General
- Target: f0b7156b726240e3431e8eec398d67561cea81624f0f7c8cda392fef21fb2364
- Size: 231KB
- Sample: 231121-fkycracd88
- MD5: c960d953cd6db802cdd90faebe88c756
- SHA1: 014d7e29c36f8ba13d0a4a61c172f162a043b748
- SHA256: f0b7156b726240e3431e8eec398d67561cea81624f0f7c8cda392fef21fb2364
- SHA512: 320ec08d441d42027a285acd2338f03dba061199625712f1cffca31bbd40892e15504ab1a286dbba467e2754b8e03f64265a34ab01a7f31e180d3d2e14565f39
- SSDEEP: 6144:Z9r+JOmzUe4UM52Ly4k6UKwGnPsdlYrI:0b4UMlJfKRPs7
Static task: static1
Behavioral task: behavioral1
- Sample: f0b7156b726240e3431e8eec398d67561cea81624f0f7c8cda392fef21fb2364.exe
- Resource: win7-20231023-en
Malware Config
Extracted: tofsee
- vanaheim.cn
- jotunheim.name
Targets
- Target: f0b7156b726240e3431e8eec398d67561cea81624f0f7c8cda392fef21fb2364 (same sample and hashes as listed under General)
- XMRig Miner payload
- Creates new service(s)
- Modifies Windows Firewall
- Sets service image path in registry
- Deletes itself
- Executes dropped EXE
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
  - Windows Service (2)