Analysis
Max time kernel: 150s
Max time network: 146s
Platform: windows7_x64
Resource: win7-en-20211104
Submitted: 21-11-2021 15:57

Behavioral task: behavioral1
Sample: Purchase Order no.202201EYL-01.exe
Resource: win7-en-20211104
General
Target: Purchase Order no.202201EYL-01.exe
Size: 163KB
MD5: bf3176a88b749246b4294096531f97ca
SHA1: 34ae702a189c937a26dd8066466d43a3ef756b61
SHA256: 2ff3a8569873600f75e011be4ead5896a408672e43b15008679692557f6dc6c9
SHA512: a75d6c7e362c06ae248b830bd91ec75730116461e7f6bc93c16ffc7c619c7eff8282a83439fffdae31ea401e6629db31ef8d36f041d6c08f353a5758c09f3327
Malware Config
Extracted family: xloader
Version: 2.5
Campaign: 46uq
C2 URL: http://www.jixelbbk.com/46uq/
Signatures

Xloader Payload (1 IoC)
- resource: behavioral1/memory/864-60-0x00000000000B0000-0x00000000000D9000-memory.dmp, yara_rule: xloader

Deletes itself (1 IoC)
- PID 1740 cmd.exe

Suspicious use of SetThreadContext (2 IoCs)
- PID 1364 Purchase Order no.202201EYL-01.exe set thread context of PID 1276 Explorer.EXE
- PID 864 wscript.exe set thread context of PID 1276 Explorer.EXE

Suspicious behavior: EnumeratesProcesses (31 IoCs)
- PID 1364 Purchase Order no.202201EYL-01.exe (2 entries)
- PID 864 wscript.exe (29 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 1276 Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
- PID 1364 Purchase Order no.202201EYL-01.exe (3 entries)
- PID 864 wscript.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, PID 1364 Purchase Order no.202201EYL-01.exe
- Token: SeDebugPrivilege, PID 864 wscript.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
- PID 1276 Explorer.EXE (2 entries)

Suspicious use of SendNotifyMessage (2 IoCs)
- PID 1276 Explorer.EXE (2 entries)

Suspicious use of WriteProcessMemory (8 IoCs)
- PID 1276 Explorer.EXE wrote to memory of PID 864 wscript.exe (4 entries)
- PID 864 wscript.exe wrote to memory of PID 1740 cmd.exe (4 entries)
Processes

- C:\Windows\Explorer.EXE (PID 1276, depth 1)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\Purchase Order no.202201EYL-01.exe (PID 1364, depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Purchase Order no.202201EYL-01.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\wscript.exe (PID 864, depth 2)
    Command line: "C:\Windows\SysWOW64\wscript.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\cmd.exe (PID 1740, depth 3)
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\Purchase Order no.202201EYL-01.exe"
      - Deletes itself
Downloads
- memory/864-58-0x0000000000000000-mapping.dmp
- memory/864-59-0x00000000007B0000-0x00000000007D6000-memory.dmp (152KB)
- memory/864-60-0x00000000000B0000-0x00000000000D9000-memory.dmp (164KB)
- memory/864-61-0x0000000002030000-0x0000000002333000-memory.dmp (3.0MB)
- memory/864-63-0x00000000008E0000-0x0000000000970000-memory.dmp (576KB)
- memory/1276-57-0x0000000006C30000-0x0000000006DA8000-memory.dmp (1.5MB)
- memory/1276-64-0x00000000073A0000-0x00000000074BC000-memory.dmp (1.1MB)
- memory/1364-56-0x0000000000270000-0x0000000000281000-memory.dmp (68KB)
- memory/1364-55-0x00000000008D0000-0x0000000000BD3000-memory.dmp (3.0MB)
- memory/1740-62-0x0000000000000000-mapping.dmp