General
Target: d139ef26bf3b435fbb04a3bbfee83b94bd4c9c75799e6c4efe36dc53b588bb30
Size: 160KB
Sample: 231106-p1n9fscg77
MD5: af6dcb7c00f3fbd62c781f48e9222d1f
SHA1: 8be7b4c4eeb7e8ee2097ccf6e4c6d945e22aeb57
SHA256: e5e58683c4bb0d2c8ff4246401ab427fe7313661c6b9aeb9a93e7be4da4f66c5
SHA512: de723c7d675aab5edbedb078d73bfb249034bbf28e4a94a1e9c2712c6f7670c671ab3543b7b393f8d3a3e589c5dc71636198b9e7a45df1579252b92cef09e5fb
SSDEEP: 3072:OxakXePiPcI8Xih7M83a4IRKeGaxLKLDrOrKW7stu6oUButotxmC2nh8cs:1+3PcbCMiERtGnL2rKWxU8yd2nhzs

Tasks
Static task: static1
Behavioral task: behavioral1
  Sample: d139ef26bf3b435fbb04a3bbfee83b94bd4c9c75799e6c4efe36dc53b588bb30.exe
  Resource: win7-20231023-en
Behavioral task: behavioral2
  Sample: d139ef26bf3b435fbb04a3bbfee83b94bd4c9c75799e6c4efe36dc53b588bb30.exe
  Resource: win10v2004-20231020-en

Malware Config
Extracted: tofsee
  vanaheim.cn
  jotunheim.name

Targets
Target: d139ef26bf3b435fbb04a3bbfee83b94bd4c9c75799e6c4efe36dc53b588bb30
Size: 254KB
MD5: ccfb3ad139d84573e8083854eec1b59d
SHA1: f1993c2870e9d3216e74683a9c4e2c77c255f4b2
SHA256: d139ef26bf3b435fbb04a3bbfee83b94bd4c9c75799e6c4efe36dc53b588bb30
SHA512: 6e153b8dc4e35d6e1fbb037fb7a9b30efda1a40aa51633bb00d794eb109d303a931add77eb2d5f43da963ec7583be1ff5d9b1d0699815be53083d2105398fed6
SSDEEP: 6144:QRI7tWsLnf64lyPtVyaL2rK8Zbz33pnMjHp:mds764ytVyaC2Ov3iH

Signatures
- XMRig Miner payload
- Creates new service(s)
- Modifies Windows Firewall
- Sets service image path in registry
- Checks computer location settings (looks up the country code configured in the registry, likely a geofence)
- Deletes itself
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)