General
- Target: 8dd54a2cf3be8a7893f9c4cf474b29a5ebe95558a404e551faf95cd0dc65018c
- Size: 262KB
- Sample: 220606-ntk3sacbdj
- MD5: b0431de64e84ffb815a80ee55e252c64
- SHA1: cb0ca7154c63ae2e241880d9e535396c1e9a2a24
- SHA256: 8dd54a2cf3be8a7893f9c4cf474b29a5ebe95558a404e551faf95cd0dc65018c
- SHA512: c3ff01ab26aefa24b8cbad807a1158ae9e796b8ff8ad4d42cbc33562b0360f2c0571711c18ad35f04ace8608057e988bb5692f22b5ae3d73c114271c32d464cc
Static task: static1
Malware Config
Extracted: tofsee
- svartalfheim.top
- jotunheim.name
Targets
- XMRig Miner Payload
- Creates new service(s)
- Executes dropped EXE
- Modifies Windows Firewall
- Sets service image path in registry
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext