Analysis
- max time kernel: 4s
- max time network: 9s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 08-05-2021 01:47
- Static task: static1
- Behavioral task: behavioral1
- Sample: SecuriteInfo.com.Gen.Variant.Androm.29.7073.26917.exe
- Resource: win7v20210408
General
- Target: SecuriteInfo.com.Gen.Variant.Androm.29.7073.26917.exe
- Size: 256KB
- MD5: 169763f8e7731554cf5588290a6bc91e
- SHA1: d7ae18ba8e1c5043a152bc29aef950c4b3841c3a
- SHA256: 0c5a22c770faa9a49feb2d8c881d51138f4892dad188e3391d345d0865e8953b
- SHA512: 2744e153948acfc48cf968674d43d964784588e6a3088f699b505f58afe2d86feaf9a4ba6365b2979353d1a2561a76c4fe07316ec67838a5b2b85855308ffb3c
Malware Config
Extracted
- Family: xloader
- Version: 2.3
- URL: http://www.onyxcomputing.com/u8nw/
Signatures

Xloader Payload (1 IoC)
  resource: behavioral1/memory/1172-64-0x0000000000400000-0x0000000000429000-memory.dmp
  yara_rule: xloader

Loads dropped DLL (1 IoC)
  pid 1632, process SecuriteInfo.com.Gen.Variant.Androm.29.7073.26917.exe

Suspicious use of SetThreadContext (1 IoC)
  description: PID 1632 set thread context of 1172
  process: SecuriteInfo.com.Gen.Variant.Androm.29.7073.26917.exe
  target process: SecuriteInfo.com.Gen.Variant.Androm.29.7073.26917.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid 1172, process SecuriteInfo.com.Gen.Variant.Androm.29.7073.26917.exe

Suspicious behavior: MapViewOfSection (1 IoC)
  pid 1632, process SecuriteInfo.com.Gen.Variant.Androm.29.7073.26917.exe

Suspicious use of WriteProcessMemory (5 IoCs)
  description: PID 1632 wrote to memory of 1172 (reported 5 times)
  process: SecuriteInfo.com.Gen.Variant.Androm.29.7073.26917.exe
  target process: SecuriteInfo.com.Gen.Variant.Androm.29.7073.26917.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Gen.Variant.Androm.29.7073.26917.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Gen.Variant.Androm.29.7073.26917.exe"
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Gen.Variant.Androm.29.7073.26917.exe (child of 1)
      command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Gen.Variant.Androm.29.7073.26917.exe"
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- \Users\Admin\AppData\Local\Temp\nsc4F49.tmp\o61oo6akr5hl9a.dll
  MD5: 240c73004229183bda7377e68d714c75
  SHA1: 952c60daad92a603e0e314c8ba13384fe9bdd8be
  SHA256: 8be3fbc8b2a2136ac4d7b35d721a5ec6847161a8e6b4137a0c11a8594603c0df
  SHA512: 4806f90bdbf16a8fdc0934383fda9052dba05ab3f21704131b5f683a74fef04aa723f1dd0638ffbceffd4e2e731f84c8b420d606e935e86be931e72326c90c88
- memory/1172-63-0x000000000041D0C0-mapping.dmp
- memory/1172-65-0x0000000000840000-0x0000000000B43000-memory.dmp
  Filesize: 3.0MB
- memory/1172-64-0x0000000000400000-0x0000000000429000-memory.dmp
  Filesize: 164KB
- memory/1632-60-0x0000000075551000-0x0000000075553000-memory.dmp
  Filesize: 8KB
- memory/1632-62-0x0000000000600000-0x0000000000602000-memory.dmp
  Filesize: 8KB