Analysis
- max time kernel: 151s
- max time network: 139s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 29-01-2022 09:58
- Static task: static1
- Behavioral task: behavioral1
- Sample: ORDER_EM.exe
- Resource: win7-en-20211208
General
- Target: ORDER_EM.exe
- Size: 247KB
- MD5: 6965c35c75220ac5a5d4f3ab46cf4363
- SHA1: e4691bf844e64f3f05dda96ab50f8875979f65d6
- SHA256: fb45dfc26c736d67a8c409194b6f0e503a4519be42dfd1eaa7b7efb026d7c512
- SHA512: 638c27f985560c0f9e7021cffd44a5c586f1c4a73d86c655e157d9167a6703d26961c2f6508c6a9aa850868042483b6878e97d644b9f0c7dcbd88e08076057b4
Malware Config
Extracted
- Family: xloader
- Version: 2.5
- uar3
Signatures

Xloader Payload 2 IoCs
resource | yara_rule
behavioral2/memory/2896-116-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
behavioral2/memory/3300-123-0x0000000000450000-0x0000000000479000-memory.dmp | xloader
Adds policy Run key to start application 2 TTPs 2 IoCs
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | cmmon32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\YPCHBNIX7 = "C:\\Program Files (x86)\\Usz7\\yvt0sdcdetqp.exe" | cmmon32.exe
Executes dropped EXE 2 IoCs
pid | process
3228 | yvt0sdcdetqp.exe
2960 | yvt0sdcdetqp.exe
Loads dropped DLL 2 IoCs
pid | process
2544 | ORDER_EM.exe
3228 | yvt0sdcdetqp.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Suspicious use of SetThreadContext 4 IoCs
description | pid | process | target process
PID 2544 set thread context of 2896 | 2544 | ORDER_EM.exe | ORDER_EM.exe
PID 2896 set thread context of 2364 | 2896 | ORDER_EM.exe | Explorer.EXE
PID 3300 set thread context of 2364 | 3300 | cmmon32.exe | Explorer.EXE
PID 3228 set thread context of 2960 | 3228 | yvt0sdcdetqp.exe | yvt0sdcdetqp.exe
Drops file in Program Files directory 4 IoCs
description | ioc | process
File opened for modification | C:\Program Files (x86)\Usz7\yvt0sdcdetqp.exe | cmmon32.exe
File opened for modification | C:\Program Files (x86)\Usz7 | Explorer.EXE
File created | C:\Program Files (x86)\Usz7\yvt0sdcdetqp.exe | Explorer.EXE
File opened for modification | C:\Program Files (x86)\Usz7\yvt0sdcdetqp.exe | Explorer.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
NSIS installer 6 IoCs
resource | yara_rule
C:\Program Files (x86)\Usz7\yvt0sdcdetqp.exe | nsis_installer_1
C:\Program Files (x86)\Usz7\yvt0sdcdetqp.exe | nsis_installer_2
C:\Program Files (x86)\Usz7\yvt0sdcdetqp.exe | nsis_installer_1
C:\Program Files (x86)\Usz7\yvt0sdcdetqp.exe | nsis_installer_2
C:\Program Files (x86)\Usz7\yvt0sdcdetqp.exe | nsis_installer_1
C:\Program Files (x86)\Usz7\yvt0sdcdetqp.exe | nsis_installer_2

Modifies Internet Explorer settings 1 IoCs
description | ioc | process
Key created | \Registry\User\S-1-5-21-2361464256-2201551969-2316606395-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | cmmon32.exe
Suspicious behavior: EnumeratesProcesses 60 IoCs
pid | process | entries
2896 | ORDER_EM.exe | 4
3300 | cmmon32.exe | 50
2960 | yvt0sdcdetqp.exe | 2
3300 | cmmon32.exe | 4
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | process
2364 | Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs
pid | process | entries
2896 | ORDER_EM.exe | 3
3300 | cmmon32.exe | 4
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | process
Token: SeDebugPrivilege | 2896 | ORDER_EM.exe
Token: SeDebugPrivilege | 3300 | cmmon32.exe
Token: SeDebugPrivilege | 2960 | yvt0sdcdetqp.exe
Suspicious use of WriteProcessMemory 27 IoCs
description | pid | process | target process | entries
PID 2544 wrote to memory of 2896 | 2544 | ORDER_EM.exe | ORDER_EM.exe | 6
PID 2364 wrote to memory of 3300 | 2364 | Explorer.EXE | cmmon32.exe | 3
PID 3300 wrote to memory of 3496 | 3300 | cmmon32.exe | cmd.exe | 3
PID 3300 wrote to memory of 1292 | 3300 | cmmon32.exe | cmd.exe | 3
PID 3300 wrote to memory of 396 | 3300 | cmmon32.exe | Firefox.exe | 2
PID 2364 wrote to memory of 3228 | 2364 | Explorer.EXE | yvt0sdcdetqp.exe | 3
PID 3228 wrote to memory of 2960 | 3228 | yvt0sdcdetqp.exe | yvt0sdcdetqp.exe | 6
PID 3300 wrote to memory of 396 | 3300 | cmmon32.exe | Firefox.exe | 1
Processes

C:\Windows\Explorer.EXE (level 1)
  Command line: C:\Windows\Explorer.EXE
  - Drops file in Program Files directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\ORDER_EM.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ORDER_EM.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\ORDER_EM.exe (level 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\ORDER_EM.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\autofmt.exe (level 2)
    Command line: "C:\Windows\SysWOW64\autofmt.exe"

  C:\Windows\SysWOW64\cmmon32.exe (level 2)
    Command line: "C:\Windows\SysWOW64\cmmon32.exe"
    - Adds policy Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (level 3)
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\ORDER_EM.exe"

    C:\Windows\SysWOW64\cmd.exe (level 3)
      Command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V

    C:\Program Files\Mozilla Firefox\Firefox.exe (level 3)
      Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"

  C:\Program Files (x86)\Usz7\yvt0sdcdetqp.exe (level 2)
    Command line: "C:\Program Files (x86)\Usz7\yvt0sdcdetqp.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Usz7\yvt0sdcdetqp.exe (level 3)
      Command line: "C:\Program Files (x86)\Usz7\yvt0sdcdetqp.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Program Files (x86)\Usz7\yvt0sdcdetqp.exe
- MD5: 6965c35c75220ac5a5d4f3ab46cf4363
- SHA1: e4691bf844e64f3f05dda96ab50f8875979f65d6
- SHA256: fb45dfc26c736d67a8c409194b6f0e503a4519be42dfd1eaa7b7efb026d7c512
- SHA512: 638c27f985560c0f9e7021cffd44a5c586f1c4a73d86c655e157d9167a6703d26961c2f6508c6a9aa850868042483b6878e97d644b9f0c7dcbd88e08076057b4

C:\Users\Admin\AppData\Local\Temp\1peow9bxw5es08
- MD5: d41d8cd98f00b204e9800998ecf8427e
- SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
- SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
- SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\DB1
- MD5: b608d407fc15adea97c26936bc6f03f6
- SHA1: 953e7420801c76393902c0d6bb56148947e41571
- SHA256: b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
- SHA512: cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

C:\Users\Admin\AppData\Local\Temp\iinhhrer
- MD5: 9b0d0075cc0b9b283ab9054a1f3953c9
- SHA1: 18ee68e5231cf89d050b18ddd586e9571d20b883
- SHA256: 8045c7ea36135376dbb537dcc485ee3601da02c0d12fa803bc19f13ec4bc2d4a
- SHA512: b1c3c7cba0381092b8e371cddde33fb0317a14e919730f918ad62f97bc374056a8cafd7d262e569a36df984c737b8b5b311eb5c213a6ceae49ccc7b50975fcb1

\Users\Admin\AppData\Local\Temp\nsuE410.tmp\xaiwentf.dll
- MD5: f954dce0a97de1d591dd5bfa6af38a40
- SHA1: d69d81388d6b2e369d92de51ee01435e5d704c55
- SHA256: 556052a3dd28babc05a47ff3139ecbc56cc491748ecf23d2a7b9075e76220fd1
- SHA512: cff07fee10090c3d2b376e9b616e43b835c8c066bf8efbcee5cc95a38fd026dede27241abb7885965c475a4f30b9af11b15b8747d5e7c2d8c860152125671eec

\Users\Admin\AppData\Local\Temp\nsyCD26.tmp\xaiwentf.dll
- MD5: f954dce0a97de1d591dd5bfa6af38a40
- SHA1: d69d81388d6b2e369d92de51ee01435e5d704c55
- SHA256: 556052a3dd28babc05a47ff3139ecbc56cc491748ecf23d2a7b9075e76220fd1
- SHA512: cff07fee10090c3d2b376e9b616e43b835c8c066bf8efbcee5cc95a38fd026dede27241abb7885965c475a4f30b9af11b15b8747d5e7c2d8c860152125671eec

memory/2364-121-0x0000000006670000-0x0000000006804000-memory.dmp
- Filesize: 1.6MB

memory/2364-126-0x0000000006810000-0x000000000694E000-memory.dmp
- Filesize: 1.2MB

memory/2544-117-0x0000000002150000-0x0000000002154000-memory.dmp
- Filesize: 16KB

memory/2896-120-0x0000000000970000-0x0000000000B01000-memory.dmp
- Filesize: 1.6MB

memory/2896-118-0x0000000000B10000-0x0000000000E30000-memory.dmp
- Filesize: 3.1MB

memory/2896-116-0x0000000000400000-0x0000000000429000-memory.dmp
- Filesize: 164KB

memory/2960-135-0x0000000000B00000-0x0000000000E20000-memory.dmp
- Filesize: 3.1MB

memory/3300-125-0x00000000040B0000-0x000000000424A000-memory.dmp
- Filesize: 1.6MB

memory/3300-124-0x00000000043F0000-0x0000000004710000-memory.dmp
- Filesize: 3.1MB

memory/3300-123-0x0000000000450000-0x0000000000479000-memory.dmp
- Filesize: 164KB

memory/3300-122-0x0000000000CA0000-0x0000000000CAC000-memory.dmp
- Filesize: 48KB