Overview

overview

10

Static

static

1

Order-EM71...df.exe

windows7_x64

10

Order-EM71...df.exe

windows10_x64

10

Analysis

  • max time kernel
    152s
  • max time network
    151s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    25-01-2022 07:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Order-EM7110509-pdf.exe

  • Size

    247KB

  • MD5

    6965c35c75220ac5a5d4f3ab46cf4363

  • SHA1

    e4691bf844e64f3f05dda96ab50f8875979f65d6

  • SHA256

    fb45dfc26c736d67a8c409194b6f0e503a4519be42dfd1eaa7b7efb026d7c512

  • SHA512

    638c27f985560c0f9e7021cffd44a5c586f1c4a73d86c655e157d9167a6703d26961c2f6508c6a9aa850868042483b6878e97d644b9f0c7dcbd88e08076057b4

Score
10/10
xloaderuar3loaderpersistencerat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

uar3

Decoy

sgadvocats.com

mjscannabus.com

hilldaley.com

ksdollhouse.com

hotgiftboutique.com

purebloodsmeet.com

relaunched.info

cap-glove.com

productcollection.store

fulikyy.xyz

remoteaviationjobs.com

bestcleancrystal.com

virtualorganizationpartner.com

bookgocar.com

hattuafhv.quest

makonigroup.com

officecom-myaccount.com

malgorzata-lac.com

e-learningeducators.com

hygilaur.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 3 IoCs
    rat
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 58 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:3056
    • C:\Users\Admin\AppData\Local\Temp\Order-EM7110509-pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\Order-EM7110509-pdf.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:3064
      • C:\Users\Admin\AppData\Local\Temp\Order-EM7110509-pdf.exe
        "C:\Users\Admin\AppData\Local\Temp\Order-EM7110509-pdf.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2756
    • C:\Windows\SysWOW64\cscript.exe
      "C:\Windows\SysWOW64\cscript.exe"
      2⤵
      • Adds policy Run key to start application
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1152
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\Order-EM7110509-pdf.exe"
        3⤵
          PID:3996

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    3
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • \Users\Admin\AppData\Local\Temp\nsg446A.tmp\xaiwentf.dll
      MD5

      f954dce0a97de1d591dd5bfa6af38a40

      SHA1

      d69d81388d6b2e369d92de51ee01435e5d704c55

      SHA256

      556052a3dd28babc05a47ff3139ecbc56cc491748ecf23d2a7b9075e76220fd1

      SHA512

      cff07fee10090c3d2b376e9b616e43b835c8c066bf8efbcee5cc95a38fd026dede27241abb7885965c475a4f30b9af11b15b8747d5e7c2d8c860152125671eec

      Download Submit
    • memory/1152-122-0x0000000000170000-0x0000000000197000-memory.dmp
      Filesize

      156KB

      Download
    • memory/1152-123-0x0000000002510000-0x0000000002539000-memory.dmp
      Filesize

      164KB

      Download
    • memory/1152-124-0x0000000004610000-0x0000000004930000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/1152-125-0x00000000042E0000-0x000000000446E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2756-116-0x0000000000400000-0x0000000000429000-memory.dmp
      Filesize

      164KB

      Download
    • memory/2756-119-0x0000000000AF0000-0x0000000000E10000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/2756-120-0x0000000000950000-0x0000000000AEC000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3056-121-0x0000000005F80000-0x0000000006050000-memory.dmp
      Filesize

      832KB

      Download
    • memory/3056-126-0x0000000006550000-0x00000000066BA000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/3064-117-0x00000000007B0000-0x00000000007B4000-memory.dmp
      Filesize

      16KB

      Download