Analysis
max time kernel: 12s
max time network: 116s
platform: windows10_x64
resource: win10v20210410
submitted: 30-04-2021 07:56

Static task: static1
Behavioral task: behavioral1
Sample: SecuriteInfo.com.W32.AIDetect.malware2.23778.32013.exe
Resource: win7v20210408
General
Target: SecuriteInfo.com.W32.AIDetect.malware2.23778.32013.exe
Size: 208KB
MD5: cc10e107d3dda5d8f78c1ecbd1cb5b2a
SHA1: f84f5268842991d4db24093bad17539bee29cb54
SHA256: 5191f6a6fc1500632342d4820e8abd7c1d32c105f56399a2cece4e4db1fa77bb
SHA512: 3aa55bbcb41b4daa54ed6e233f612458d3797b6605a99b5e2956ff2f9e52e21c13ee2ac868e4cef221c7a5836aed6e865ebedfafacb09ce9f85f1cfb9eee9e01
Malware Config
Extracted
Family: xloader
Version: 2.3
Signatures

Xloader Payload (1 IoC)
Processes:
  resource: behavioral2/memory/1904-117-0x0000000000400000-0x0000000000429000-memory.dmp
  yara_rule: xloader

Loads dropped DLL (1 IoC)
Processes:
  pid 3652: SecuriteInfo.com.W32.AIDetect.malware2.23778.32013.exe

Suspicious use of SetThreadContext (1 IoC)
Processes:
  PID 3652 set thread context of 1904 (SecuriteInfo.com.W32.AIDetect.malware2.23778.32013.exe -> SecuriteInfo.com.W32.AIDetect.malware2.23778.32013.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid 1904: SecuriteInfo.com.W32.AIDetect.malware2.23778.32013.exe
  pid 1904: SecuriteInfo.com.W32.AIDetect.malware2.23778.32013.exe

Suspicious behavior: MapViewOfSection (1 IoC)
Processes:
  pid 3652: SecuriteInfo.com.W32.AIDetect.malware2.23778.32013.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  PID 3652 wrote to memory of 1904 (SecuriteInfo.com.W32.AIDetect.malware2.23778.32013.exe -> SecuriteInfo.com.W32.AIDetect.malware2.23778.32013.exe)
  PID 3652 wrote to memory of 1904 (SecuriteInfo.com.W32.AIDetect.malware2.23778.32013.exe -> SecuriteInfo.com.W32.AIDetect.malware2.23778.32013.exe)
  PID 3652 wrote to memory of 1904 (SecuriteInfo.com.W32.AIDetect.malware2.23778.32013.exe -> SecuriteInfo.com.W32.AIDetect.malware2.23778.32013.exe)
  PID 3652 wrote to memory of 1904 (SecuriteInfo.com.W32.AIDetect.malware2.23778.32013.exe -> SecuriteInfo.com.W32.AIDetect.malware2.23778.32013.exe)
Processes

1. C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetect.malware2.23778.32013.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetect.malware2.23778.32013.exe"
   PID: 3652
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetect.malware2.23778.32013.exe (child of PID 3652)
      Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetect.malware2.23778.32013.exe"
      PID: 1904
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: e3e6c2219d9d342cff133a8fa512b2af
SHA1: d521b781cfddce16011c4c8c71da69f2baafd0e0
SHA256: ea82ec84d3fd7d52e55de18b097591ec2f8c7a995e89a27069fef571e90bc189
SHA512: 54e1d626b39dea8723682eb7902567a47897cb959e90988e093795eedd9accb535b844e920fac318bc189361a624a9f937b5d5c84f4f03a156c60a1e836d2434