Analysis
max time kernel: 157s
max time network: 165s
platform: windows7_x64
resource: win7-en-20211208
submitted: 20-01-2022 11:07
Static task: static1
Behavioral task: behavioral1, sample: Order-711493-pdf.pif.exe, resource: win7-en-20211208
Behavioral task: behavioral2, sample: Order-711493-pdf.pif.exe, resource: win10v2004-en-20220113
General
Target: Order-711493-pdf.pif.exe
Size: 296KB
MD5: 7dc82eb8ad4d78c1fb2534eef4fb10fd
SHA1: a6f61ab9754a38151026dd6e94a97459723c8add
SHA256: 32202111654172f16eab4a33849af61e651680218d44e657b719b56789976561
SHA512: 7365a7a32a8c0227c70c93cc51a7a9235606af4c27acdceb531766dfad57b6f481f850b173f542c846d899f2172d60c8580f3febe3516d512500d3662fa92513
Malware Config
Extracted: xloader (version 2.5, campaign id uar3)
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Xloader Payload 2 IoCs
Processes:
resource: behavioral1/memory/520-57-0x0000000000400000-0x0000000000429000-memory.dmp, yara_rule: xloader
resource: behavioral1/memory/452-65-0x0000000000080000-0x00000000000A9000-memory.dmp, yara_rule: xloader
-
Deletes itself 1 IoCs
Processes:
pid 1764, process cmd.exe
-
Loads dropped DLL 1 IoCs
Processes:
pid 1612, process Order-711493-pdf.pif.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
PID 1612 set thread context of 520: process Order-711493-pdf.pif.exe (pid 1612), target process Order-711493-pdf.pif.exe
PID 520 set thread context of 1200: process Order-711493-pdf.pif.exe (pid 520), target process Explorer.EXE
PID 452 set thread context of 1200: process explorer.exe (pid 452), target process Explorer.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 29 IoCs
Processes:
pid 520, process Order-711493-pdf.pif.exe (2 occurrences)
pid 452, process explorer.exe (remaining 27 occurrences)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid 1200, process Explorer.EXE
-
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
pid 520, process Order-711493-pdf.pif.exe (3 occurrences)
pid 452, process explorer.exe (2 occurrences)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
Token: SeDebugPrivilege, pid 520, process Order-711493-pdf.pif.exe
Token: SeDebugPrivilege, pid 452, process explorer.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid 1200, process Explorer.EXE (2 occurrences)
-
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
pid 1200, process Explorer.EXE (2 occurrences)
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
PID 1612 wrote to memory of 520: process Order-711493-pdf.pif.exe (pid 1612), target process Order-711493-pdf.pif.exe (7 occurrences)
PID 1200 wrote to memory of 452: process Explorer.EXE (pid 1200), target process explorer.exe (4 occurrences)
PID 452 wrote to memory of 1764: process explorer.exe (pid 452), target process cmd.exe (4 occurrences)
Processes
-
C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE), tree depth 1
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Order-711493-pdf.pif.exe (command line: "C:\Users\Admin\AppData\Local\Temp\Order-711493-pdf.pif.exe"), tree depth 2
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Order-711493-pdf.pif.exe (command line: "C:\Users\Admin\AppData\Local\Temp\Order-711493-pdf.pif.exe"), tree depth 3
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\explorer.exe (command line: "C:\Windows\SysWOW64\explorer.exe"), tree depth 2
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe (command line: /c del "C:\Users\Admin\AppData\Local\Temp\Order-711493-pdf.pif.exe"), tree depth 3
- Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
\Users\Admin\AppData\Local\Temp\nsy3304.tmp\klgtagbqxcl.dll
MD5: 099043310c3f814bd0fb860794a9a84a
SHA1: 621769796ca94414f7c219e0da65fa4a72549d33
SHA256: ef99d64e0fba1adc021866b880b3b07c9ba523d9fda5766aa548304adaf97de5
SHA512: c1d9a0ea9c1918a9efede6a67aa982ab68d6ce0fd3381d5a02ba89fd35f8fa317f9a7563cbd95d8d1c0ca651dae92ad67596f1dd2651c741e2596f9654fb70dc
-
memory/452-63-0x0000000075201000-0x0000000075203000-memory.dmp, filesize: 8KB
-
memory/452-64-0x0000000000E80000-0x0000000001101000-memory.dmp, filesize: 2.5MB
-
memory/452-65-0x0000000000080000-0x00000000000A9000-memory.dmp, filesize: 164KB
-
memory/452-66-0x0000000002510000-0x0000000002813000-memory.dmp, filesize: 3.0MB
-
memory/452-67-0x0000000000A50000-0x0000000000AE0000-memory.dmp, filesize: 576KB
-
memory/520-57-0x0000000000400000-0x0000000000429000-memory.dmp, filesize: 164KB
-
memory/520-59-0x0000000000770000-0x0000000000A73000-memory.dmp, filesize: 3.0MB
-
memory/520-60-0x00000000002E0000-0x0000000000429000-memory.dmp, filesize: 1.3MB
-
memory/1200-61-0x0000000007390000-0x00000000074BF000-memory.dmp, filesize: 1.2MB
-
memory/1200-68-0x0000000006760000-0x000000000086E000-memory.dmp, filesize: 1.1MB
-
memory/1612-55-0x00000000769D1000-0x00000000769D3000-memory.dmp, filesize: 8KB