-0x00000000004E0000-memory.dmp

memory/2144-3-0x00000000004C0000-0x00000000004E0000-memory.dmp

memory/2144-4-0x00000000005F0000-0x0000000000610000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-05-25 14:33

Reported

2024-05-25 14:55

Platform

win10v2004-20240508-en

Max time kernel

446s

Max time network

1193s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (5) - Copy.cmd"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy (5) - Copy.cmd"

C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe

xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:2222 xmr.2miners.com tcp
US 8.8.8.8:53 184.139.19.162.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 32.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 226.162.46.104.in-addr.arpa udp

Files

memory/5112-0-0x0000011AD4D00000-0x0000011AD4D20000-memory.dmp

memory/5112-1-0x0000011AD4E50000-0x0000011AD4E70000-memory.dmp

memory/5112-3-0x0000011B674F0000-0x0000011B67510000-memory.dmp

memory/5112-2-0x0000011B672C0000-0x0000011B672E0000-memory.dmp

memory/5112-4-0x0000011B672C0000-0x0000011B672E0000-memory.dmp

memory/5112-5-0x0000011B674F0000-0x0000011B67510000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2024-05-25 14:33

Reported

2024-05-25 14:55

Platform

win7-20240221-en

Max time kernel

840s

Max time network

1192s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy - Copy (10).cmd"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\pool_mine_example - Copy - Copy (10).cmd"

C:\Users\Admin\AppData\Local\Temp\miner 2.55555\miner 2.5\xmrig-6.21.3\xmrig.exe

xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:2222 xmr.2miners.com tcp

Files

memory/2636-0-0x00000000001F0000-0x0000000000210000-memory.dmp

memory/2636-2-0x00000000024A0000-0x00000000024C0000-memory.dmp

memory/2636-1-0x0000000000630000-0x0000000000650000-memory.dmp

memory/2636-4-0x00000000024A0000-0x00000000024C0000-memory.dmp

memory/2636-3-0x0000000000630000-0x0000000000650000-memory.dmp