Analysis
- max time kernel: 146s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 05-07-2022 14:15
Static task: static1
Behavioral task: behavioral1
Sample: SecuriteInfo.com.Heur.MSIL.Pretoria.1.32389.exe
Resource: win7-20220414-en
General
- Target: SecuriteInfo.com.Heur.MSIL.Pretoria.1.32389.exe
- Size: 642KB
- MD5: 5f8b5e708fac3e104ce3ccfa9570e1bb
- SHA1: 4fa68f6cadcb8d54ebf700cc6105f3d601f56f83
- SHA256: 36c82bea7381b157879abc9aedfa192d05ed7a5735781fedd248000e1364bade
- SHA512: ed2f0a4b4826accfeff0ca73aac71a05ea813b23e010750b4becaae6b6262fcd914ce09e6986290c9762063e35b657444ef137600c5b89aa44fe490a8f998953
Malware Config
Extracted
xloader
2.8
qm5s
0hik40Q3UhxPsw==
JISUEx3s7xDypTBW
i9pv35p8mq/efPnMnjc1
d4OyCX3u9cQP8Lg=
2BLgZcivstP+
pAC7/mJD57GtLrGkijZAM4GQ
oa5Jvt6QpWLmu4hJ7A==
zQh+7kjKwlHfu4hJ7A==
v7xT2kCqy/QN7sKJtRpBtXbvxmvJiZRxjA==
JR0YYed9qFflu4hJ7A==
ovXuQiQQExpJ43yWMufw6X0FblY+
TJrP8LKDiabXu7dZ8Q==
EWVThU33hz1SKSGFmuk=
U5hFmhXVHoMVpA==
DUAxo4ghz4lpeLBV5Zm2Cnbbzhw3
3EbjPYoyPdZ9SDxzAIvOlUCY
2AGmAHBX0neTLcX9lRt2xUTLiuNcRrw=
dGMClACgFTrpu4hJ7A==
S0XMDQKAN2zzlQ4oz4HOlUCY
IUfZIC6jOFTjvP6U8yd3Mw==
c7jBSz7ljkhl8U74FHZpcsQFblY+
5h9kyJhmh1Twej/dc0OFfkpMSA==
VdWLrJAzyRiAAq8=
IzIzYybUej1MJiGFmuk=
imsqGaMmMdNmBBvZYC0/MqxL7Q9hxpJ9
Ly4rb/NqXu1QSQLQ5A==
IRLRFnxFcTXYVJmOtvQ=
7eugIW3eAb5F2ugXO0TZfzQ=
Oz5AgG9CLsRW5N6Y8yd3Mw==
YqIqUN/Wzdc=
QHwQSwulu8A=
APkJWCsHRNfw
Jm7vbduCo0fZu4hJ7A==
QWQLV0m8RMQP8Lg=
x8QMYlcwRwWROfmpyCU8raXCaP4=
KF6X69WuzI0dqKTaBjY9raXCaP4=
e+DVHQvk24Ew+bpYeO3vCrwnHD5hxpJ9
FGFM6/e2/aS7SA3xiDQ9
N1NinRV6jZ2wQs3deESFfkpMSA==
6yqu3kpclKlKxqKsiuz1ckLNjuNcRrw=
cH4OY9Ws3Zwrj44Q9S0i
9fe41bVODNGutEZV
nMnQBYHt9cQP8Lg=
wPAkeHFccImZZ1GGIrGllzSVTjphxpJ9
XLwzaruvstP+
h65Zpp82yl57MnAjvHzOlUCY
KXj7oJJqaNrtdL0=
VHZ1sS+4uFf8qGkYK0TZfzQ=
HnIGgwnC6qBNHiGFmuk=
OoABbYdVT+6EHCvlc0uGfkpMSA==
jLwElI5BNEtlQChL5onOlUCY
qsbkBcOmxtwCmBIqz4HOlUCY
jpYAD0Y+UhxPsw==
+uwSfxYXHjNkJZQQ9S0i
6fIlnW7lsX8pwdKU8yd3Mw==
BvCPIbinO1uutEZV
hYxK3EfrCbtTztKZ8yd3Mw==
h5GExLaTUwYTivjMnjc1
+ev9X88SHoMVpA==
Q6Qzp+LQ5IEeG6hjgeE=
xcrB61/iHoMVpA==
Dw+wDWhG4KKzYvfMnjc1
RpIimPKbLe8W8Cu3AyJpKg==
GDpl8e7G2vwZN8RahjI9
leviathanfishingco.com
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Xloader Payload 4 IoCs
Processes (resource: yara_rule):
- behavioral1/memory/588-64-0x000000000041F670-mapping.dmp: xloader
- behavioral1/memory/588-65-0x0000000000080000-0x00000000000AC000-memory.dmp: xloader
- behavioral1/memory/936-74-0x0000000000080000-0x00000000000AC000-memory.dmp: xloader
- behavioral1/memory/936-77-0x0000000000080000-0x00000000000AC000-memory.dmp: xloader
Adds policy Run key to start application 2 TTPs 2 IoCs
Processes (description / ioc / process):
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (svchost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\XXWT4RXHU = "C:\\Program Files (x86)\\Xndilj\\vgajpqlwb.exe" (svchost.exe)
Suspicious use of SetThreadContext 3 IoCs
Processes (description / pid / process / target process):
- PID 2024 set thread context of 588: SecuriteInfo.com.Heur.MSIL.Pretoria.1.32389.exe -> AddInProcess32.exe
- PID 588 set thread context of 1372: AddInProcess32.exe -> Explorer.EXE
- PID 936 set thread context of 1372: svchost.exe -> Explorer.EXE
Drops file in Program Files directory 1 IoCs
Processes (description / ioc / process):
- File opened for modification: C:\Program Files (x86)\Xndilj\vgajpqlwb.exe (svchost.exe)
Modifies Internet Explorer settings
Processes (description / ioc / process):
- Key created: \Registry\User\S-1-5-21-1819626980-2277161760-1023733287-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 (svchost.exe)
Suspicious behavior: EnumeratesProcesses 20 IoCs
Processes (pid / process):
- 2024 SecuriteInfo.com.Heur.MSIL.Pretoria.1.32389.exe (2 hits)
- 588 AddInProcess32.exe (2 hits)
- 936 svchost.exe (16 hits)
Suspicious behavior: MapViewOfSection 7 IoCs
Processes (pid / process):
- 588 AddInProcess32.exe (3 hits)
- 936 svchost.exe (4 hits)
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes (description / pid / process):
- Token: SeDebugPrivilege, 2024 SecuriteInfo.com.Heur.MSIL.Pretoria.1.32389.exe
- Token: SeDebugPrivilege, 588 AddInProcess32.exe
- Token: SeDebugPrivilege, 936 svchost.exe
Suspicious use of WriteProcessMemory 20 IoCs
Processes (description / pid / process / target process):
- PID 2024 wrote to memory of 588: SecuriteInfo.com.Heur.MSIL.Pretoria.1.32389.exe -> AddInProcess32.exe (7 hits)
- PID 1372 wrote to memory of 936: Explorer.EXE -> svchost.exe (4 hits)
- PID 936 wrote to memory of 1268: svchost.exe -> cmd.exe (4 hits)
- PID 936 wrote to memory of 1708: svchost.exe -> Firefox.exe (5 hits)
Processes
- C:\Windows\Explorer.EXE (depth 1; command line: C:\Windows\Explorer.EXE)
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.MSIL.Pretoria.1.32389.exe (depth 2; command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.MSIL.Pretoria.1.32389.exe")
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe (depth 3; command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe")
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\svchost.exe (depth 2; command line: "C:\Windows\SysWOW64\svchost.exe")
    - Adds policy Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (depth 3; command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe")
    - C:\Program Files\Mozilla Firefox\Firefox.exe (depth 3; command line: "C:\Program Files\Mozilla Firefox\Firefox.exe")
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/588-60-0x0000000000080000-0x00000000000AC000-memory.dmp (Filesize 176KB)
- memory/588-68-0x00000000005C0000-0x00000000005D1000-memory.dmp (Filesize 68KB)
- memory/588-67-0x0000000000730000-0x0000000000A33000-memory.dmp (Filesize 3.0MB)
- memory/588-65-0x0000000000080000-0x00000000000AC000-memory.dmp (Filesize 176KB)
- memory/588-64-0x000000000041F670-mapping.dmp
- memory/588-61-0x0000000000080000-0x00000000000AC000-memory.dmp (Filesize 176KB)
- memory/936-72-0x0000000000700000-0x0000000000708000-memory.dmp (Filesize 32KB)
- memory/936-73-0x0000000000980000-0x0000000000C83000-memory.dmp (Filesize 3.0MB)
- memory/936-77-0x0000000000080000-0x00000000000AC000-memory.dmp (Filesize 176KB)
- memory/936-75-0x00000000003C0000-0x0000000000450000-memory.dmp (Filesize 576KB)
- memory/936-74-0x0000000000080000-0x00000000000AC000-memory.dmp (Filesize 176KB)
- memory/936-70-0x0000000000000000-mapping.dmp
- memory/1268-71-0x0000000000000000-mapping.dmp
- memory/1372-69-0x0000000007060000-0x00000000071A0000-memory.dmp (Filesize 1.2MB)
- memory/1372-76-0x0000000004250000-0x00000000042F4000-memory.dmp (Filesize 656KB)
- memory/1372-78-0x0000000004250000-0x00000000042F4000-memory.dmp (Filesize 656KB)
- memory/2024-55-0x0000000076011000-0x0000000076013000-memory.dmp (Filesize 8KB)
- memory/2024-54-0x0000000000CB0000-0x0000000000D54000-memory.dmp (Filesize 656KB)
- memory/2024-59-0x0000000000CA0000-0x0000000000CA6000-memory.dmp (Filesize 24KB)
- memory/2024-56-0x0000000000480000-0x00000000004B2000-memory.dmp (Filesize 200KB)
- memory/2024-57-0x0000000000610000-0x0000000000626000-memory.dmp (Filesize 88KB)
- memory/2024-58-0x0000000000B10000-0x0000000000B2A000-memory.dmp (Filesize 104KB)