Overview

overview

10

Static

static

1

Order-6921...df.exe

windows7_x64

10

Order-6921...df.exe

windows10_x64

10

Analysis

  • max time kernel
    153s
  • max time network
    153s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    24-01-2022 23:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Order-69211841-pdf.exe

  • Size

    249KB

  • MD5

    2c0392385d0b38d1ee0a47c9d5bdec72

  • SHA1

    b259fe8edd2b6d9257e61fa39e89d324df60c070

  • SHA256

    7aa0e9cbf1f38bc13f59033198c94dc657236f15cda0359881edec87394defad

  • SHA512

    42715d604e74b2ee951df14174be7aee0054cd31b978ca6d6be50ebb0ae7264c115e253fda0c805d6f961014b4e582f3a9497320417c4d740c3caed9baab7fdb

Score
10/10
xloaderuar3loaderratsuricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

uar3

Decoy

sgadvocats.com

mjscannabus.com

hilldaley.com

ksdollhouse.com

hotgiftboutique.com

purebloodsmeet.com

relaunched.info

cap-glove.com

productcollection.store

fulikyy.xyz

remoteaviationjobs.com

bestcleancrystal.com

virtualorganizationpartner.com

bookgocar.com

hattuafhv.quest

makonigroup.com

officecom-myaccount.com

malgorzata-lac.com

e-learningeducators.com

hygilaur.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • Xloader Payload 2 IoCs
    rat
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 58 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:3056
    • C:\Users\Admin\AppData\Local\Temp\Order-69211841-pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\Order-69211841-pdf.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2780
      • C:\Users\Admin\AppData\Local\Temp\Order-69211841-pdf.exe
        "C:\Users\Admin\AppData\Local\Temp\Order-69211841-pdf.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2556
    • C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1300
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\Order-69211841-pdf.exe"
        3⤵
          PID:3972

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • \Users\Admin\AppData\Local\Temp\nse4D34.tmp\ygvtqmwfxb.dll
      MD5

      036a613c76b9eec8d377109d7b44454c

      SHA1

      a4eae0a949874e038264bcb997cb728ebb5dd77d

      SHA256

      5706c4155dd436309f0e4f90f7535785e9dc598161df6fa6bfebe00a9f7dc992

      SHA512

      a2d652a94ac820980a22c4a04b72e6809fd65185ade823ec4e94437e01d86af29de800951f132978e6408bd5600ccd304cb9b49f61047c07accb0edcf7e58d14

      Download Submit
    • memory/1300-121-0x00000000010A0000-0x00000000014DF000-memory.dmp
      Filesize

      4.2MB

      Download
    • memory/1300-123-0x0000000004D30000-0x0000000005050000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/1300-122-0x0000000000540000-0x0000000000569000-memory.dmp
      Filesize

      164KB

      Download
    • memory/1300-124-0x00000000049F0000-0x0000000004B8C000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2556-116-0x0000000000400000-0x0000000000429000-memory.dmp
      Filesize

      164KB

      Download
    • memory/2556-117-0x0000000000970000-0x0000000000C90000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/2556-119-0x00000000007D0000-0x0000000000961000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3056-120-0x0000000006550000-0x00000000066F4000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3056-125-0x0000000006310000-0x000000000641E000-memory.dmp
      Filesize

      1.1MB

      Download