Analysis
-
max time kernel
153s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
01-09-2022 02:31
Static task
static1
Behavioral task
behavioral1
Sample
SecuriteInfo.com.Trojan.GenericKD.61638470.5680.17006.exe
Resource
win7-20220812-en
General
-
Target
SecuriteInfo.com.Trojan.GenericKD.61638470.5680.17006.exe
-
Size
490KB
-
MD5
d310668e05d5cd2b883c7635b8478ac3
-
SHA1
ffe307ef53f4fc5f0d32309dd4193273dae58bdc
-
SHA256
770aee06bb2c48271eaaa6af3d44ac3c590f1a372007d1c92591ae65c053e682
-
SHA512
fd1275cbba17c27496a5e395699b7fea0e3478631613d861d16f68e3bc1e16d5ed3fc158af62f61a072a964cbd372885baaf518ae455c5c9614e9cee639f2198
-
SSDEEP
12288:DX942IWQ20shxEXFktUQDNGkkkkkkkkkkBWC/ZX6:L9lBhheVktUQDJ9
Malware Config
Extracted
xloader
2.6
zgtb
gabriellep.com
honghe4.xyz
anisaofrendas.com
happy-tile.com
thesulkies.com
international-ipo.com
tazeco.info
hhhzzz.xyz
vrmonster.xyz
theearthresidencia.com
sportape.xyz
elshadaibaterias.com
koredeiihibi.com
taxtaa.com
globalcityb.com
fxivcama.com
dagsmith.com
elmar-bhp.com
peakice.net
jhcdjewelry.com
moradagroup.tech
luminantentertainment.com
originalfatfrog.com
istanbulbahis239.com
digismart.cloud
egclass.com
video-raamsdonk.online
enjoyhavoc.online
elegantmuka.com
crememeup.store
gasgangllc.com
worldmarketking.com
johnywan.icu
ctxd089.com
vipbuy-my.com
cboelua.com
sitesv.com
7788tiepin.com
unionfound.com
freecrdditreport.com
symmetrya.online
thinoe.com
line-view.com
immobilien-mj.com
alignedmagic.com
mecontaisso.com
plumberbalanced.com
zhouwuxiawu.com
obokbusinessbootcamp.com
chance-lo.com
jujuskiny.com
kkrcrzyz.xyz
daquan168.com
groupeinvictuscorporation.com
leadswebhosting.com
payphelpcenter950851354.info
subvip60.site
ink-desk.com
luminaurascent.com
jivraj9india.com
topproroofer.com
nxteam.net
can-amexico.com
premhub.club
zs-yaoshi.com
Signatures
-
Xloader payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/2008-138-0x0000000000400000-0x000000000042B000-memory.dmp xloader -
Suspicious use of SetThreadContext 1 IoCs
Processes:
SecuriteInfo.com.Trojan.GenericKD.61638470.5680.17006.exedescription pid process target process PID 3568 set thread context of 2008 3568 SecuriteInfo.com.Trojan.GenericKD.61638470.5680.17006.exe SecuriteInfo.com.Trojan.GenericKD.61638470.5680.17006.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
SecuriteInfo.com.Trojan.GenericKD.61638470.5680.17006.exeSecuriteInfo.com.Trojan.GenericKD.61638470.5680.17006.exepid process 3568 SecuriteInfo.com.Trojan.GenericKD.61638470.5680.17006.exe 2008 SecuriteInfo.com.Trojan.GenericKD.61638470.5680.17006.exe 2008 SecuriteInfo.com.Trojan.GenericKD.61638470.5680.17006.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
SecuriteInfo.com.Trojan.GenericKD.61638470.5680.17006.exedescription pid process Token: SeDebugPrivilege 3568 SecuriteInfo.com.Trojan.GenericKD.61638470.5680.17006.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
SecuriteInfo.com.Trojan.GenericKD.61638470.5680.17006.exedescription pid process target process PID 3568 wrote to memory of 2008 3568 SecuriteInfo.com.Trojan.GenericKD.61638470.5680.17006.exe SecuriteInfo.com.Trojan.GenericKD.61638470.5680.17006.exe PID 3568 wrote to memory of 2008 3568 SecuriteInfo.com.Trojan.GenericKD.61638470.5680.17006.exe SecuriteInfo.com.Trojan.GenericKD.61638470.5680.17006.exe PID 3568 wrote to memory of 2008 3568 SecuriteInfo.com.Trojan.GenericKD.61638470.5680.17006.exe SecuriteInfo.com.Trojan.GenericKD.61638470.5680.17006.exe PID 3568 wrote to memory of 2008 3568 SecuriteInfo.com.Trojan.GenericKD.61638470.5680.17006.exe SecuriteInfo.com.Trojan.GenericKD.61638470.5680.17006.exe PID 3568 wrote to memory of 2008 3568 SecuriteInfo.com.Trojan.GenericKD.61638470.5680.17006.exe SecuriteInfo.com.Trojan.GenericKD.61638470.5680.17006.exe PID 3568 wrote to memory of 2008 3568 SecuriteInfo.com.Trojan.GenericKD.61638470.5680.17006.exe SecuriteInfo.com.Trojan.GenericKD.61638470.5680.17006.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.61638470.5680.17006.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.61638470.5680.17006.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.61638470.5680.17006.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.61638470.5680.17006.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2008-137-0x0000000000000000-mapping.dmp
-
memory/2008-138-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/2008-139-0x00000000013D0000-0x000000000171A000-memory.dmpFilesize
3.3MB
-
memory/3568-132-0x0000000000FE0000-0x0000000001060000-memory.dmpFilesize
512KB
-
memory/3568-133-0x0000000005F40000-0x00000000064E4000-memory.dmpFilesize
5.6MB
-
memory/3568-134-0x0000000005A30000-0x0000000005AC2000-memory.dmpFilesize
584KB
-
memory/3568-135-0x0000000005AD0000-0x0000000005B6C000-memory.dmpFilesize
624KB
-
memory/3568-136-0x0000000007590000-0x000000000759A000-memory.dmpFilesize
40KB