Analysis
  max time kernel: 152s
  max time network: 150s
  platform: windows7_x64
  resource: win7v20210410
  submitted: 07-05-2021 20:02
  Static task: static1
  Behavioral task: behavioral1
    Sample: New order.exe
    Resource: win7v20210410
General
  Target: New order.exe
  Size: 205KB
  MD5: c30480523e2f0d910f78aea742cb9c3a
  SHA1: 1edfdb02b75931f824ee82640283671be10398b4
  SHA256: 2eb57ff3dfafc142e693dd878044f38cb02090cbef35246b2525d19abf0fbaf5
  SHA512: ad5289ced6ec2757af225d7830cab9684ee6e2a00a2088626d29b1d100920fde69062932d351d9d4a946ca269f4ba89800ad2ba02c198940204f94584c63b94d
Malware Config
Extracted
  Family: xloader
  Version: 2.3
  URL: http://www.onyxcomputing.com/u8nw/
  Domains:
constructionjadams.com
organicwellnessfarm.com
beautiful.tours
medvows.com
foxparanormal.com
fsmxmc.com
graniterealestategroup.net
qgi1.com
astrologicsolutions.com
rafbar.com
bastiontools.net
emotist.com
stacyleets.com
bloodtypealpha.com
healtybenenfitsplus.com
vavadadoa3.com
chefbenhk.com
dotgz.com
xn--z4qm188e645c.com
ethyi.com
farrellforcouncil.com
everythingcornea.com
pensje.net
haichuanxin.com
codeproper.com
beautyblvdca.com
namastecarrier.com
xtrator.com
alphabrainbalancing.com
sensationalcleaningservices.net
magistv.info
shotsbynox.com
zioninfosystems.net
yourstoryplace.com
ebmulla.com
turkeyvisa-government.com
albertsonsolutions.com
7brochasmagicas.com
revolutiontourselsalvador.com
eastboundanddowntrucking.com
jkskylights.com
ultimatepoolwater.com
diurr.com
investmentfocused.com
dogscanstay.com
inov8digital.com
paragoncraftevents.com
reservesunbeds.com
melaniesalascosmetics.com
vissito.com
axolc-upoc.xyz
customessayjojo.com
kladki.com
online-securegov.com
xn--demirelik-u3a.com
plgmap.com
contorig2.com
dgyzgs8.com
valuedmind.com
sanacolitademarijuana.com
xn--6j1bs50berk.com
labkitsforstudents.com
lifehakershagirl.online
candidanddevout.com
Signatures

Xloader Payload 2 IoCs
Processes:
  resource | yara_rule
  behavioral1/memory/1980-63-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
  behavioral1/memory/1736-70-0x0000000000080000-0x00000000000A9000-memory.dmp | xloader

Deletes itself 1 IoCs
Processes:
  pid | process
  1224 | cmd.exe

Loads dropped DLL 1 IoCs
Processes:
  pid | process
  484 | New order.exe

Suspicious use of SetThreadContext 3 IoCs
Processes:
  description | pid | process | target process
  PID 484 set thread context of 1980 | 484 | New order.exe | New order.exe
  PID 1980 set thread context of 1228 | 1980 | New order.exe | Explorer.EXE
  PID 1736 set thread context of 1228 | 1736 | NETSTAT.EXE | Explorer.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
Processes:
  pid | process
  1736 | NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 31 IoCs
Processes:
  pid | process
  1980 | New order.exe (2 occurrences)
  1736 | NETSTAT.EXE (29 occurrences)

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  pid | process
  1228 | Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
  pid | process
  484 | New order.exe
  1980 | New order.exe (3 occurrences)
  1736 | NETSTAT.EXE (2 occurrences)

Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1980 | New order.exe
  Token: SeDebugPrivilege | 1736 | NETSTAT.EXE

Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
  pid | process
  1228 | Explorer.EXE (4 occurrences)

Suspicious use of SendNotifyMessage 4 IoCs
Processes:
  pid | process
  1228 | Explorer.EXE (4 occurrences)

Suspicious use of WriteProcessMemory 13 IoCs
Processes:
  description | pid | process | target process
  PID 484 wrote to memory of 1980 | 484 | New order.exe | New order.exe (5 occurrences)
  PID 1228 wrote to memory of 1736 | 1228 | Explorer.EXE | NETSTAT.EXE (4 occurrences)
  PID 1736 wrote to memory of 1224 | 1736 | NETSTAT.EXE | cmd.exe (4 occurrences)
Processes

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\New order.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\New order.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\New order.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\New order.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\NETSTAT.EXE
    command line: "C:\Windows\SysWOW64\NETSTAT.EXE"
    - Suspicious use of SetThreadContext
    - Gathers network information
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\New order.exe"
      - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
\Users\Admin\AppData\Local\Temp\nsx208C.tmp\dpra.dll
  MD5: 3feb8ed49836d35cbab9f2bb9dfaa428
  SHA1: c2a418b93c0bb81ef62267bfed522250321791db
  SHA256: 92dab948f60160d5aba56d2c8c30d83b0a7247ec4e3a8cccc74adb6ef799f051
  SHA512: fe765d282f7fa205a0661f62c6023d71d08818b400c2a20fd868b8c66fdbe5a62218b570292423c1dc02c8881610f3dde55ae7dbbd86b7df3ae2e46d447ed732
-
memory/484-61-0x0000000000500000-0x0000000000502000-memory.dmp
  Filesize: 8KB
-
memory/484-59-0x0000000075FE1000-0x0000000075FE3000-memory.dmp
  Filesize: 8KB
-
memory/1224-68-0x0000000000000000-mapping.dmp
-
memory/1228-73-0x0000000004190000-0x0000000004281000-memory.dmp
  Filesize: 964KB
-
memory/1228-66-0x0000000004D00000-0x0000000004E07000-memory.dmp
  Filesize: 1.0MB
-
memory/1736-70-0x0000000000080000-0x00000000000A9000-memory.dmp
  Filesize: 164KB
-
memory/1736-72-0x0000000001DC0000-0x0000000001E4F000-memory.dmp
  Filesize: 572KB
-
memory/1736-69-0x00000000002C0000-0x00000000002C9000-memory.dmp
  Filesize: 36KB
-
memory/1736-67-0x0000000000000000-mapping.dmp
-
memory/1736-71-0x0000000002000000-0x0000000002303000-memory.dmp
  Filesize: 3.0MB
-
memory/1980-62-0x000000000041D0C0-mapping.dmp
-
memory/1980-64-0x0000000000890000-0x0000000000B93000-memory.dmp
  Filesize: 3.0MB
-
memory/1980-65-0x0000000000230000-0x0000000000240000-memory.dmp
  Filesize: 64KB
-
memory/1980-63-0x0000000000400000-0x0000000000429000-memory.dmp
  Filesize: 164KB