Analysis
- max time kernel: 146s
- max time network: 143s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-06-2022 11:59

Static task: static1
Behavioral task: behavioral1
Sample: SecuriteInfo.com.W32.AIDetectNet.01.32118.exe
Resource: win7-20220414-en
General
- Target: SecuriteInfo.com.W32.AIDetectNet.01.32118.exe
- Size: 273KB
- MD5: c52ecabaed16aba5fac89d694e7508dc
- SHA1: 492c8828a332dbcc0f68d5ee5b17d9ae994b48c4
- SHA256: 276c6876c250e5ebfd761d05937f5a48f7e4c9a6851293a77ab9bf683c8bbf80
- SHA512: e8ab6c6c0388f879ba9b2a5628ba1d21b2a21c4c4d99dde017596e8107e5a439b840bc4e751e1af6444fd56046d7a567363aa1edb19d8094329c4324147d777f
Malware Config
Extracted
- Family: xloader
- Version: 2.6
- Campaign: vweq
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (GET)

Xloader Payload 4 IoCs
resource / yara_rule:
- behavioral1/memory/856-59-0x0000000000400000-0x000000000042B000-memory.dmp: xloader
- behavioral1/memory/856-60-0x000000000041F280-mapping.dmp: xloader
- behavioral1/memory/856-62-0x0000000000400000-0x000000000042B000-memory.dmp: xloader
- behavioral1/memory/1656-69-0x0000000000090000-0x00000000000BB000-memory.dmp: xloader

Suspicious use of SetThreadContext 3 IoCs
Processes: SecuriteInfo.com.W32.AIDetectNet.01.32118.exe, cvtres.exe, msiexec.exe
description / pid process / target process:
- PID 1464 set thread context of 856: 1464 SecuriteInfo.com.W32.AIDetectNet.01.32118.exe -> cvtres.exe
- PID 856 set thread context of 1256: 856 cvtres.exe -> Explorer.EXE
- PID 1656 set thread context of 1256: 1656 msiexec.exe -> Explorer.EXE

Modifies Internet Explorer settings 1 IoCs
Processes: msiexec.exe
description / ioc / process:
- Key created: \Registry\User\S-1-5-21-790309383-526510583-3802439154-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 (msiexec.exe)

Suspicious behavior: EnumeratesProcesses 24 IoCs
Processes: SecuriteInfo.com.W32.AIDetectNet.01.32118.exe, cvtres.exe, msiexec.exe
pid process:
- 1464 SecuriteInfo.com.W32.AIDetectNet.01.32118.exe (3 entries)
- 856 cvtres.exe (2 entries)
- 1656 msiexec.exe (19 entries)

Suspicious behavior: MapViewOfSection 7 IoCs
Processes: cvtres.exe, msiexec.exe
pid process:
- 856 cvtres.exe (3 entries)
- 1656 msiexec.exe (4 entries)

Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: SecuriteInfo.com.W32.AIDetectNet.01.32118.exe, cvtres.exe, msiexec.exe
description / pid process:
- Token: SeDebugPrivilege: 1464 SecuriteInfo.com.W32.AIDetectNet.01.32118.exe
- Token: SeDebugPrivilege: 856 cvtres.exe
- Token: SeDebugPrivilege: 1656 msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs
Processes: Explorer.EXE
pid process:
- 1256 Explorer.EXE (2 entries)

Suspicious use of SendNotifyMessage 2 IoCs
Processes: Explorer.EXE
pid process:
- 1256 Explorer.EXE (2 entries)

Suspicious use of WriteProcessMemory 31 IoCs
Processes: SecuriteInfo.com.W32.AIDetectNet.01.32118.exe, Explorer.EXE, msiexec.exe
description / pid process / target process:
- PID 1464 wrote to memory of 1672: 1464 SecuriteInfo.com.W32.AIDetectNet.01.32118.exe -> cvtres.exe (4 entries)
- PID 1464 wrote to memory of 956: 1464 SecuriteInfo.com.W32.AIDetectNet.01.32118.exe -> cvtres.exe (4 entries)
- PID 1464 wrote to memory of 936: 1464 SecuriteInfo.com.W32.AIDetectNet.01.32118.exe -> cvtres.exe (4 entries)
- PID 1464 wrote to memory of 856: 1464 SecuriteInfo.com.W32.AIDetectNet.01.32118.exe -> cvtres.exe (7 entries)
- PID 1256 wrote to memory of 1656: 1256 Explorer.EXE -> msiexec.exe (7 entries)
- PID 1656 wrote to memory of 964: 1656 msiexec.exe -> Firefox.exe (5 entries)
Processes
- C:\Windows\Explorer.EXE
  command line: "C:\Windows\Explorer.EXE"
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.32118.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.32118.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\msiexec.exe
    command line: "C:\Windows\SysWOW64\msiexec.exe"
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Program Files\Mozilla Firefox\Firefox.exe
      command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Downloads
- memory/856-64-0x0000000000150000-0x0000000000161000-memory.dmp (68KB)
- memory/856-56-0x0000000000400000-0x000000000042B000-memory.dmp (172KB)
- memory/856-57-0x0000000000400000-0x000000000042B000-memory.dmp (172KB)
- memory/856-63-0x00000000009C0000-0x0000000000CC3000-memory.dmp (3.0MB)
- memory/856-59-0x0000000000400000-0x000000000042B000-memory.dmp (172KB)
- memory/856-60-0x000000000041F280-mapping.dmp
- memory/856-62-0x0000000000400000-0x000000000042B000-memory.dmp (172KB)
- memory/1256-73-0x0000000002B50000-0x0000000002C1A000-memory.dmp (808KB)
- memory/1256-65-0x0000000006440000-0x0000000006582000-memory.dmp (1.3MB)
- memory/1256-72-0x0000000002B50000-0x0000000002C1A000-memory.dmp (808KB)
- memory/1464-55-0x0000000000520000-0x0000000000554000-memory.dmp (208KB)
- memory/1464-54-0x0000000001320000-0x0000000001368000-memory.dmp (288KB)
- memory/1656-66-0x0000000000000000-mapping.dmp
- memory/1656-67-0x0000000075381000-0x0000000075383000-memory.dmp (8KB)
- memory/1656-68-0x0000000000FF0000-0x0000000001004000-memory.dmp (80KB)
- memory/1656-69-0x0000000000090000-0x00000000000BB000-memory.dmp (172KB)
- memory/1656-70-0x0000000002410000-0x0000000002713000-memory.dmp (3.0MB)
- memory/1656-71-0x0000000000A60000-0x0000000000AF0000-memory.dmp (576KB)