e4606439b649d4635746c9a408e78492759398c12b952df2574ca871740002ad | Triage

Analysis

max time kernel
48s
max time network
148s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
10-09-2024 07:40

Sharing

Report Analysis Logs

General

Target

PhoenixMiner_6.2c_Windows/13_ethereum-classic-poolin.bat
Size

488B
MD5

cf473c4171120c7ebba8a9b79d925c71
SHA1

3691717ed9088900cdac7596cdbc8f5afb3701c6
SHA256

e17ac45ec4710710f339e12727842439a9f9c175db3ed86eb7b3a1cd1edbaf8c
SHA512

8ca815d8673da10f50ff1e6f7381989a50d55eaf59ab1ff5105adb154975ad8813f141afb07d41859328932829e68d16260dd6888af7704e4ace2fa75d8f735e

Score

5^/10

Malware Config

Signatures

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

PhoenixMiner.exe

pid process

3000 PhoenixMiner.exe
3000 PhoenixMiner.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 3480 wrote to memory of 964	3480	cmd.exe	setx.exe
PID 3480 wrote to memory of 964	3480	cmd.exe	setx.exe
PID 3480 wrote to memory of 1576	3480	cmd.exe	setx.exe
PID 3480 wrote to memory of 1576	3480	cmd.exe	setx.exe
PID 3480 wrote to memory of 4444	3480	cmd.exe	setx.exe
PID 3480 wrote to memory of 4444	3480	cmd.exe	setx.exe
PID 3480 wrote to memory of 3104	3480	cmd.exe	setx.exe
PID 3480 wrote to memory of 3104	3480	cmd.exe	setx.exe
PID 3480 wrote to memory of 4456	3480	cmd.exe	setx.exe
PID 3480 wrote to memory of 4456	3480	cmd.exe	setx.exe
PID 3480 wrote to memory of 3000	3480	cmd.exe	PhoenixMiner.exe
PID 3480 wrote to memory of 3000	3480	cmd.exe	PhoenixMiner.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PhoenixMiner_6.2c_Windows\13_ethereum-classic-poolin.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3480

C:\Windows\system32\setx.exe
setx GPU_FORCE_64BIT_PTR 0
2⤵
PID:964

C:\Windows\system32\setx.exe
setx GPU_MAX_HEAP_SIZE 100
2⤵
PID:1576

C:\Windows\system32\setx.exe
setx GPU_USE_SYNC_OBJECTS 1
2⤵
PID:4444

C:\Windows\system32\setx.exe
setx GPU_MAX_ALLOC_PERCENT 100
2⤵
PID:3104

C:\Windows\system32\setx.exe
setx GPU_SINGLE_ALLOC_PERCENT 100
2⤵
PID:4456

C:\Users\Admin\AppData\Local\Temp\PhoenixMiner_6.2c_Windows\PhoenixMiner.exe
PhoenixMiner.exe -pool stratum+tcp://etc.ss.poolin.one:443 -wal 0x360d6f9efea21c82d341504366fd1c2eeea8fa9d.Rig001 -coin etc
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3000

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads