General
-
Target
NEAS.49d338bc0aff700c861cea2620b98d673f0378a8c0813275722e08933bf0cf07.exe
-
Size
259KB
-
Sample
231106-3z5rpsab58
-
MD5
52bfbbeea419b32453306fbe9978576a
-
SHA1
a357439bd75ddf0f398d002cbb04e41182c225e5
-
SHA256
49d338bc0aff700c861cea2620b98d673f0378a8c0813275722e08933bf0cf07
-
SHA512
a3419cefc4eae81026b514156b81a979eae42934d7c80b5c1c733efa9143b5b637412bdcf2b33ca330de3b1a0c0221e7340799b8b00883149951ab47110ff8a2
-
SSDEEP
3072:kVX+o2rgL565qeKPYBMaSTC4KGBQoHt7Erjazbach5lh60keCUj:8+7gLYUFYBDRuUjazb5h6TM
Static task
static1
Behavioral task
behavioral1
Sample
NEAS.49d338bc0aff700c861cea2620b98d673f0378a8c0813275722e08933bf0cf07.exe
Resource
win7-20231023-en
Behavioral task
behavioral2
Sample
NEAS.49d338bc0aff700c861cea2620b98d673f0378a8c0813275722e08933bf0cf07.exe
Resource
win10v2004-20231020-en
Malware Config
Extracted
tofsee
vanaheim.cn
jotunheim.name
Targets
-
-
Target
NEAS.49d338bc0aff700c861cea2620b98d673f0378a8c0813275722e08933bf0cf07.exe
-
Size
259KB
-
MD5
52bfbbeea419b32453306fbe9978576a
-
SHA1
a357439bd75ddf0f398d002cbb04e41182c225e5
-
SHA256
49d338bc0aff700c861cea2620b98d673f0378a8c0813275722e08933bf0cf07
-
SHA512
a3419cefc4eae81026b514156b81a979eae42934d7c80b5c1c733efa9143b5b637412bdcf2b33ca330de3b1a0c0221e7340799b8b00883149951ab47110ff8a2
-
SSDEEP
3072:kVX+o2rgL565qeKPYBMaSTC4KGBQoHt7Erjazbach5lh60keCUj:8+7gLYUFYBDRuUjazb5h6TM
-
XMRig Miner payload
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2