Analysis
- max time kernel: 148s
- max time network: 195s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 27-07-2021 16:04
- Static task: static1
- Behavioral task: behavioral1
  Sample: Order-CNS Amura Precision Co., Ltd 9A210118KR.exe
  Resource: win7v20210410
General
- Target: Order-CNS Amura Precision Co., Ltd 9A210118KR.exe
- Size: 252KB
- MD5: f02f2961032796a25c7e090bb4f70566
- SHA1: 8c530a1533800db7d8dea165ea93421e2c996dad
- SHA256: 7a34064785bd677a927fa90988d9001aed285762f230d0fe08db7b2ca89ce987
- SHA512: 92df5ef56be6a6f5eeaeeb9b11559ca0a2960de9e7e0ba3a24308d603fa7be3375e41f7a618b6d02a4d7739b3ac75ba91203bf2ecfe963689539bc05dcdb0507
Malware Config
Extracted family: xloader, version 2.3
- C2: http://www.skelligsseasafari.com/dzqd/ (the path component, dzqd, is the campaign identifier)
- Decoy domains (64): the plain domains below are the decoy list an XLoader/FormBook config carries next to the live C2. The bot also beacons to them to mask the real server, and most are ordinary legitimate sites, so they are weak indicators on their own; alert on the C2 URL and treat the decoys as low-confidence.
weekendsday.com
kansasfriedchiken.com
bestselfdrive.com
timeleveragechallenge.com
theunboxiblenation.net
adriaeurope-group.com
acrylicphotobloc.com
theincentivized.com
histreetbutler.com
kumamkt.com
cutepuppyspot.store
crisp-ui.com
easyecotour.com
longshotloungeenglewood.com
esotericclothingco.com
henglai58.com
handmadecircles.com
k9itsrk940aeq6.xyz
service-it-net.com
rt-p-c-14h9-1elk-jpzs.com
bellhavensodabay.com
allinonecup.com
clong-tech.com
youyouwuliu.com
howifuckedthisup.com
newsbow.com
ghanaforums.com
scottslondon.com
everyonelovesmomo.com
saborlatinoonlinetv.com
mrplumbergrayson.com
oneofakinddrafting.com
studentbackers.com
getawayspizza.com
ofhad.com
robertanthonyhmua.com
wynburgpharma.com
hqplaytvall.xyz
magetu.info
onewarriornation.faith
ayzulcreatives.com
domaine-bertheauville.com
globalrich.net
chapeloflovevegas.com
primefoodny.com
mirachristaclothing.com
tecnomkt.net
arianstyle.com
muzhik-seks.site
sodapc.com
noterii.com
aadvarkpublishing.com
eastneuknow.com
queencitysupper.com
ymzan.com
kronosftw.online
justqualityconstruction.com
infosupend.info
zshled.com
persylondon.com
andersonchristopher.com
flourishingcommons.com
alfonsodomecq.com
6cify-848.net
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  (XLoader is the rebranded successor of FormBook and keeps its check-in format, so the Emerging Threats FormBook rule fires on the HTTP GET beacon.)
- Xloader Payload (2 IoCs)
  yara rule "xloader" matched in:
  behavioral1/memory/1416-62-0x0000000000400000-0x0000000000429000-memory.dmp
  behavioral1/memory/1780-69-0x0000000000080000-0x00000000000A9000-memory.dmp
  Both regions are 0x29000 bytes (164KB): the same unpacked image, mapped first in the hollowed copy of the sample (pid 1416) and then in control.exe (pid 1780).
- Deletes itself (1 IoC)
  pid 1688 cmd.exe
- Suspicious use of SetThreadContext (3 IoCs)
  PID 1060 (Order-CNS Amura Precision Co., Ltd 9A210118KR.exe) set thread context of 1416 (Order-CNS Amura Precision Co., Ltd 9A210118KR.exe)
  PID 1416 (Order-CNS Amura Precision Co., Ltd 9A210118KR.exe) set thread context of 1216 (Explorer.EXE)
  PID 1780 (control.exe) set thread context of 1216 (Explorer.EXE)
  This is the usual XLoader/FormBook chain: the dropper hollows a second copy of itself, that copy injects into Explorer.EXE, and the injected Explorer starts a Windows system binary (here control.exe) that hosts the final stage, injects into Explorer.EXE again and deletes the dropper.
- Suspicious behavior: EnumeratesProcesses (31 IoCs)
  pid 1416 Order-CNS Amura Precision Co., Ltd 9A210118KR.exe (2), pid 1780 control.exe (29)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 1216 Explorer.EXE
- Suspicious behavior: MapViewOfSection (6 IoCs)
  pid 1060 Order-CNS Amura Precision Co., Ltd 9A210118KR.exe (1), pid 1416 Order-CNS Amura Precision Co., Ltd 9A210118KR.exe (3), pid 1780 control.exe (2)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, pid 1416 Order-CNS Amura Precision Co., Ltd 9A210118KR.exe
  Token: SeDebugPrivilege, pid 1780 control.exe
- Suspicious use of FindShellTrayWindow (4 IoCs)
  pid 1216 Explorer.EXE (4)
- Suspicious use of SendNotifyMessage (4 IoCs)
  pid 1216 Explorer.EXE (4)
- Suspicious use of WriteProcessMemory (13 IoCs)
  PID 1060 (Order-CNS Amura Precision Co., Ltd 9A210118KR.exe) wrote to memory of 1416 (Order-CNS Amura Precision Co., Ltd 9A210118KR.exe) (5)
  PID 1216 (Explorer.EXE) wrote to memory of 1780 (control.exe) (4)
  PID 1780 (control.exe) wrote to memory of 1688 (cmd.exe) (4)
Processes
(the number is the depth in the tree; pids are taken from the signature tables above)
1. C:\Windows\Explorer.EXE (pid 1216)
   command line: C:\Windows\Explorer.EXE
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory
  2. C:\Users\Admin\AppData\Local\Temp\Order-CNS Amura Precision Co., Ltd 9A210118KR.exe (pid 1060)
     command line: "C:\Users\Admin\AppData\Local\Temp\Order-CNS Amura Precision Co., Ltd 9A210118KR.exe"
     - Suspicious use of SetThreadContext
     - Suspicious behavior: MapViewOfSection
     - Suspicious use of WriteProcessMemory
    3. C:\Users\Admin\AppData\Local\Temp\Order-CNS Amura Precision Co., Ltd 9A210118KR.exe (pid 1416, hollowed copy)
       command line: "C:\Users\Admin\AppData\Local\Temp\Order-CNS Amura Precision Co., Ltd 9A210118KR.exe"
       - Suspicious use of SetThreadContext
       - Suspicious behavior: EnumeratesProcesses
       - Suspicious behavior: MapViewOfSection
       - Suspicious use of AdjustPrivilegeToken
  2. C:\Windows\SysWOW64\control.exe (pid 1780)
     command line: "C:\Windows\SysWOW64\control.exe"
     - Suspicious use of SetThreadContext
     - Suspicious behavior: EnumeratesProcesses
     - Suspicious behavior: MapViewOfSection
     - Suspicious use of AdjustPrivilegeToken
     - Suspicious use of WriteProcessMemory
    3. C:\Windows\SysWOW64\cmd.exe (pid 1688)
       command line: /c del "C:\Users\Admin\AppData\Local\Temp\Order-CNS Amura Precision Co., Ltd 9A210118KR.exe"
       - Deletes itself
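As an added example (not part of the sandbox report or its tooling), the Python below turns the signature tables and process tree above into an injection-chain verdict the way a triage script would: it reconstructs the SetThreadContext chain, names the hollowing of the sample's own child, the hop into Explorer.EXE and the control.exe stage, recognises the cmd.exe self-deletion, checks that the two yara-flagged dump regions are the same size (the same unpacked image in two processes), and separates the C2 URL from the decoy domains in the extracted config. The event tuples are hand-built from the tables on this page; their layout and every helper name are assumptions of this example, not the sandbox's export format.

```python
import re

# Constructed by hand from this report's signature tables and process tree; the tuple
# layout (api, src_pid, src_image, dst_pid, dst_image) and the helper names are
# assumptions of this example, not the sandbox's export format.
SAMPLE = "Order-CNS Amura Precision Co., Ltd 9A210118KR.exe"
SAMPLE_PATH = (r"C:\Users\Admin\AppData\Local\Temp\Order-CNS Amura Precision Co., Ltd "
               r"9A210118KR.exe")

EVENTS = [
    ("WriteProcessMemory", 1060, SAMPLE, 1416, SAMPLE),
    ("SetThreadContext", 1060, SAMPLE, 1416, SAMPLE),
    ("SetThreadContext", 1416, SAMPLE, 1216, "Explorer.EXE"),
    ("WriteProcessMemory", 1216, "Explorer.EXE", 1780, "control.exe"),
    ("SetThreadContext", 1780, "control.exe", 1216, "Explorer.EXE"),
    ("WriteProcessMemory", 1780, "control.exe", 1688, "cmd.exe"),
]
# The one child whose command line the process tree shows.
CMDLINES = {1688: ("cmd.exe", f'/c del "{SAMPLE_PATH}"')}

# Dumps the "xloader" yara rule matched, copied from the Signatures section.
YARA_HITS = [
    "behavioral1/memory/1416-62-0x0000000000400000-0x0000000000429000-memory.dmp",
    "behavioral1/memory/1780-69-0x0000000000080000-0x00000000000A9000-memory.dmp",
]

# Extracted config: the C2 URL plus the first few decoys (a subset of the list above).
CONFIG = [
    "http://www.skelligsseasafari.com/dzqd/",
    "weekendsday.com",
    "kansasfriedchiken.com",
    "bestselfdrive.com",
]

DUMP_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def region(dump_name):
    """(pid, base, size_in_bytes) parsed from a '<pid>-<n>-<start>-<end>-memory.dmp' name."""
    m = DUMP_RE.search(dump_name)
    if m is None:
        raise ValueError(f"not a memory-dump name: {dump_name}")
    pid, start, end = int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)
    return pid, start, end - start


def same_unpacked_image(dumps):
    """True when all flagged dumps have one size: the same payload mapped in each process."""
    return len({region(d)[2] for d in dumps}) == 1


def injection_chain(events):
    """Ordered (src_pid, src_image, dst_pid, dst_image) for every SetThreadContext call."""
    return [(s, si, d, di) for api, s, si, d, di in events if api == "SetThreadContext"]


def split_config(entries):
    """Separate the entry carrying a scheme and path (the live C2) from bare decoy domains."""
    c2 = [e for e in entries if "://" in e]
    decoys = [e for e in entries if "://" not in e]
    return c2, decoys


def findings(events=EVENTS, cmdlines=CMDLINES, sample_path=SAMPLE_PATH):
    """Human-readable verdicts for the injection and self-deletion patterns in the events."""
    out = []
    written_by = {}  # dst_pid -> (src_pid, src_image) of the first process that wrote into it
    for api, s, si, d, di in events:
        if api == "WriteProcessMemory":
            written_by.setdefault(d, (s, si))
    for s, si, d, di in injection_chain(events):
        if si == di and written_by.get(d, (None, None))[0] == s:
            # parent wrote into a child with its own image and then reset its thread context
            out.append(f"process hollowing: {s} wrote into and replaced the thread context "
                       f"of its own child {d} ({si})")
        elif di.lower() == "explorer.exe":
            via = written_by.get(s)
            if via and via[1].lower() == "explorer.exe":
                out.append(f"Explorer.EXE-hosted stage: {via[0]} wrote into {s} ({si}), "
                           f"which injected back into Explorer.EXE {d}")
            else:
                out.append(f"thread hijack into Explorer.EXE: {s} ({si}) -> {d}")
    for pid, (image, args) in cmdlines.items():
        if (image.lower() == "cmd.exe" and re.search(r"\bdel\b", args, re.I)
                and sample_path.lower() in args.lower()):
            writer = written_by.get(pid, ("?", "?"))
            out.append(f"self-deletion: cmd.exe {pid} (written to by {writer[1]} {writer[0]}) "
                       f"deletes the original sample")
    return out


if __name__ == "__main__":
    for line in findings():
        print(line)
    print("same unpacked image in both yara hits:", same_unpacked_image(YARA_HITS))
    print("C2 / decoys:", split_config(CONFIG))
```

The size check is the one worth keeping in a real pipeline: when the yara-flagged regions in two different processes have identical sizes (here 0x29000 bytes in pid 1416 and pid 1780), you are looking at one unpacked payload carried across the hops, and either dump is sufficient for config extraction.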
Downloads
Memory dumps (name encodes pid, dump index, start and end address):
- memory/1060-61-0x0000000000260000-0x0000000000262000-memory.dmp, 8KB
- memory/1060-59-0x00000000752B1000-0x00000000752B3000-memory.dmp, 8KB
- memory/1216-65-0x0000000006420000-0x000000000657B000-memory.dmp, 1.4MB
- memory/1216-73-0x0000000003A40000-0x0000000003AD5000-memory.dmp, 596KB
- memory/1416-63-0x0000000000900000-0x0000000000C03000-memory.dmp, 3.0MB
- memory/1416-62-0x0000000000400000-0x0000000000429000-memory.dmp, 164KB (xloader yara hit)
- memory/1416-64-0x0000000000290000-0x00000000002A0000-memory.dmp, 64KB
- memory/1416-60-0x000000000041D100-mapping.dmp
- memory/1688-70-0x0000000000000000-mapping.dmp
- memory/1780-66-0x0000000000000000-mapping.dmp
- memory/1780-68-0x0000000000420000-0x000000000043F000-memory.dmp, 124KB
- memory/1780-69-0x0000000000080000-0x00000000000A9000-memory.dmp, 164KB (xloader yara hit)
- memory/1780-71-0x00000000020C0000-0x00000000023C3000-memory.dmp, 3.0MB
- memory/1780-72-0x0000000000440000-0x00000000004CF000-memory.dmp, 572KB