General
Target: d1e5a43651a23c058b1a0db11f7cdf61fec98f6f35922b2fa2efd5b6af361660
Size: 270KB
Sample: 220124-d3p3zsbbf6
MD5: dd21a90907a782df7b3e24a9de9822be
SHA1: cd0f545b5dd9c514511f27703e02527162cac6bb
SHA256: d1e5a43651a23c058b1a0db11f7cdf61fec98f6f35922b2fa2efd5b6af361660
SHA512: b3cf0ad508f787e5eb402960ca9696910140aad3d7c78117465738afab50804b2be9eb120e83cdd62d2a399d63100425d7ca0e10b33aa2baa0e8e4604055b9db
Static task: static1
Malware Config
Extracted: tofsee
- patmushta.info
- ovicrush.cn
Targets
Target: d1e5a43651a23c058b1a0db11f7cdf61fec98f6f35922b2fa2efd5b6af361660 (same file and hashes as listed under General)
Signatures:
- XMRig Miner Payload
- Creates new service(s)
- Executes dropped EXE
- Modifies Windows Firewall
- Sets service image path in registry
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of SetThreadContext