Analysis

Max time kernel: 147s
Max time network: 151s
Submitted: 01-01-1970 00:00

Static task: static1
Behavioral task: behavioral1
Sample: New order payment.exe
Resource: win7-en-20210920
General

Target: New order payment.exe
Size: 248KB
MD5: 0c301355b11c3bc570d18b02bb7c99d8
SHA1: b35295390555e6fc0b85d538dafbfb4cf8c68564
SHA256: 77abd0b0f20b0ca86c241acf5d5d60188362e75213f894b7bea82c8f75a3c1b1
SHA512: a84f50ca4ab7f2e7d29388dfc3ddd152437ad049a0b61d30462f0a2fcfbc21e0810bd5851bcae172c613eebf8c4c70c5073c3f641beca700acaa6d35582b3e25
Malware Config

Extracted
Family: xloader
Version: 2.5
Campaign: u9xn
C2: http://www.crisisinterventionadvocates.com/u9xn/
Decoy domains:
lifeguardingcoursenearme.com
bolsaspapelcdmx.com
parsleypkllqu.xyz
68134.online
shopthatlookboutique.com
canlibahisportal.com
oligopoly.city
srchwithus.online
151motors.com
17yue.info
auntmarysnj.com
hanansalman.com
heyunshangcheng.info
doorslamersplus.com
sfcn-dng.com
highvizpeople.com
seoexpertinbangladesh.com
christinegagnonjewellery.com
artifactorie.biz
mre3.net
webbyteanalysis.online
medicmir.store
shdxh.com
salvationshippingsecurity.com
michita.xyz
itskosi.com
aligncoachingconsulting.com
cryptorickclub.art
cyliamartisbackup.com
ttemola.com
mujeresenfarmalatam.com
mykombuchafactory.com
irasutoya-ryou.com
envtmyouliqy.mobi
expert-rse.com
oddanimalsink.com
piezoelectricenergy.com
itservices-india.com
wintwiin.com
umgaleloacademy.com
everythangbutwhite.com
ishhs.xyz
brandsofcannabis.com
sculptingstones.com
hilldetailingllc.com
stone-project.net
rbrituelbeaute.com
atzoom.store
pronogtiki.store
baybeg.com
b148tlrfee9evtvorgm5947.com
msjanej.com
western-overseas.info
sharpecommunications.com
atlantahomesforcarguys.com
neosudo.com
blulacedefense.com
profilecolombia.com
blacksaltspain.com
sejiw3.xyz
saint444.com
getoken.net
joycegsy.com
fezora.xyz
Signatures

suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)

Xloader Payload (3 IoCs)
Resource                                                                      YARA rule
behavioral2/memory/3892-116-0x0000000000400000-0x0000000000429000-memory.dmp   xloader
behavioral2/memory/3892-117-0x000000000041D4F0-mapping.dmp                      xloader
behavioral2/memory/2644-125-0x0000000003390000-0x00000000033B9000-memory.dmp   xloader

Loads dropped DLL (1 IoC)
PID    Process
2636   New order payment.exe

Suspicious use of SetThreadContext (3 IoCs)
Description                   PID    Process                 Target process
set thread context of 3892    2636   New order payment.exe   New order payment.exe
set thread context of 3020    3892   New order payment.exe   Explorer.EXE
set thread context of 3020    2644   cmd.exe                 Explorer.EXE

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (60 IoCs)
PID    Process                 Hits
3892   New order payment.exe   4
2644   cmd.exe                 56

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
PID    Process
3020   Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
PID    Process                 Hits
3892   New order payment.exe   3
2644   cmd.exe                 2

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Description               PID    Process
Token: SeDebugPrivilege   3892   New order payment.exe
Token: SeDebugPrivilege   2644   cmd.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Description               PID    Process                 Target process          Hits
wrote to memory of 3892   2636   New order payment.exe   New order payment.exe   6
wrote to memory of 2644   3020   Explorer.EXE            cmd.exe                 3
wrote to memory of 3756   2644   cmd.exe                 cmd.exe                 3
Processes

(depth 1) C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory

    (depth 2) C:\Users\Admin\AppData\Local\Temp\New order payment.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\New order payment.exe"
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory

        (depth 3) C:\Users\Admin\AppData\Local\Temp\New order payment.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\New order payment.exe"
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken

    (depth 2) C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\SysWOW64\cmd.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        (depth 3) C:\Windows\SysWOW64\cmd.exe
            Command line: /c del "C:\Users\Admin\AppData\Local\Temp\New order payment.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
\Users\Admin\AppData\Local\Temp\nsbBAC6.tmp\fsfowpfjd.dll
MD5: 6f6e2f6f2744b49b7b411448f0f3eb13
SHA1: 942cad5faa2ba6099414609f79b9d54a9b52919c
SHA256: 74650c5dcc320e98f88369fd97a4a84f7485160441aa1cc985d2912b3e0dfa00
SHA512: 8948c5c1b1010fa38d7be0d0c4ff159939ac44d320e2aea3c9709135ffd79507cd8efd1633dd04aa8efb26efd8ffa1a30a6830f106227d81e8085771d40ffe7b

memory/2644-125-0x0000000003390000-0x00000000033B9000-memory.dmp   Filesize: 164KB
memory/2644-122-0x0000000000000000-mapping.dmp
memory/2644-124-0x0000000000E90000-0x0000000000EE9000-memory.dmp   Filesize: 356KB
memory/2644-126-0x00000000033C0000-0x000000000350A000-memory.dmp   Filesize: 1.3MB
memory/2644-127-0x00000000039F0000-0x0000000003A80000-memory.dmp   Filesize: 576KB
memory/3020-121-0x0000000005E40000-0x0000000005F45000-memory.dmp   Filesize: 1.0MB
memory/3020-128-0x00000000062E0000-0x00000000063F7000-memory.dmp   Filesize: 1.1MB
memory/3756-123-0x0000000000000000-mapping.dmp
memory/3892-117-0x000000000041D4F0-mapping.dmp
memory/3892-120-0x00000000005D0000-0x00000000005E1000-memory.dmp   Filesize: 68KB
memory/3892-119-0x0000000000A90000-0x0000000000DB0000-memory.dmp   Filesize: 3.1MB
memory/3892-116-0x0000000000400000-0x0000000000429000-memory.dmp   Filesize: 164KB