General
Target: 7a4cfb277cc054d761bde28a0f92caa9f142ad61959923a023a0d8248ad1c4ee.zip
Size: 164KB
Sample: 231119-zh3n8scb91
MD5: fa3a3e958817e5d9b90a8580395f972f
SHA1: 7a673916fff9a435d9ffc9721e0678057be48b48
SHA256: 187ac7008c17b951e0d2cbfef73407e938c2e78008ea4d59a534496f067104c4
SHA512: 75fe8ad9a73b72c0dc8729d09c55de486b00c4e3a218b2c6522c7ce06b90d2783023228f2ccf637b02ae7186776721b1dcea1cccbc2e4bc0d7f5a00ffc3406f4
SSDEEP: 3072:AnvZhNZfhFXIEE0kUtMhl7oWNZIbRSx4iZZhKIrvzWIM2J46vPK93h:AvZd7XIEE0kJ3kWNZIlS2WFvCipQ3h
Static task: static1
Behavioral task: behavioral1
Sample: 7a4cfb277cc054d761bde28a0f92caa9f142ad61959923a023a0d8248ad1c4ee.exe
Resource: win7-20231023-en
Behavioral task: behavioral2
Sample: 7a4cfb277cc054d761bde28a0f92caa9f142ad61959923a023a0d8248ad1c4ee.exe
Resource: win10v2004-20231020-en
Malware Config
Extracted family: tofsee
C2: vanaheim.cn
C2: jotunheim.name
Targets
Target: 7a4cfb277cc054d761bde28a0f92caa9f142ad61959923a023a0d8248ad1c4ee.exe
Size: 254KB
MD5: 02ac11d7691ed7141949fc5c03d5aae8
SHA1: b122e23b4dfb29d4efedbbe7a72c75d696f8a7ac
SHA256: 7a4cfb277cc054d761bde28a0f92caa9f142ad61959923a023a0d8248ad1c4ee
SHA512: c437f0cec3cbe5a62a650cafd0814016864c083a2df5a65000d0411b8249daec0744b7c948039a97848135a263ba183a9cb00876fbc3d22ee1e8322dfda0e55e
SSDEEP: 3072:M9xGAh803FPqB1HzqotaoQpxVKPk4hjw6EX7eUkpvTRSdnbr4rO/p/4CY/:w/8iYlAxVKMuELrdnbr4yG
Signatures
- XMRig Miner payload
- Creates new service(s)
- Modifies Windows Firewall
- Sets service image path in registry
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Deletes itself
- Executes dropped EXE
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
  - Windows Service (2)
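The hashes, extracted C2 hosts and behaviour signatures above are the parts of this report a responder would actually reuse. The following is an added example, not code from the sandbox or from this report: it embeds the report's indicators (the extracted EXE's hashes, the two Tofsee C2 hosts) and runs a small behaviour classifier over a constructed set of endpoint events for the signatures listed (service image path set under System32, firewall modified via netsh, external IP lookup, C2 DNS queries), mapping the persistence tags back to the two ATT&CK techniques the report names. The event schema is a hypothetical simplified one, not Sysmon's real fields; the service name, file name, firewall rule name and IP-lookup hosts are placeholders and assumptions, not values from the report.

```python
import hashlib
import re
from collections import Counter

# Indicators taken from the report above (the extracted EXE, not the zip).
KNOWN_SAMPLE_HASHES = {
    "md5": "02ac11d7691ed7141949fc5c03d5aae8",
    "sha1": "b122e23b4dfb29d4efedbbe7a72c75d696f8a7ac",
    "sha256": "7a4cfb277cc054d761bde28a0f92caa9f142ad61959923a023a0d8248ad1c4ee",
}
# Tofsee C2 hosts from the report's extracted config.
C2_HOSTS = {"vanaheim.cn", "jotunheim.name"}
# Assumption: the report only says "a legitimate IP lookup service"; this list is
# illustrative and is not what the sample was observed contacting.
IP_LOOKUP_HOSTS = {"api.ipify.org", "icanhazip.com", "checkip.amazonaws.com"}

# ATT&CK IDs for the two persistence techniques the report lists.
ATTACK_MAP = {
    "run_key_set": "T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder",
    "service_imagepath_set": "T1543.003 Create or Modify System Process: Windows Service",
}

SERVICE_IMAGEPATH_RE = re.compile(r"\\CurrentControlSet\\Services\\[^\\]+\\ImagePath$", re.I)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
SYSTEM32_RE = re.compile(r"^[A-Z]:\\Windows\\System32\\", re.I)

# Constructed events in a hypothetical simplified schema (not Sysmon's real fields).
# "placeholdersvc" / "placeholder.exe" / rule name are stand-ins, not report values.
SAMPLE_EVENTS = [
    {"type": "registry_set",
     "path": r"HKLM\SYSTEM\CurrentControlSet\Services\placeholdersvc\ImagePath",
     "value": r"C:\Windows\System32\placeholder.exe"},
    {"type": "process", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": r'netsh advfirewall firewall add rule name="placeholder" dir=in action=allow program="C:\Windows\System32\placeholder.exe"'},
    {"type": "dns", "host": "vanaheim.cn"},
    {"type": "dns", "host": "jotunheim.name"},
    {"type": "http", "host": "api.ipify.org"},
    {"type": "dns", "host": "www.example.com"},  # benign noise, should yield no tags
]


def hash_bytes(data: bytes) -> dict:
    """Return md5/sha1/sha256 hex digests of a byte string, for matching against the report."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def is_known_sample(data: bytes) -> bool:
    """True if the bytes hash to the report's SHA256 for the extracted EXE."""
    return hash_bytes(data)["sha256"] == KNOWN_SAMPLE_HASHES["sha256"]


def classify_event(event: dict) -> list:
    """Map one simplified endpoint event to behaviour tags named in the report."""
    tags = []
    kind = event.get("type")
    if kind == "registry_set":
        path = event.get("path", "")
        value = event.get("value", "").strip('"')
        if SERVICE_IMAGEPATH_RE.search(path):
            tags.append("service_imagepath_set")           # "Sets service image path in registry"
            if SYSTEM32_RE.match(value):
                tags.append("service_image_in_system32")   # "Drops file in System32 directory"
        elif RUN_KEY_RE.search(path):
            tags.append("run_key_set")                     # Registry Run Keys / Startup Folder
    elif kind == "process":
        cmd = event.get("cmdline", "").lower()
        if "netsh" in cmd and "advfirewall" in cmd:
            tags.append("firewall_modified")               # "Modifies Windows Firewall"
    elif kind in ("dns", "http"):
        host = event.get("host", "").lower().rstrip(".")
        if host in C2_HOSTS:
            tags.append("c2_contact")                      # Tofsee config hosts
        if host in IP_LOOKUP_HOSTS:
            tags.append("external_ip_lookup")              # "Looks up external IP address"
    return tags


def triage(events: list) -> dict:
    """Count behaviour tags over a batch of events and attach the report's ATT&CK IDs."""
    counts = Counter(tag for ev in events for tag in classify_event(ev))
    techniques = sorted({ATTACK_MAP[t] for t in counts if t in ATTACK_MAP})
    # Verdict rule (assumption): C2 contact plus any persistence tag is treated as a Tofsee match.
    persistent = any(t in counts for t in ATTACK_MAP)
    verdict = "tofsee_match" if ("c2_contact" in counts and persistent) else ("suspicious" if counts else "clean")
    return {"tags": dict(counts), "techniques": techniques, "verdict": verdict}


if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

The hash check is deliberately on the extracted EXE's SHA256 rather than the zip's, since the zip is just the submission wrapper and its hash will not appear on an infected host. The classifier is keyed on the behaviours the report lists, not on the placeholder service or file names, so it survives the sample changing those between builds; the C2 host match is the strongest single signal here because the two domains come straight from the extracted Tofsee config.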