Analysis
-
max time kernel: 48s
max time network: 108s
platform: windows10_x64
resource: win10v20201028
submitted: 06-03-2021 22:26
Behavioral task: behavioral1
Sample: New Order.exe
Resource: win7v20201028
General
-
Target: New Order.exe
Size: 464KB
MD5: 0024d9cde1a84611d54766483e965b83
SHA1: c2510602e2894aeb2882fb88b56b0240b068cbe3
SHA256: 505d119d07ae831d54801a1a5c39320ec8bbeec8c4ad81f2b60e12ae25b88f8f
SHA512: 88c2cb84c52cb77a97aac1ad6dfa8df7ec5f6ddfaa98151ceff84b8251d6fa35e5a396fd8ad1e64e401e9f2867afb8625fce0c8ae023875172a520014582b918
Malware Config
Extracted
xloader
http://www.magentos.info/za004/
Signatures
-
Xloader Payload 2 IoCs
Processes:
resource  yara_rule
behavioral2/memory/572-14-0x000000000041C150-mapping.dmp  xloader
behavioral2/memory/572-16-0x0000000000380000-0x00000000003A7000-memory.dmp  xloader
-
Executes dropped EXE 1 IoCs
Processes: AddInProcess32.exe
pid  process
572  AddInProcess32.exe
-
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
resource  yara_rule
behavioral2/memory/4760-9-0x0000000005870000-0x000000000587A000-memory.dmp  agile_net
-
Suspicious use of SetThreadContext 1 IoCs
Processes: New Order.exe
description  pid  process  target process
PID 4760 set thread context of 572  4760  New Order.exe  AddInProcess32.exe
-
Program crash 1 IoCs
Processes: WerFault.exe
pid  pid_target  process  target process
640  572  WerFault.exe  AddInProcess32.exe
-
Suspicious behavior: EnumeratesProcesses 17 IoCs
Processes: New Order.exe, WerFault.exe
pid  process
4760  New Order.exe
4760  New Order.exe
4760  New Order.exe
640  WerFault.exe
640  WerFault.exe
640  WerFault.exe
640  WerFault.exe
640  WerFault.exe
640  WerFault.exe
640  WerFault.exe
640  WerFault.exe
640  WerFault.exe
640  WerFault.exe
640  WerFault.exe
640  WerFault.exe
640  WerFault.exe
640  WerFault.exe
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes: New Order.exe, WerFault.exe
description  pid  process
Token: SeDebugPrivilege  4760  New Order.exe
Token: SeRestorePrivilege  640  WerFault.exe
Token: SeBackupPrivilege  640  WerFault.exe
Token: SeDebugPrivilege  640  WerFault.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes: New Order.exe
description  pid  process  target process
PID 4760 wrote to memory of 572  4760  New Order.exe  AddInProcess32.exe
PID 4760 wrote to memory of 572  4760  New Order.exe  AddInProcess32.exe
PID 4760 wrote to memory of 572  4760  New Order.exe  AddInProcess32.exe
PID 4760 wrote to memory of 572  4760  New Order.exe  AddInProcess32.exe
PID 4760 wrote to memory of 572  4760  New Order.exe  AddInProcess32.exe
PID 4760 wrote to memory of 572  4760  New Order.exe  AddInProcess32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\New Order.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\New Order.exe" (level 1)
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe" (level 2)
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 572 -s 188 (level 3)
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
-
C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
MD5: 6a673bfc3b67ae9782cb31af2f234c68
SHA1: 7544e89566d91e84e3cd437b9a073e5f6b56566e
SHA256: 978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e
SHA512: 72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39
-
memory/572-14-0x000000000041C150-mapping.dmp
-
memory/572-16-0x0000000000380000-0x00000000003A7000-memory.dmp
Filesize: 156KB
-
memory/640-17-0x0000000004700000-0x0000000004701000-memory.dmp
Filesize: 4KB
-
memory/4760-9-0x0000000005870000-0x000000000587A000-memory.dmp
Filesize: 40KB
-
memory/4760-2-0x0000000073150000-0x000000007383E000-memory.dmp
Filesize: 6.9MB
-
memory/4760-10-0x00000000058A1000-0x00000000058A2000-memory.dmp
Filesize: 4KB
-
memory/4760-11-0x0000000006AC0000-0x0000000006AC1000-memory.dmp
Filesize: 4KB
-
memory/4760-12-0x0000000006380000-0x0000000006389000-memory.dmp
Filesize: 36KB
-
memory/4760-8-0x00000000058A0000-0x00000000058A1000-memory.dmp
Filesize: 4KB
-
memory/4760-7-0x00000000058B0000-0x00000000058B1000-memory.dmp
Filesize: 4KB
-
memory/4760-6-0x0000000005E80000-0x0000000005E81000-memory.dmp
Filesize: 4KB
-
memory/4760-5-0x0000000003280000-0x00000000032A5000-memory.dmp
Filesize: 148KB
-
memory/4760-3-0x0000000000F10000-0x0000000000F11000-memory.dmp
Filesize: 4KB