General
Target: 35da7aab0d190d5aeb04eaaa179c1cbd2302004c7671d6c71bc078a3df97d652.zip
Size: 158KB
Sample: 231119-z4c1psce31
MD5: 3954d90937944936b0a10d6e7566ec78
SHA1: 4a4d9635f44089f57251d50030963ac7635eee38
SHA256: 66782bd3ba0f90793030b8bab0108c6467758a807ac2b7fc55b4ae5e9152cadf
SHA512: 8f073a568f29ed1ee0b28d4ec21a1d4fe91a4a7d4b9a9ef3d87b6881ef486e4e2e0bbc58823873d1c064fd9116b8f7f98b9cf2fd5a27ffffc600bcb0a669d5b4
SSDEEP: 3072:fUuwoSlDLneZWBreU9Yz6DOSE1nQavPoiSOduOYlJz0y7almISu6:fUJoSn9eU9jE1nCiSJPB5T3
Static task: static1
Behavioral task: behavioral1
  Sample: 35da7aab0d190d5aeb04eaaa179c1cbd2302004c7671d6c71bc078a3df97d652.exe
  Resource: win7-20231020-en
Behavioral task: behavioral2
  Sample: 35da7aab0d190d5aeb04eaaa179c1cbd2302004c7671d6c71bc078a3df97d652.exe
  Resource: win10v2004-20231025-en
Malware Config
Extracted: tofsee
  vanaheim.cn
  jotunheim.name
Targets
Target: 35da7aab0d190d5aeb04eaaa179c1cbd2302004c7671d6c71bc078a3df97d652.exe
Size: 274KB
MD5: 59e1227450eb946f0eb83fad2f72b1f5
SHA1: b78400bfe2fb0dbe892b1dff5220a7de2c43dfc6
SHA256: 35da7aab0d190d5aeb04eaaa179c1cbd2302004c7671d6c71bc078a3df97d652
SHA512: 19fd57f8a026cd2cc64f4d8ac99538b9d90f9a33a3d70c2061131ea5094a53fa0c4bf23a6adaf51d06bdd799236860311cb4f67e7503ac43259461aedfeda1c2
SSDEEP: 3072:QlnO9lcF4LS5ZUsBHS9R071uEcR647ovb3Trh6e:UnXKL+By9R0ooMMrT
- XMRig Miner payload
- Creates new service(s)
- Modifies Windows Firewall
- Sets service image path in registry
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Deletes itself
- Executes dropped EXE
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)