General
Target: a4890b770988697b0c12b5c7038f115d99c13f1f59e592f467a514a4d3ccc4e0
Size: 145KB
Sample: 240417-r7j97aec6y
MD5: 05f4da07394f474157dcb4aef8dd1a40
SHA1: abba5a54bceffd40b219f0fcb5151169d1b5365a
SHA256: a4890b770988697b0c12b5c7038f115d99c13f1f59e592f467a514a4d3ccc4e0
SHA512: 04a1efc6fe1788db68b081fecdfbef1652b8de237c9721eb3d14991af54f51fa3ecc7cabba18a14e720d6f40726398cfa9d3b219ad92f2b2c99ab1cb0627ce75
SSDEEP: 3072:0KP5H6PGy0Lv6V/XN4wSc/EfTDT7b7+5A/qmxUMKNz6/PGk9iMjrCPLhNWBOr8RU:0KEXf57TEffT7b7iwuMCz6T9Fj2jhNWO
Tasks
Static task: static1
Behavioral task behavioral1: sample 7c44a7de2a7c4175c761e08a2de5d2acd42ad3195d7686e5b8d507f99c30adc8.exe, resource win7-20240220-en
Behavioral task behavioral2: sample 7c44a7de2a7c4175c761e08a2de5d2acd42ad3195d7686e5b8d507f99c30adc8.exe, resource win10v2004-20240412-en
Malware Config
Extracted configuration (family: tofsee):
- vanaheim.cn
- jotunheim.name
Targets
Target: 7c44a7de2a7c4175c761e08a2de5d2acd42ad3195d7686e5b8d507f99c30adc8.exe
Size: 229KB
MD5: ddb3205a92ff18ae17b3f9f93c7b197c
SHA1: b77c666a2d7b1f63ba08316f9a221be6ac1f786a
SHA256: 7c44a7de2a7c4175c761e08a2de5d2acd42ad3195d7686e5b8d507f99c30adc8
SHA512: db659ead4fd2ed186f221adf5bb9ab5b686253454eeb307ba247a99d8026c009d72ed11473d4622146c7b6cf59f445ad3b020ac3394d3f61af5bfd385b43c334
SSDEEP: 3072:lnUQviqZALXadUs0vEJimn1K29YbqYZgpLneYDR89fJ5j3UxS6MeILYS:lnUzPjflapLnsdT3U2eILY
Score: 10/10
Signatures
- Creates new service(s)
- Modifies Windows Firewall
- Sets service image path in registry
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
- Deletes itself
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence: Create or Modify System Process, T1543 (2): Windows Service, T1543.003 (2); Boot or Logon Autostart Execution, T1547 (1): Registry Run Keys / Startup Folder, T1547.001 (1)
Privilege Escalation: Create or Modify System Process, T1543 (2): Windows Service, T1543.003 (2); Boot or Logon Autostart Execution, T1547 (1): Registry Run Keys / Startup Folder, T1547.001 (1)
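The signature list above names behaviours without showing what telemetry each one is keyed on, or why "Executes dropped EXE" needs state carried across events. The following Python is an added example, not part of the sandbox report or its vendor's code: it replays a constructed API trace against rules for the eight signatures and maps the hits onto the ATT&CK technique the matrix lists for service persistence. The trace record shape (`api` plus per-call fields), the sample's run-time path, the dropped file name, the `target_pid` field on SetThreadContext and the registry key used for the country-code lookup (assumed to be the GeoID value under `HKCU\Control Panel\International\Geo\Nation`, which the report does not name) are all assumptions; every event is constructed.

```python
import re

# Constructed for this example (the report does not give the run-time path):
# where the sample was launched from in the sandbox.
SAMPLE_PATH = r"C:\Users\user\Desktop\7c44a7de2a7c4175c761e08a2de5d2acd42ad3195d7686e5b8d507f99c30adc8.exe"
SYSTEM32 = r"C:\Windows\System32"

# HKLM\SYSTEM\...\Services\<name>\ImagePath is the value a service's binary
# path lives in (the "Sets service image path in registry" signature).
SERVICE_IMAGEPATH = re.compile(
    r"^HKLM\\SYSTEM\\(CurrentControlSet|ControlSet\d{3})\\Services\\[^\\]+\\ImagePath$", re.I)
# Assumed: the country-code lookup reads the GeoID value; the report names no key.
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
FIREWALL_CMD = re.compile(r"\bnetsh(\.exe)?\s.*\b(advfirewall|firewall)\b", re.I)

# Signatures the report's ATT&CK v13 matrix attributes to T1543.003
# (Create or Modify System Process: Windows Service).  The matrix also lists
# T1547.001 (Registry Run Keys / Startup Folder), but no signature in the list
# names a Run-key write, so that technique is not modelled here.
ATTACK = {
    "Creates new service(s)": "T1543.003",
    "Sets service image path in registry": "T1543.003",
}


def image_of(cmdline):
    """Executable path from a command line, honouring a quoted first token."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:].split('"', 1)[0]
    return cmdline.split(" ", 1)[0]


def classify(trace, sample_path=SAMPLE_PATH, own_pid=1000):
    """Replay an ordered API trace and return the report signatures it triggers."""
    hits = set()
    dropped = set()  # paths the sample wrote; "Executes dropped EXE" needs this state
    for ev in trace:
        api = ev["api"]
        if api == "CreateFileW" and ev.get("access") == "write":
            path = ev["path"]
            dropped.add(path.lower())
            if path.lower().startswith(SYSTEM32.lower() + "\\"):
                hits.add("Drops file in System32 directory")
        elif api == "RegSetValueExW" and SERVICE_IMAGEPATH.search(ev["key"]):
            hits.add("Sets service image path in registry")
        elif api == "CreateServiceW":
            hits.add("Creates new service(s)")
        elif api == "RegQueryValueExW" and GEO_NATION.search(ev["key"]):
            hits.add("Checks computer location settings")
        elif api == "CreateProcessW":
            cmd = ev["cmdline"]
            if FIREWALL_CMD.search(cmd):
                hits.add("Modifies Windows Firewall")
            if image_of(cmd).lower() in dropped:
                hits.add("Executes dropped EXE")
        elif api == "SetThreadContext" and ev.get("target_pid") != own_pid:
            # Rewriting a thread context in another (usually freshly created,
            # suspended) process is the injection/hollowing pattern flagged.
            hits.add("Suspicious use of SetThreadContext")
        elif api == "DeleteFileW" and ev["path"].lower() == sample_path.lower():
            hits.add("Deletes itself")
    return hits


def techniques(hits):
    """ATT&CK technique IDs for a set of signature hits."""
    return {ATTACK[h] for h in hits if h in ATTACK}


# Constructed trace (not from the report).  Order matters: the dropped binary
# must be written before its execution can be recognised as "Executes dropped EXE".
TRACE = [
    {"api": "RegQueryValueExW", "key": r"HKCU\Control Panel\International\Geo\Nation"},
    {"api": "CreateFileW", "path": SYSTEM32 + r"\dropped.exe", "access": "write"},
    {"api": "CreateServiceW", "name": "dropped", "binary": SYSTEM32 + r"\dropped.exe"},
    {"api": "RegSetValueExW",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Services\dropped\ImagePath",
     "value": SYSTEM32 + r"\dropped.exe"},
    {"api": "CreateProcessW", "cmdline": '"' + SYSTEM32 + r'\dropped.exe"'},
    {"api": "CreateProcessW",
     "cmdline": 'netsh advfirewall firewall add rule name="dropped" dir=in action=allow program="'
                + SYSTEM32 + r'\dropped.exe"'},
    {"api": "SetThreadContext", "target_pid": 2048},
    {"api": "CreateProcessW", "cmdline": "netsh interface show interface"},  # benign netsh use
    {"api": "DeleteFileW", "path": SAMPLE_PATH},
]

if __name__ == "__main__":
    hits = classify(TRACE)
    for sig in sorted(hits):
        print(sig)
    print("ATT&CK:", sorted(techniques(hits)))
```

Two design points worth noting: the firewall rule keys on `netsh advfirewall`/`netsh firewall`, so a benign `netsh interface` call does not fire, and "Executes dropped EXE" is a correlation rather than a single-event match, which is why replaying the same trace in reverse loses that hit while the other seven survive.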