We're gradually updating threat actor names in our reports to align with the new weather-themed taxonomy. Learn about Microsoft threat actor names
Behavior:Win64/PennyCrypt.A!nri
Aliases: No associated aliases
Summary
Behavior:Win64/PennyCrypt.A!nri is a behavioral detection label Microsoft Defender uses to detect malicious runtime behavior on a 64-bit Windows device for PennyCrypt malware. This PennyCrypt variant is related to a malware signature that is known because of its behavioral monitoring of fileless operations, unauthorized use of resources, and command and control (C2) monitoring.
This malware is used to mine cryptocurrency or launch remote payloads by using an in-memory only implementation that is not caught by traditional antivirus scanning. The "!nri" suffix means that it is a non-replicating infection, meaning it doesn't self-spread. It was found through heuristic, or machine learning models, not through static signatures.
- Disconnect infected devices from networks/internet to halt C2 communications.
- Reset all user/administrator passwords and audit Active Directory for anomalous logins.
- Restore files from offline backups. Avoid cloud backups until disinfection is complete.
Microsoft Defender Antivirus automatically removes threats as they are detected. However, many infections can leave remnant files and system changes. Updating your antimalware definitions and running a full scan might help address these remnant artifacts.
You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.
