Analysis
-
max time kernel
154s -
max time network
170s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
07-02-2022 08:00
Static task
static1
Behavioral task
behavioral1
Sample
Order-9411574-pdf.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
Order-9411574-pdf.exe
Resource
win10v2004-en-20220113
General
-
Target
Order-9411574-pdf.exe
-
Size
249KB
-
MD5
58e91c804bf83bcb330d64d87bdd7abf
-
SHA1
9f00f81e64cbe3445a1f3f5f24976d736e8543ca
-
SHA256
d0d523bb3e44390067122f5b4768ee44811c00f14a344dd70e71d4c2bcf4962d
-
SHA512
aaf401d5f4a35325677ba978d170204d1305759c763b3d345d2817080cfb0707acb3703548f29db2c520faf3f2ba8835adeec435da59dfea1d3c03527f400ddb
Malware Config
Extracted
xloader
2.5
uar3
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Xloader Payload 2 IoCs
Processes:
resource                                                                     yara_rule
behavioral1/memory/940-57-0x0000000000400000-0x0000000000429000-memory.dmp  xloader
behavioral1/memory/544-66-0x0000000000080000-0x00000000000A9000-memory.dmp  xloader
-
Deletes itself 1 IoCs
Processes:
pid   process
1632  cmd.exe
-
Loads dropped DLL 1 IoCs
Processes:
pid   process
1072  Order-9411574-pdf.exe
-
Suspicious use of SetThreadContext 4 IoCs
Processes:
description                          pid   process                target process
PID 1072 set thread context of 940   1072  Order-9411574-pdf.exe  Order-9411574-pdf.exe
PID 940 set thread context of 1380   940   Order-9411574-pdf.exe  Explorer.EXE
PID 940 set thread context of 1380   940   Order-9411574-pdf.exe  Explorer.EXE
PID 544 set thread context of 1380   544   help.exe               Explorer.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 27 IoCs
Processes:
pid   process                hits
940   Order-9411574-pdf.exe  3
544   help.exe               24
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid   process
1380  Explorer.EXE
-
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
pid   process                hits
940   Order-9411574-pdf.exe  4
544   help.exe               2
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description              pid   process
Token: SeDebugPrivilege  940   Order-9411574-pdf.exe
Token: SeDebugPrivilege  544   help.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid   process       hits
1380  Explorer.EXE  2
-
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
pid   process       hits
1380  Explorer.EXE  2
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
description                       pid   process                target process         hits
PID 1072 wrote to memory of 940   1072  Order-9411574-pdf.exe  Order-9411574-pdf.exe  7
PID 940 wrote to memory of 544    940   Order-9411574-pdf.exe  help.exe               4
PID 544 wrote to memory of 1632   544   help.exe               cmd.exe                4
Processes
-
C:\Windows\Explorer.EXE (process tree depth 1)
command line: C:\Windows\Explorer.EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\Order-9411574-pdf.exe (process tree depth 2)
command line: "C:\Users\Admin\AppData\Local\Temp\Order-9411574-pdf.exe"
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Order-9411574-pdf.exe (process tree depth 3)
command line: "C:\Users\Admin\AppData\Local\Temp\Order-9411574-pdf.exe"
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\help.exe (process tree depth 4)
command line: "C:\Windows\SysWOW64\help.exe"
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe (process tree depth 5)
command line: /c del "C:\Users\Admin\AppData\Local\Temp\Order-9411574-pdf.exe"
- Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
\Users\Admin\AppData\Local\Temp\nsw1862.tmp\rgjrdod.dll
MD5
ad3bbea4e6415e4e6f83a2ec08335163
SHA1
46502c9542dcfdf95951eef320fef39490d11d98
SHA256
69fca02cde90fc973b6e4b158966598fbad391c117b94b9ed52315e770354a37
SHA512
00247d66d597515f238161a23759f78a4330d6410414a60fbf9cc2b0501c96d833ce4191cc72c6b6ee2902f14f809fd7b1f161a6f4b6516df0b0195b3e7c7c09
-
memory/544-65-0x00000000006E0000-0x00000000006E6000-memory.dmp
Filesize
24KB
-
memory/544-68-0x00000000003B0000-0x0000000000871000-memory.dmp
Filesize
4.8MB
-
memory/544-67-0x0000000000880000-0x0000000000B83000-memory.dmp
Filesize
3.0MB
-
memory/544-66-0x0000000000080000-0x00000000000A9000-memory.dmp
Filesize
164KB
-
memory/940-60-0x0000000000590000-0x00000000005A1000-memory.dmp
Filesize
68KB
-
memory/940-63-0x00000000006C0000-0x00000000006D1000-memory.dmp
Filesize
68KB
-
memory/940-59-0x0000000000700000-0x0000000000A03000-memory.dmp
Filesize
3.0MB
-
memory/940-57-0x0000000000400000-0x0000000000429000-memory.dmp
Filesize
164KB
-
memory/1072-55-0x0000000076141000-0x0000000076143000-memory.dmp
Filesize
8KB
-
memory/1380-64-0x0000000006BD0000-0x0000000006D09000-memory.dmp
Filesize
1.2MB
-
memory/1380-61-0x0000000004C60000-0x0000000004D38000-memory.dmp
Filesize
864KB
-
memory/1380-69-0x00000000072B0000-0x00000000073C8000-memory.dmp
Filesize
1.1MB