Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 04-03-2021 13:45

Static task: static1
Behavioral task: behavioral1
Sample: SecuriteInfo.com.Variant.Strictor.256388.26415.23730.exe
Resource: win7v20201028
General
- Target: SecuriteInfo.com.Variant.Strictor.256388.26415.23730.exe
- Size: 281KB
- MD5: 5c904a8dc20451ed7484e73fb5cb7d58
- SHA1: 83dc2bc83549288f5b30d84170ff49bab31948b6
- SHA256: e39cfce52a0cf7afaff83c135542b1efba4a1f04582fe3565bd5fc3b2e041f86
- SHA512: 6740e8e2fde6df2ad63fb25dab60d7a6e187ec310cc2f8e126189f4d0dff3bf102e69c60dc4ade1cb4f55d60915a9d0420ef4cbceb79b462ffd9d7e53e1248e6
Malware Config
Extracted
xloader
Signatures
- Xloader Payload (1 IoC)
  Processes:
  resource: behavioral1/memory/1228-5-0x0000000000400000-0x0000000000429000-memory.dmp, yara_rule: xloader
- Loads dropped DLL (1 IoC)
  Processes:
  pid 1096, process SecuriteInfo.com.Variant.Strictor.256388.26415.23730.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  PID 1096 (SecuriteInfo.com.Variant.Strictor.256388.26415.23730.exe) set thread context of PID 1228 (SecuriteInfo.com.Variant.Strictor.256388.26415.23730.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes:
  pid 1096, process SecuriteInfo.com.Variant.Strictor.256388.26415.23730.exe (4 occurrences)
  pid 1228, process SecuriteInfo.com.Variant.Strictor.256388.26415.23730.exe (1 occurrence)
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
  pid 1096, process SecuriteInfo.com.Variant.Strictor.256388.26415.23730.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes:
  PID 1096 (SecuriteInfo.com.Variant.Strictor.256388.26415.23730.exe) wrote to memory of PID 1228 (SecuriteInfo.com.Variant.Strictor.256388.26415.23730.exe) (5 occurrences)
Processes
1. C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Strictor.256388.26415.23730.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Strictor.256388.26415.23730.exe"
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory
2. (child of 1) C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Strictor.256388.26415.23730.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Strictor.256388.26415.23730.exe"
   - Suspicious behavior: EnumeratesProcesses
Downloads
- \Users\Admin\AppData\Local\Temp\nsc1739.tmp\aaf1fydp.dll
  MD5: d260a79e48b6017ea49be2df821ff9a3
  SHA1: 066b5bd854a26cedb955e6f670bc4e82fa2c56ae
  SHA256: bef5331af6e542f26e48a425ec42e9c8e983938e29a483de98ccbf783291acfe
  SHA512: 7f705fa93232310edb250c6c4ba3a3dbc75a1e4ab4c24dcbdae1cfb68e3a122b2abbe9c437d2a0eb1c195db8380f5203ca6685fd714730e56b93bfefdcc5c66d
- memory/1096-2-0x0000000075711000-0x0000000075713000-memory.dmp
  Filesize: 8KB
- memory/1228-4-0x000000000041D150-mapping.dmp
- memory/1228-6-0x0000000000920000-0x0000000000C23000-memory.dmp
  Filesize: 3.0MB
- memory/1228-5-0x0000000000400000-0x0000000000429000-memory.dmp
  Filesize: 164KB