General
- Target: 07b4f23ccc186d69b14f6108debf10c638d59fb0fedc73005392f7341d0bda98
- Size: 266KB
- Sample: 220605-n7nqtseder
- MD5: 12a01b885bb6b151cf2d044732e20af2
- SHA1: 825ab21f3c69f9e0f614731a7c9592bbfc2da50d
- SHA256: 07b4f23ccc186d69b14f6108debf10c638d59fb0fedc73005392f7341d0bda98
- SHA512: 25f88dee5d18350afe0dcc37d25269f93737d57a2ea01fc30c3cc8bf7fa9e724a48bfad5b5701a6c85374eb7e9e4b740d8963f554475a5d566eba147d056576d
Static task: static1
Malware Config
Extracted: tofsee
- svartalfheim.top
- jotunheim.name
Targets
- Target: 07b4f23ccc186d69b14f6108debf10c638d59fb0fedc73005392f7341d0bda98 (266KB; same sample and hashes as listed under General)
- XMRig Miner Payload
- Creates new service(s)
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Windows Firewall
- Sets service image path in registry
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext