Analysis
- max time kernel: 159s
- max time network: 156s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 27-01-2022 06:37
- Static task: static1
- Behavioral task: behavioral1
- Sample: Order-8011964-pdf.exe
- Resource: win7-en-20211208
General
- Target: Order-8011964-pdf.exe
- Size: 246KB
- MD5: e15ae6b598e9b227a07a09056570afd6
- SHA1: 46b5a6c316570f75be5f9732ece769547d431e39
- SHA256: 2c9c53afeadf78570137cbee063eb4446a2f2086d516b348199ed4500434c126
- SHA512: 9648aaae24b7384a12b3c165591c781c375cec2af31afa60002060d9ba81e0f4d616d50ac1e10dedd6d7c363a56ccdceb29598aac517d7dd4341b24256b93ad1
Malware Config
Extracted
xloader
2.5
uar3
Signatures
-
Xloader Payload 2 IoCs
Processes:
resource | yara_rule
behavioral2/memory/3520-118-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
behavioral2/memory/3584-124-0x0000000000B10000-0x0000000000B39000-memory.dmp | xloader
Loads dropped DLL 1 IoCs
Processes:
pid | process
2664 | Order-8011964-pdf.exe
Suspicious use of SetThreadContext 3 IoCs
Processes:
description | pid | process | target process
PID 2664 set thread context of 3520 | 2664 | Order-8011964-pdf.exe | Order-8011964-pdf.exe
PID 3520 set thread context of 3064 | 3520 | Order-8011964-pdf.exe | Explorer.EXE
PID 3584 set thread context of 3064 | 3584 | explorer.exe | Explorer.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 62 IoCs
Processes:
pid | process
3520 | Order-8011964-pdf.exe
3520 | Order-8011964-pdf.exe
3520 | Order-8011964-pdf.exe
3520 | Order-8011964-pdf.exe
3584 | explorer.exe
3584 | explorer.exe
3584 | explorer.exe
3584 | explorer.exe
3584 | explorer.exe
3584 | explorer.exe
3584 | explorer.exe
3584 | explorer.exe
3584 | explorer.exe
3584 | explorer.exe
3584 | explorer.exe
3584 | explorer.exe
3584 | explorer.exe
3584 | explorer.exe
3584 | explorer.exe
3584 | explorer.exe
3584 | explorer.exe
3584 | explorer.exe
3584 | explorer.exe
3584 | explorer.exe
3584 | explorer.exe
3584 | explorer.exe
3584 | explorer.exe
3584 | explorer.exe
3584 | explorer.exe
3584 | explorer.exe
3584 | explorer.exe
3584 | explorer.exe
3584 | explorer.exe
3584 | explorer.exe
3584 | explorer.exe
3584 | explorer.exe
3584 | explorer.exe
3584 | explorer.exe
3584 | explorer.exe
3584 | explorer.exe
3584 | explorer.exe
3584 | explorer.exe
3584 | explorer.exe
3584 | explorer.exe
3584 | explorer.exe
3584 | explorer.exe
3584 | explorer.exe
3584 | explorer.exe
3584 | explorer.exe
3584 | explorer.exe
3584 | explorer.exe
3584 | explorer.exe
3584 | explorer.exe
3584 | explorer.exe
3584 | explorer.exe
3584 | explorer.exe
3584 | explorer.exe
3584 | explorer.exe
3584 | explorer.exe
3584 | explorer.exe
3584 | explorer.exe
3584 | explorer.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
3064 | Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
pid | process
3520 | Order-8011964-pdf.exe
3520 | Order-8011964-pdf.exe
3520 | Order-8011964-pdf.exe
3584 | explorer.exe
3584 | explorer.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 3520 | Order-8011964-pdf.exe
Token: SeDebugPrivilege | 3584 | explorer.exe
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description | pid | process | target process
PID 2664 wrote to memory of 3520 | 2664 | Order-8011964-pdf.exe | Order-8011964-pdf.exe
PID 2664 wrote to memory of 3520 | 2664 | Order-8011964-pdf.exe | Order-8011964-pdf.exe
PID 2664 wrote to memory of 3520 | 2664 | Order-8011964-pdf.exe | Order-8011964-pdf.exe
PID 2664 wrote to memory of 3520 | 2664 | Order-8011964-pdf.exe | Order-8011964-pdf.exe
PID 2664 wrote to memory of 3520 | 2664 | Order-8011964-pdf.exe | Order-8011964-pdf.exe
PID 2664 wrote to memory of 3520 | 2664 | Order-8011964-pdf.exe | Order-8011964-pdf.exe
PID 3064 wrote to memory of 3584 | 3064 | Explorer.EXE | explorer.exe
PID 3064 wrote to memory of 3584 | 3064 | Explorer.EXE | explorer.exe
PID 3064 wrote to memory of 3584 | 3064 | Explorer.EXE | explorer.exe
PID 3584 wrote to memory of 1352 | 3584 | explorer.exe | cmd.exe
PID 3584 wrote to memory of 1352 | 3584 | explorer.exe | cmd.exe
PID 3584 wrote to memory of 1352 | 3584 | explorer.exe | cmd.exe
Processes
-
Level 1: C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
Level 2: C:\Users\Admin\AppData\Local\Temp\Order-8011964-pdf.exe (command line: "C:\Users\Admin\AppData\Local\Temp\Order-8011964-pdf.exe")
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
Level 3: C:\Users\Admin\AppData\Local\Temp\Order-8011964-pdf.exe (command line: "C:\Users\Admin\AppData\Local\Temp\Order-8011964-pdf.exe")
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
Level 2: C:\Windows\SysWOW64\explorer.exe (command line: "C:\Windows\SysWOW64\explorer.exe")
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
Level 3: C:\Windows\SysWOW64\cmd.exe (command line: /c del "C:\Users\Admin\AppData\Local\Temp\Order-8011964-pdf.exe")
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\nspD091.tmp\kkixhqk.dll
  MD5: 3c5d78d7038df7b38383c988ceebe3aa
  SHA1: 20a6f418fb9650f54eaf3d1c6a63b7240684e4ed
  SHA256: 8bd3f637d66238b9fb72b7c78b38e8b72d81d85912ec9cf9d8166d5a42946317
  SHA512: f819eaca443d595ff6ae171dfb17a7def3d16a7b8907d8636b0aa2dba7f0b044b6a67f01944a44f8df19d02cb07a6b931ebe1ce889de19ae0b3189826a6e0103
- memory/3064-122-0x00000000067F0000-0x000000000694E000-memory.dmp (filesize: 1.4MB)
- memory/3064-127-0x0000000002710000-0x00000000027B7000-memory.dmp (filesize: 668KB)
- memory/3520-118-0x0000000000400000-0x0000000000429000-memory.dmp (filesize: 164KB)
- memory/3520-120-0x0000000000A50000-0x0000000000D70000-memory.dmp (filesize: 3.1MB)
- memory/3520-121-0x00000000004B0000-0x000000000055E000-memory.dmp (filesize: 696KB)
- memory/3584-123-0x0000000000CD0000-0x000000000110F000-memory.dmp (filesize: 4.2MB)
- memory/3584-124-0x0000000000B10000-0x0000000000B39000-memory.dmp (filesize: 164KB)
- memory/3584-125-0x00000000051B0000-0x00000000054D0000-memory.dmp (filesize: 3.1MB)
- memory/3584-126-0x0000000004E80000-0x0000000005010000-memory.dmp (filesize: 1.6MB)