Overview
overview
10Static
static
Order.exe
windows7_x64
5Order.exe
windows10_x64
5????? ????...DF.exe
windows7_x64
10????? ????...DF.exe
windows10_x64
1087597.exe
windows7_x64
1087597.exe
windows10_x64
1029146c1ccd...70.exe
windows7_x64
729146c1ccd...70.exe
windows10_x64
72cc3b42957...8e.exe
windows7_x64
102cc3b42957...8e.exe
windows10_x64
10RICHIESTA ...TA.exe
windows7_x64
10RICHIESTA ...TA.exe
windows10_x64
1039c1e12e0a...25c.js
windows7_x64
139c1e12e0a...25c.js
windows10_x64
13f46e10e5f...3b.exe
windows7_x64
53f46e10e5f...3b.exe
windows10_x64
553074094ad...95dbec
linux_mipsel
685dce7a17...03.exe
windows7_x64
10685dce7a17...03.exe
windows10_x64
106c4aab4c3b...e2.exe
windows7_x64
106c4aab4c3b...e2.exe
windows10_x64
1073a52a4c60...c0.exe
windows7_x64
373a52a4c60...c0.exe
windows10_x64
3Inv_7623980.exe
windows7_x64
10Inv_7623980.exe
windows10_x64
108954739d96...a8.ps1
windows7_x64
88954739d96...a8.ps1
windows10_x64
8USD $.exe
windows7_x64
10USD $.exe
windows10_x64
1091d079d937...b9.exe
windows7_x64
91d079d937...b9.exe
windows10_x64
9706247fdb...89.exe
windows7_x64
Analysis
-
max time kernel
150s -
max time network
160s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
30-07-2021 15:25
Static task
static1
Behavioral task
behavioral1
Sample
Order.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
Order.exe
Resource
win10v20210410
Behavioral task
behavioral3
Sample
????? ?????? ????#454326_PDF.exe
Resource
win7v20210408
Behavioral task
behavioral4
Sample
????? ?????? ????#454326_PDF.exe
Resource
win10v20210410
Behavioral task
behavioral5
Sample
87597.exe
Resource
win7v20210410
Behavioral task
behavioral6
Sample
87597.exe
Resource
win10v20210408
Behavioral task
behavioral7
Sample
29146c1ccdf280c8ac9d0c861f8bd222d2d93777c8a822da4d72c64fc3f78670.exe
Resource
win7v20210410
Behavioral task
behavioral8
Sample
29146c1ccdf280c8ac9d0c861f8bd222d2d93777c8a822da4d72c64fc3f78670.exe
Resource
win10v20210408
Behavioral task
behavioral9
Sample
2cc3b4295747aeeb5a54b923fdbc9be766ee156c8914f5c07663f7cb1055068e.exe
Resource
win7v20210410
Behavioral task
behavioral10
Sample
2cc3b4295747aeeb5a54b923fdbc9be766ee156c8914f5c07663f7cb1055068e.exe
Resource
win10v20210410
Behavioral task
behavioral11
Sample
RICHIESTA DI OFFERTA.exe
Resource
win7v20210408
Behavioral task
behavioral12
Sample
RICHIESTA DI OFFERTA.exe
Resource
win10v20210410
Behavioral task
behavioral13
Sample
39c1e12e0ada85fa835b623a4698345bf95372bea57a7d3a5070ea1d5d5d825c.js
Resource
win7v20210408
Behavioral task
behavioral14
Sample
39c1e12e0ada85fa835b623a4698345bf95372bea57a7d3a5070ea1d5d5d825c.js
Resource
win10v20210410
Behavioral task
behavioral15
Sample
3f46e10e5fe376b995e2947d1be21955aa8341f39d80cca737109fcf2cf2bf3b.exe
Resource
win7v20210408
Behavioral task
behavioral16
Sample
3f46e10e5fe376b995e2947d1be21955aa8341f39d80cca737109fcf2cf2bf3b.exe
Resource
win10v20210410
Behavioral task
behavioral17
Sample
53074094addc55786936f3d67d7fe36554a7c4f4f96c06252ae768707295dbec
Resource
debian9-mipsel
Behavioral task
behavioral18
Sample
685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03.exe
Resource
win7v20210408
Behavioral task
behavioral19
Sample
685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03.exe
Resource
win10v20210410
Behavioral task
behavioral20
Sample
6c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2.exe
Resource
win7v20210408
Behavioral task
behavioral21
Sample
6c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2.exe
Resource
win10v20210410
Behavioral task
behavioral22
Sample
73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe
Resource
win7v20210408
Behavioral task
behavioral23
Sample
73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe
Resource
win10v20210410
Behavioral task
behavioral24
Sample
Inv_7623980.exe
Resource
win7v20210410
Behavioral task
behavioral25
Sample
Inv_7623980.exe
Resource
win10v20210408
Behavioral task
behavioral26
Sample
8954739d960eecd84aa64e657aed72d40567764023ba14e048778d0ebf24cba8.ps1
Resource
win7v20210410
Behavioral task
behavioral27
Sample
8954739d960eecd84aa64e657aed72d40567764023ba14e048778d0ebf24cba8.ps1
Resource
win10v20210408
Behavioral task
behavioral28
Sample
USD $.exe
Resource
win7v20210410
Behavioral task
behavioral29
Sample
USD $.exe
Resource
win10v20210408
Behavioral task
behavioral30
Sample
91d079d9371fa53227e4bb2207ba4d3aa4733feee607773b696779c5e87846b9.exe
Resource
win7v20210410
Behavioral task
behavioral31
Sample
91d079d9371fa53227e4bb2207ba4d3aa4733feee607773b696779c5e87846b9.exe
Resource
win10v20210410
Behavioral task
behavioral32
Sample
9706247fdb847874ca3fad6229787e37299be25d938af865a8e5b132bf313b89.exe
Resource
win7v20210408
General
-
Target
USD $.exe
-
Size
1.0MB
-
MD5
7098068c07032900ff073b55a8ad8e0b
-
SHA1
5bdda0bc06b935689f29d55b297d0523d82c6bfa
-
SHA256
2d7aac32ea8a8329262ead70ec2f030c1a4061e4edafdf03e605bb9ce606836e
-
SHA512
c5568a37cd6cfa600af5742acd1143d434035e2b5d7caa515ccbf182c6f72030e28a3562ee9f5e9341bcc5aeef45f498434fb8ff6835bc07c04220440d0aaf39
Malware Config
Extracted
xloader
2.3
http://www.panyu-qqbaby.com/weni/
sdmdwang.com
konversationswithkoshie.net
carap.club
eagldeream.com
856380585.xyz
elgallocoffee.com
magetu.info
lovertons.com
theichallenge.com
advancedautorepairsonline.com
wingsstyling.info
tapdaugusta.com
wiloasbanhsgtarewdasc.solutions
donjrisdumb.com
experienceddoctor.com
cloverhillconsultants.com
underwear.show
karensgonewild2020.com
arodsr.com
thefucktardmanual.com
712kenwood.info
telecompink.com
ebizkendra.com
kitkatmp3.com
utformehagen.com
profitsnavigator.com
kathyharvey.com
tongaoffshore.com
vrpreservation.com
hy7128.com
nicolettejohnsonphotography.com
rating.travel
visualartcr.com
nationalbarista.com
lovecartoonforever.com
koimkt.com
directpractice.pro
blockchaincloud360.com
queverenbuenosaires.com
coachmyragolden.com
awree.com
facebookipl.com
rcheapwdbuy.com
trinspinsgreen.com
voxaide.com
ecorner.online
mattvickery.com
regarta.com
fknprfct.com
theessentialstore.net
sunilpsingh.com
ovtnywveba.club
optimalgafa.com
awdjob.info
humachem.com
southeasternsteakcompany.com
centerevents.net
warrenswindowcleans.co.uk
lebullterrier.com
thecxchecker.com
formerknown.com
pupbutler.com
tincanphones.com
tgeuuy.cool
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Xloader Payload 3 IoCs
Processes:
resource yara_rule behavioral29/memory/2016-124-0x0000000000400000-0x0000000000428000-memory.dmp xloader behavioral29/memory/2016-125-0x000000000041D000-mapping.dmp xloader behavioral29/memory/640-132-0x0000000000E40000-0x0000000000E68000-memory.dmp xloader -
Suspicious use of SetThreadContext 3 IoCs
Processes:
USD $.exeRegSvcs.exesvchost.exedescription pid process target process PID 656 set thread context of 2016 656 USD $.exe RegSvcs.exe PID 2016 set thread context of 3060 2016 RegSvcs.exe Explorer.EXE PID 640 set thread context of 3060 640 svchost.exe Explorer.EXE -
Suspicious behavior: EnumeratesProcesses 45 IoCs
Processes:
USD $.exeRegSvcs.exesvchost.exepid process 656 USD $.exe 656 USD $.exe 656 USD $.exe 2016 RegSvcs.exe 2016 RegSvcs.exe 2016 RegSvcs.exe 2016 RegSvcs.exe 640 svchost.exe 640 svchost.exe 640 svchost.exe 640 svchost.exe 640 svchost.exe 640 svchost.exe 640 svchost.exe 640 svchost.exe 640 svchost.exe 640 svchost.exe 640 svchost.exe 640 svchost.exe 640 svchost.exe 640 svchost.exe 640 svchost.exe 640 svchost.exe 640 svchost.exe 640 svchost.exe 640 svchost.exe 640 svchost.exe 640 svchost.exe 640 svchost.exe 640 svchost.exe 640 svchost.exe 640 svchost.exe 640 svchost.exe 640 svchost.exe 640 svchost.exe 640 svchost.exe 640 svchost.exe 640 svchost.exe 640 svchost.exe 640 svchost.exe 640 svchost.exe 640 svchost.exe 640 svchost.exe 640 svchost.exe 640 svchost.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXEpid process 3060 Explorer.EXE -
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
RegSvcs.exesvchost.exepid process 2016 RegSvcs.exe 2016 RegSvcs.exe 2016 RegSvcs.exe 640 svchost.exe 640 svchost.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
USD $.exeRegSvcs.exesvchost.exedescription pid process Token: SeDebugPrivilege 656 USD $.exe Token: SeDebugPrivilege 2016 RegSvcs.exe Token: SeDebugPrivilege 640 svchost.exe -
Suspicious use of UnmapMainImage 1 IoCs
Processes:
Explorer.EXEpid process 3060 Explorer.EXE -
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
USD $.exeExplorer.EXEsvchost.exedescription pid process target process PID 656 wrote to memory of 2276 656 USD $.exe RegSvcs.exe PID 656 wrote to memory of 2276 656 USD $.exe RegSvcs.exe PID 656 wrote to memory of 2276 656 USD $.exe RegSvcs.exe PID 656 wrote to memory of 2016 656 USD $.exe RegSvcs.exe PID 656 wrote to memory of 2016 656 USD $.exe RegSvcs.exe PID 656 wrote to memory of 2016 656 USD $.exe RegSvcs.exe PID 656 wrote to memory of 2016 656 USD $.exe RegSvcs.exe PID 656 wrote to memory of 2016 656 USD $.exe RegSvcs.exe PID 656 wrote to memory of 2016 656 USD $.exe RegSvcs.exe PID 3060 wrote to memory of 640 3060 Explorer.EXE svchost.exe PID 3060 wrote to memory of 640 3060 Explorer.EXE svchost.exe PID 3060 wrote to memory of 640 3060 Explorer.EXE svchost.exe PID 640 wrote to memory of 772 640 svchost.exe cmd.exe PID 640 wrote to memory of 772 640 svchost.exe cmd.exe PID 640 wrote to memory of 772 640 svchost.exe cmd.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Users\Admin\AppData\Local\Temp\USD $.exe"C:\Users\Admin\AppData\Local\Temp\USD $.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:656 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"{path}"3⤵PID:2276
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"{path}"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2016 -
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵PID:1868
-
C:\Windows\SysWOW64\svchost.exe"C:\Windows\SysWOW64\svchost.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:640 -
C:\Windows\SysWOW64\cmd.exe/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"3⤵PID:772