Analysis

max time kernel: 145s
max time network: 130s
platform: windows7_x64
resource: win7-en-20210920
submitted: 24-09-2021 12:02
Static task: static1
Behavioral task: behavioral1
Sample: SecuriteInfo.com.Trojan.NSISX.Spy.Gen.4.25383.8915.exe
Resource: win7-en-20210920
General

Target: SecuriteInfo.com.Trojan.NSISX.Spy.Gen.4.25383.8915.exe
Size: 252KB
MD5: 0b042901cc8cebe4ad918f889d8928e0
SHA1: 7f03f52d593e4fea5e13525d7e213cc950f3d84a
SHA256: a7acd97fcff334160640901d977010aa55397f5a6da375ab38bcb1622b800f7d
SHA512: 87cc3b720ba5b0901963fdeee60254992931a4ea3cd36b2dcd1aeb886563e9e7c39619b5c17716557b2b6a652052c717d9314b724b5dc0b48f3e36ade0aa52f9
Malware Config

Extracted
Family: xloader
Version: 2.5
Campaign: noha
C2: http://www.mglracing.com/noha/
Signatures

Xloader Payload (2 IoCs)
Processes:
  resource: behavioral1/memory/1212-56-0x0000000000400000-0x0000000000429000-memory.dmp, yara_rule: xloader
  resource: behavioral1/memory/1212-57-0x000000000041D490-mapping.dmp, yara_rule: xloader

Loads dropped DLL (1 IoCs)
Processes:
  pid: 1268, process: SecuriteInfo.com.Trojan.NSISX.Spy.Gen.4.25383.8915.exe

Suspicious use of SetThreadContext (1 IoCs)
Processes:
  description: PID 1268 set thread context of 1212, pid: 1268, process: SecuriteInfo.com.Trojan.NSISX.Spy.Gen.4.25383.8915.exe, target process: SecuriteInfo.com.Trojan.NSISX.Spy.Gen.4.25383.8915.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes:
  pid: 1212, process: SecuriteInfo.com.Trojan.NSISX.Spy.Gen.4.25383.8915.exe

Suspicious use of WriteProcessMemory (7 IoCs)
Processes:
  description: PID 1268 wrote to memory of 1212, pid: 1268, process: SecuriteInfo.com.Trojan.NSISX.Spy.Gen.4.25383.8915.exe, target process: SecuriteInfo.com.Trojan.NSISX.Spy.Gen.4.25383.8915.exe
  (the same entry is recorded 7 times)
Processes

1. C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.4.25383.8915.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.4.25383.8915.exe"
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.4.25383.8915.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.4.25383.8915.exe"
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

\Users\Admin\AppData\Local\Temp\nslB9AE.tmp\rqdcp.dll
MD5: 0359f847ad421a2e9d0879194d1080de
SHA1: fd98a9d31ded0d01ddedeb8c53093700dd1bd219
SHA256: 7fb5b8a04ca80e571e54dfa7b74f0302011a1c7976d3b88a20656bb749a3d092
SHA512: cd29f6c9d9d96f3b8b67d8771507600ba79fe6ce3709fba63fcf34caacbe653ef705b5b450b99218b87c3649d302c50c7b804758792a326282a0902de917c49f

memory/1212-56-0x0000000000400000-0x0000000000429000-memory.dmp
Filesize: 164KB

memory/1212-57-0x000000000041D490-mapping.dmp

memory/1212-58-0x0000000000920000-0x0000000000C23000-memory.dmp
Filesize: 3.0MB

memory/1268-54-0x00000000751A1000-0x00000000751A3000-memory.dmp
Filesize: 8KB