Analysis
-
max time kernel
152s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
09-02-2022 13:53
Static task
static1
Behavioral task
behavioral1
Sample
SecuriteInfo.com.Trojan.DownloaderNET.252.11132.exe
Resource
win7-en-20211208
General
-
Target
SecuriteInfo.com.Trojan.DownloaderNET.252.11132.exe
-
Size
42KB
-
MD5
ea07ec5ed571fe97232b71120ba5e71d
-
SHA1
70a5f54a056ceaa70e34ea37efd5f668e0360696
-
SHA256
3e744c3094645bf04cea5756fe54d7b04a32a59bed5d945ac4ccc9b06fb85ef5
-
SHA512
b840020b46a8ee4b1a54e20015c41221545e0776ebeb67db4e4175969a239630b771f239b183eebfbdc26f072cbfd4dfaeb583fad80e513e7da8d2d7fa18f5f6
Malware Config
Extracted
xloader
2.5
zqzw
laurentmathieu.com
nohohonndana.com
hhmc.info
shophallows.com
blazebunk.com
goodbridge.xyz
flakycloud.com
bakermckenziegroups.com
formation-adistance.com
lovingearthbotanicals.com
tbrservice.plus
heritagehousehotels.com
drwbuildersco.com
lacsghb.com
wain3x.com
dadreview.club
continiutycp.com
cockgirls.com
48mpt.xyz
033skz.xyz
gmconstructionlnc.com
ms-mint.com
aenrione.xyz
honxuan.com
snowmanvila.com
cig-online.com
valetvolley.com
bjsnft.com
bennystrom.com
flw.ink
clarissagrandiart.com
samfamstudio.com
pamschams.com
edgar-regale.com
combi-tech.tech
00xwq.online
eclipseconstrucciones.com
plick-click.com
dive.education
regenelis.com
blue-chipwordtoscan-today.info
xn--rsso51aevf65u.com
maonagrana.com
lucasdebatintrader.com
cassijohnson.com
roeten.online
into-concrete.xyz
motovip.store
floryfab.com
slkykq.com
vidyakala.com
stairwaystowealth.com
meganandbobbyprine.com
arestradings.com
emilyschlueter.com
platanin.com
hnhstudios.com
dmembutidos.com
dcassorealtor.com
megamobil.wien
001skz.xyz
5t45urfgurkhgbvkhbuh.com
a3hd.com
newmexicotruckwrecklawyers.com
trabaho-academy.net
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Xloader Payload 2 IoCs
Processes:
resource yara_rule behavioral2/memory/1900-134-0x0000000000400000-0x0000000000429000-memory.dmp xloader behavioral2/memory/4396-144-0x0000000000640000-0x0000000000669000-memory.dmp xloader -
Suspicious use of SetThreadContext 3 IoCs
Processes:
SecuriteInfo.com.Trojan.DownloaderNET.252.11132.exeaspnet_compiler.execmmon32.exedescription pid process target process PID 2780 set thread context of 1900 2780 SecuriteInfo.com.Trojan.DownloaderNET.252.11132.exe aspnet_compiler.exe PID 1900 set thread context of 3032 1900 aspnet_compiler.exe Explorer.EXE PID 4396 set thread context of 3032 4396 cmmon32.exe Explorer.EXE -
Drops file in Windows directory 8 IoCs
Processes:
svchost.exeTiWorker.exedescription ioc process File opened for modification C:\Windows\WindowsUpdate.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log svchost.exe File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe File opened for modification C:\Windows\WinSxS\pending.xml TiWorker.exe -
Suspicious behavior: EnumeratesProcesses 60 IoCs
Processes:
aspnet_compiler.execmmon32.exepid process 1900 aspnet_compiler.exe 1900 aspnet_compiler.exe 1900 aspnet_compiler.exe 1900 aspnet_compiler.exe 4396 cmmon32.exe 4396 cmmon32.exe 4396 cmmon32.exe 4396 cmmon32.exe 4396 cmmon32.exe 4396 cmmon32.exe 4396 cmmon32.exe 4396 cmmon32.exe 4396 cmmon32.exe 4396 cmmon32.exe 4396 cmmon32.exe 4396 cmmon32.exe 4396 cmmon32.exe 4396 cmmon32.exe 4396 cmmon32.exe 4396 cmmon32.exe 4396 cmmon32.exe 4396 cmmon32.exe 4396 cmmon32.exe 4396 cmmon32.exe 4396 cmmon32.exe 4396 cmmon32.exe 4396 cmmon32.exe 4396 cmmon32.exe 4396 cmmon32.exe 4396 cmmon32.exe 4396 cmmon32.exe 4396 cmmon32.exe 4396 cmmon32.exe 4396 cmmon32.exe 4396 cmmon32.exe 4396 cmmon32.exe 4396 cmmon32.exe 4396 cmmon32.exe 4396 cmmon32.exe 4396 cmmon32.exe 4396 cmmon32.exe 4396 cmmon32.exe 4396 cmmon32.exe 4396 cmmon32.exe 4396 cmmon32.exe 4396 cmmon32.exe 4396 cmmon32.exe 4396 cmmon32.exe 4396 cmmon32.exe 4396 cmmon32.exe 4396 cmmon32.exe 4396 cmmon32.exe 4396 cmmon32.exe 4396 cmmon32.exe 4396 cmmon32.exe 4396 cmmon32.exe 4396 cmmon32.exe 4396 cmmon32.exe 4396 cmmon32.exe 4396 cmmon32.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXEpid process 3032 Explorer.EXE -
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
aspnet_compiler.execmmon32.exepid process 1900 aspnet_compiler.exe 1900 aspnet_compiler.exe 1900 aspnet_compiler.exe 4396 cmmon32.exe 4396 cmmon32.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
SecuriteInfo.com.Trojan.DownloaderNET.252.11132.exeaspnet_compiler.exesvchost.execmmon32.exeTiWorker.exedescription pid process Token: SeDebugPrivilege 2780 SecuriteInfo.com.Trojan.DownloaderNET.252.11132.exe Token: SeDebugPrivilege 1900 aspnet_compiler.exe Token: SeShutdownPrivilege 1464 svchost.exe Token: SeCreatePagefilePrivilege 1464 svchost.exe Token: SeShutdownPrivilege 1464 svchost.exe Token: SeCreatePagefilePrivilege 1464 svchost.exe Token: SeShutdownPrivilege 1464 svchost.exe Token: SeCreatePagefilePrivilege 1464 svchost.exe Token: SeDebugPrivilege 4396 cmmon32.exe Token: SeSecurityPrivilege 4540 TiWorker.exe Token: SeRestorePrivilege 4540 TiWorker.exe Token: SeBackupPrivilege 4540 TiWorker.exe Token: SeBackupPrivilege 4540 TiWorker.exe Token: SeRestorePrivilege 4540 TiWorker.exe Token: SeSecurityPrivilege 4540 TiWorker.exe Token: SeBackupPrivilege 4540 TiWorker.exe Token: SeRestorePrivilege 4540 TiWorker.exe Token: SeSecurityPrivilege 4540 TiWorker.exe Token: SeBackupPrivilege 4540 TiWorker.exe Token: SeRestorePrivilege 4540 TiWorker.exe Token: SeSecurityPrivilege 4540 TiWorker.exe Token: SeBackupPrivilege 4540 TiWorker.exe Token: SeRestorePrivilege 4540 TiWorker.exe Token: SeSecurityPrivilege 4540 TiWorker.exe Token: SeBackupPrivilege 4540 TiWorker.exe Token: SeRestorePrivilege 4540 TiWorker.exe Token: SeSecurityPrivilege 4540 TiWorker.exe Token: SeBackupPrivilege 4540 TiWorker.exe Token: SeRestorePrivilege 4540 TiWorker.exe Token: SeSecurityPrivilege 4540 TiWorker.exe Token: SeBackupPrivilege 4540 TiWorker.exe Token: SeRestorePrivilege 4540 TiWorker.exe Token: SeSecurityPrivilege 4540 TiWorker.exe Token: SeBackupPrivilege 4540 TiWorker.exe Token: SeRestorePrivilege 4540 TiWorker.exe Token: SeSecurityPrivilege 4540 TiWorker.exe Token: SeBackupPrivilege 4540 TiWorker.exe Token: SeRestorePrivilege 4540 TiWorker.exe Token: SeSecurityPrivilege 4540 TiWorker.exe Token: SeBackupPrivilege 4540 TiWorker.exe Token: SeRestorePrivilege 4540 TiWorker.exe Token: SeSecurityPrivilege 4540 TiWorker.exe Token: SeBackupPrivilege 4540 TiWorker.exe Token: SeRestorePrivilege 4540 TiWorker.exe Token: SeSecurityPrivilege 4540 TiWorker.exe Token: SeBackupPrivilege 4540 TiWorker.exe Token: SeRestorePrivilege 4540 TiWorker.exe Token: SeSecurityPrivilege 4540 TiWorker.exe Token: SeBackupPrivilege 4540 TiWorker.exe Token: SeRestorePrivilege 4540 TiWorker.exe Token: SeSecurityPrivilege 4540 TiWorker.exe Token: SeBackupPrivilege 4540 TiWorker.exe Token: SeRestorePrivilege 4540 TiWorker.exe Token: SeSecurityPrivilege 4540 TiWorker.exe Token: SeBackupPrivilege 4540 TiWorker.exe Token: SeRestorePrivilege 4540 TiWorker.exe Token: SeSecurityPrivilege 4540 TiWorker.exe Token: SeBackupPrivilege 4540 TiWorker.exe Token: SeRestorePrivilege 4540 TiWorker.exe Token: SeSecurityPrivilege 4540 TiWorker.exe Token: SeBackupPrivilege 4540 TiWorker.exe Token: SeRestorePrivilege 4540 TiWorker.exe Token: SeSecurityPrivilege 4540 TiWorker.exe Token: SeBackupPrivilege 4540 TiWorker.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
SecuriteInfo.com.Trojan.DownloaderNET.252.11132.exeExplorer.EXEcmmon32.exedescription pid process target process PID 2780 wrote to memory of 1900 2780 SecuriteInfo.com.Trojan.DownloaderNET.252.11132.exe aspnet_compiler.exe PID 2780 wrote to memory of 1900 2780 SecuriteInfo.com.Trojan.DownloaderNET.252.11132.exe aspnet_compiler.exe PID 2780 wrote to memory of 1900 2780 SecuriteInfo.com.Trojan.DownloaderNET.252.11132.exe aspnet_compiler.exe PID 2780 wrote to memory of 1900 2780 SecuriteInfo.com.Trojan.DownloaderNET.252.11132.exe aspnet_compiler.exe PID 2780 wrote to memory of 1900 2780 SecuriteInfo.com.Trojan.DownloaderNET.252.11132.exe aspnet_compiler.exe PID 2780 wrote to memory of 1900 2780 SecuriteInfo.com.Trojan.DownloaderNET.252.11132.exe aspnet_compiler.exe PID 3032 wrote to memory of 4396 3032 Explorer.EXE cmmon32.exe PID 3032 wrote to memory of 4396 3032 Explorer.EXE cmmon32.exe PID 3032 wrote to memory of 4396 3032 Explorer.EXE cmmon32.exe PID 4396 wrote to memory of 3864 4396 cmmon32.exe cmd.exe PID 4396 wrote to memory of 3864 4396 cmmon32.exe cmd.exe PID 4396 wrote to memory of 3864 4396 cmmon32.exe cmd.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.DownloaderNET.252.11132.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.DownloaderNET.252.11132.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1900 -
C:\Windows\SysWOW64\cmmon32.exe"C:\Windows\SysWOW64\cmmon32.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4396 -
C:\Windows\SysWOW64\cmd.exe/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"3⤵PID:3864
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1464
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4540
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1464-142-0x000001C1A34B0000-0x000001C1A34B4000-memory.dmpFilesize
16KB
-
memory/1464-140-0x000001C1A0730000-0x000001C1A0740000-memory.dmpFilesize
64KB
-
memory/1464-141-0x000001C1A0790000-0x000001C1A07A0000-memory.dmpFilesize
64KB
-
memory/1900-134-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/1900-137-0x000000000041D000-0x000000000041E000-memory.dmpFilesize
4KB
-
memory/1900-136-0x0000000000FD0000-0x000000000131A000-memory.dmpFilesize
3.3MB
-
memory/1900-138-0x0000000000AD0000-0x0000000000AE1000-memory.dmpFilesize
68KB
-
memory/2780-131-0x0000000074EEE000-0x0000000074EEF000-memory.dmpFilesize
4KB
-
memory/2780-132-0x0000000005300000-0x0000000005301000-memory.dmpFilesize
4KB
-
memory/2780-133-0x0000000005EB0000-0x0000000005F4C000-memory.dmpFilesize
624KB
-
memory/2780-130-0x00000000007D0000-0x00000000007E0000-memory.dmpFilesize
64KB
-
memory/3032-139-0x0000000008440000-0x0000000008579000-memory.dmpFilesize
1.2MB
-
memory/3032-147-0x0000000008840000-0x00000000089C1000-memory.dmpFilesize
1.5MB
-
memory/4396-144-0x0000000000640000-0x0000000000669000-memory.dmpFilesize
164KB
-
memory/4396-143-0x0000000000B10000-0x0000000000B1C000-memory.dmpFilesize
48KB
-
memory/4396-145-0x0000000002520000-0x000000000286A000-memory.dmpFilesize
3.3MB
-
memory/4396-146-0x0000000002350000-0x00000000023E0000-memory.dmpFilesize
576KB