Analysis
- max time kernel: 153s
- max time network: 153s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 24-01-2022 23:12

Static task: static1
Behavioral task: behavioral1
  Sample: Order-69211841-pdf.exe
  Resource: win7-en-20211208
  (The YARA hits and memory dumps below are labelled behavioral2, i.e. the windows10_x64 run whose metadata appears at the top; the behavioral1 entry here is the win7 task.)
General
- Target: Order-69211841-pdf.exe
- Size: 249KB
- MD5: 2c0392385d0b38d1ee0a47c9d5bdec72
- SHA1: b259fe8edd2b6d9257e61fa39e89d324df60c070
- SHA256: 7aa0e9cbf1f38bc13f59033198c94dc657236f15cda0359881edec87394defad
- SHA512: 42715d604e74b2ee951df14174be7aee0054cd31b978ca6d6be50ebb0ae7264c115e253fda0c805d6f961014b4e582f3a9497320417c4d740c3caed9baab7fdb
Malware Config
Extracted
- Family: xloader
- Version: 2.5
- Campaign: uar3
- Domains (65 listed): the configuration's decoy/C2 list. As with FormBook, from which XLoader descends, the bot contacts its live C2 alongside a set of decoy domains, and the report does not say which entry is live; treat this list as a fingerprint of the configuration rather than as a blocklist of confirmed-malicious hosts.
  sgadvocats.com
  mjscannabus.com
  hilldaley.com
  ksdollhouse.com
  hotgiftboutique.com
  purebloodsmeet.com
  relaunched.info
  cap-glove.com
  productcollection.store
  fulikyy.xyz
  remoteaviationjobs.com
  bestcleancrystal.com
  virtualorganizationpartner.com
  bookgocar.com
  hattuafhv.quest
  makonigroup.com
  officecom-myaccount.com
  malgorzata-lac.com
  e-learningeducators.com
  hygilaur.com
  kgv-lachswehr.com
  salazarcomunicacion.com
  robopython.com
  corporateequity.online
  complianceservicegroup.com
  aperza-ex.com
  webflowusa.com
  asesoriasfinancieras.xyz
  missolivesbranches.com
  numiquest.com
  criskconsultancy.com
  gotemup.com
  themaptalk.com
  lakebalboahalf.com
  cateringfrenchcroissant.com
  paddocklakerealestate.com
  lojaquerosurprezza.store
  courtneywhitearmusic.com
  geovannimaquinadevendas.online
  pricklypairjazz.com
  engagedigi.com
  conduitforthespirit.com
  anaheimaletrail.com
  wholesalemall.store
  alertsbecu.com
  gestion-kayfra.com
  youcanstores.com
  qsuo.net
  formadv.info
  dihesia.xyz
  carrreir.com
  twenteeminuteswithtee.com
  realliferenewal.com
  officialprokodsukses.icu
  stanfordgrouploscabos.com
  maxicashpromir.xyz
  zysqshjs.com
  trc-clicks.com
  chsclbd.com
  amdproduce.net
  republicoflies.com
  beaux-parents.com
  lucrativeapp.com
  milbombas.com
  alexanderplaywear.com
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)  (listed twice in the report; XLoader's check-in traffic still matches the Emerging Threats FormBook rule, XLoader being the continuation of that family)
Xloader Payload 2 IoCs
  resource                                                                        yara_rule
  behavioral2/memory/2556-116-0x0000000000400000-0x0000000000429000-memory.dmp    xloader
  behavioral2/memory/1300-122-0x0000000000540000-0x0000000000569000-memory.dmp    xloader
  Both flagged regions are 0x29000 bytes (164KB, matching the Filesize values under Downloads): one at the image base 0x400000 of the second Order-69211841-pdf.exe instance (pid 2556), which pid 2780 wrote to and whose thread context it set, and one at 0x540000 in the SysWOW64 explorer.exe child (pid 1300), consistent with the same unpacked payload being present in both processes.
Loads dropped DLL 1 IoCs
  pid   process
  2780  Order-69211841-pdf.exe   (the only dropped DLL in this report is \Users\Admin\AppData\Local\Temp\nse4D34.tmp\ygvtqmwfxb.dll, listed under Downloads)
Suspicious use of SetThreadContext 3 IoCs
  pid   process                  target pid  target process
  2780  Order-69211841-pdf.exe   2556        Order-69211841-pdf.exe
  2556  Order-69211841-pdf.exe   3056        Explorer.EXE
  1300  explorer.exe             3056        Explorer.EXE
Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  (That sentence is the sandbox's generic description of the signature. Nothing else in this report, such as file encryption or a ransom note, supports ransomware activity; the extracted family, xloader, is an information stealer, and drive enumeration is also a common sandbox-evasion check.)
Suspicious behavior: EnumeratesProcesses 58 IoCs
  pid   process                  occurrences
  2556  Order-69211841-pdf.exe   4
  1300  explorer.exe             54
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  pid   process
  3056  Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs
  pid   process                  occurrences
  2556  Order-69211841-pdf.exe   3
  1300  explorer.exe             2
Suspicious use of AdjustPrivilegeToken 2 IoCs
  pid   process                  token
  2556  Order-69211841-pdf.exe   SeDebugPrivilege
  1300  explorer.exe             SeDebugPrivilege
Suspicious use of WriteProcessMemory 12 IoCs
  pid   process                  target pid  target process           occurrences
  2780  Order-69211841-pdf.exe   2556        Order-69211841-pdf.exe   6
  3056  Explorer.EXE             1300        explorer.exe             3
  1300  explorer.exe             3972        cmd.exe                  3
Processes
(pids are taken from the signature tables above; indentation shows parent/child depth)
- C:\Windows\Explorer.EXE  (pid 3056)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Order-69211841-pdf.exe  (pid 2780)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Order-69211841-pdf.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\Order-69211841-pdf.exe  (pid 2556)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Order-69211841-pdf.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\explorer.exe  (pid 1300; a separate 32-bit process, not the shell Explorer.EXE above)
    Command line: "C:\Windows\SysWOW64\explorer.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe  (pid 3972)
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\Order-69211841-pdf.exe"
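The SetThreadContext, WriteProcessMemory and MapViewOfSection tables and the process tree together describe a three-hop injection chain that ends in the sample deleting itself. The Python below is an added example for this page, not Triage output or any vendor's tooling: it parses the report's flattened signature rows (transcribed here as constructed input, duplicates included), counts repeated rows instead of dropping them, labels each writer/target pair with heuristics chosen for this example, and flags the child whose command line deletes the original sample. The pid-to-command-line map, the label wording and the `Edge` / `classify` / `self_delete_targets` names are this example's own.

```python
"""Reconstruct the injection chain recorded in a Triage-style signature table.

Added example for this report. Rows are transcribed from the SetThreadContext /
WriteProcessMemory / MapViewOfSection tables and the process tree; the labels
are heuristics of this example, not a vendor taxonomy.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed input: one line per IoC row, in the report's flattened wording.
SIGNATURE_ROWS = (
    "PID 2780 set thread context of 2556 2780 Order-69211841-pdf.exe Order-69211841-pdf.exe\n"
    "PID 2556 set thread context of 3056 2556 Order-69211841-pdf.exe Explorer.EXE\n"
    "PID 1300 set thread context of 3056 1300 explorer.exe Explorer.EXE\n"
    + "PID 2780 wrote to memory of 2556 2780 Order-69211841-pdf.exe Order-69211841-pdf.exe\n" * 6
    + "PID 3056 wrote to memory of 1300 3056 Explorer.EXE explorer.exe\n" * 3
    + "PID 1300 wrote to memory of 3972 1300 explorer.exe cmd.exe\n" * 3
)
# MapViewOfSection rows name only the acting pid (2556 x3, 1300 x2 in the report).
MAPVIEW_ROWS = "2556 Order-69211841-pdf.exe\n" * 3 + "1300 explorer.exe\n" * 2
# Process-tree command lines keyed by the pids the signature tables give.
COMMAND_LINES = {3972: r'/c del "C:\Users\Admin\AppData\Local\Temp\Order-69211841-pdf.exe"'}
SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp\Order-69211841-pdf.exe"

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<verb>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_img>\S+) (?P<dst_img>\S+)$"
)


@dataclass(frozen=True)
class Edge:
    src: int
    dst: int
    src_img: str
    dst_img: str


def parse_rows(text):
    """Map each writer->target Edge to a Counter of verbs; duplicate rows are counted."""
    edges = defaultdict(Counter)
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        edge = Edge(int(m["src"]), int(m["dst"]), m["src_img"], m["dst_img"])
        edges[edge][m["verb"]] += 1
    return dict(edges)


def parse_mapview(text):
    """Count MapViewOfSection hits per acting pid."""
    hits = Counter()
    for line in text.strip().splitlines():
        pid, _image = line.split(maxsplit=1)
        hits[int(pid)] += 1
    return hits


def classify(edges, mapview):
    """Label each edge from the verb mix; these labels are this example's heuristics."""
    labels = {}
    for edge, verbs in edges.items():
        wrote = verbs["wrote to memory of"] > 0
        hijacked = verbs["set thread context of"] > 0
        same_image = edge.src_img.lower() == edge.dst_img.lower()
        if wrote and hijacked and same_image:
            labels[edge] = "hollowing of a suspended copy of self"
        elif hijacked and not wrote and mapview[edge.src] > 0:
            labels[edge] = "section-mapped injection + thread hijack"
        elif hijacked:
            labels[edge] = "thread hijack without a recorded memory write"
        else:
            labels[edge] = "memory write only"
    return labels


def self_delete_targets(edges, command_lines, sample_path):
    """Children whose command line deletes the original sample (track covering)."""
    found = []
    for edge in edges:
        cmd = command_lines.get(edge.dst, "").lower()
        if edge.dst_img.lower() == "cmd.exe" and " del " in f" {cmd} " and sample_path.lower() in cmd:
            found.append(edge)
    return found


def summarize(rows=SIGNATURE_ROWS, mapview_rows=MAPVIEW_ROWS):
    """One line per edge plus one per self-delete child, for a quick chain read-out."""
    edges = parse_rows(rows)
    labels = classify(edges, parse_mapview(mapview_rows))
    lines = [f"{e.src} {e.src_img} -> {e.dst} {e.dst_img}: {labels[e]} "
             f"(writes={v['wrote to memory of']}, ctx={v['set thread context of']})"
             for e, v in edges.items()]
    for e in self_delete_targets(edges, COMMAND_LINES, SAMPLE_PATH):
        lines.append(f"{e.dst} {e.dst_img} deletes the original sample on behalf of {e.src}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize()))
```

Run stand-alone it prints the chain the tables encode: 2780 -> 2556 (same image, six writes plus a thread-context set, which the heuristic calls hollowing of a suspended copy), 2556 -> 3056 and 1300 -> 3056 (thread context set on the shell Explorer.EXE with no WriteProcessMemory row, which lines up with the MapViewOfSection hits on both writers), 3056 -> 1300 (writes into the SysWOW64 explorer.exe child), and 1300 -> 3972 where cmd.exe runs the del. The labels only say what the rows are consistent with; confirm against the memory dumps before reporting it as hollowing.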
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\nse4D34.tmp\ygvtqmwfxb.dll
  MD5:    036a613c76b9eec8d377109d7b44454c
  SHA1:   a4eae0a949874e038264bcb997cb728ebb5dd77d
  SHA256: 5706c4155dd436309f0e4f90f7535785e9dc598161df6fa6bfebe00a9f7dc992
  SHA512: a2d652a94ac820980a22c4a04b72e6809fd65185ade823ec4e94437e01d86af29de800951f132978e6408bd5600ccd304cb9b49f61047c07accb0edcf7e58d14
  (The ns####.tmp directory name follows the NSIS installer's plugin-directory convention, so the first stage is most likely an NSIS-packaged loader that drops and loads this DLL, matching the Loads dropped DLL hit on pid 2780. That is an inference from the path, not something the report states.)
- memory/1300-121-0x00000000010A0000-0x00000000014DF000-memory.dmp   Filesize 4.2MB
- memory/1300-123-0x0000000004D30000-0x0000000005050000-memory.dmp   Filesize 3.1MB
- memory/1300-122-0x0000000000540000-0x0000000000569000-memory.dmp   Filesize 164KB   (xloader YARA hit)
- memory/1300-124-0x00000000049F0000-0x0000000004B8C000-memory.dmp   Filesize 1.6MB
- memory/2556-116-0x0000000000400000-0x0000000000429000-memory.dmp   Filesize 164KB   (xloader YARA hit)
- memory/2556-117-0x0000000000970000-0x0000000000C90000-memory.dmp   Filesize 3.1MB
- memory/2556-119-0x00000000007D0000-0x0000000000961000-memory.dmp   Filesize 1.6MB
- memory/3056-120-0x0000000006550000-0x00000000066F4000-memory.dmp   Filesize 1.6MB
- memory/3056-125-0x0000000006310000-0x000000000641E000-memory.dmp   Filesize 1.1MB