General
Target: 84e5c974047a59e9c250aa8e93a28b390267eea51a38a711bc28a229bf5eba96.zip
Size: 160KB
Sample: 231119-zj7dtabd97
MD5: 54abfdfee2051fdc2f9746c18f72da61
SHA1: c68199a93664434dd175432793ba5ef9c1509f21
SHA256: 5dc792bf16fa99e33e3270248f62bc7c5ae17c29c25347b59013ccbb8a5de7eb
SHA512: 1d9db79126978a7c0749d28f712287b00ed202bbbb0a36851208050f04639236efb07a8e7f996cf32e598c99bb228b2cacae8261973d0e851b494b916ceda5fd
SSDEEP: 3072:NTHFfEgUAMRDt0WyFcW0YFBIXZ9+W4bUr8y8xAnHaoJhUwkAVnBxSvjMWMnI:NTHTIDtTwjID+LwrOxAnHNJhmAVnHAV
Static task: static1
Behavioral task: behavioral1
  Sample: 84e5c974047a59e9c250aa8e93a28b390267eea51a38a711bc28a229bf5eba96.exe
  Resource: win7-20231020-en
Behavioral task: behavioral2
  Sample: 84e5c974047a59e9c250aa8e93a28b390267eea51a38a711bc28a229bf5eba96.exe
  Resource: win10v2004-20231025-en
Malware Config
Extracted (tofsee):
  vanaheim.cn
  jotunheim.name
Targets
Target: 84e5c974047a59e9c250aa8e93a28b390267eea51a38a711bc28a229bf5eba96.exe
Size: 247KB
MD5: 17f7e745dbc9477f5edbb4a02df91b06
SHA1: 896216645904844e1c012a4ce76234d0c6795f97
SHA256: 84e5c974047a59e9c250aa8e93a28b390267eea51a38a711bc28a229bf5eba96
SHA512: b36ee1060d897d5b19e0e779ca48f9a7a336bcce2700c9c6c6eb549dfd9a49174262d39655079e0704a44749e280aefcb9813da4b7ce354b2105b74f374c2e9b
SSDEEP: 6144:h/1BvthPXgbdbpePeXYD4JFKtFF9duXI5:J1FLfOBsee44F9duXI
Signatures
- XMRig Miner payload
- Creates new service(s)
- Modifies Windows Firewall
- Sets service image path in registry
- Checks computer location settings
  Looks up the country code configured in the registry, likely to geofence execution.
- Deletes itself
- Executes dropped EXE
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)
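The signatures and the ATT&CK mapping above are what a responder has to turn into detections on their own telemetry. The following is an added example, not the sandbox's own detection logic, that runs the same checks over a small set of constructed host events (registry sets and queries, process launches, DNS lookups) and reports findings in the wording the page uses. The Tofsee hosts come from the extracted config on the page; the ATT&CK IDs T1547.001 (Registry Run Keys / Startup Folder) and T1543.003 (Windows Service) are the techniques the page names. Everything else is an assumption made for illustration: the event schema, the registry locations used for the firewall-policy and location-settings checks, the netsh command pattern, and the list of IP-lookup hosts.

```python
"""Map constructed host events to the signatures reported for this Tofsee sample.

Added example: not the sandbox's code. Event schema, registry paths, netsh
pattern and IP-lookup host list are assumptions; the C2 hosts and ATT&CK IDs
are taken from the report page.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable

# Hosts from the Tofsee config extracted on the report page.
TOFSEE_C2_HOSTS = {"vanaheim.cn", "jotunheim.name"}

# Assumed locations for the remaining signatures (illustrative, not from the report).
SERVICE_IMAGEPATH_RE = re.compile(
    r"^HKLM\\SYSTEM\\CurrentControlSet\\Services\\([^\\]+)\\ImagePath$", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.IGNORECASE)
GEO_NATION_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.IGNORECASE)
FIREWALL_POLICY_RE = re.compile(r"\\SharedAccess\\Parameters\\FirewallPolicy\\", re.IGNORECASE)
NETSH_FIREWALL_RE = re.compile(r"\bnetsh(?:\.exe)?\b.*\b(?:advfirewall|firewall)\b", re.IGNORECASE)
IP_LOOKUP_HOSTS = {"api.ipify.org", "checkip.dyndns.org", "icanhazip.com", "ifconfig.me"}


@dataclass(frozen=True)
class Finding:
    signature: str   # wording used by the report page
    technique: str   # ATT&CK technique ID, or "" where the page maps none
    evidence: str


def classify(event: dict) -> list[Finding]:
    """Return every signature a single event satisfies (an event may hit several)."""
    kind = event["kind"]
    out: list[Finding] = []
    if kind == "reg_set":
        path = event["path"]
        if SERVICE_IMAGEPATH_RE.match(path):
            out.append(Finding("Sets service image path in registry", "T1543.003",
                               f"{path} = {event['data']}"))
        if RUN_KEY_RE.search(path):
            out.append(Finding("Registry Run Keys / Startup Folder", "T1547.001",
                               f"{path} = {event['data']}"))
        if FIREWALL_POLICY_RE.search(path):
            out.append(Finding("Modifies Windows Firewall", "", path))
    elif kind == "reg_query":
        if GEO_NATION_RE.search(event["path"]):
            out.append(Finding("Checks computer location settings", "", event["path"]))
    elif kind == "process":
        if NETSH_FIREWALL_RE.search(event["cmdline"]):
            out.append(Finding("Modifies Windows Firewall", "", event["cmdline"]))
    elif kind == "dns":
        query = event["query"].lower().rstrip(".")
        if query in TOFSEE_C2_HOSTS:
            out.append(Finding("Contacts Tofsee C2 host from extracted config", "", query))
        elif query in IP_LOOKUP_HOSTS:
            out.append(Finding("Looks up external IP address via web service", "", query))
    return out


def triage(events: Iterable[dict]) -> list[Finding]:
    return [finding for event in events for finding in classify(event)]


def signature_counts(findings: Iterable[Finding]) -> dict[str, int]:
    """Count hits per signature, matching the (N) counts in the report's ATT&CK section."""
    return dict(Counter(f.signature for f in findings))


# Constructed sample events; service name, file names and rule ID are invented.
SAMPLE_EVENTS = [
    {"kind": "reg_query", "path": r"HKCU\Control Panel\International\Geo\Nation"},
    {"kind": "reg_set", "path": r"HKLM\SYSTEM\CurrentControlSet\Services\svchlpr\ImagePath",
     "data": r"C:\Windows\System32\svchlpr.exe"},
    {"kind": "reg_set", "path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "data": r"C:\Users\Public\updater.exe"},
    {"kind": "reg_set", "path": r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess"
                                r"\Parameters\FirewallPolicy\FirewallRules\{rule-id}",
     "data": "v2.0|Action=Allow|Active=TRUE|Dir=In|App=C:\\Windows\\System32\\svchlpr.exe|"},
    {"kind": "process", "cmdline": 'netsh advfirewall firewall add rule name="svchlpr" '
                                   'dir=in action=allow program="C:\\Windows\\System32\\svchlpr.exe"'},
    {"kind": "dns", "query": "api.ipify.org"},
    {"kind": "dns", "query": "vanaheim.cn"},
    {"kind": "dns", "query": "www.microsoft.com"},          # benign, produces no finding
    {"kind": "reg_set", "path": r"HKCU\Software\Example\Setting", "data": "1"},  # benign
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.signature:<48} {f.technique:<10} {f.evidence}")
    print(signature_counts(triage(SAMPLE_EVENTS)))
```

The C2-host check deliberately takes precedence over the IP-lookup check so a config host is never downgraded to the weaker signature; on real telemetry the same functions would be fed from Sysmon registry (EventID 12/13), process creation (EventID 1) and DNS (EventID 22) records after converting them to the dict shape used here.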