Analysis
- max time kernel: 158s
- max time network: 168s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 01-02-2022 17:50
Static task: static1
Behavioral task: behavioral1 (sample ORDER_80.exe, resource win7-en-20211208)
Behavioral task: behavioral2 (sample ORDER_80.exe, resource win10v2004-en-20220113)
The signatures, process tree and artifacts on this page are from the behavioral1 run (platform windows7_x64 above); the yara resources are prefixed behavioral1/.
General
- Target: ORDER_80.exe
- Size: 246KB
- MD5: e15ae6b598e9b227a07a09056570afd6
- SHA1: 46b5a6c316570f75be5f9732ece769547d431e39
- SHA256: 2c9c53afeadf78570137cbee063eb4446a2f2086d516b348199ed4500434c126
- SHA512: 9648aaae24b7384a12b3c165591c781c375cec2af31afa60002060d9ba81e0f4d616d50ac1e10dedd6d7c363a56ccdceb29598aac517d7dd4341b24256b93ad1
Malware Config
Extracted
- Family: xloader
- Version: 2.5
- Campaign ID: uar3
- Domains (XLoader configurations carry decoy domains alongside the live C2 and the extractor does not separate them; corroborate any domain against the run's network traffic before treating it as the C2):
sgadvocats.com
mjscannabus.com
hilldaley.com
ksdollhouse.com
hotgiftboutique.com
purebloodsmeet.com
relaunched.info
cap-glove.com
productcollection.store
fulikyy.xyz
remoteaviationjobs.com
bestcleancrystal.com
virtualorganizationpartner.com
bookgocar.com
hattuafhv.quest
makonigroup.com
officecom-myaccount.com
malgorzata-lac.com
e-learningeducators.com
hygilaur.com
kgv-lachswehr.com
salazarcomunicacion.com
robopython.com
corporateequity.online
complianceservicegroup.com
aperza-ex.com
webflowusa.com
asesoriasfinancieras.xyz
missolivesbranches.com
numiquest.com
criskconsultancy.com
gotemup.com
themaptalk.com
lakebalboahalf.com
cateringfrenchcroissant.com
paddocklakerealestate.com
lojaquerosurprezza.store
courtneywhitearmusic.com
geovannimaquinadevendas.online
pricklypairjazz.com
engagedigi.com
conduitforthespirit.com
anaheimaletrail.com
wholesalemall.store
alertsbecu.com
gestion-kayfra.com
youcanstores.com
qsuo.net
formadv.info
dihesia.xyz
carrreir.com
twenteeminuteswithtee.com
realliferenewal.com
officialprokodsukses.icu
stanfordgrouploscabos.com
maxicashpromir.xyz
zysqshjs.com
trc-clicks.com
chsclbd.com
amdproduce.net
republicoflies.com
beaux-parents.com
lucrativeapp.com
milbombas.com
alexanderplaywear.com
Signatures
-
Xloader Payload 2 IoCs
  resource                                                                     yara_rule
  behavioral1/memory/1404-56-0x0000000000400000-0x0000000000429000-memory.dmp  xloader
  behavioral1/memory/772-63-0x00000000001C0000-0x00000000001E9000-memory.dmp   xloader
Both regions are 0x29000 bytes (164KB). The first sits at 0x400000, the conventional image base of a 32-bit executable, i.e. where the image of the child ORDER_80.exe (PID 1404) was mapped before it was hollowed; the second is a separately allocated region of the same size inside wscript.exe (PID 772), consistent with the same unpacked payload having been moved there.
-
Executes dropped EXE 2 IoCs
  pid   process
  1020  vgarfcx.exe
  1424  vgarfcx.exe
-
Deletes itself 1 IoCs
  pid   process
  1624  cmd.exe
-
Loads dropped DLL 2 IoCs
  pid   process
  1664  ORDER_80.exe
  1020  vgarfcx.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
  description      ioc                                                                                                                                    process
  Key created      \Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run                                                           wscript.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\YHR8DFW0V = "C:\\Program Files (x86)\\Nsfv\\vgarfcx.exe"  wscript.exe
The key lands under Wow6432Node because the writer is the 32-bit C:\Windows\SysWOW64\wscript.exe. The value name (YHR8DFW0V) and folder name (Nsfv) are specific to this sample, so a detection that survives the next build keys on a script host writing an HKLM Run value, or on a Run value pointing at an unknown binary in a Program Files subfolder, rather than on these literal strings.
-
Suspicious use of SetThreadContext 4 IoCs
  source PID  source process  target PID  target process
  1664        ORDER_80.exe    1404        ORDER_80.exe
  1404        ORDER_80.exe    1220        Explorer.EXE
  772         wscript.exe     1220        Explorer.EXE
  1020        vgarfcx.exe     1424        vgarfcx.exe
The two same-image pairs (1664 -> 1404, 1020 -> 1424) each coincide with seven WriteProcessMemory hits below, which is the process-hollowing sequence: start a copy of the same image, write the payload into it, redirect its main thread. The two entries targeting Explorer.EXE (1220) have no WriteProcessMemory counterpart but coincide with the MapViewOfSection hits from the same PIDs (1404 x3, 772 x4), so the code reached Explorer by mapping a section rather than by direct memory writes.
-
Drops file in Program Files directory 2 IoCs
  description                   ioc                                      process
  File opened for modification  C:\Program Files (x86)\Nsfv\vgarfcx.exe  wscript.exe
  File created                  C:\Program Files (x86)\Nsfv\vgarfcx.exe  Explorer.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox attaches the generic note "likely ransomware behaviour" to this rule; for this sample, whose payload is the XLoader stealer, drive enumeration on its own is not evidence of ransomware.
-
NSIS installer 6 IoCs
  resource                                 yara_rule
  C:\Program Files (x86)\Nsfv\vgarfcx.exe  nsis_installer_1 (3 hits)
  C:\Program Files (x86)\Nsfv\vgarfcx.exe  nsis_installer_2 (3 hits)
The dropped copy (and therefore the sample, which has the same hashes) is an NSIS-built installer stub; that also accounts for the plugin DLL extracted under the nsj2A4D.tmp and nso38DE.tmp directories listed in Downloads.
-
Modifies Internet Explorer settings 1 IoCs
  description  ioc                                                                                                                       process
  Key created  \Registry\User\S-1-5-21-3846991908-3261386348-1409841751-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2  wscript.exe
IntelliForms\Storage2 is where Internet Explorer keeps AutoComplete form entries and saved web-form credentials; the injected wscript.exe opening it fits the "Reads user/profile data of web browsers" signature above.
-
Suspicious behavior: EnumeratesProcesses 28 IoCs
  pid   process       hits
  1404  ORDER_80.exe  2
  772   wscript.exe   25
  1424  vgarfcx.exe   1
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  pid   process
  1220  Explorer.EXE
-
Suspicious behavior: MapViewOfSection 7 IoCs
  pid   process       hits
  1404  ORDER_80.exe  3
  772   wscript.exe   4
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
  description              pid   process
  Token: SeDebugPrivilege  1404  ORDER_80.exe
  Token: SeDebugPrivilege  772   wscript.exe
  Token: SeDebugPrivilege  1424  vgarfcx.exe
SeDebugPrivilege is enabled in exactly the three processes that host the payload (the hollowed ORDER_80.exe, wscript.exe and the hollowed vgarfcx.exe copy); it lets a process open handles to processes it would otherwise be denied.
-
Suspicious use of FindShellTrayWindow 2 IoCs
  pid   process
  1220  Explorer.EXE (2 hits)
-
Suspicious use of SendNotifyMessage 2 IoCs
  pid   process
  1220  Explorer.EXE (2 hits)
-
Suspicious use of WriteProcessMemory 31 IoCs
  source PID  source process  target PID  target process  hits
  1664        ORDER_80.exe    1404        ORDER_80.exe    7
  1220        Explorer.EXE    772         wscript.exe     4
  772         wscript.exe     1624        cmd.exe         4
  772         wscript.exe     1964        Firefox.exe     5
  1220        Explorer.EXE    1020        vgarfcx.exe     4
  1020        vgarfcx.exe     1424        vgarfcx.exe     7
The four-hit entries are each a parent writing into a child it has just created (Explorer -> wscript.exe, Explorer -> vgarfcx.exe, wscript.exe -> cmd.exe), which process creation does on its own. The seven-hit entries pair with the SetThreadContext hits above. Firefox.exe (1964) receives a fifth write, listed last in the original table after the vgarfcx.exe activity, which does not fit the creation pattern.
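Added example, not part of the sandbox output: the Python below parses the SetThreadContext, WriteProcessMemory and MapViewOfSection tables exactly as the page prints them, folds them into per-edge counts and walks the injection chain from the sample's root PID (1664), labelling each hop by the API mix that supports it. The input strings are copied from this page with the same per-edge counts; the labels are this example's reading of those counts, not a sandbox verdict.

```python
import re
from collections import Counter, defaultdict

# Constructed input: the three flattened signature tables from this report.
# Repetition counts per edge are the same as on the page; ordering inside a table is not used.
SET_THREAD_CONTEXT = (
    "PID 1664 set thread context of 1404 1664 ORDER_80.exe ORDER_80.exe "
    "PID 1404 set thread context of 1220 1404 ORDER_80.exe Explorer.EXE "
    "PID 772 set thread context of 1220 772 wscript.exe Explorer.EXE "
    "PID 1020 set thread context of 1424 1020 vgarfcx.exe vgarfcx.exe"
)
WRITE_PROCESS_MEMORY = (
    "PID 1664 wrote to memory of 1404 1664 ORDER_80.exe ORDER_80.exe " * 7
    + "PID 1220 wrote to memory of 772 1220 Explorer.EXE wscript.exe " * 4
    + "PID 772 wrote to memory of 1624 772 wscript.exe cmd.exe " * 4
    + "PID 772 wrote to memory of 1964 772 wscript.exe Firefox.exe " * 5
    + "PID 1220 wrote to memory of 1020 1220 Explorer.EXE vgarfcx.exe " * 4
    + "PID 1020 wrote to memory of 1424 1020 vgarfcx.exe vgarfcx.exe " * 7
)
MAP_VIEW_OF_SECTION = "1404 ORDER_80.exe " * 3 + "772 wscript.exe " * 4

# One sandbox row: "PID <src> <verb> <dst> <src again> <src image> <dst image>"
EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<verb>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) \d+ (?P<src_img>\S+) (?P<dst_img>\S+)"
)


def injection_edges(ctx_text, wpm_text):
    """Fold both tables into one map keyed by (source PID, target PID)."""
    edges = {}
    for m in list(EVENT_RE.finditer(ctx_text)) + list(EVENT_RE.finditer(wpm_text)):
        key = (int(m["src"]), int(m["dst"]))
        e = edges.setdefault(key, {"src": m["src_img"], "dst": m["dst_img"], "writes": 0, "ctx": False})
        if m["verb"].startswith("wrote"):
            e["writes"] += 1
        else:
            e["ctx"] = True
    return edges


def mapview_counts(text):
    """Per-PID count of MapViewOfSection hits (the sandbox prints one 'pid process' pair per hit)."""
    return Counter(int(pid) for pid, _ in re.findall(r"(\d+) (\S+)", text))


def classify(src_pid, edge, mapviews):
    """Name the injection pattern the API mix on one edge is consistent with."""
    same_image = edge["src"].lower() == edge["dst"].lower()
    if edge["ctx"] and edge["writes"] and same_image:
        return f"process hollowing: self-spawned child, {edge['writes']} writes, SetThreadContext"
    if edge["ctx"] and not edge["writes"] and mapviews.get(src_pid):
        return (f"section mapping ({mapviews[src_pid]} MapViewOfSection hits) + SetThreadContext, "
                "no WriteProcessMemory")
    if edge["ctx"]:
        return "SetThreadContext" + (f" after {edge['writes']} writes" if edge["writes"] else " only")
    return f"{edge['writes']} writes only (matches a parent writing startup data into a child it just created)"


def chain(edges, mapviews, root):
    """Walk the edges breadth-first from the sample's root PID and describe every hop."""
    by_src = defaultdict(list)
    for (s, d), e in edges.items():
        by_src[s].append((d, e))
    seen, queue, hops = {root}, [root], []
    while queue:
        s = queue.pop(0)
        for d, e in sorted(by_src[s], key=lambda x: x[0]):
            hops.append(f"{s} {e['src']} -> {d} {e['dst']}: {classify(s, e, mapviews)}")
            if d not in seen:
                seen.add(d)
                queue.append(d)
    return hops


if __name__ == "__main__":
    for hop in chain(injection_edges(SET_THREAD_CONTEXT, WRITE_PROCESS_MEMORY),
                     mapview_counts(MAP_VIEW_OF_SECTION), root=1664):
        print(hop)
```

Running it prints eight hops: the two hollowing edges (1664 -> 1404 and 1020 -> 1424), the two section-mapping edges into Explorer.EXE (1220), and four writes-only edges of which three have the four-hit count of ordinary process creation. The same parser works on any report in this layout; only the three input strings need replacing.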
Processes
-
[1] C:\Windows\Explorer.EXE (PID 1220)
    Command line: C:\Windows\Explorer.EXE
    - Drops file in Program Files directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\ORDER_80.exe (PID 1664)
      Command line: "C:\Users\Admin\AppData\Local\Temp\ORDER_80.exe"
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\ORDER_80.exe (PID 1404)
        Command line: "C:\Users\Admin\AppData\Local\Temp\ORDER_80.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\wscript.exe (PID 772)
      Command line: "C:\Windows\SysWOW64\wscript.exe"
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Drops file in Program Files directory
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe (PID 1624)
        Command line: /c del "C:\Users\Admin\AppData\Local\Temp\ORDER_80.exe"
        - Deletes itself
    [3] C:\Program Files\Mozilla Firefox\Firefox.exe (PID 1964)
        Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
  [2] C:\Program Files (x86)\Nsfv\vgarfcx.exe (PID 1020)
      Command line: "C:\Program Files (x86)\Nsfv\vgarfcx.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
    [3] C:\Program Files (x86)\Nsfv\vgarfcx.exe (PID 1424)
        Command line: "C:\Program Files (x86)\Nsfv\vgarfcx.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Bracketed numbers are the tree depths from the original page; PIDs are taken from the Signatures tables. wscript.exe is started with no script argument, and it and the second-stage vgarfcx.exe are both children of the same Explorer.EXE (1220) that the hollowed ORDER_80.exe (1404) targeted with SetThreadContext and MapViewOfSection. wscript.exe then deletes the original sample (cmd.exe /c del), writes into Firefox.exe and installs the Run key.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Program Files (x86)\Nsfv\vgarfcx.exe (recorded three times with identical hashes; listed once)
  MD5     e15ae6b598e9b227a07a09056570afd6
  SHA1    46b5a6c316570f75be5f9732ece769547d431e39
  SHA256  2c9c53afeadf78570137cbee063eb4446a2f2086d516b348199ed4500434c126
  SHA512  9648aaae24b7384a12b3c165591c781c375cec2af31afa60002060d9ba81e0f4d616d50ac1e10dedd6d7c363a56ccdceb29598aac517d7dd4341b24256b93ad1
These are the hashes of the submitted ORDER_80.exe (see General): the persistence binary is a byte-for-byte copy of the sample, so a file-hash indicator for the sample covers it as well.
-
C:\Users\Admin\AppData\Local\Temp\a6ylm05jo4gf0gajx6
  MD5     d41d8cd98f00b204e9800998ecf8427e
  SHA1    da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512  cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
These are the digests of zero-length input: the file was created but nothing was written to it during the run.
-
C:\Users\Admin\AppData\Local\Temp\opqjvu
  MD5     16b81501018934a97e3641de6ebf3a7c
  SHA1    5a8f8458587bf029269fb2ac7734ae8ad0d2d202
  SHA256  16b455bbbaef0c37b70e952628559c898a3b351c0a1e74e6fd8a88b384972182
  SHA512  779761b156802289500d89b77fa703161a24d0dcafc7632b161e78e351f5e530faa7d723be77dbfc0be998dd1cbd839817588c7fe9dc6e9f430ef571a7581294
-
\Users\Admin\AppData\Local\Temp\nsj2A4D.tmp\kkixhqk.dll
  MD5     3c5d78d7038df7b38383c988ceebe3aa
  SHA1    20a6f418fb9650f54eaf3d1c6a63b7240684e4ed
  SHA256  8bd3f637d66238b9fb72b7c78b38e8b72d81d85912ec9cf9d8166d5a42946317
  SHA512  f819eaca443d595ff6ae171dfb17a7def3d16a7b8907d8636b0aa2dba7f0b044b6a67f01944a44f8df19d02cb07a6b931ebe1ce889de19ae0b3189826a6e0103
-
\Users\Admin\AppData\Local\Temp\nso38DE.tmp\kkixhqk.dll
  MD5     3c5d78d7038df7b38383c988ceebe3aa
  SHA1    20a6f418fb9650f54eaf3d1c6a63b7240684e4ed
  SHA256  8bd3f637d66238b9fb72b7c78b38e8b72d81d85912ec9cf9d8166d5a42946317
  SHA512  f819eaca443d595ff6ae171dfb17a7def3d16a7b8907d8636b0aa2dba7f0b044b6a67f01944a44f8df19d02cb07a6b931ebe1ce889de19ae0b3189826a6e0103
The same kkixhqk.dll appears under two NSIS temporary directories, one per run of the installer stub, matching the two processes under "Loads dropped DLL" (1664 ORDER_80.exe and 1020 vgarfcx.exe).
-
Memory dumps (name encodes PID-index-start-end)
  memory/772-62-0x0000000000040000-0x0000000000066000-memory.dmp    152KB
  memory/772-64-0x0000000001ED0000-0x00000000021D3000-memory.dmp    3.0MB
  memory/772-65-0x0000000001D50000-0x0000000001DE0000-memory.dmp    576KB
  memory/772-63-0x00000000001C0000-0x00000000001E9000-memory.dmp    164KB  (xloader yara hit)
  memory/1220-66-0x0000000006CE0000-0x0000000006DCE000-memory.dmp   952KB
  memory/1220-61-0x0000000004EE0000-0x000000000507B000-memory.dmp   1.6MB
  memory/1404-59-0x0000000000850000-0x0000000000B53000-memory.dmp   3.0MB
  memory/1404-60-0x00000000002C0000-0x00000000002D1000-memory.dmp   68KB
  memory/1404-56-0x0000000000400000-0x0000000000429000-memory.dmp   164KB  (xloader yara hit)
  memory/1424-76-0x0000000000930000-0x0000000000C33000-memory.dmp   3.0MB
  memory/1664-54-0x00000000754B1000-0x00000000754B3000-memory.dmp   8KB
  memory/1664-57-0x00000000005C0000-0x00000000005C2000-memory.dmp   8KB
The two 164KB regions are the ones the xloader rule matched under Signatures. A 3.0MB (0x303000-byte) region appears in each of the three processes that carry the payload (1404, 772, 1424); the report does not characterise it, but a same-sized allocation recurring in every payload host is worth dumping alongside the tagged regions.
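Added example, not part of the sandbox output: a Python triage of the dropped-file hashes and memory-dump names listed above. The dump names encode PID, sequence index and the region's start and end addresses, so the byte size can be recomputed and checked against the printed label, and regions of one size can be matched across processes; the file hashes are compared against the sample's SHA256 and against the digest of empty input. Inputs are copied from this page; the NSIS temp-directory pattern (ns + letter + four hex digits + .tmp) is this example's generalisation of the two paths listed.

```python
import hashlib
import re
from collections import defaultdict

# Constructed input: Downloads entries (path -> SHA256) and the memory-dump list
# (name, size label) copied from this report.
SAMPLE_SHA256 = "2c9c53afeadf78570137cbee063eb4446a2f2086d516b348199ed4500434c126"
DROPPED = {
    r"C:\Program Files (x86)\Nsfv\vgarfcx.exe":
        "2c9c53afeadf78570137cbee063eb4446a2f2086d516b348199ed4500434c126",
    r"C:\Users\Admin\AppData\Local\Temp\a6ylm05jo4gf0gajx6":
        "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    r"C:\Users\Admin\AppData\Local\Temp\opqjvu":
        "16b455bbbaef0c37b70e952628559c898a3b351c0a1e74e6fd8a88b384972182",
    r"\Users\Admin\AppData\Local\Temp\nsj2A4D.tmp\kkixhqk.dll":
        "8bd3f637d66238b9fb72b7c78b38e8b72d81d85912ec9cf9d8166d5a42946317",
    r"\Users\Admin\AppData\Local\Temp\nso38DE.tmp\kkixhqk.dll":
        "8bd3f637d66238b9fb72b7c78b38e8b72d81d85912ec9cf9d8166d5a42946317",
}
DUMPS = [
    ("memory/772-62-0x0000000000040000-0x0000000000066000-memory.dmp", "152KB"),
    ("memory/772-64-0x0000000001ED0000-0x00000000021D3000-memory.dmp", "3.0MB"),
    ("memory/772-65-0x0000000001D50000-0x0000000001DE0000-memory.dmp", "576KB"),
    ("memory/772-63-0x00000000001C0000-0x00000000001E9000-memory.dmp", "164KB"),
    ("memory/1220-66-0x0000000006CE0000-0x0000000006DCE000-memory.dmp", "952KB"),
    ("memory/1220-61-0x0000000004EE0000-0x000000000507B000-memory.dmp", "1.6MB"),
    ("memory/1404-59-0x0000000000850000-0x0000000000B53000-memory.dmp", "3.0MB"),
    ("memory/1404-60-0x00000000002C0000-0x00000000002D1000-memory.dmp", "68KB"),
    ("memory/1404-56-0x0000000000400000-0x0000000000429000-memory.dmp", "164KB"),
    ("memory/1424-76-0x0000000000930000-0x0000000000C33000-memory.dmp", "3.0MB"),
    ("memory/1664-54-0x00000000754B1000-0x00000000754B3000-memory.dmp", "8KB"),
    ("memory/1664-57-0x00000000005C0000-0x00000000005C2000-memory.dmp", "8KB"),
]

EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()
# Assumed pattern for NSIS plugin directories, generalised from nsj2A4D.tmp and nso38DE.tmp.
NSIS_TMP_RE = re.compile(r"\\ns[a-z][0-9a-f]{4}\.tmp\\", re.IGNORECASE)
DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")


def classify_dropped(path, sha256, sample_sha256=SAMPLE_SHA256):
    """Tags for one dropped file, derived from its hash and path alone."""
    tags = []
    if sha256 == sample_sha256:
        tags.append("byte-identical copy of the sample")
    if sha256 == EMPTY_SHA256:
        tags.append("zero-byte file")
    if NSIS_TMP_RE.search(path):
        tags.append("NSIS plugin temp directory")
    return tags


def dump_info(name):
    """Split a dump name into pid, sequence index, start/end address and byte size."""
    pid, idx, start, end = DUMP_RE.fullmatch(name).groups()
    start, end = int(start, 16), int(end, 16)
    return {"pid": int(pid), "index": int(idx), "start": start, "end": end, "size": end - start}


def human_size(n):
    """Reproduce the report's size labels: whole KiB below 1 MiB, one decimal of MiB above."""
    return f"{n / 2**20:.1f}MB" if n >= 2**20 else f"{n // 1024}KB"


def label_mismatches(dumps):
    """Dump names whose address range does not agree with the size label printed beside them."""
    return [name for name, label in dumps if human_size(dump_info(name)["size"]) != label]


def sizes_shared_across_pids(dumps):
    """Region sizes that recur in two or more different processes, mapped to the sorted PIDs."""
    by_size = defaultdict(set)
    for name, _ in dumps:
        info = dump_info(name)
        by_size[info["size"]].add(info["pid"])
    return {size: sorted(pids) for size, pids in by_size.items() if len(pids) > 1}


if __name__ == "__main__":
    for path, digest in DROPPED.items():
        print(path, classify_dropped(path, digest))
    print("label mismatches:", label_mismatches(DUMPS))
    for size, pids in sizes_shared_across_pids(DUMPS).items():
        print(f"0x{size:X} ({human_size(size)}) in PIDs {pids}")
```

On this page's data every size label agrees with its address range, vgarfcx.exe is tagged as a copy of the sample, a6ylm05jo4gf0gajx6 as zero bytes, both kkixhqk.dll paths as NSIS plugin directories, and two sizes recur across processes: 0x29000 (the yara-tagged payload, PIDs 772 and 1404) and 0x303000 (PIDs 772, 1404 and 1424).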