Analysis
- max time kernel: 149s
- max time network: 148s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 24-09-2021 07:47
Static task: static1
Behavioral task: behavioral1
Sample: Order Confirmation with Invoice & Packing List.Pdf.exe
Resource: win7v20210408
General
- Target: Order Confirmation with Invoice & Packing List.Pdf.exe
- Size: 559KB
- MD5: 91395b2b8907c3d08e2d6b4da9931a9c
- SHA1: 801c292d0673c8ec990fa9dab1ebaae122dbc552
- SHA256: 387508d9f7c0d79b09bde31b037d1c43ceb1ce799a0cc94a77a20226477b47f7
- SHA512: 0d95e0a195c1707c37cfecbe9d241f80935f25f1c8073eaa510c3ddd95c3deecd2e85f9ca5bb9387238935c78b29f164261da22e933aa2d65ccde1c7b3ea89eb
Malware Config
Extracted
- Family: xloader
- Version: 2.5
- Campaign: ny9y
- C2: http://www.caddomain.com/ny9y/
- Decoys:
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Xloader Payload 3 IoCs
Processes:
resource / yara_rule
- behavioral2/memory/2660-125-0x0000000000400000-0x0000000000429000-memory.dmp: xloader
- behavioral2/memory/2660-126-0x000000000041D470-mapping.dmp: xloader
- behavioral2/memory/2816-135-0x00000000004E0000-0x0000000000509000-memory.dmp: xloader
Suspicious use of SetThreadContext 3 IoCs
Processes:
description / pid / process / target process
- PID 2072 set thread context of 2660: Order Confirmation with Invoice & Packing List.Pdf.exe -> Order Confirmation with Invoice & Packing List.Pdf.exe
- PID 2660 set thread context of 2648: Order Confirmation with Invoice & Packing List.Pdf.exe -> Explorer.EXE
- PID 2816 set thread context of 2648: msiexec.exe -> Explorer.EXE
Suspicious behavior: EnumeratesProcesses 48 IoCs
Processes:
pid / process
- 2660 Order Confirmation with Invoice & Packing List.Pdf.exe (4 entries)
- 2816 msiexec.exe (44 entries)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid / process
- 2648 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
pid / process
- 2660 Order Confirmation with Invoice & Packing List.Pdf.exe (3 entries)
- 2816 msiexec.exe (2 entries)
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description / pid / process
- Token: SeDebugPrivilege, 2660 Order Confirmation with Invoice & Packing List.Pdf.exe
- Token: SeDebugPrivilege, 2816 msiexec.exe
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description / pid / process / target process
- PID 2072 wrote to memory of 2660: Order Confirmation with Invoice & Packing List.Pdf.exe -> Order Confirmation with Invoice & Packing List.Pdf.exe (6 entries)
- PID 2648 wrote to memory of 2816: Explorer.EXE -> msiexec.exe (3 entries)
- PID 2816 wrote to memory of 3752: msiexec.exe -> cmd.exe (3 entries)
Processes
- [1] C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\Order Confirmation with Invoice & Packing List.Pdf.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Order Confirmation with Invoice & Packing List.Pdf.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\Order Confirmation with Invoice & Packing List.Pdf.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Order Confirmation with Invoice & Packing List.Pdf.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\msiexec.exe
    command line: "C:\Windows\SysWOW64\msiexec.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\Order Confirmation with Invoice & Packing List.Pdf.exe"
Downloads
- memory/2072-117-0x0000000005DF0000-0x0000000005DF1000-memory.dmp (4KB)
- memory/2072-118-0x00000000058F0000-0x00000000058F1000-memory.dmp (4KB)
- memory/2072-119-0x00000000059F0000-0x00000000059F1000-memory.dmp (4KB)
- memory/2072-120-0x0000000005C90000-0x0000000005CAD000-memory.dmp (116KB)
- memory/2072-121-0x00000000058F0000-0x0000000005DEE000-memory.dmp (5.0MB)
- memory/2072-122-0x0000000007F20000-0x0000000007F21000-memory.dmp (4KB)
- memory/2072-123-0x0000000008160000-0x00000000081C8000-memory.dmp (416KB)
- memory/2072-124-0x00000000081D0000-0x0000000008208000-memory.dmp (224KB)
- memory/2072-115-0x0000000000FC0000-0x0000000000FC1000-memory.dmp (4KB)
- memory/2648-129-0x0000000006A10000-0x0000000006B99000-memory.dmp (1.5MB)
- memory/2648-138-0x0000000006550000-0x0000000006652000-memory.dmp (1.0MB)
- memory/2660-126-0x000000000041D470-mapping.dmp
- memory/2660-127-0x0000000001060000-0x0000000001380000-memory.dmp (3.1MB)
- memory/2660-128-0x0000000001380000-0x0000000001391000-memory.dmp (68KB)
- memory/2660-125-0x0000000000400000-0x0000000000429000-memory.dmp (164KB)
- memory/2816-130-0x0000000000000000-mapping.dmp
- memory/2816-133-0x0000000000C60000-0x0000000000C72000-memory.dmp (72KB)
- memory/2816-134-0x00000000043C0000-0x00000000046E0000-memory.dmp (3.1MB)
- memory/2816-135-0x00000000004E0000-0x0000000000509000-memory.dmp (164KB)
- memory/2816-137-0x00000000042B0000-0x0000000004340000-memory.dmp (576KB)
- memory/3752-136-0x0000000000000000-mapping.dmp