Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 18-01-2021 09:44
- Static task: static1
- Behavioral task: behavioral1
- Sample: Purchase Order_pdf.exe
- Resource: win7v20201028
General
- Target: Purchase Order_pdf.exe
- Size: 519KB
- MD5: b5e5802e37b01b3aa324090e4fc0af3a
- SHA1: ad98482ee1e4c90d5ffc19b3ec4720a332f0800a
- SHA256: f73c1a2549b119a5de3964cdcbbdbefbaca205e1f149b4d77688a92285b4d20b
- SHA512: 53fb3b2ed4552302ad3d24cf437bf8ed95a593fe2242bec5392983e64c1b602d45fca3d71033fbc0113b7fefb4a2f0d67b0d9a66bf5ada7da5c485e1ef64517b
Malware Config
- Extracted family: formbook
Signatures
- Xloader Payload (2 IoCs)
  YARA rule matches:
  - behavioral1/memory/1988-4-0x0000000000400000-0x0000000000429000-memory.dmp: xloader
  - behavioral1/memory/1764-10-0x0000000000090000-0x00000000000B9000-memory.dmp: xloader
- Deletes itself (1 IoC)
  Processes:
  - PID 1020 cmd.exe
- Suspicious use of SetThreadContext (3 IoCs)
  Processes (source -> target):
  - PID 804 Purchase Order_pdf.exe set thread context of PID 1988 Purchase Order_pdf.exe
  - PID 1988 Purchase Order_pdf.exe set thread context of PID 1280 Explorer.EXE
  - PID 1764 wuapp.exe set thread context of PID 1280 Explorer.EXE
- Suspicious behavior: EnumeratesProcesses (31 IoCs)
  Processes:
  - PID 1988 Purchase Order_pdf.exe (2 events)
  - PID 1764 wuapp.exe (29 events)
- Suspicious behavior: MapViewOfSection (6 IoCs)
  Processes:
  - PID 804 Purchase Order_pdf.exe (1 event)
  - PID 1988 Purchase Order_pdf.exe (3 events)
  - PID 1764 wuapp.exe (2 events)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  - PID 1988 Purchase Order_pdf.exe: Token: SeDebugPrivilege
  - PID 1764 wuapp.exe: Token: SeDebugPrivilege
- Suspicious use of FindShellTrayWindow (4 IoCs)
  Processes:
  - PID 1280 Explorer.EXE (4 events)
- Suspicious use of SendNotifyMessage (4 IoCs)
  Processes:
  - PID 1280 Explorer.EXE (4 events)
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes (source -> target):
  - PID 804 Purchase Order_pdf.exe wrote to memory of PID 1988 Purchase Order_pdf.exe (5 events)
  - PID 1280 Explorer.EXE wrote to memory of PID 1764 wuapp.exe (7 events)
  - PID 1764 wuapp.exe wrote to memory of PID 1020 cmd.exe (4 events)
Processes
Process tree (indented by depth; signatures listed under each process):
C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe (command line: "C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe")
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe (command line: "C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe")
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\autoconv.exe (command line: "C:\Windows\SysWOW64\autoconv.exe")
  C:\Windows\SysWOW64\autofmt.exe (command line: "C:\Windows\SysWOW64\autofmt.exe")
  C:\Windows\SysWOW64\autochk.exe (command line: "C:\Windows\SysWOW64\autochk.exe")
  C:\Windows\SysWOW64\autochk.exe (command line: "C:\Windows\SysWOW64\autochk.exe")
  C:\Windows\SysWOW64\wuapp.exe (command line: "C:\Windows\SysWOW64\wuapp.exe")
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (command line: /c del "C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe")
    - Deletes itself
Network
MITRE ATT&CK Matrix
Downloads
- memory/804-2-0x0000000076C21000-0x0000000076C23000-memory.dmp (filesize 8KB)
- memory/1020-11-0x0000000000000000-mapping.dmp
- memory/1280-7-0x0000000006B40000-0x0000000006CB7000-memory.dmp (filesize 1.5MB)
- memory/1280-14-0x0000000004950000-0x00000000049FB000-memory.dmp (filesize 684KB)
- memory/1764-8-0x0000000000000000-mapping.dmp
- memory/1764-10-0x0000000000090000-0x00000000000B9000-memory.dmp (filesize 164KB)
- memory/1764-9-0x0000000000E90000-0x0000000000E9B000-memory.dmp (filesize 44KB)
- memory/1764-12-0x0000000000B30000-0x0000000000E33000-memory.dmp (filesize 3.0MB)
- memory/1764-13-0x00000000009A0000-0x0000000000A30000-memory.dmp (filesize 576KB)
- memory/1988-6-0x00000000001F0000-0x0000000000201000-memory.dmp (filesize 68KB)
- memory/1988-5-0x0000000000B40000-0x0000000000E43000-memory.dmp (filesize 3.0MB)
- memory/1988-4-0x0000000000400000-0x0000000000429000-memory.dmp (filesize 164KB)
- memory/1988-3-0x000000000041D070-mapping.dmp