Analysis
Max time kernel: 150s
Max time network: 150s
Platform: windows7_x64
Resource: win7-en-20211104
Submitted: 07-12-2021 11:47
Static task: static1
Behavioral task: behavioral1
Sample: KBH-209294917.js
Resource: win7-en-20211104

General
Target: KBH-209294917.js
Size: 473KB
MD5: 262687b7aff644cea1a76fc57da4cc9f
SHA1: eaef6f314389d0462d3c59e7974f2dd39a219dc1
SHA256: 800bd31c44aa12fd62c8068878f1cb6479143792b0b99750be64d3aca407e0e4
SHA512: fff886a0c970fd907447d1eacae20a795fe3f03e655fa4138dd79fe0976f6b6b9a3397d9803e57f767a3d1290dd613696a5b08fa9c6e93b47799fed75dd6a93b
Malware Config
Extracted
Family: xloader
Version: 2.5
Campaign ID: pzi0
C2: http://www.buffstaff.com/pzi0/
Decoy domains: XLoader's configuration carries one real C2 (above) plus a list of decoy domains that the implant also contacts so the real panel is harder to pick out of network telemetry. The decoys are generally unrelated sites, often legitimate; block and hunt on the C2 URL, and use the decoy list for correlation rather than as a blocklist.
laylmodest.com
woruke.club
metaverseslots.net
syscogent.net
aluxxenterprise.com
lm-solar.com
lightempirestore.com
witcheboutique.com
hometech-bosch.xyz
expert-netcad.com
poteconomist.com
mycousinsfriend.biz
shineveranda.com
collegedictionary.cloud
zqlidexx.com
businessesopportunity.com
2utalahs4.com
participatetn.info
dare2ownit.com
varser.com
gxo.digital
networkroftrl.xyz
renturways.com
theprooff.com
ncgf06.xyz
lighterior2.com
one-seo.xyz
benzprod.xyz
k6tkuwrnjake.biz
robinlynnolson.com
ioptest.com
modern-elementz.com
baetsupreme.net
lapetiteagencequimonte.com
xn--bellemre-60a.com
bringthegalaxy.com
shopnobra.com
maroondragon.com
pandemictickets.com
intelligentrereturns.net
quietshop.art
anarkalidress.com
wasserstoff-station.net
filmweltruhr.com
buck100.com
maxicashprommu.xyz
studiosilhouettes.com
lightningridgetradingpost.com
zhuanzhuan9987.top
mlelement.com
krystalsescapetravels.com
simplyabcbooks.com
greenhouse1995systems.com
altogetheradhd.com
servicedogumentary.com
cdcawpx.com
motometics.com
palisadesattahoe.com
paradgmpharma.com
microexpertise.com
venkycouture.online
maculardegenerationtsusanet.com
atlasbrandwear.com
karegcc.com
Signatures

Xloader Payload (3 IoCs)
  resource                                                                    yara_rule
  C:\Users\Admin\AppData\Local\Temp\neworder.exe                              xloader
  behavioral1/memory/564-65-0x00000000000C0000-0x00000000000E9000-memory.dmp  xloader
  C:\Users\Admin\AppData\Local\Temp\neworder.exe                              xloader

Blocklisted process makes network request (18 IoCs)
  pid 940 wscript.exe, flows 5, 6, 7, 11, 15, 18, 23, 25, 29, 33, 38, 42, 46, 48, 51, 55, 58, 62

Executes dropped EXE (1 IoC)
  pid 436 neworder.exe

Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yrnHLJzGwL.js (wscript.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yrnHLJzGwL.js (wscript.exe)

Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows\CurrentVersion\Run (wscript.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "C:\Users\Admin\AppData\Roaming\yrnHLJzGwL.js" (wscript.exe)

  The sample sets up two independent persistence paths for the second-stage script: a copy of yrnHLJzGwL.js in the per-user Startup folder and a Run value (SEJOKAOI5S) pointing at the copy in AppData\Roaming. Remediation has to remove the Run value, the Startup-folder file and the Roaming file; clearing only one leaves the script host relaunching at next logon.

Suspicious use of SetThreadContext (2 IoCs)
  PID 436 neworder.exe set thread context of PID 1424 Explorer.EXE
  PID 564 help.exe set thread context of PID 1424 Explorer.EXE
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic text for this signature adds "likely ransomware behaviour"; that is not a classification of this sample. The extracted configuration and the YARA hits identify an XLoader stealer, and nothing else in the report (no file-encryption or ransom-note signatures) supports ransomware, so treat the drive enumeration as part of the stealer's host reconnaissance.
Suspicious behavior: EnumeratesProcesses (31 IoCs)
  pid 436 neworder.exe (2 hits), pid 564 help.exe (29 hits)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 1424 Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
  pid 436 neworder.exe (3 hits), pid 564 help.exe (2 hits)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, pid 436 neworder.exe
  Token: SeDebugPrivilege, pid 564 help.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
  pid 1424 Explorer.EXE (2 hits)

Suspicious use of SendNotifyMessage (2 IoCs)
  pid 1424 Explorer.EXE (2 hits)

Suspicious use of WriteProcessMemory (15 IoCs)
  PID 960 wscript.exe wrote to memory of PID 940 wscript.exe (3 hits)
  PID 960 wscript.exe wrote to memory of PID 436 neworder.exe (4 hits)
  PID 1424 Explorer.EXE wrote to memory of PID 564 help.exe (4 hits)
  PID 564 help.exe wrote to memory of PID 952 cmd.exe (4 hits)

  The Explorer.EXE entries (foreground-window polling, FindShellTrayWindow, SendNotifyMessage, and the writes into help.exe) are recorded against PID 1424 only because neworder.exe and help.exe set thread context in it. In endpoint telemetry the stealer's activity and its child processes (help.exe, cmd.exe) will therefore appear under explorer.exe rather than under the dropper, which is the pivot to hunt on.
Processes
(PIDs are taken from the signature tables above; nesting shows the parent/child tree.)

C:\Windows\Explorer.EXE (PID 1424)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\wscript.exe (PID 960)
    command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\KBH-209294917.js
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\wscript.exe (PID 940)
      command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\yrnHLJzGwL.js"
      - Blocklisted process makes network request
      - Drops startup file
      - Adds Run key to start application

    C:\Users\Admin\AppData\Local\Temp\neworder.exe (PID 436)
      command line: "C:\Users\Admin\AppData\Local\Temp\neworder.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\autochk.exe
    command line: "C:\Windows\SysWOW64\autochk.exe"

  C:\Windows\SysWOW64\autofmt.exe (16 instances)
    command line: "C:\Windows\SysWOW64\autofmt.exe"

  C:\Windows\SysWOW64\help.exe (PID 564)
    command line: "C:\Windows\SysWOW64\help.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 952)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\neworder.exe"

Chain as the report shows it: wscript.exe (960) runs the submitted KBH-209294917.js from Temp, relaunches wscript.exe silently (//B) on the second-stage yrnHLJzGwL.js in Roaming (940), and executes the dropped neworder.exe (436). neworder.exe injects into Explorer.EXE (1424) via SetThreadContext; Explorer then spawns SysWOW64\help.exe (564) with a bare command line, which injects into Explorer again and finally deletes the dropper through cmd.exe (952). autochk.exe and the 16 autofmt.exe instances are spawned by Explorer.EXE with the same bare-command-line pattern as help.exe but triggered no signatures; they belong to the same injection chain and should be treated as suspicious children of explorer.exe, not as routine system activity.
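The process chain and the persistence signatures above translate into a handful of telemetry rules. The block below is an added example, not part of the sandbox report: it runs those rules over constructed Sysmon-style events (EventID 1 process creation, EventID 13 registry value set) that mirror the PIDs, images and command lines in this report, plus one benign control. The event field names (pid, ppid, image, parent_image, cmdline, target, details) are an assumed schema, not a real log format.

```python
"""Detection logic for the wscript -> dropper -> Explorer injection chain in this report.

Added example, not part of the sandbox report. EVENTS is constructed
Sysmon-style telemetry (id 1 = process creation, id 13 = registry value set)
mirroring the report; the field names are an assumed schema.
"""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# SysWOW64 binaries the report shows Explorer.EXE spawning with no arguments.
SYSWOW64_HOSTS = {"help.exe", "autofmt.exe", "autochk.exe"}
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\(local\\temp|roaming)\\", re.I)
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|vbe|wsf)\b", re.I)
SILENT_FLAG = re.compile(r"(^|\s)//b(\s|$)", re.I)   # wscript //B: suppress script errors/prompts
DEL_CMD = re.compile(r"/c\s+del\s", re.I)

RUN_KEY = r"\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed events mirroring the report's tree, plus a benign control at the end.
EVENTS = [
    {"id": 1, "pid": 960, "ppid": 1424, "image": r"C:\Windows\system32\wscript.exe",
     "parent_image": r"C:\Windows\Explorer.EXE",
     "cmdline": r"wscript.exe C:\Users\Admin\AppData\Local\Temp\KBH-209294917.js"},
    {"id": 1, "pid": 940, "ppid": 960, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\system32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\yrnHLJzGwL.js"'},
    {"id": 1, "pid": 436, "ppid": 960, "image": r"C:\Users\Admin\AppData\Local\Temp\neworder.exe",
     "parent_image": r"C:\Windows\system32\wscript.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\neworder.exe"'},
    {"id": 13, "pid": 940, "image": r"C:\Windows\System32\wscript.exe",
     "target": RUN_KEY + r"\SEJOKAOI5S",
     "details": r'"C:\Users\Admin\AppData\Roaming\yrnHLJzGwL.js"'},
    {"id": 1, "pid": 564, "ppid": 1424, "image": r"C:\Windows\SysWOW64\help.exe",
     "parent_image": r"C:\Windows\Explorer.EXE",
     "cmdline": r'"C:\Windows\SysWOW64\help.exe"'},
    {"id": 1, "pid": 952, "ppid": 564, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "parent_image": r"C:\Windows\SysWOW64\help.exe",
     "cmdline": r'/c del "C:\Users\Admin\AppData\Local\Temp\neworder.exe"'},
    # Benign control: a user-launched script from Documents, no //B, no AppData path.
    {"id": 1, "pid": 2000, "ppid": 1424, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\Explorer.EXE",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\Admin\Documents\inventory.vbs"'},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid) tuples for every event that matches one of the chain rules."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    alerts = []
    for e in events:
        if e["id"] == 13:
            # Run-key value whose data is a script sitting in a user-writable directory.
            if (re.search(r"\\currentversion\\run\\", e["target"], re.I)
                    and SCRIPT_EXT.search(e["details"]) and USER_WRITABLE.search(e["details"])):
                alerts.append(("run_key_points_to_script", e["pid"]))
            continue
        img, parent, cmd = basename(e["image"]), basename(e["parent_image"]), e["cmdline"]
        # 1. Script host running a script that lives in Temp or Roaming.
        if img in SCRIPT_HOSTS and SCRIPT_EXT.search(cmd) and USER_WRITABLE.search(cmd):
            alerts.append(("script_host_runs_script_from_user_writable", e["pid"]))
        # 2. Script host re-launching itself silently (//B) on a second-stage script.
        if img in SCRIPT_HOSTS and parent in SCRIPT_HOSTS and SILENT_FLAG.search(cmd):
            alerts.append(("script_host_silent_relaunch", e["pid"]))
        # 3. Script host executing an EXE from a user-writable directory (dropped payload).
        if parent in SCRIPT_HOSTS and img.endswith(".exe") and USER_WRITABLE.search(e["image"]):
            alerts.append(("script_host_drops_and_runs_exe", e["pid"]))
        # 4. Explorer spawning a SysWOW64 system binary with nothing but its own path as command line.
        if (parent == "explorer.exe" and img in SYSWOW64_HOSTS
                and "\\syswow64\\" in e["image"].lower()
                and cmd.strip().strip('"').lower() == e["image"].lower()):
            alerts.append(("explorer_spawns_bare_syswow64_binary", e["pid"]))
        # 5. One of those binaries deleting a file in Temp via cmd /c del (dropper cleanup).
        pe = procs.get(e.get("ppid"))
        if (img == "cmd.exe" and DEL_CMD.search(cmd) and USER_WRITABLE.search(cmd)
                and pe is not None and basename(pe["image"]) in SYSWOW64_HOSTS):
            alerts.append(("injected_host_deletes_dropper", e["pid"]))
    return alerts


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:45s} pid={pid}")
```

Rule 4 is the one worth tuning on real data: Explorer launching help.exe, autofmt.exe or autochk.exe with a bare command line has no legitimate interactive reason, and in this report the same pattern fires for the seventeen autochk/autofmt children that carried no other signature. Rule 5 keys on the parent being one of those binaries rather than on cmd.exe alone, since `cmd /c del` in Temp is common in installers.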
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

Dropped files

C:\Users\Admin\AppData\Local\Temp\neworder.exe (listed twice in the report with identical hashes; matched by the xloader YARA rule under Signatures)
  MD5: 83481bf872730cd133669c5ea5b1be2b
  SHA1: fbd2369965b20f6bee09063aa454de13a18c71d3
  SHA256: 5d174dd08492f307e4b367e262f3e96b9beefb99f5abb11043ddf7142a18e9e8
  SHA512: 9080dc9bcdfba87ff3ecb3ba04af7a03dea2228f093fbb91149ff8825694601908ba85b2ce27a1de47ce1f6e263b03d96d80d43b7a4033051fbbac64fde7dc51

C:\Users\Admin\AppData\Roaming\yrnHLJzGwL.js (second-stage script referenced by the Run key; a same-named copy is dropped in the Startup folder, for which the report gives no hash)
  MD5: 73d1bafce675155e28f529949a5a3e7e
  SHA1: 04a65ae70f58ccc50e17f5bc4551ec3c2db3ac5c
  SHA256: b6eaabbf65369350c121fc99ac123a62a24ffb0d10dd88cc4dda3eebb32444c1
  SHA512: 4a9c5f9d09cdcbb31dd166478cfa03bf37894e11dbdbccb51730dfc975ddd5a3d9186df3bace89f56c479d67695f4844f538455f30590708e3f83ec077f05a35

Memory dumps
  memory/436-57-0x0000000000000000-mapping.dmp
  memory/436-59-0x00000000008A0000-0x0000000000BA3000-memory.dmp  3.0MB
  memory/436-60-0x0000000000140000-0x0000000000151000-memory.dmp  68KB
  memory/564-64-0x0000000000950000-0x0000000000C53000-memory.dmp  3.0MB
  memory/564-62-0x0000000000000000-mapping.dmp
  memory/564-63-0x0000000000D10000-0x0000000000D16000-memory.dmp  24KB
  memory/564-65-0x00000000000C0000-0x00000000000E9000-memory.dmp  164KB (matched the xloader YARA rule; the unpacked payload region inside help.exe, the dump to start with for static analysis)
  memory/564-68-0x0000000000350000-0x00000000003E0000-memory.dmp  576KB
  memory/940-55-0x0000000000000000-mapping.dmp
  memory/952-67-0x0000000000000000-mapping.dmp
  memory/1424-61-0x0000000006480000-0x000000000654A000-memory.dmp  808KB
  memory/1424-69-0x0000000007220000-0x0000000007303000-memory.dmp  908KB