Analysis
  max time kernel:   50s
  max time network:  52s
  platform:          windows7_x64
  resource:          win7-20220901-en
  resource tags:     arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  submitted:         19-09-2022 11:22

Static task:      static1
Behavioral task:  behavioral1
  Sample:    SecuriteInfo.com.MSIL.GenKryptik.FXSF.tr.7185.exe
  Resource:  win7-20220901-en
General
  Target:  SecuriteInfo.com.MSIL.GenKryptik.FXSF.tr.7185.exe
  Size:    836KB
  MD5:     92ea516a4e27329ac0ef278dab2bfa76
  SHA1:    46e5db00e3f9a674208a51590aad707c2ffc03f8
  SHA256:  5dd3a0a56d55816a0ffa7a9f2feb75613a68bd2ba9f145bd69ea616e8b8c9c9e
  SHA512:  4ba4497ae441ff8879a6acaaef259915ead6021a058646c2726e77a87599b78d6dcc73879491f11b99d958388bcfff4b5c9f9eb9423bcda92a5c53df3a9789ba
  SSDEEP:  12288:aBoolbR462TDeI3BqjN23YNzH44kCYtAbmT:ae603g032U4kPtQmT
Malware Config
  Extracted: formbook
  6hsc
vuongnudan.site
Signatures

Xloader payload (2 IoCs)
  resource                                                                    yara_rule
  behavioral1/memory/920-63-0x0000000000400000-0x000000000042D000-memory.dmp  xloader
  behavioral1/memory/920-64-0x00000000004202C0-mapping.dmp                    xloader

Suspicious use of SetThreadContext (1 IoC)
  description                          pid   process                                            target process
  PID 1380 set thread context of 920   1380  SecuriteInfo.com.MSIL.GenKryptik.FXSF.tr.7185.exe  SecuriteInfo.com.MSIL.GenKryptik.FXSF.tr.7185.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid   process
  920   SecuriteInfo.com.MSIL.GenKryptik.FXSF.tr.7185.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  description                        pid   process                                            target process
  PID 1380 wrote to memory of 920    1380  SecuriteInfo.com.MSIL.GenKryptik.FXSF.tr.7185.exe  SecuriteInfo.com.MSIL.GenKryptik.FXSF.tr.7185.exe
  (this identical row is recorded 7 times in the report, one per WriteProcessMemory event)
Processes
  1. C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.MSIL.GenKryptik.FXSF.tr.7185.exe
     command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.MSIL.GenKryptik.FXSF.tr.7185.exe"
     - Suspicious use of SetThreadContext
     - Suspicious use of WriteProcessMemory
     2. (child) C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.MSIL.GenKryptik.FXSF.tr.7185.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.MSIL.GenKryptik.FXSF.tr.7185.exe"
        - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Downloads (memory dumps)
  file                                                                 filesize
  memory/920-60-0x0000000000400000-0x000000000042D000-memory.dmp       180KB
  memory/920-61-0x0000000000400000-0x000000000042D000-memory.dmp       180KB
  memory/920-63-0x0000000000400000-0x000000000042D000-memory.dmp       180KB
  memory/920-64-0x00000000004202C0-mapping.dmp
  memory/920-65-0x0000000000AF0000-0x0000000000DF3000-memory.dmp       3.0MB
  memory/1380-54-0x0000000000A10000-0x0000000000AE6000-memory.dmp      856KB
  memory/1380-55-0x00000000757A1000-0x00000000757A3000-memory.dmp      8KB
  memory/1380-56-0x00000000004B0000-0x00000000004C6000-memory.dmp      88KB
  memory/1380-57-0x00000000004C0000-0x00000000004CC000-memory.dmp      48KB
  memory/1380-58-0x0000000007EE0000-0x0000000007F6C000-memory.dmp      560KB
  memory/1380-59-0x0000000001EF0000-0x0000000001F22000-memory.dmp      200KB