Analysis
max time kernel: 152s
max time network: 153s
platform: windows10_x64
resource: win10v20210408
submitted: 15-09-2021 06:28
Static task: static1
Behavioral task: behavioral1
Sample: Order List from Dunen Enterprise Corporation.exe
Resource: win7v20210408
General
Target: Order List from Dunen Enterprise Corporation.exe
Size: 128KB
MD5: 744d832006910318b2826e4cc8db4b11
SHA1: b58f485d5153dc4cb1a608091e1174d6fc966a4a
SHA256: e015835dd69bbd384cb9b347984b648562281ba9e532ca110b6962bce9262251
SHA512: 2ef7a81389e03fe8cdaa42e39e9df842d811b87b97d50e915e01d8fa35e3eaa49f7aaa03aa5a534e3413a636d3bf011ff9774a4b5b2553fbecef24aa8425deb4
Malware Config
Extracted: xloader 2.3, hhse
http://www.mx-online-service.xyz/hhse/
Signatures
Guloader, Cloudeye
A shellcode-based downloader first seen in 2020.
Xloader Payload 1 IoCs
resource | yara_rule
behavioral2/memory/4024-126-0x0000000000401000-0x0000000000541000-memory.dmp | xloader

Checks QEMU agent file 2 TTPs 2 IoCs
Checks presence of QEMU agent, possibly to detect virtualization.
Processes: Order List from Dunen Enterprise Corporation.exe, Order List from Dunen Enterprise Corporation.exe
description | ioc | process
File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | Order List from Dunen Enterprise Corporation.exe
File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | Order List from Dunen Enterprise Corporation.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
Processes: Order List from Dunen Enterprise Corporation.exe, Order List from Dunen Enterprise Corporation.exe
pid | process
4016 | Order List from Dunen Enterprise Corporation.exe
4024 | Order List from Dunen Enterprise Corporation.exe
4024 | Order List from Dunen Enterprise Corporation.exe

Suspicious use of SetThreadContext 2 IoCs
Processes: Order List from Dunen Enterprise Corporation.exe, Order List from Dunen Enterprise Corporation.exe
description | pid | process | target process
PID 4016 set thread context of 4024 | 4016 | Order List from Dunen Enterprise Corporation.exe | Order List from Dunen Enterprise Corporation.exe
PID 4024 set thread context of 3028 | 4024 | Order List from Dunen Enterprise Corporation.exe | Explorer.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes: Order List from Dunen Enterprise Corporation.exe
pid | process
4024 | Order List from Dunen Enterprise Corporation.exe
4024 | Order List from Dunen Enterprise Corporation.exe
4024 | Order List from Dunen Enterprise Corporation.exe
4024 | Order List from Dunen Enterprise Corporation.exe

Suspicious behavior: MapViewOfSection 2 IoCs
Processes: Order List from Dunen Enterprise Corporation.exe, Order List from Dunen Enterprise Corporation.exe
pid | process
4016 | Order List from Dunen Enterprise Corporation.exe
4024 | Order List from Dunen Enterprise Corporation.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: Order List from Dunen Enterprise Corporation.exe
description | pid | process
Token: SeDebugPrivilege | 4024 | Order List from Dunen Enterprise Corporation.exe

Suspicious use of SetWindowsHookEx 1 IoCs
Processes: Order List from Dunen Enterprise Corporation.exe
pid | process
4016 | Order List from Dunen Enterprise Corporation.exe

Suspicious use of WriteProcessMemory 7 IoCs
Processes: Order List from Dunen Enterprise Corporation.exe, Explorer.EXE
description | pid | process | target process
PID 4016 wrote to memory of 4024 | 4016 | Order List from Dunen Enterprise Corporation.exe | Order List from Dunen Enterprise Corporation.exe
PID 4016 wrote to memory of 4024 | 4016 | Order List from Dunen Enterprise Corporation.exe | Order List from Dunen Enterprise Corporation.exe
PID 4016 wrote to memory of 4024 | 4016 | Order List from Dunen Enterprise Corporation.exe | Order List from Dunen Enterprise Corporation.exe
PID 4016 wrote to memory of 4024 | 4016 | Order List from Dunen Enterprise Corporation.exe | Order List from Dunen Enterprise Corporation.exe
PID 3028 wrote to memory of 3768 | 3028 | Explorer.EXE | chkdsk.exe
PID 3028 wrote to memory of 3768 | 3028 | Explorer.EXE | chkdsk.exe
PID 3028 wrote to memory of 3768 | 3028 | Explorer.EXE | chkdsk.exe
Processes
1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\Order List from Dunen Enterprise Corporation.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Order List from Dunen Enterprise Corporation.exe"
      - Checks QEMU agent file
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\Order List from Dunen Enterprise Corporation.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\Order List from Dunen Enterprise Corporation.exe"
         - Checks QEMU agent file
         - Suspicious use of NtSetInformationThreadHideFromDebugger
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\SysWOW64\chkdsk.exe
      Command line: "C:\Windows\SysWOW64\chkdsk.exe"
Downloads
memory dump | filesize
memory/3028-129-0x0000000002E20000-0x0000000002EF6000-memory.dmp | 856KB
memory/4016-121-0x0000000077870000-0x00000000779FE000-memory.dmp | 1.6MB
memory/4016-122-0x0000000077870000-0x00000000779FE000-memory.dmp | 1.6MB
memory/4016-116-0x0000000002310000-0x0000000002321000-memory.dmp | 68KB
memory/4016-120-0x00007FFB9C4F0000-0x00007FFB9C6CB000-memory.dmp | 1.9MB
memory/4024-119-0x0000000000401000-0x00000000004FD000-memory.dmp | 1008KB
memory/4024-118-0x0000000000400000-0x0000000000553000-memory.dmp | 1.3MB
memory/4024-123-0x0000000000560000-0x0000000000660000-memory.dmp | 1024KB
memory/4024-125-0x0000000077870000-0x00000000779FE000-memory.dmp | 1.6MB
memory/4024-124-0x00007FFB9C4F0000-0x00007FFB9C6CB000-memory.dmp | 1.9MB
memory/4024-126-0x0000000000401000-0x0000000000541000-memory.dmp | 1.2MB
memory/4024-127-0x000000001E820000-0x000000001EB40000-memory.dmp | 3.1MB
memory/4024-128-0x000000001E620000-0x000000001E630000-memory.dmp | 64KB
memory/4024-117-0x0000000000401574-mapping.dmp | (no size listed)