Analysis
- max time kernel: 11s
- max time network: 48s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 20-01-2022 14:23

Static task: static1
Behavioral task: behavioral1
Sample: Order-410692-pdf.pif.exe
Resource: win7-en-20211208
General
- Target: Order-410692-pdf.pif.exe
- Size: 283KB
- MD5: 206826730fc880f75d51f38c2cd94561
- SHA1: 7d67331de09a33ffcdc8f3b174bedf049f79d2b9
- SHA256: 44b17de7c324ff60a195215bf1a73eb41febf731f86699848e68815db5978387
- SHA512: f4878c0a31e0f7bdfce83f859a70c0b8fed605bfcab5a3e28b97824097989407ad08a30ca1fe8054211bfd7e34ee538160ffaad7b9bd0ffb4c94eba9515210fe
Malware Config
Extracted: xloader 2.5 uar3
Domains:
sgadvocats.com
mjscannabus.com
hilldaley.com
ksdollhouse.com
hotgiftboutique.com
purebloodsmeet.com
relaunched.info
cap-glove.com
productcollection.store
fulikyy.xyz
remoteaviationjobs.com
bestcleancrystal.com
virtualorganizationpartner.com
bookgocar.com
hattuafhv.quest
makonigroup.com
officecom-myaccount.com
malgorzata-lac.com
e-learningeducators.com
hygilaur.com
kgv-lachswehr.com
salazarcomunicacion.com
robopython.com
corporateequity.online
complianceservicegroup.com
aperza-ex.com
webflowusa.com
asesoriasfinancieras.xyz
missolivesbranches.com
numiquest.com
criskconsultancy.com
gotemup.com
themaptalk.com
lakebalboahalf.com
cateringfrenchcroissant.com
paddocklakerealestate.com
lojaquerosurprezza.store
courtneywhitearmusic.com
geovannimaquinadevendas.online
pricklypairjazz.com
engagedigi.com
conduitforthespirit.com
anaheimaletrail.com
wholesalemall.store
alertsbecu.com
gestion-kayfra.com
youcanstores.com
qsuo.net
formadv.info
dihesia.xyz
carrreir.com
twenteeminuteswithtee.com
realliferenewal.com
officialprokodsukses.icu
stanfordgrouploscabos.com
maxicashpromir.xyz
zysqshjs.com
trc-clicks.com
chsclbd.com
amdproduce.net
republicoflies.com
beaux-parents.com
lucrativeapp.com
milbombas.com
alexanderplaywear.com
Signatures
- Xloader Payload (1 IoCs)
  Processes:
  resource | yara_rule
  behavioral2/memory/1968-131-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
- Loads dropped DLL (1 IoCs)
  Processes:
  pid | process
  1408 | Order-410692-pdf.pif.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  description | pid | process | target process
  PID 1408 set thread context of 1968 | 1408 | Order-410692-pdf.pif.exe | Order-410692-pdf.pif.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  description | pid | process | target process
  PID 1408 wrote to memory of 1968 | 1408 | Order-410692-pdf.pif.exe | Order-410692-pdf.pif.exe
  (this row is reported 6 times in the original report)
Processes
- C:\Users\Admin\AppData\Local\Temp\Order-410692-pdf.pif.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Order-410692-pdf.pif.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Order-410692-pdf.pif.exe (child process)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Order-410692-pdf.pif.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\nso6282.tmp\vrgsug.dll
  MD5: 7154ab5f13d8daf833ce0d0a2e7f56dd
  SHA1: 48109dbd99e1af21c61f3bc61eb9bc5ac4539b66
  SHA256: 5a963e13de5bf55c526f7a07d3c6efaa4a3a196bf3d3f03d54d41eac76cc0019
  SHA512: 876dac6caefd448613c635c33af6c0a8516f6586ed0fe4a2426129720eafb7d7fd917ac91f33b1238042422d99e37639f88a6c5343ce51c8280962187c2a00df
- memory/1968-131-0x0000000000400000-0x0000000000429000-memory.dmp
  Filesize: 164KB