Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
01-12-2022 09:30
Static task
static1
Behavioral task
behavioral1
Sample
SecuriteInfo.com.Win32.TrojanX-gen.360.32285.exe
Resource
win7-20221111-en
General
-
Target
SecuriteInfo.com.Win32.TrojanX-gen.360.32285.exe
-
Size
824KB
-
MD5
4575f347077760e1257159f74291fad0
-
SHA1
d65c9fa35db54403c42b2731f6c616317eb23b78
-
SHA256
109ab3837f865b4ba288ca4a1fa4e8d416c04b3686376c55128553d4a4db55b5
-
SHA512
d238fead3b0efa0c6140f587b1d9ff9a9b7298189d6153a3d53aaeaa95b440807e9871ed60706e85c5f396f272ce6ab548184a0ba64c9f8e7b04300fed96936e
-
SSDEEP
12288:88xW3p8fe9EgNBWWJXVy20V0abqYU3K4j2X2Er5OxG2:8xCfe9EmLJlNIF3RXVr0G
Malware Config
Extracted
xloader
2.6
uj3c
copimetro.com
choonchain.com
luxxwireless.com
fashionweekofcincinnati.com
campingshare.net
suncochina.com
kidsfundoor.com
testingnyc.co
lovesoe.com
vehiclesbeenrecord.com
socialpearmarketing.com
maxproductdji.com
getallarticle.online
forummind.com
arenamarenostrum.com
trisuaka.xyz
designgamagazine.com
chateaulehotel.com
huangse5.com
esginvestment.tech
intercontinentalship.com
moneytaoism.com
agardenfortwo.com
trendiddas.com
fjuoomw.xyz
dantvilla.com
shopwithtrooperdavecom.com
lanwenzong.com
xpertsrealty.com
gamelabsmash.com
nomaxdic.com
chillyracing.com
mypleasure-blog.com
projectkyla.com
florurbana.com
oneplacemexico.com
gografic.com
giantht.com
dotombori-base.com
westlifinance.online
maacsecurity.com
lydas.info
instapandas.com
labustiadepaper.net
unglue52.com
onurnet.net
wellkept.info
6111.site
platinumroofingsusa.com
bodyplex.fitness
empireapothecary.com
meigsbuilds.online
garygrover.com
nicholasnikas.com
yd9992.com
protections-clients.info
sueyhzx.com
naturathome.info
superinformatico.net
printsgarden.com
xn--qn1b03fy2b841b.com
preferable.info
ozzyconstructionma.com
10stopp.online
nutricognition.com
Extracted
formbook
4.1
n7ak
wise-transfer.info
jam-nins.com
thebestsocialcrm.com
majomeow222.com
ancientshadowguilt.space
gentleman-china.com
parquemermoz.store
taxuw.com
sharqiyapaints.com
libraryofkath.com
1949wan.com
synqr.net
bitchessgirls.com
btonu.cfd
coding-bootcamps-16314.com
leadership22-tdh.site
maximsboutique.com
irishsummertruffles.com
sdnaqianchuan.com
uyews.xyz
mostvisitors.com
prembug.com
lebondtrip.com
villavouno.com
solanosotostudio.com
pbx1.website
littleeturtle.com
supremeajock.biz
turborings.run
parkpeninsula.online
goodstuff.tv
17qld.com
thehandycrewcompany.com
alwaystuesdaytacos.com
entribeworks.com
susanboyleinfo.com
volkovastyu.com
tradingmoja.com
germancompany-eg.com
gameofgem.com
hbdpcq.com
budsdesigns.com
sistemrizal.xyz
395boulderbrookdr.com
forounlock.com
cp2967.com
creatividadymedia.com
marocquadchallenge.com
tuktukwines.com
tripskorea.com
eyvonnesewingshop.com
1690.biz
perfectkick.website
jreengineering.tech
lilmeow.store
ttjsdispatchingllc.com
carltonellis.com
redantholdings.com
luxuryworkingfarms.com
appsecintelligence.com
studmate.online
imogenbot.store
netheerlandart.com
bikelegalkentucky.com
playdoapp.online
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Formbook payload 2 IoCs
Processes:
resource yara_rule behavioral2/memory/3464-164-0x0000000010410000-0x000000001043F000-memory.dmp formbook behavioral2/memory/4224-166-0x0000000010410000-0x000000001043F000-memory.dmp formbook -
ModiLoader Second Stage 2 IoCs
Processes:
resource yara_rule behavioral2/memory/4268-132-0x00000000021C0000-0x00000000021EB000-memory.dmp modiloader_stage2 behavioral2/memory/3464-158-0x0000000002690000-0x00000000026BB000-memory.dmp modiloader_stage2 -
Xloader payload 4 IoCs
Processes:
resource yara_rule behavioral2/memory/4268-136-0x0000000010410000-0x000000001043B000-memory.dmp xloader behavioral2/memory/2824-138-0x0000000010410000-0x000000001043B000-memory.dmp xloader behavioral2/memory/4792-145-0x0000000000BC0000-0x0000000000BEB000-memory.dmp xloader behavioral2/memory/4792-149-0x0000000000BC0000-0x0000000000BEB000-memory.dmp xloader -
Blocklisted process makes network request 1 IoCs
Processes:
cscript.exeflow pid process 50 4792 cscript.exe -
Executes dropped EXE 1 IoCs
Processes:
-zvhy.exepid process 3464 -zvhy.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
cscript.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation cscript.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
SecuriteInfo.com.Win32.TrojanX-gen.360.32285.execscript.exe-zvhy.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Blxzzvfq = "C:\\Users\\Public\\Libraries\\qfvzzxlB.url" SecuriteInfo.com.Win32.TrojanX-gen.360.32285.exe Key created \Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run cscript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MJVHTBGXCLQ = "C:\\Program Files (x86)\\Bglr\\fpxxanhkv1tsdz.exe" cscript.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Xithgxdv = "C:\\Users\\Public\\Libraries\\vdxghtiX.url" -zvhy.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
colorcpl.execscript.exewscript.exedescription pid process target process PID 2824 set thread context of 676 2824 colorcpl.exe Explorer.EXE PID 4792 set thread context of 676 4792 cscript.exe Explorer.EXE PID 4224 set thread context of 676 4224 wscript.exe Explorer.EXE -
Drops file in Program Files directory 1 IoCs
Processes:
cscript.exedescription ioc process File opened for modification C:\Program Files (x86)\Bglr\fpxxanhkv1tsdz.exe cscript.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Processes:
cscript.exedescription ioc process Key created \Registry\User\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 cscript.exe -
Suspicious behavior: EnumeratesProcesses 46 IoCs
Processes:
SecuriteInfo.com.Win32.TrojanX-gen.360.32285.execolorcpl.execscript.exe-zvhy.exewscript.exepid process 4268 SecuriteInfo.com.Win32.TrojanX-gen.360.32285.exe 4268 SecuriteInfo.com.Win32.TrojanX-gen.360.32285.exe 2824 colorcpl.exe 2824 colorcpl.exe 2824 colorcpl.exe 2824 colorcpl.exe 4792 cscript.exe 4792 cscript.exe 4792 cscript.exe 4792 cscript.exe 4792 cscript.exe 4792 cscript.exe 4792 cscript.exe 4792 cscript.exe 4792 cscript.exe 4792 cscript.exe 4792 cscript.exe 4792 cscript.exe 4792 cscript.exe 4792 cscript.exe 4792 cscript.exe 4792 cscript.exe 4792 cscript.exe 4792 cscript.exe 4792 cscript.exe 4792 cscript.exe 4792 cscript.exe 4792 cscript.exe 4792 cscript.exe 4792 cscript.exe 4792 cscript.exe 4792 cscript.exe 3464 -zvhy.exe 3464 -zvhy.exe 4224 wscript.exe 4792 cscript.exe 4792 cscript.exe 4224 wscript.exe 4224 wscript.exe 4224 wscript.exe 4792 cscript.exe 4792 cscript.exe 4792 cscript.exe 4792 cscript.exe 4792 cscript.exe 4792 cscript.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXEpid process 676 Explorer.EXE -
Suspicious behavior: MapViewOfSection 8 IoCs
Processes:
colorcpl.execscript.exewscript.exepid process 2824 colorcpl.exe 2824 colorcpl.exe 2824 colorcpl.exe 4792 cscript.exe 4792 cscript.exe 4792 cscript.exe 4792 cscript.exe 4224 wscript.exe -
Suspicious use of AdjustPrivilegeToken 17 IoCs
Processes:
colorcpl.exeExplorer.EXEcscript.exewscript.exedescription pid process Token: SeDebugPrivilege 2824 colorcpl.exe Token: SeShutdownPrivilege 676 Explorer.EXE Token: SeCreatePagefilePrivilege 676 Explorer.EXE Token: SeShutdownPrivilege 676 Explorer.EXE Token: SeCreatePagefilePrivilege 676 Explorer.EXE Token: SeDebugPrivilege 4792 cscript.exe Token: SeShutdownPrivilege 676 Explorer.EXE Token: SeCreatePagefilePrivilege 676 Explorer.EXE Token: SeDebugPrivilege 4224 wscript.exe Token: SeShutdownPrivilege 676 Explorer.EXE Token: SeCreatePagefilePrivilege 676 Explorer.EXE Token: SeShutdownPrivilege 676 Explorer.EXE Token: SeCreatePagefilePrivilege 676 Explorer.EXE Token: SeShutdownPrivilege 676 Explorer.EXE Token: SeCreatePagefilePrivilege 676 Explorer.EXE Token: SeShutdownPrivilege 676 Explorer.EXE Token: SeCreatePagefilePrivilege 676 Explorer.EXE -
Suspicious use of WriteProcessMemory 33 IoCs
Processes:
SecuriteInfo.com.Win32.TrojanX-gen.360.32285.exeExplorer.EXEcscript.exe-zvhy.exedescription pid process target process PID 4268 wrote to memory of 2824 4268 SecuriteInfo.com.Win32.TrojanX-gen.360.32285.exe colorcpl.exe PID 4268 wrote to memory of 2824 4268 SecuriteInfo.com.Win32.TrojanX-gen.360.32285.exe colorcpl.exe PID 4268 wrote to memory of 2824 4268 SecuriteInfo.com.Win32.TrojanX-gen.360.32285.exe colorcpl.exe PID 4268 wrote to memory of 2824 4268 SecuriteInfo.com.Win32.TrojanX-gen.360.32285.exe colorcpl.exe PID 4268 wrote to memory of 2824 4268 SecuriteInfo.com.Win32.TrojanX-gen.360.32285.exe colorcpl.exe PID 4268 wrote to memory of 2824 4268 SecuriteInfo.com.Win32.TrojanX-gen.360.32285.exe colorcpl.exe PID 676 wrote to memory of 4792 676 Explorer.EXE cscript.exe PID 676 wrote to memory of 4792 676 Explorer.EXE cscript.exe PID 676 wrote to memory of 4792 676 Explorer.EXE cscript.exe PID 4792 wrote to memory of 4712 4792 cscript.exe cmd.exe PID 4792 wrote to memory of 4712 4792 cscript.exe cmd.exe PID 4792 wrote to memory of 4712 4792 cscript.exe cmd.exe PID 4792 wrote to memory of 1560 4792 cscript.exe cmd.exe PID 4792 wrote to memory of 1560 4792 cscript.exe cmd.exe PID 4792 wrote to memory of 1560 4792 cscript.exe cmd.exe PID 4792 wrote to memory of 220 4792 cscript.exe cmd.exe PID 4792 wrote to memory of 220 4792 cscript.exe cmd.exe PID 4792 wrote to memory of 220 4792 cscript.exe cmd.exe PID 4792 wrote to memory of 3416 4792 cscript.exe Firefox.exe PID 4792 wrote to memory of 3416 4792 cscript.exe Firefox.exe PID 4792 wrote to memory of 3416 4792 cscript.exe Firefox.exe PID 4792 wrote to memory of 3464 4792 cscript.exe -zvhy.exe PID 4792 wrote to memory of 3464 4792 cscript.exe -zvhy.exe PID 4792 wrote to memory of 3464 4792 cscript.exe -zvhy.exe PID 3464 wrote to memory of 4224 3464 -zvhy.exe wscript.exe PID 3464 wrote to memory of 4224 3464 -zvhy.exe wscript.exe PID 3464 wrote to memory of 4224 3464 -zvhy.exe wscript.exe PID 3464 wrote to memory of 4224 3464 -zvhy.exe wscript.exe PID 3464 wrote to memory of 4224 3464 -zvhy.exe wscript.exe PID 3464 wrote to memory of 4224 3464 -zvhy.exe wscript.exe PID 676 wrote to memory of 3488 676 Explorer.EXE help.exe PID 676 wrote to memory of 3488 676 Explorer.EXE help.exe PID 676 wrote to memory of 3488 676 Explorer.EXE help.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.360.32285.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.360.32285.exe"2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\colorcpl.exeC:\Windows\System32\colorcpl.exe3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cscript.exe"C:\Windows\SysWOW64\cscript.exe"2⤵
- Blocklisted process makes network request
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Windows\SysWOW64\colorcpl.exe"3⤵
-
C:\Windows\SysWOW64\cmd.exe/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V3⤵
-
C:\Windows\SysWOW64\cmd.exe/c copy "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V3⤵
-
C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\-zvhy.exe"C:\Users\Admin\AppData\Local\Temp\-zvhy.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\wscript.exe4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\help.exe"C:\Windows\SysWOW64\help.exe"2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0AB67BD4882FB0E09822529CFEB33A58Filesize
926B
MD54cba44f3f001d431f7e49270bd0f6db4
SHA1dc75ec40f389866eacf0140c44f53f3947e72541
SHA2560dfd9c9d1c4f7dea9adfe3ef6070c02d50cbf5f33f304ecc98a0ab89a346d7fe
SHA5122c227ff133ef2838a246161a2e53ee657d0af9512b71cdf7d27627faecfde23ea2a499e3a9f0350775f4f8eb5cdcda96a85020bfb818f48d78c6e5f2b73d7ec2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0AB67BD4882FB0E09822529CFEB33A58Filesize
246B
MD58bfc79346387a4fae273ae726ebebe4e
SHA1bfec66e4110d35d1ac7cdd3e428d51b290678ce9
SHA256ad02e36a372a64b08b4ccb3f8f677abf8596aab746680964907399dfe12289f8
SHA5125cffc88a1a2aac8a3f547219de308c02c25a6579e497733b0b4487331a72f9cd3698ed6987d9cb999af7f6de2dcfc4c9b829ebcc2719f54aa8e8fcd5efe171e1
-
C:\Users\Admin\AppData\Local\Temp\-zvhy.exeFilesize
719KB
MD55cfcd1cb21be63288522804b0bf41e78
SHA1221718e1e08511927c854e3a140771b42c51b22c
SHA256c15b967e4707686feb6123a348cdec350dbc73c53a77b454fb046fa24296a880
SHA51239f050484d9e30d9770ba035f13f245004515ad563bdd6bd0ad6ebce0f531f68607b006fc4c1aecd975824bb588081efc879a53c306a06bf334773f82880a76c
-
C:\Users\Admin\AppData\Local\Temp\-zvhy.exeFilesize
719KB
MD55cfcd1cb21be63288522804b0bf41e78
SHA1221718e1e08511927c854e3a140771b42c51b22c
SHA256c15b967e4707686feb6123a348cdec350dbc73c53a77b454fb046fa24296a880
SHA51239f050484d9e30d9770ba035f13f245004515ad563bdd6bd0ad6ebce0f531f68607b006fc4c1aecd975824bb588081efc879a53c306a06bf334773f82880a76c
-
C:\Users\Admin\AppData\Local\Temp\DB1Filesize
40KB
MD5b608d407fc15adea97c26936bc6f03f6
SHA1953e7420801c76393902c0d6bb56148947e41571
SHA256b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
SHA512cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4
-
C:\Users\Admin\AppData\Local\Temp\DB1Filesize
48KB
MD5349e6eb110e34a08924d92f6b334801d
SHA1bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA5122a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574
-
memory/220-153-0x0000000000000000-mapping.dmp
-
memory/676-141-0x0000000002790000-0x00000000028F2000-memory.dmpFilesize
1.4MB
-
memory/676-169-0x0000000007B80000-0x0000000007D12000-memory.dmpFilesize
1.6MB
-
memory/676-170-0x0000000007B80000-0x0000000007D12000-memory.dmpFilesize
1.6MB
-
memory/676-148-0x0000000007AC0000-0x0000000007B75000-memory.dmpFilesize
724KB
-
memory/676-150-0x0000000007AC0000-0x0000000007B75000-memory.dmpFilesize
724KB
-
memory/1560-151-0x0000000000000000-mapping.dmp
-
memory/2824-140-0x0000000005140000-0x0000000005151000-memory.dmpFilesize
68KB
-
memory/2824-139-0x00000000051B0000-0x00000000054FA000-memory.dmpFilesize
3.3MB
-
memory/2824-138-0x0000000010410000-0x000000001043B000-memory.dmpFilesize
172KB
-
memory/2824-134-0x0000000000000000-mapping.dmp
-
memory/3464-158-0x0000000002690000-0x00000000026BB000-memory.dmpFilesize
172KB
-
memory/3464-164-0x0000000010410000-0x000000001043F000-memory.dmpFilesize
188KB
-
memory/3464-155-0x0000000000000000-mapping.dmp
-
memory/3464-163-0x0000000010410000-0x000000001043F000-memory.dmpFilesize
188KB
-
memory/4224-168-0x0000000003AD0000-0x0000000003AE4000-memory.dmpFilesize
80KB
-
memory/4224-167-0x0000000003B40000-0x0000000003E8A000-memory.dmpFilesize
3.3MB
-
memory/4224-166-0x0000000010410000-0x000000001043F000-memory.dmpFilesize
188KB
-
memory/4224-162-0x0000000000000000-mapping.dmp
-
memory/4268-135-0x0000000010410000-0x000000001043B000-memory.dmpFilesize
172KB
-
memory/4268-136-0x0000000010410000-0x000000001043B000-memory.dmpFilesize
172KB
-
memory/4268-132-0x00000000021C0000-0x00000000021EB000-memory.dmpFilesize
172KB
-
memory/4712-143-0x0000000000000000-mapping.dmp
-
memory/4792-145-0x0000000000BC0000-0x0000000000BEB000-memory.dmpFilesize
172KB
-
memory/4792-142-0x0000000000000000-mapping.dmp
-
memory/4792-144-0x0000000000520000-0x0000000000547000-memory.dmpFilesize
156KB
-
memory/4792-149-0x0000000000BC0000-0x0000000000BEB000-memory.dmpFilesize
172KB
-
memory/4792-146-0x0000000002F50000-0x000000000329A000-memory.dmpFilesize
3.3MB
-
memory/4792-147-0x0000000002D80000-0x0000000002E10000-memory.dmpFilesize
576KB