Analysis
-
max time kernel
151s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
02-12-2022 02:28
Static task
static1
Behavioral task
behavioral1
Sample
SecuriteInfo.com.Win32.InjectorX-gen.829.1269.exe
Resource
win7-20221111-en
General
-
Target
SecuriteInfo.com.Win32.InjectorX-gen.829.1269.exe
-
Size
385KB
-
MD5
f9b1312ac8ff70011ddbd11607c93d65
-
SHA1
4a94f5870ea9e181760548a3ca306e168a29af86
-
SHA256
66ddd2146468f179b633aa6f51de9e8905f3cb0726007e6f5c254a870e07fd1a
-
SHA512
635011bfbba11cefc2131877a0ef51caeb88aac5a38c33e9dc0dfba87c6673e85bed08384cccc76bfdc4c3cea22d953a455e3f687d2699fc9a55b744f68d9ea2
-
SSDEEP
6144:hBn7A5jMUCoQcDeFkAOPapOsFBUVIlnWD+a8m3qSimcHRZ7N5D:vrcMkAJnyVIFWD+aiSimg3D
Malware Config
Extracted
formbook
m9ae
nWTQpX6TYm6dfT3Lcw==
7JaBLgMm8EKn2AlTy5Ksj4Jq
yWRJIhE3viQgqEpZS3o=
ES9dFo0bytF8vlvRcg==
aX/aBZn29pD+cg==
lU64sYOZV7ZVpUy1ag==
9BpOCYAPv8L8TyIFAiTp2PSqLg==
uEJ2RyQ1BcBXfFr8kT5Z1KV0
oVM42Ury9pD+cg==
0Zl3VkcuKaY+
OjZeGI8dw67Z6eWtnOoBfoI=
ytwFn9j4i+N8nKYRSgcfh3xn5LU=
xMb1+YkOyxmbxJ53JsP7Pg==
HODQpzTBS1gVoi4X0hStKQ==
fQ417ycwD+ziKt1u0hStKQ==
nsApOqE62sA8uS735uCXVP+YcrQ=
4aobG3oZ3AHqTPs=
P2LEwJatZbQZUTayTW0=
/bopO7NR6clCfT3Lcw==
bBxRRkFY01R+20pZS3o=
enylSY//R0Euo5Hc
s3hoHGn+blzIzLD2XcWsj4Jq
MvZlcWyHEnNHRGHB
qDJgM38Zlp2BriDZBnI=
JlaRDbpPJo43fT3Lcw==
aZgM/YERpLJOfT3Lcw==
dgcdTgcuKaY+
N12TQ5X0uI7/dA==
85d5Cn4gEuXNHOY=
XGyjNRUvzkzpFEb98NiZYf+YcrQ=
nUc1kamtJHlHRGHB
M+1WZ6NvT6VHRGHB
k1iSQqU6E3biHW3Ev1x/
yoeZZ9suKaY+
yiqErKzdOA==
I8FYQ4Mx9pD+cg==
e3sMggibmaRHRGHB
YBxPTjVYD4c2WVRYdfxP9f/w5W+IU0g=
A6GFXmNsA4y3ByPuEXU=
RkSck9R+79lCe5vEv1x/
c4Hf8OWx18LuWN4pPnA=
IK6UOZcpvKTL2/PbBHI=
dpbLY0FV8mxHRGHB
RoTt48Dgi/aZtJ/Ev1x/
4/FRPhpH3TPGD0uYB7Yf2PSqLg==
5A5CBZYyzanG52lgk7V7K8G4gdDu5w==
p8IpCMzdxqyj2UpZS3o=
cToa+3QRpLJOfT3Lcw==
Lat9/Yk19pD+cg==
CrjklYWQN6tXfIjEv1x/
SfQyB+TxpJSt20pZS3o=
eTEdrAOeVYJ4Cx6WSxqnYGgz01Yv7w==
NP7rnOJz7QXxQfk=
hrYdLa1V+exp20UX0hStKQ==
R+gl+MvhTQHqTPs=
CC6YqK+3hWJYpEseExvt2PSqLg==
VmybWD1f6EIreDUVP47Yw5la3rI=
Sgv5moChVKcQSZYjwYWyvbeuMw==
rtxt7QYo5mxHRGHB
cH/l/4Ecn61OfT3Lcw==
T4iddmuQEGhd1NwMviZm
cyH/sQGRb8s6e5vEv1x/
Y3DL3M3XS86ftJ7Ev1x/
U2jGyqnCYcDDJt3mAjZDxf+YcrQ=
spirituallyzen.com
Extracted
xloader
3.Æ…
m9ae
nWTQpX6TYm6dfT3Lcw==
7JaBLgMm8EKn2AlTy5Ksj4Jq
yWRJIhE3viQgqEpZS3o=
ES9dFo0bytF8vlvRcg==
aX/aBZn29pD+cg==
lU64sYOZV7ZVpUy1ag==
9BpOCYAPv8L8TyIFAiTp2PSqLg==
uEJ2RyQ1BcBXfFr8kT5Z1KV0
oVM42Ury9pD+cg==
0Zl3VkcuKaY+
OjZeGI8dw67Z6eWtnOoBfoI=
ytwFn9j4i+N8nKYRSgcfh3xn5LU=
xMb1+YkOyxmbxJ53JsP7Pg==
HODQpzTBS1gVoi4X0hStKQ==
fQ417ycwD+ziKt1u0hStKQ==
nsApOqE62sA8uS735uCXVP+YcrQ=
4aobG3oZ3AHqTPs=
P2LEwJatZbQZUTayTW0=
/bopO7NR6clCfT3Lcw==
bBxRRkFY01R+20pZS3o=
enylSY//R0Euo5Hc
s3hoHGn+blzIzLD2XcWsj4Jq
MvZlcWyHEnNHRGHB
qDJgM38Zlp2BriDZBnI=
JlaRDbpPJo43fT3Lcw==
aZgM/YERpLJOfT3Lcw==
dgcdTgcuKaY+
N12TQ5X0uI7/dA==
85d5Cn4gEuXNHOY=
XGyjNRUvzkzpFEb98NiZYf+YcrQ=
nUc1kamtJHlHRGHB
M+1WZ6NvT6VHRGHB
k1iSQqU6E3biHW3Ev1x/
yoeZZ9suKaY+
yiqErKzdOA==
I8FYQ4Mx9pD+cg==
e3sMggibmaRHRGHB
YBxPTjVYD4c2WVRYdfxP9f/w5W+IU0g=
A6GFXmNsA4y3ByPuEXU=
RkSck9R+79lCe5vEv1x/
c4Hf8OWx18LuWN4pPnA=
IK6UOZcpvKTL2/PbBHI=
dpbLY0FV8mxHRGHB
RoTt48Dgi/aZtJ/Ev1x/
4/FRPhpH3TPGD0uYB7Yf2PSqLg==
5A5CBZYyzanG52lgk7V7K8G4gdDu5w==
p8IpCMzdxqyj2UpZS3o=
cToa+3QRpLJOfT3Lcw==
Lat9/Yk19pD+cg==
CrjklYWQN6tXfIjEv1x/
SfQyB+TxpJSt20pZS3o=
eTEdrAOeVYJ4Cx6WSxqnYGgz01Yv7w==
NP7rnOJz7QXxQfk=
hrYdLa1V+exp20UX0hStKQ==
R+gl+MvhTQHqTPs=
CC6YqK+3hWJYpEseExvt2PSqLg==
VmybWD1f6EIreDUVP47Yw5la3rI=
Sgv5moChVKcQSZYjwYWyvbeuMw==
rtxt7QYo5mxHRGHB
cH/l/4Ecn61OfT3Lcw==
T4iddmuQEGhd1NwMviZm
cyH/sQGRb8s6e5vEv1x/
Y3DL3M3XS86ftJ7Ev1x/
U2jGyqnCYcDDJt3mAjZDxf+YcrQ=
spirituallyzen.com
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
ndteryle.exendteryle.exepid process 4804 ndteryle.exe 4492 ndteryle.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
ndteryle.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation ndteryle.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
ndteryle.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fpmovprajuue = "C:\\Users\\Admin\\AppData\\Roaming\\vevuxssug\\ujybeowi.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\ndteryle.exe\" C:\\Users\\Admin\\AppData\\Loca" ndteryle.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
ndteryle.exendteryle.execmstp.exedescription pid process target process PID 4804 set thread context of 4492 4804 ndteryle.exe ndteryle.exe PID 4492 set thread context of 760 4492 ndteryle.exe Explorer.EXE PID 888 set thread context of 760 888 cmstp.exe Explorer.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Processes:
cmstp.exedescription ioc process Key created \Registry\User\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 cmstp.exe -
Suspicious behavior: EnumeratesProcesses 62 IoCs
Processes:
ndteryle.execmstp.exepid process 4492 ndteryle.exe 4492 ndteryle.exe 4492 ndteryle.exe 4492 ndteryle.exe 4492 ndteryle.exe 4492 ndteryle.exe 4492 ndteryle.exe 4492 ndteryle.exe 888 cmstp.exe 888 cmstp.exe 888 cmstp.exe 888 cmstp.exe 888 cmstp.exe 888 cmstp.exe 888 cmstp.exe 888 cmstp.exe 888 cmstp.exe 888 cmstp.exe 888 cmstp.exe 888 cmstp.exe 888 cmstp.exe 888 cmstp.exe 888 cmstp.exe 888 cmstp.exe 888 cmstp.exe 888 cmstp.exe 888 cmstp.exe 888 cmstp.exe 888 cmstp.exe 888 cmstp.exe 888 cmstp.exe 888 cmstp.exe 888 cmstp.exe 888 cmstp.exe 888 cmstp.exe 888 cmstp.exe 888 cmstp.exe 888 cmstp.exe 888 cmstp.exe 888 cmstp.exe 888 cmstp.exe 888 cmstp.exe 888 cmstp.exe 888 cmstp.exe 888 cmstp.exe 888 cmstp.exe 888 cmstp.exe 888 cmstp.exe 888 cmstp.exe 888 cmstp.exe 888 cmstp.exe 888 cmstp.exe 888 cmstp.exe 888 cmstp.exe 888 cmstp.exe 888 cmstp.exe 888 cmstp.exe 888 cmstp.exe 888 cmstp.exe 888 cmstp.exe 888 cmstp.exe 888 cmstp.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXEpid process 760 Explorer.EXE -
Suspicious behavior: MapViewOfSection 8 IoCs
Processes:
ndteryle.exendteryle.execmstp.exepid process 4804 ndteryle.exe 4492 ndteryle.exe 4492 ndteryle.exe 4492 ndteryle.exe 888 cmstp.exe 888 cmstp.exe 888 cmstp.exe 888 cmstp.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
ndteryle.execmstp.exedescription pid process Token: SeDebugPrivilege 4492 ndteryle.exe Token: SeDebugPrivilege 888 cmstp.exe -
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
SecuriteInfo.com.Win32.InjectorX-gen.829.1269.exendteryle.exeExplorer.EXEcmstp.exedescription pid process target process PID 2404 wrote to memory of 4804 2404 SecuriteInfo.com.Win32.InjectorX-gen.829.1269.exe ndteryle.exe PID 2404 wrote to memory of 4804 2404 SecuriteInfo.com.Win32.InjectorX-gen.829.1269.exe ndteryle.exe PID 2404 wrote to memory of 4804 2404 SecuriteInfo.com.Win32.InjectorX-gen.829.1269.exe ndteryle.exe PID 4804 wrote to memory of 4492 4804 ndteryle.exe ndteryle.exe PID 4804 wrote to memory of 4492 4804 ndteryle.exe ndteryle.exe PID 4804 wrote to memory of 4492 4804 ndteryle.exe ndteryle.exe PID 4804 wrote to memory of 4492 4804 ndteryle.exe ndteryle.exe PID 760 wrote to memory of 888 760 Explorer.EXE cmstp.exe PID 760 wrote to memory of 888 760 Explorer.EXE cmstp.exe PID 760 wrote to memory of 888 760 Explorer.EXE cmstp.exe PID 888 wrote to memory of 1280 888 cmstp.exe Firefox.exe PID 888 wrote to memory of 1280 888 cmstp.exe Firefox.exe PID 888 wrote to memory of 1280 888 cmstp.exe Firefox.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.InjectorX-gen.829.1269.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.InjectorX-gen.829.1269.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ndteryle.exe"C:\Users\Admin\AppData\Local\Temp\ndteryle.exe" C:\Users\Admin\AppData\Local\Temp\ocnbvdevo.as3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ndteryle.exe"C:\Users\Admin\AppData\Local\Temp\ndteryle.exe"4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmstp.exe"C:\Windows\SysWOW64\cmstp.exe"2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\lqvas.pkvFilesize
185KB
MD540807db09771d538ff90931d1d57521d
SHA164e2076ea18f5f8f4adaa923786b7bdc441106b3
SHA25681f9c727a1049cdbeef998ad98b58f0c7b401103db1bfbbd99cf2be8492356fb
SHA512e478f5849ea7a44287c8bc1ac05dc0905b4df7110598c5f700a0ef8f080d78b8d59f913b7bc976012bcf7655e36964a998168575938a51cfa9854542a2fdefa7
-
C:\Users\Admin\AppData\Local\Temp\ndteryle.exeFilesize
104KB
MD50c5f8d9d08895f59fe74455d145e0b6c
SHA1166eca0d136def18f42309f2010cd758c79f2912
SHA256eb609c776304e0c7056f7953663e7b626d9b7b88341795075c6af1f093f4b9f1
SHA51297a78a76ccd0b93f18af2224c8a63eb829b0c9ad142bdc50df3410c512ad6be620f707c3e9b808fdff3ff9fa2fc1a7b1279891ed5c696166ab90e95ee562a2a0
-
C:\Users\Admin\AppData\Local\Temp\ndteryle.exeFilesize
104KB
MD50c5f8d9d08895f59fe74455d145e0b6c
SHA1166eca0d136def18f42309f2010cd758c79f2912
SHA256eb609c776304e0c7056f7953663e7b626d9b7b88341795075c6af1f093f4b9f1
SHA51297a78a76ccd0b93f18af2224c8a63eb829b0c9ad142bdc50df3410c512ad6be620f707c3e9b808fdff3ff9fa2fc1a7b1279891ed5c696166ab90e95ee562a2a0
-
C:\Users\Admin\AppData\Local\Temp\ndteryle.exeFilesize
104KB
MD50c5f8d9d08895f59fe74455d145e0b6c
SHA1166eca0d136def18f42309f2010cd758c79f2912
SHA256eb609c776304e0c7056f7953663e7b626d9b7b88341795075c6af1f093f4b9f1
SHA51297a78a76ccd0b93f18af2224c8a63eb829b0c9ad142bdc50df3410c512ad6be620f707c3e9b808fdff3ff9fa2fc1a7b1279891ed5c696166ab90e95ee562a2a0
-
C:\Users\Admin\AppData\Local\Temp\ocnbvdevo.asFilesize
7KB
MD5b17e5c62bca52304eb649d424d1989c2
SHA1889c91ce68438793bdb6c78936c8cd6851599886
SHA2567b980f8e90494442b292fd15541bd3d21aa0aa3625161c653fa06845c6c07dc1
SHA512dd061cc63b51c88c9b0036cee9b4834475f7d9a235f238ae3fc381c2cfa647a66c113676b1bc878bc7c6f153604525c01a131fa7dc2bd0bed89583878371c5ac
-
memory/760-149-0x0000000002410000-0x0000000002510000-memory.dmpFilesize
1024KB
-
memory/760-151-0x0000000002410000-0x0000000002510000-memory.dmpFilesize
1024KB
-
memory/760-143-0x0000000007E40000-0x0000000007F9F000-memory.dmpFilesize
1.4MB
-
memory/888-150-0x0000000000410000-0x000000000043D000-memory.dmpFilesize
180KB
-
memory/888-148-0x00000000021A0000-0x000000000222F000-memory.dmpFilesize
572KB
-
memory/888-147-0x0000000002500000-0x000000000284A000-memory.dmpFilesize
3.3MB
-
memory/888-146-0x0000000000410000-0x000000000043D000-memory.dmpFilesize
180KB
-
memory/888-144-0x0000000000000000-mapping.dmp
-
memory/888-145-0x0000000000BE0000-0x0000000000BF6000-memory.dmpFilesize
88KB
-
memory/4492-137-0x0000000000000000-mapping.dmp
-
memory/4492-142-0x0000000000670000-0x0000000000680000-memory.dmpFilesize
64KB
-
memory/4492-140-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/4492-141-0x0000000000AE0000-0x0000000000E2A000-memory.dmpFilesize
3.3MB
-
memory/4492-139-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/4804-132-0x0000000000000000-mapping.dmp