Analysis
max time kernel: 73s
max time network: 135s
platform: windows10_x64
resource: win10v20201028
submitted: 04-03-2021 22:44
Static task: static1
Behavioral task: behavioral1
Sample: SecuriteInfo.com.Variant.Midie.79660.31247.11578.exe
Resource: win7v20201028

General
Target: SecuriteInfo.com.Variant.Midie.79660.31247.11578.exe
Size: 164KB
MD5: 1da73d4931cd6893f7b9fc765225a62d
SHA1: cdc4992d5e425628b1c12c51d64a9105824bacc5
SHA256: 12e42bff4fa377032623342ac1f23a5c87225a40ef8b900cbb06ae4bd203864d
SHA512: fe6d7693e80890b3da7a27d37630d48a4de919b53a8532496fe9c4b66665dde605a46f71d42e228d83fa8d3c92aaadc5a36b50e479f450742ab8a06589820a18
Malware Config
Extracted: xloader
Signatures

Xloader Payload (1 IoC)
Processes:
  resource                                                                     yara_rule
  behavioral2/memory/3288-8-0x0000000000401000-0x0000000000541000-memory.dmp   xloader

Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
Processes:
  pid    process
  636    SecuriteInfo.com.Variant.Midie.79660.31247.11578.exe
  3288   SecuriteInfo.com.Variant.Midie.79660.31247.11578.exe
  3288   SecuriteInfo.com.Variant.Midie.79660.31247.11578.exe

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                          pid   process                                                 target process
  PID 636 set thread context of 3288   636   SecuriteInfo.com.Variant.Midie.79660.31247.11578.exe   SecuriteInfo.com.Variant.Midie.79660.31247.11578.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid    process
  3288   SecuriteInfo.com.Variant.Midie.79660.31247.11578.exe
  3288   SecuriteInfo.com.Variant.Midie.79660.31247.11578.exe

Suspicious behavior: MapViewOfSection (1 IoC)
Processes:
  pid    process
  636    SecuriteInfo.com.Variant.Midie.79660.31247.11578.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  pid    process
  636    SecuriteInfo.com.Variant.Midie.79660.31247.11578.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  description                          pid   process                                                 target process
  PID 636 wrote to memory of 3288      636   SecuriteInfo.com.Variant.Midie.79660.31247.11578.exe   SecuriteInfo.com.Variant.Midie.79660.31247.11578.exe
  PID 636 wrote to memory of 3288      636   SecuriteInfo.com.Variant.Midie.79660.31247.11578.exe   SecuriteInfo.com.Variant.Midie.79660.31247.11578.exe
  PID 636 wrote to memory of 3288      636   SecuriteInfo.com.Variant.Midie.79660.31247.11578.exe   SecuriteInfo.com.Variant.Midie.79660.31247.11578.exe
  PID 636 wrote to memory of 3288      636   SecuriteInfo.com.Variant.Midie.79660.31247.11578.exe   SecuriteInfo.com.Variant.Midie.79660.31247.11578.exe
Processes

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Midie.79660.31247.11578.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Midie.79660.31247.11578.exe"
  PID: 636
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Midie.79660.31247.11578.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Midie.79660.31247.11578.exe"
    PID: 3288
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads
memory/636-4-0x0000000002380000-0x000000000238B000-memory.dmp (Filesize 44KB)
memory/3288-5-0x00000000004018E4-mapping.dmp
memory/3288-6-0x0000000000401000-0x00000000004FD000-memory.dmp (Filesize 1008KB)
memory/3288-7-0x0000000000560000-0x0000000000660000-memory.dmp (Filesize 1024KB)
memory/3288-8-0x0000000000401000-0x0000000000541000-memory.dmp (Filesize 1.2MB)
memory/3288-9-0x000000001E710000-0x000000001EA30000-memory.dmp (Filesize 3.1MB)