General
-
Target
NEAS.0a789303f7862ae6c864bff0e9cb793b8b8f43a88e7545c4656c2d77563b2fa0exe_JC.exe
-
Size
264KB
-
Sample
231026-wnlq5adf6x
-
MD5
4db89e4fc069a41e4bb9d415b09bcb68
-
SHA1
f0f7ffe7c838718140a155810900b173ae71b7f3
-
SHA256
0a789303f7862ae6c864bff0e9cb793b8b8f43a88e7545c4656c2d77563b2fa0
-
SHA512
cd2989a330180dd0a90780a2114695f782ce731627edb59b0474bc798100a6f9640ea095222202a086885cd8b32b388ec8dde822345ca346a9dba876a236c525
-
SSDEEP
3072:bsXo5bRdAcrVHLrAIc6mxksjEkpwaE6KZX9ld3FOV+B3XH9B5Gfk9QoQb:8CbRPRL3c6mhTSaEvn3FOVaHUfk
Static task
static1
Behavioral task
behavioral1
Sample
NEAS.0a789303f7862ae6c864bff0e9cb793b8b8f43a88e7545c4656c2d77563b2fa0exe_JC.exe
Resource
win7-20231020-en
Behavioral task
behavioral2
Sample
NEAS.0a789303f7862ae6c864bff0e9cb793b8b8f43a88e7545c4656c2d77563b2fa0exe_JC.exe
Resource
win10v2004-20231020-en
Malware Config
Extracted
Family: tofsee
C2: vanaheim.cn
C2: jotunheim.name
Targets
-
Target
NEAS.0a789303f7862ae6c864bff0e9cb793b8b8f43a88e7545c4656c2d77563b2fa0exe_JC.exe
-
XMRig Miner payload
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up the country code configured in the registry, likely a geofence check before the payload runs.
-
Deletes itself
-
Executes dropped EXE
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
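The indicators above (file hashes and the two Tofsee C2 domains) are what an analyst would actually hunt with. The following script is an added example, not part of the sandbox report or of any tool it names: it copies the report's hashes and C2 domains into an offline matcher, hashes a file with every algorithm the report lists in a single pass, and scans DNS resolver log lines for lookups of the C2 domains or their subdomains. The log lines and file contents it checks are constructed for the demonstration and are not the sample; the log format (`query=<name>`) is an assumption.

```python
"""IOC matcher built from the indicators in the report above.

Added example, not part of the sandbox report or of any tool it names.
The hashes and C2 domains are copied from the report; the DNS log lines
and file contents below are constructed for the demonstration.
"""
import hashlib
import io
import re
from typing import Dict, List, Set, Tuple

# Hashes of the analysed file, copied from the report. SHA-256 is the one
# to rely on; MD5 and SHA-1 are kept only because many feeds still use them.
SAMPLE_HASHES: Dict[str, str] = {
    "md5": "4db89e4fc069a41e4bb9d415b09bcb68",
    "sha1": "f0f7ffe7c838718140a155810900b173ae71b7f3",
    "sha256": "0a789303f7862ae6c864bff0e9cb793b8b8f43a88e7545c4656c2d77563b2fa0",
    "sha512": "cd2989a330180dd0a90780a2114695f782ce731627edb59b0474bc798100a6f9"
              "640ea095222202a086885cd8b32b388ec8dde822345ca346a9dba876a236c525",
}

# C2 domains from the extracted Tofsee configuration in the report.
C2_DOMAINS: Set[str] = {"vanaheim.cn", "jotunheim.name"}

# Constructed resolver log (assumed "query=<name>" layout), not real traffic.
SAMPLE_DNS_LOG: List[str] = [
    "2023-10-26T14:02:11Z client=10.0.0.5 query=www.example.com type=A",
    "2023-10-26T14:02:12Z client=10.0.0.5 query=vanaheim.cn type=A",
    "2023-10-26T14:02:13Z client=10.0.0.7 query=MAIL.JOTUNHEIM.NAME. type=MX",
    "2023-10-26T14:02:14Z client=10.0.0.9 query=notjotunheim.name type=A",
]


def digests_of(stream) -> Dict[str, str]:
    """Hash a binary stream once with every algorithm in SAMPLE_HASHES."""
    hashers = {name: hashlib.new(name) for name in SAMPLE_HASHES}
    for chunk in iter(lambda: stream.read(1 << 20), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_file(path: str) -> Dict[str, str]:
    """Digests of a file on disk, read in 1 MiB chunks."""
    with open(path, "rb") as fh:
        return digests_of(fh)


def hash_bytes(data: bytes) -> Dict[str, str]:
    """Digests of an in-memory buffer (used here so the demo runs offline)."""
    return digests_of(io.BytesIO(data))


def matching_algorithms(digests: Dict[str, str]) -> Set[str]:
    """Names of the report's hashes that the given digests match.

    An empty set means "not this exact file". A match on MD5 or SHA-1 alone,
    without SHA-256, should be treated as suspicious rather than conclusive.
    """
    return {name for name, value in SAMPLE_HASHES.items()
            if digests.get(name) == value}


# Hostname-looking tokens: at least one dot followed by an alphabetic TLD,
# so bare IPv4 addresses and timestamps in the log line are skipped.
_HOSTNAME_RE = re.compile(r"[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def find_c2_lookups(log_lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_no, c2_domain, queried_name) for each lookup of a C2
    domain or one of its subdomains.

    Matching is on DNS labels, not substrings: "mail.jotunheim.name" is a
    hit, "notjotunheim.name" is not. Case and a trailing dot are ignored.
    """
    hits: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(log_lines, 1):
        for token in _HOSTNAME_RE.findall(line):
            name = token.lower().rstrip(".")
            for c2 in C2_DOMAINS:
                if name == c2 or name.endswith("." + c2):
                    hits.append((lineno, c2, name))
    return hits


if __name__ == "__main__":
    for lineno, c2, name in find_c2_lookups(SAMPLE_DNS_LOG):
        print(f"line {lineno}: lookup of {name} matches C2 domain {c2}")
    probe = hash_bytes(b"constructed bytes, not the analysed sample")
    print("constructed buffer matches sample on:", matching_algorithms(probe) or "nothing")
```

The hash match only ever identifies this exact 264 KB file; Tofsee builds are repacked often, so a hash miss says nothing about whether a host is infected, while the C2 domains and the behaviours listed above (a new service whose ImagePath points into System32, a firewall modification, the dropped executable) are the more durable things to alert on. The report's SSDEEP value would let you catch repacked variants by similarity, but that needs the ssdeep bindings and is deliberately left out of this offline example.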
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (T1547): 1
Registry Run Keys / Startup Folder (T1547.001): 1
Create or Modify System Process (T1543): 2
Windows Service (T1543.003): 2