General
- Target: file
- Size: 298KB
- Sample: 231014-cms92ada94
- MD5: 5182e126b6f798ddb20ac56c5ab4660d
- SHA1: 467a4e7708679aac87c2a4e98b9c69eba12dc21b
- SHA256: d7b88f392653a4569f1f6a792d27ed75dcb22921915ff2cff23519d6eb8c673a
- SHA512: 37b25dc5c340817881922fc7b9fa4a06e1954cae86afee74d174c905e7be366edfe9329888bbcd46d3c8bae1d295c7dd13e0b78bc408d341b5d5d42c7301d4b8
- SSDEEP: 3072:w+uHkj3i/Gur0Z6sZgrKBRTM+4FvH9vxrFUkcVTcgpWvKV/Fy2L3:4Hci/GuoZ6pmBSJrJpUpV4gEY4
Tasks
- Static task: static1
- Behavioral task: behavioral1 (sample: file.exe; resource: win7-20230831-en)
- Behavioral task: behavioral2 (sample: file.exe; resource: win10v2004-20230915-en)
Malware Config
Extracted
- Family: tofsee
- C2: vanaheim.cn, jotunheim.name
Targets
- Target: file (298KB; same MD5/SHA1/SHA256/SHA512/SSDEEP as listed under General)
Signatures
- XMRig Miner payload
- Creates new service(s)
- Modifies Windows Firewall
- Sets service image path in registry
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Deletes itself
- Executes dropped EXE
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
  - Windows Service (2)