General
-
Target
695c14c51ae9ff59157cf69f97b2d1cc.bin
-
Size
158KB
-
Sample
231121-cfw3cacb7v
-
MD5
ca9a9666a207e990f46ad05d25358c52
-
SHA1
87633771425e23c2f00a417cff8ebf0a4f861608
-
SHA256
b086d97e03a2b2c371790b7407849084e5bca70002b82f20fbbad27c532f7c37
-
SHA512
df77bea5e9b80e95400575397fab4f6d7d4d4e3cbf7c0df57cd26961f69dd83d6d3d2a7df23fc8fb9824e46cf2f5304aa870e342d39242b0fe2a0ec25e60039e
-
SSDEEP
3072:cLikEKbj9LaGMf4GnzWf31BiAymSSnSkNnsEkp+CUaugfCF/PEEVRzFGt:cLbjaGM5MiAyGSrEkpayczF2
Static task
static1
Behavioral task
behavioral1
Sample
f2b4ea5a8678e6b4ff70b238e34a208f4287f113ba6a65c12592a01cf9cf17c1.exe
Resource
win7-20231025-en
Behavioral task
behavioral2
Sample
f2b4ea5a8678e6b4ff70b238e34a208f4287f113ba6a65c12592a01cf9cf17c1.exe
Resource
win10v2004-20231023-en
Malware Config
Extracted
tofsee
vanaheim.cn
jotunheim.name
Targets
-
-
Target
f2b4ea5a8678e6b4ff70b238e34a208f4287f113ba6a65c12592a01cf9cf17c1.exe
-
Size
265KB
-
MD5
695c14c51ae9ff59157cf69f97b2d1cc
-
SHA1
4688eea11efa5c61c7704b5ca80196eb9099e867
-
SHA256
f2b4ea5a8678e6b4ff70b238e34a208f4287f113ba6a65c12592a01cf9cf17c1
-
SHA512
e43e45420544f2fd736f2427443941f1da5b8d4a74d4c9d2e0a95c8306b2f10e12beaa6b0c2ec2715ecbd66b41431f404c942c32720a8b3ee2afa640657d4688
-
SSDEEP
3072:d6LaowspCAE+mYgDxv5l7Iek5Ym7IQoiteVFWbVD22WsgAsR6c7ovb3TQh9:SaWCAF5Cf7Iem57InitGMxycQMrT
-
XMRig Miner payload
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2