Analysis
- max time kernel: 152s
- max time network: 151s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 25-01-2022 07:53
Static task: static1
Behavioral task: behavioral1
- Sample: Order-EM7110509-pdf.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: Order-EM7110509-pdf.exe
- Resource: win10-en-20211208
General
- Target: Order-EM7110509-pdf.exe
- Size: 247KB
- MD5: 6965c35c75220ac5a5d4f3ab46cf4363
- SHA1: e4691bf844e64f3f05dda96ab50f8875979f65d6
- SHA256: fb45dfc26c736d67a8c409194b6f0e503a4519be42dfd1eaa7b7efb026d7c512
- SHA512: 638c27f985560c0f9e7021cffd44a5c586f1c4a73d86c655e157d9167a6703d26961c2f6508c6a9aa850868042483b6878e97d644b9f0c7dcbd88e08076057b4
Malware Config
Extracted
xloader
2.5
uar3
Signatures
-
Xloader Payload 3 IoCs
resource | yara_rule
behavioral2/memory/2756-116-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
behavioral2/memory/1152-123-0x0000000002510000-0x0000000002539000-memory.dmp | xloader
behavioral2/memory/1152-125-0x00000000042E0000-0x000000000446E000-memory.dmp | xloader
Adds policy Run key to start application 2 TTPs 2 IoCs
Processes: cscript.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | cscript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\LJTPX = "C:\\Program Files (x86)\\Ei6gt\\1bzxohsh0nuhzlx.exe" | cscript.exe
Loads dropped DLL 1 IoCs
Processes: Order-EM7110509-pdf.exe
pid | process
3064 | Order-EM7110509-pdf.exe
Suspicious use of SetThreadContext 3 IoCs
Processes: Order-EM7110509-pdf.exe, cscript.exe
description | pid | process | target process
PID 3064 set thread context of 2756 | 3064 | Order-EM7110509-pdf.exe | Order-EM7110509-pdf.exe
PID 2756 set thread context of 3056 | 2756 | Order-EM7110509-pdf.exe | Explorer.EXE
PID 1152 set thread context of 3056 | 1152 | cscript.exe | Explorer.EXE
Drops file in Program Files directory 1 IoCs
Processes: cscript.exe
description | ioc | process
File opened for modification | C:\Program Files (x86)\Ei6gt\1bzxohsh0nuhzlx.exe | cscript.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies Internet Explorer settings
Processes: cscript.exe
description | ioc | process
Key created | \Registry\User\S-1-5-21-2361464256-2201551969-2316606395-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | cscript.exe
Suspicious behavior: EnumeratesProcesses 58 IoCs
Processes: Order-EM7110509-pdf.exe, cscript.exe
pid | process
2756 | Order-EM7110509-pdf.exe (4 entries)
1152 | cscript.exe (54 entries)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: Explorer.EXE
pid | process
3056 | Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs
Processes: Order-EM7110509-pdf.exe, cscript.exe
pid | process
2756 | Order-EM7110509-pdf.exe (3 entries)
1152 | cscript.exe (2 entries)
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: Order-EM7110509-pdf.exe, cscript.exe
description | pid | process
Token: SeDebugPrivilege | 2756 | Order-EM7110509-pdf.exe
Token: SeDebugPrivilege | 1152 | cscript.exe
Suspicious use of WriteProcessMemory 12 IoCs
Processes: Order-EM7110509-pdf.exe, Explorer.EXE, cscript.exe
description | pid | process | target process
PID 3064 wrote to memory of 2756 | 3064 | Order-EM7110509-pdf.exe | Order-EM7110509-pdf.exe (6 entries)
PID 3056 wrote to memory of 1152 | 3056 | Explorer.EXE | cscript.exe (3 entries)
PID 1152 wrote to memory of 3996 | 1152 | cscript.exe | cmd.exe (3 entries)
System policy modification 1 TTPs 1 IoCs
Processes: cscript.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | cscript.exe
Processes
-
C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\Order-EM7110509-pdf.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Order-EM7110509-pdf.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\Order-EM7110509-pdf.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Order-EM7110509-pdf.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cscript.exe
    Command line: "C:\Windows\SysWOW64\cscript.exe"
    - Adds policy Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\Order-EM7110509-pdf.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\nsg446A.tmp\xaiwentf.dll
  MD5: f954dce0a97de1d591dd5bfa6af38a40
  SHA1: d69d81388d6b2e369d92de51ee01435e5d704c55
  SHA256: 556052a3dd28babc05a47ff3139ecbc56cc491748ecf23d2a7b9075e76220fd1
  SHA512: cff07fee10090c3d2b376e9b616e43b835c8c066bf8efbcee5cc95a38fd026dede27241abb7885965c475a4f30b9af11b15b8747d5e7c2d8c860152125671eec
- memory/1152-122-0x0000000000170000-0x0000000000197000-memory.dmp (Filesize: 156KB)
- memory/1152-123-0x0000000002510000-0x0000000002539000-memory.dmp (Filesize: 164KB)
- memory/1152-124-0x0000000004610000-0x0000000004930000-memory.dmp (Filesize: 3.1MB)
- memory/1152-125-0x00000000042E0000-0x000000000446E000-memory.dmp (Filesize: 1.6MB)
- memory/2756-116-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize: 164KB)
- memory/2756-119-0x0000000000AF0000-0x0000000000E10000-memory.dmp (Filesize: 3.1MB)
- memory/2756-120-0x0000000000950000-0x0000000000AEC000-memory.dmp (Filesize: 1.6MB)
- memory/3056-121-0x0000000005F80000-0x0000000006050000-memory.dmp (Filesize: 832KB)
- memory/3056-126-0x0000000006550000-0x00000000066BA000-memory.dmp (Filesize: 1.4MB)
- memory/3064-117-0x00000000007B0000-0x00000000007B4000-memory.dmp (Filesize: 16KB)