General
- Target: 206ca3f88f29ee80ca16649e17efcce1ee750c45ce1a6762f96f6d6d049993e5.zip
- Size: 128KB
- Sample: 231022-vlj9vadc43
- MD5: 6b3f851c87039eccc95e75c168e3f943
- SHA1: d8bd8857ba75e9c54a6f30adf6e3ed1fe1e66922
- SHA256: 929316dc45a47682a15734ebd6528226795ab97eaf17b170ff26addefe9698cf
- SHA512: b9607f0f3b56221d9bf5ca9de0ca0acf358d525fe2d8af3b0264aad9abd46c234b96cf5bd734fe668df475a8efb18930da18578bc36bd734dbbdb0e8c1814d3b
- SSDEEP: 3072:7WUTm1eUMZfJ9PmCoKF4BMPcUce1Kisv4tIa98JwdUJ8:l5f+KkUPKixSIZda8
Static task: static1
Behavioral task: behavioral1
- Sample: 206ca3f88f29ee80ca16649e17efcce1ee750c45ce1a6762f96f6d6d049993e5.exe
- Resource: win7-20231020-en
Behavioral task: behavioral2
- Sample: 206ca3f88f29ee80ca16649e17efcce1ee750c45ce1a6762f96f6d6d049993e5.exe
- Resource: win10v2004-20231020-en
Malware Config
Extracted
tofsee
vanaheim.cn
jotunheim.name
Targets
- Target: 206ca3f88f29ee80ca16649e17efcce1ee750c45ce1a6762f96f6d6d049993e5.exe
- Size: 254KB
- MD5: 400d83c136d4003e1137471d3900f267
- SHA1: c26b5043bea1c3176d9d605b782010542ef7d26e
- SHA256: 206ca3f88f29ee80ca16649e17efcce1ee750c45ce1a6762f96f6d6d049993e5
- SHA512: 907cfcaa1b90d79261cbd84d3876a79d34de120ab4d6b34afef20aeef916efa1ce098967e9a568e57c476ab3f8af9ed19aa4541f91741299288cfbc881cccdd3
- SSDEEP: 3072:WyBNUf2KxA+GRKv3XgAYUzBefFzGdrgRiyVHhoLA48vQX:9FMA+KKvHgn4tIiyVHqL
- XMRig Miner payload
- Creates new service(s)
- Modifies Windows Firewall
- Sets service image path in registry
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Deletes itself
- Executes dropped EXE
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
  - Windows Service (2)