Analysis
-
max time kernel
152s -
max time network
193s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system -
submitted
02-12-2022 02:28
Static task
static1
Behavioral task
behavioral1
Sample
SecuriteInfo.com.Win32.InjectorX-gen.829.1269.exe
Resource
win7-20221111-en
General
-
Target
SecuriteInfo.com.Win32.InjectorX-gen.829.1269.exe
-
Size
385KB
-
MD5
f9b1312ac8ff70011ddbd11607c93d65
-
SHA1
4a94f5870ea9e181760548a3ca306e168a29af86
-
SHA256
66ddd2146468f179b633aa6f51de9e8905f3cb0726007e6f5c254a870e07fd1a
-
SHA512
635011bfbba11cefc2131877a0ef51caeb88aac5a38c33e9dc0dfba87c6673e85bed08384cccc76bfdc4c3cea22d953a455e3f687d2699fc9a55b744f68d9ea2
-
SSDEEP
6144:hBn7A5jMUCoQcDeFkAOPapOsFBUVIlnWD+a8m3qSimcHRZ7N5D:vrcMkAJnyVIFWD+aiSimg3D
Malware Config
Extracted
formbook
m9ae
nWTQpX6TYm6dfT3Lcw==
7JaBLgMm8EKn2AlTy5Ksj4Jq
yWRJIhE3viQgqEpZS3o=
ES9dFo0bytF8vlvRcg==
aX/aBZn29pD+cg==
lU64sYOZV7ZVpUy1ag==
9BpOCYAPv8L8TyIFAiTp2PSqLg==
uEJ2RyQ1BcBXfFr8kT5Z1KV0
oVM42Ury9pD+cg==
0Zl3VkcuKaY+
OjZeGI8dw67Z6eWtnOoBfoI=
ytwFn9j4i+N8nKYRSgcfh3xn5LU=
xMb1+YkOyxmbxJ53JsP7Pg==
HODQpzTBS1gVoi4X0hStKQ==
fQ417ycwD+ziKt1u0hStKQ==
nsApOqE62sA8uS735uCXVP+YcrQ=
4aobG3oZ3AHqTPs=
P2LEwJatZbQZUTayTW0=
/bopO7NR6clCfT3Lcw==
bBxRRkFY01R+20pZS3o=
enylSY//R0Euo5Hc
s3hoHGn+blzIzLD2XcWsj4Jq
MvZlcWyHEnNHRGHB
qDJgM38Zlp2BriDZBnI=
JlaRDbpPJo43fT3Lcw==
aZgM/YERpLJOfT3Lcw==
dgcdTgcuKaY+
N12TQ5X0uI7/dA==
85d5Cn4gEuXNHOY=
XGyjNRUvzkzpFEb98NiZYf+YcrQ=
nUc1kamtJHlHRGHB
M+1WZ6NvT6VHRGHB
k1iSQqU6E3biHW3Ev1x/
yoeZZ9suKaY+
yiqErKzdOA==
I8FYQ4Mx9pD+cg==
e3sMggibmaRHRGHB
YBxPTjVYD4c2WVRYdfxP9f/w5W+IU0g=
A6GFXmNsA4y3ByPuEXU=
RkSck9R+79lCe5vEv1x/
c4Hf8OWx18LuWN4pPnA=
IK6UOZcpvKTL2/PbBHI=
dpbLY0FV8mxHRGHB
RoTt48Dgi/aZtJ/Ev1x/
4/FRPhpH3TPGD0uYB7Yf2PSqLg==
5A5CBZYyzanG52lgk7V7K8G4gdDu5w==
p8IpCMzdxqyj2UpZS3o=
cToa+3QRpLJOfT3Lcw==
Lat9/Yk19pD+cg==
CrjklYWQN6tXfIjEv1x/
SfQyB+TxpJSt20pZS3o=
eTEdrAOeVYJ4Cx6WSxqnYGgz01Yv7w==
NP7rnOJz7QXxQfk=
hrYdLa1V+exp20UX0hStKQ==
R+gl+MvhTQHqTPs=
CC6YqK+3hWJYpEseExvt2PSqLg==
VmybWD1f6EIreDUVP47Yw5la3rI=
Sgv5moChVKcQSZYjwYWyvbeuMw==
rtxt7QYo5mxHRGHB
cH/l/4Ecn61OfT3Lcw==
T4iddmuQEGhd1NwMviZm
cyH/sQGRb8s6e5vEv1x/
Y3DL3M3XS86ftJ7Ev1x/
U2jGyqnCYcDDJt3mAjZDxf+YcrQ=
spirituallyzen.com
Signatures
-
Blocklisted process makes network request 2 IoCs
Processes:
msiexec.exeflow pid process 7 1356 msiexec.exe 8 1356 msiexec.exe -
Executes dropped EXE 2 IoCs
Processes:
ndteryle.exendteryle.exepid process 1316 ndteryle.exe 1176 ndteryle.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
ndteryle.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Control Panel\International\Geo\Nation ndteryle.exe -
Loads dropped DLL 3 IoCs
Processes:
SecuriteInfo.com.Win32.InjectorX-gen.829.1269.exendteryle.exemsiexec.exepid process 1252 SecuriteInfo.com.Win32.InjectorX-gen.829.1269.exe 1316 ndteryle.exe 1356 msiexec.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
ndteryle.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\fpmovprajuue = "C:\\Users\\Admin\\AppData\\Roaming\\vevuxssug\\ujybeowi.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\ndteryle.exe\" C:\\Users\\Admin\\AppData\\Loca" ndteryle.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
ndteryle.exendteryle.exemsiexec.exedescription pid process target process PID 1316 set thread context of 1176 1316 ndteryle.exe ndteryle.exe PID 1176 set thread context of 1228 1176 ndteryle.exe Explorer.EXE PID 1356 set thread context of 1228 1356 msiexec.exe Explorer.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Processes:
msiexec.exedescription ioc process Key created \Registry\User\S-1-5-21-3385717845-2518323428-350143044-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 msiexec.exe -
Suspicious behavior: EnumeratesProcesses 17 IoCs
Processes:
ndteryle.exemsiexec.exepid process 1176 ndteryle.exe 1176 ndteryle.exe 1176 ndteryle.exe 1176 ndteryle.exe 1356 msiexec.exe 1356 msiexec.exe 1356 msiexec.exe 1356 msiexec.exe 1356 msiexec.exe 1356 msiexec.exe 1356 msiexec.exe 1356 msiexec.exe 1356 msiexec.exe 1356 msiexec.exe 1356 msiexec.exe 1356 msiexec.exe 1356 msiexec.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXEpid process 1228 Explorer.EXE -
Suspicious behavior: MapViewOfSection 8 IoCs
Processes:
ndteryle.exendteryle.exemsiexec.exepid process 1316 ndteryle.exe 1176 ndteryle.exe 1176 ndteryle.exe 1176 ndteryle.exe 1356 msiexec.exe 1356 msiexec.exe 1356 msiexec.exe 1356 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
ndteryle.exemsiexec.exeExplorer.EXEdescription pid process Token: SeDebugPrivilege 1176 ndteryle.exe Token: SeDebugPrivilege 1356 msiexec.exe Token: SeShutdownPrivilege 1228 Explorer.EXE -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
Explorer.EXEpid process 1228 Explorer.EXE 1228 Explorer.EXE -
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
Explorer.EXEpid process 1228 Explorer.EXE 1228 Explorer.EXE -
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
SecuriteInfo.com.Win32.InjectorX-gen.829.1269.exendteryle.exeExplorer.EXEmsiexec.exedescription pid process target process PID 1252 wrote to memory of 1316 1252 SecuriteInfo.com.Win32.InjectorX-gen.829.1269.exe ndteryle.exe PID 1252 wrote to memory of 1316 1252 SecuriteInfo.com.Win32.InjectorX-gen.829.1269.exe ndteryle.exe PID 1252 wrote to memory of 1316 1252 SecuriteInfo.com.Win32.InjectorX-gen.829.1269.exe ndteryle.exe PID 1252 wrote to memory of 1316 1252 SecuriteInfo.com.Win32.InjectorX-gen.829.1269.exe ndteryle.exe PID 1316 wrote to memory of 1176 1316 ndteryle.exe ndteryle.exe PID 1316 wrote to memory of 1176 1316 ndteryle.exe ndteryle.exe PID 1316 wrote to memory of 1176 1316 ndteryle.exe ndteryle.exe PID 1316 wrote to memory of 1176 1316 ndteryle.exe ndteryle.exe PID 1316 wrote to memory of 1176 1316 ndteryle.exe ndteryle.exe PID 1228 wrote to memory of 1356 1228 Explorer.EXE msiexec.exe PID 1228 wrote to memory of 1356 1228 Explorer.EXE msiexec.exe PID 1228 wrote to memory of 1356 1228 Explorer.EXE msiexec.exe PID 1228 wrote to memory of 1356 1228 Explorer.EXE msiexec.exe PID 1228 wrote to memory of 1356 1228 Explorer.EXE msiexec.exe PID 1228 wrote to memory of 1356 1228 Explorer.EXE msiexec.exe PID 1228 wrote to memory of 1356 1228 Explorer.EXE msiexec.exe PID 1356 wrote to memory of 556 1356 msiexec.exe Firefox.exe PID 1356 wrote to memory of 556 1356 msiexec.exe Firefox.exe PID 1356 wrote to memory of 556 1356 msiexec.exe Firefox.exe PID 1356 wrote to memory of 556 1356 msiexec.exe Firefox.exe PID 1356 wrote to memory of 556 1356 msiexec.exe Firefox.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.InjectorX-gen.829.1269.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.InjectorX-gen.829.1269.exe"2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ndteryle.exe"C:\Users\Admin\AppData\Local\Temp\ndteryle.exe" C:\Users\Admin\AppData\Local\Temp\ocnbvdevo.as3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ndteryle.exe"C:\Users\Admin\AppData\Local\Temp\ndteryle.exe"4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\SysWOW64\msiexec.exe"2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\lqvas.pkvFilesize
185KB
MD540807db09771d538ff90931d1d57521d
SHA164e2076ea18f5f8f4adaa923786b7bdc441106b3
SHA25681f9c727a1049cdbeef998ad98b58f0c7b401103db1bfbbd99cf2be8492356fb
SHA512e478f5849ea7a44287c8bc1ac05dc0905b4df7110598c5f700a0ef8f080d78b8d59f913b7bc976012bcf7655e36964a998168575938a51cfa9854542a2fdefa7
-
C:\Users\Admin\AppData\Local\Temp\ndteryle.exeFilesize
104KB
MD50c5f8d9d08895f59fe74455d145e0b6c
SHA1166eca0d136def18f42309f2010cd758c79f2912
SHA256eb609c776304e0c7056f7953663e7b626d9b7b88341795075c6af1f093f4b9f1
SHA51297a78a76ccd0b93f18af2224c8a63eb829b0c9ad142bdc50df3410c512ad6be620f707c3e9b808fdff3ff9fa2fc1a7b1279891ed5c696166ab90e95ee562a2a0
-
C:\Users\Admin\AppData\Local\Temp\ndteryle.exeFilesize
104KB
MD50c5f8d9d08895f59fe74455d145e0b6c
SHA1166eca0d136def18f42309f2010cd758c79f2912
SHA256eb609c776304e0c7056f7953663e7b626d9b7b88341795075c6af1f093f4b9f1
SHA51297a78a76ccd0b93f18af2224c8a63eb829b0c9ad142bdc50df3410c512ad6be620f707c3e9b808fdff3ff9fa2fc1a7b1279891ed5c696166ab90e95ee562a2a0
-
C:\Users\Admin\AppData\Local\Temp\ndteryle.exeFilesize
104KB
MD50c5f8d9d08895f59fe74455d145e0b6c
SHA1166eca0d136def18f42309f2010cd758c79f2912
SHA256eb609c776304e0c7056f7953663e7b626d9b7b88341795075c6af1f093f4b9f1
SHA51297a78a76ccd0b93f18af2224c8a63eb829b0c9ad142bdc50df3410c512ad6be620f707c3e9b808fdff3ff9fa2fc1a7b1279891ed5c696166ab90e95ee562a2a0
-
C:\Users\Admin\AppData\Local\Temp\ocnbvdevo.asFilesize
7KB
MD5b17e5c62bca52304eb649d424d1989c2
SHA1889c91ce68438793bdb6c78936c8cd6851599886
SHA2567b980f8e90494442b292fd15541bd3d21aa0aa3625161c653fa06845c6c07dc1
SHA512dd061cc63b51c88c9b0036cee9b4834475f7d9a235f238ae3fc381c2cfa647a66c113676b1bc878bc7c6f153604525c01a131fa7dc2bd0bed89583878371c5ac
-
\Users\Admin\AppData\Local\Temp\ndteryle.exeFilesize
104KB
MD50c5f8d9d08895f59fe74455d145e0b6c
SHA1166eca0d136def18f42309f2010cd758c79f2912
SHA256eb609c776304e0c7056f7953663e7b626d9b7b88341795075c6af1f093f4b9f1
SHA51297a78a76ccd0b93f18af2224c8a63eb829b0c9ad142bdc50df3410c512ad6be620f707c3e9b808fdff3ff9fa2fc1a7b1279891ed5c696166ab90e95ee562a2a0
-
\Users\Admin\AppData\Local\Temp\ndteryle.exeFilesize
104KB
MD50c5f8d9d08895f59fe74455d145e0b6c
SHA1166eca0d136def18f42309f2010cd758c79f2912
SHA256eb609c776304e0c7056f7953663e7b626d9b7b88341795075c6af1f093f4b9f1
SHA51297a78a76ccd0b93f18af2224c8a63eb829b0c9ad142bdc50df3410c512ad6be620f707c3e9b808fdff3ff9fa2fc1a7b1279891ed5c696166ab90e95ee562a2a0
-
\Users\Admin\AppData\Local\Temp\sqlite3.dllFilesize
1.1MB
MD5f55e5766477de5997da50f12c9c74c91
SHA14dc98900a887be95411f07b9e597c57bdc7dbab3
SHA25690be88984ee60864256378c952d44b13d55ac032ab6a7b8c698885176bcece69
SHA512983417a297e68b58fbd1c07fed7a1697d249110a2c10644b2dc96e3facedd3fbfbcac6a7809631ffd62894f02cadd4d3e62022b9e5e026e5bf434f1eb1878f05
-
memory/1176-67-0x0000000000990000-0x0000000000C93000-memory.dmpFilesize
3.0MB
-
memory/1176-69-0x00000000003B0000-0x00000000003C0000-memory.dmpFilesize
64KB
-
memory/1176-63-0x00000000004012B0-mapping.dmp
-
memory/1176-66-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/1176-65-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/1176-68-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/1228-77-0x0000000003C20000-0x0000000003CCE000-memory.dmpFilesize
696KB
-
memory/1228-70-0x0000000004C40000-0x0000000004DBF000-memory.dmpFilesize
1.5MB
-
memory/1228-79-0x0000000003C20000-0x0000000003CCE000-memory.dmpFilesize
696KB
-
memory/1252-54-0x0000000076381000-0x0000000076383000-memory.dmpFilesize
8KB
-
memory/1316-56-0x0000000000000000-mapping.dmp
-
memory/1356-71-0x0000000000000000-mapping.dmp
-
memory/1356-73-0x0000000000100000-0x0000000000114000-memory.dmpFilesize
80KB
-
memory/1356-74-0x0000000000120000-0x000000000014D000-memory.dmpFilesize
180KB
-
memory/1356-75-0x0000000002140000-0x0000000002443000-memory.dmpFilesize
3.0MB
-
memory/1356-76-0x0000000001E70000-0x0000000001EFF000-memory.dmpFilesize
572KB
-
memory/1356-78-0x0000000000120000-0x000000000014D000-memory.dmpFilesize
180KB