Analysis
- max time kernel: 148s
- max time network: 154s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 20-01-2022 14:23
Static task: static1
Behavioral task: behavioral1
Sample: Order-410692-pdf.pif.exe
Resource: win7-en-20211208
General
- Target: Order-410692-pdf.pif.exe
- Size: 283KB
- MD5: 206826730fc880f75d51f38c2cd94561
- SHA1: 7d67331de09a33ffcdc8f3b174bedf049f79d2b9
- SHA256: 44b17de7c324ff60a195215bf1a73eb41febf731f86699848e68815db5978387
- SHA512: f4878c0a31e0f7bdfce83f859a70c0b8fed605bfcab5a3e28b97824097989407ad08a30ca1fe8054211bfd7e34ee538160ffaad7b9bd0ffb4c94eba9515210fe
Malware Config
Extracted
- Family: xloader
- Version: 2.5
- Campaign: uar3
- Domains:
sgadvocats.com
mjscannabus.com
hilldaley.com
ksdollhouse.com
hotgiftboutique.com
purebloodsmeet.com
relaunched.info
cap-glove.com
productcollection.store
fulikyy.xyz
remoteaviationjobs.com
bestcleancrystal.com
virtualorganizationpartner.com
bookgocar.com
hattuafhv.quest
makonigroup.com
officecom-myaccount.com
malgorzata-lac.com
e-learningeducators.com
hygilaur.com
kgv-lachswehr.com
salazarcomunicacion.com
robopython.com
corporateequity.online
complianceservicegroup.com
aperza-ex.com
webflowusa.com
asesoriasfinancieras.xyz
missolivesbranches.com
numiquest.com
criskconsultancy.com
gotemup.com
themaptalk.com
lakebalboahalf.com
cateringfrenchcroissant.com
paddocklakerealestate.com
lojaquerosurprezza.store
courtneywhitearmusic.com
geovannimaquinadevendas.online
pricklypairjazz.com
engagedigi.com
conduitforthespirit.com
anaheimaletrail.com
wholesalemall.store
alertsbecu.com
gestion-kayfra.com
youcanstores.com
qsuo.net
formadv.info
dihesia.xyz
carrreir.com
twenteeminuteswithtee.com
realliferenewal.com
officialprokodsukses.icu
stanfordgrouploscabos.com
maxicashpromir.xyz
zysqshjs.com
trc-clicks.com
chsclbd.com
amdproduce.net
republicoflies.com
beaux-parents.com
lucrativeapp.com
milbombas.com
alexanderplaywear.com
Signatures
-
Xloader Payload 3 IoCs
Processes:
  resource                                                                     yara_rule
  behavioral1/memory/2036-56-0x0000000000400000-0x0000000000429000-memory.dmp  xloader
  behavioral1/memory/2036-61-0x0000000000400000-0x0000000000429000-memory.dmp  xloader
  behavioral1/memory/1092-65-0x0000000000080000-0x00000000000A9000-memory.dmp  xloader
-
Deletes itself 1 IoCs
Processes:
  pid   process
  1820  cmd.exe
-
Loads dropped DLL 1 IoCs
Processes:
  pid   process
  1204  Order-410692-pdf.pif.exe
-
Suspicious use of SetThreadContext 4 IoCs
Processes:
  description                          pid   process                   target process
  PID 1204 set thread context of 2036  1204  Order-410692-pdf.pif.exe  Order-410692-pdf.pif.exe
  PID 2036 set thread context of 1208  2036  Order-410692-pdf.pif.exe  Explorer.EXE
  PID 2036 set thread context of 1208  2036  Order-410692-pdf.pif.exe  Explorer.EXE
  PID 1092 set thread context of 1208  1092  cmd.exe                   Explorer.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 30 IoCs
Processes:
  pid   process
  2036  Order-410692-pdf.pif.exe  (3 entries)
  1092  cmd.exe                   (27 entries)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  pid   process
  1208  Explorer.EXE
-
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
  pid   process
  2036  Order-410692-pdf.pif.exe  (4 entries)
  1092  cmd.exe                   (2 entries)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
  description              pid   process
  Token: SeDebugPrivilege  2036  Order-410692-pdf.pif.exe
  Token: SeDebugPrivilege  1092  cmd.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
  pid   process
  1208  Explorer.EXE  (2 entries)
-
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
  pid   process
  1208  Explorer.EXE  (2 entries)
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
  description                       pid   process                   target process
  PID 1204 wrote to memory of 2036  1204  Order-410692-pdf.pif.exe  Order-410692-pdf.pif.exe  (7 entries)
  PID 1208 wrote to memory of 1092  1208  Explorer.EXE              cmd.exe                   (4 entries)
  PID 1092 wrote to memory of 1820  1092  cmd.exe                   cmd.exe                   (4 entries)
Processes (process tree depth shown in brackets)
- [1] C:\Windows\Explorer.EXE  (command line: C:\Windows\Explorer.EXE)
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\Order-410692-pdf.pif.exe  (command line: "C:\Users\Admin\AppData\Local\Temp\Order-410692-pdf.pif.exe")
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\Order-410692-pdf.pif.exe  (command line: "C:\Users\Admin\AppData\Local\Temp\Order-410692-pdf.pif.exe")
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\autoconv.exe  (command line: "C:\Windows\SysWOW64\autoconv.exe")
  - [2] C:\Windows\SysWOW64\autoconv.exe  (command line: "C:\Windows\SysWOW64\autoconv.exe")
  - [2] C:\Windows\SysWOW64\autoconv.exe  (command line: "C:\Windows\SysWOW64\autoconv.exe")
  - [2] C:\Windows\SysWOW64\autoconv.exe  (command line: "C:\Windows\SysWOW64\autoconv.exe")
  - [2] C:\Windows\SysWOW64\cmd.exe  (command line: "C:\Windows\SysWOW64\cmd.exe")
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\cmd.exe  (command line: /c del "C:\Users\Admin\AppData\Local\Temp\Order-410692-pdf.pif.exe")
        - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\nsiAFF0.tmp\vrgsug.dll
  MD5: 7154ab5f13d8daf833ce0d0a2e7f56dd
  SHA1: 48109dbd99e1af21c61f3bc61eb9bc5ac4539b66
  SHA256: 5a963e13de5bf55c526f7a07d3c6efaa4a3a196bf3d3f03d54d41eac76cc0019
  SHA512: 876dac6caefd448613c635c33af6c0a8516f6586ed0fe4a2426129720eafb7d7fd917ac91f33b1238042422d99e37639f88a6c5343ce51c8280962187c2a00df
- memory/1092-64-0x000000004AB20000-0x000000004AB6C000-memory.dmp
  Filesize: 304KB
- memory/1092-67-0x0000000001DF0000-0x0000000001E80000-memory.dmp
  Filesize: 576KB
- memory/1092-66-0x0000000002030000-0x0000000002333000-memory.dmp
  Filesize: 3.0MB
- memory/1092-65-0x0000000000080000-0x00000000000A9000-memory.dmp
  Filesize: 164KB
- memory/1204-54-0x0000000075CE1000-0x0000000075CE3000-memory.dmp
  Filesize: 8KB
- memory/1208-68-0x0000000006330000-0x00000000063EC000-memory.dmp
  Filesize: 752KB
- memory/1208-60-0x0000000005FC0000-0x00000000060C5000-memory.dmp
  Filesize: 1.0MB
- memory/1208-63-0x0000000003EB0000-0x0000000003F9C000-memory.dmp
  Filesize: 944KB
- memory/2036-58-0x0000000000900000-0x0000000000C03000-memory.dmp
  Filesize: 3.0MB
- memory/2036-62-0x0000000000390000-0x00000000003A1000-memory.dmp
  Filesize: 68KB
- memory/2036-61-0x0000000000400000-0x0000000000429000-memory.dmp
  Filesize: 164KB
- memory/2036-59-0x0000000000340000-0x0000000000351000-memory.dmp
  Filesize: 68KB
- memory/2036-56-0x0000000000400000-0x0000000000429000-memory.dmp
  Filesize: 164KB