The DFIR Report (@TheDFIRReport)

Bio: real intrusions by real attackers, the truth behind the intrusion
Tweets: 23
Followers: 587
Following: 18
Account created: 03-04-2020 01:33:43
ID: 1245886895458078722

Twitter Web App: Another coin miner (XMRig) dropped in the honeypot...

rig2.exe

- Attrib used to hide C:\Windows\Fonts\Windows
- Cacls used to restrict folder access to System
- Scheduled Tasks used for persistence

13/71
virustotal.com/gui/file/eb45d…

app.any.run/tasks/cb70da65…
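A detection sketch for the three behaviours the tweet lists (attrib hiding a directory under C:\Windows\Fonts, cacls restricting it to SYSTEM, a scheduled task for persistence), added here as an example and not code from The DFIR Report. The process-creation records, their `image|command line` shape, the rule names and the `rig2.exe` task path are constructed for the example.

```python
import re

# Constructed sample process-creation events (not from the tweet), one per line,
# in a simplified "image|command line" shape standing in for Sysmon Event ID 1
# or Windows 4688 records.
SAMPLE_EVENTS = [
    r"C:\Windows\System32\attrib.exe|attrib +s +h C:\Windows\Fonts\Windows",
    r"C:\Windows\System32\cacls.exe|cacls C:\Windows\Fonts\Windows /p SYSTEM:F",
    r"C:\Windows\System32\schtasks.exe|schtasks /create /tn Update /tr C:\Windows\Fonts\Windows\rig2.exe /sc minute",
    r"C:\Windows\System32\attrib.exe|attrib -r C:\Users\bob\notes.txt",
    r"C:\Windows\System32\notepad.exe|notepad.exe readme.txt",
]

# Directory the tweet reports being hidden; only command lines touching it are flagged,
# which keeps ordinary attrib/cacls/schtasks usage elsewhere out of the results.
SUSPICIOUS_DIR = r"c:\windows\fonts"

# Rule name -> regex over the command line (case-insensitive)
RULES = [
    ("attrib_hide_fonts", re.compile(r"attrib(?:\.exe)?\s.*\+h\b", re.I)),
    ("cacls_restrict_to_system", re.compile(r"cacls(?:\.exe)?\s.*/[gp]\s+SYSTEM:", re.I)),
    ("schtasks_create", re.compile(r"schtasks(?:\.exe)?\s.*/create\b", re.I)),
]


def evaluate(event):
    """Return the names of the rules a single event matches."""
    _image, _, cmdline = event.partition("|")
    if SUSPICIOUS_DIR not in cmdline.lower():
        return []
    return [name for name, pat in RULES if pat.search(cmdline)]


def scan(events):
    """Map each flagged event to the rules it triggered."""
    findings = {}
    for ev in events:
        hits = evaluate(ev)
        if hits:
            findings[ev] = hits
    return findings


def chain_detected(events):
    """True when all three behaviours appear together, i.e. the full hide/lock/persist chain."""
    seen = {name for hits in scan(events).values() for name in hits}
    return seen == {name for name, _ in RULES}


if __name__ == "__main__":
    for ev, hits in scan(SAMPLE_EVENTS).items():
        print(hits, "<-", ev.split("|", 1)[1])
    print("full chain:", chain_detected(SAMPLE_EVENTS))
```

Matching on the directory plus the specific switches is what keeps the rules quiet on legitimate admin use; tighten or widen SUSPICIOUS_DIR to whatever staging paths your own telemetry shows.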