Analysis

max time kernel: 150s
max time network: 149s
platform: windows10_x64
resource: win10-en-20211014
submitted: 05-11-2021 12:49

Static task: static1
Behavioral task: behavioral1
Sample: NEW ORDER 2021.exe
Resource: win7-en-20211104
General

Target: NEW ORDER 2021.exe
Size: 307KB
MD5: e6bd805df7bb8a90503c4b1f5784bd3c
SHA1: 51d0e6942ca0732c5a3f2e2876d9216236bfc178
SHA256: dd07d6d24f528663fa5cb854c523d5ba2b096a9b3dc23b466cef94355f0cdec9
SHA512: f715ddcf9c169cbb2073f7e80afc151c09605717202da13b3eb40841077c2bbbbea4b996b13ca31abd1d6f38e89e583de9c1db7ad908ff5245299e95cc0625a5
Malware Config

Extracted
Family: xloader
Version: 2.5
Campaign: b2c0
C2: http://www.thesewhitevvalls.com/b2c0/
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
Xloader Payload (4 IoCs)
resource / yara_rule:
behavioral2/memory/3512-116-0x0000000000400000-0x0000000000429000-memory.dmp  xloader
behavioral2/memory/3512-117-0x000000000041D4C0-mapping.dmp  xloader
behavioral2/memory/3512-122-0x0000000000400000-0x0000000000429000-memory.dmp  xloader
behavioral2/memory/592-127-0x0000000000BA0000-0x0000000000BC9000-memory.dmp  xloader

Loads dropped DLL (1 IoC)
pid 3924  NEW ORDER 2021.exe

Suspicious use of SetThreadContext (4 IoCs)
PID 3924 (NEW ORDER 2021.exe) set thread context of 3512 (NEW ORDER 2021.exe)
PID 3512 (NEW ORDER 2021.exe) set thread context of 3032 (Explorer.EXE)
PID 3512 (NEW ORDER 2021.exe) set thread context of 3032 (Explorer.EXE)
PID 592 (wlanext.exe) set thread context of 3032 (Explorer.EXE)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (60 IoCs)
pid 3512  NEW ORDER 2021.exe  (6 hits)
pid 592  wlanext.exe  (54 hits)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid 3032  Explorer.EXE

Suspicious behavior: MapViewOfSection (6 IoCs)
pid 3512  NEW ORDER 2021.exe  (4 hits)
pid 592  wlanext.exe  (2 hits)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Token: SeDebugPrivilege  pid 3512  NEW ORDER 2021.exe
Token: SeDebugPrivilege  pid 592  wlanext.exe

Suspicious use of WriteProcessMemory (12 IoCs)
PID 3924 (NEW ORDER 2021.exe) wrote to memory of 3512 (NEW ORDER 2021.exe)  (6 hits)
PID 3032 (Explorer.EXE) wrote to memory of 592 (wlanext.exe)  (3 hits)
PID 592 (wlanext.exe) wrote to memory of 60 (cmd.exe)  (3 hits)
Processes

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\NEW ORDER 2021.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\NEW ORDER 2021.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\NEW ORDER 2021.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\NEW ORDER 2021.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\autofmt.exe
    command line: "C:\Windows\SysWOW64\autofmt.exe"

  C:\Windows\SysWOW64\wlanext.exe
    command line: "C:\Windows\SysWOW64\wlanext.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\NEW ORDER 2021.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

\Users\Admin\AppData\Local\Temp\nsqB901.tmp\qyspb.dll
MD5: 22a23f902e2e0860cf41e1534461282d
SHA1: 290d37c360cbcd823a43be36b92d84cd2e69f9fe
SHA256: 7038059f5e4caa6f5c64129f562cc7d406859c66bf5cee59025c0afc7ca80c66
SHA512: ad766d2d8ca97e8703ee93a7a0557d32909c7014ae3f438a9327d9b204f099ca83a5831b797a425393711075f3a773c662b4e21e13e7051ad093f0cefab65df6

memory/60-128-0x0000000000000000-mapping.dmp
memory/592-130-0x0000000003350000-0x00000000033E0000-memory.dmp  Filesize 576KB
memory/592-129-0x00000000034F0000-0x0000000003810000-memory.dmp  Filesize 3.1MB
memory/592-127-0x0000000000BA0000-0x0000000000BC9000-memory.dmp  Filesize 164KB
memory/592-126-0x0000000001330000-0x0000000001347000-memory.dmp  Filesize 92KB
memory/592-125-0x0000000000000000-mapping.dmp
memory/3032-124-0x0000000005E60000-0x0000000005FE5000-memory.dmp  Filesize 1.5MB
memory/3032-121-0x0000000005BE0000-0x0000000005D76000-memory.dmp  Filesize 1.6MB
memory/3032-131-0x00000000024C0000-0x0000000002566000-memory.dmp  Filesize 664KB
memory/3512-123-0x0000000000A20000-0x0000000000A31000-memory.dmp  Filesize 68KB
memory/3512-122-0x0000000000400000-0x0000000000429000-memory.dmp  Filesize 164KB
memory/3512-120-0x00000000009D0000-0x00000000009E1000-memory.dmp  Filesize 68KB
memory/3512-119-0x0000000000A70000-0x0000000000D90000-memory.dmp  Filesize 3.1MB
memory/3512-117-0x000000000041D4C0-mapping.dmp
memory/3512-116-0x0000000000400000-0x0000000000429000-memory.dmp  Filesize 164KB