Analysis
- max time kernel: 158s
- max time network: 164s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 15-02-2022 15:20

Static task: static1
Behavioral task: behavioral1
Sample: Purchase Order FEB22_76543.exe
Resource: win7-en-20211208

General
- Target: Purchase Order FEB22_76543.exe
- Size: 769KB
- MD5: bcc32aa0cb21d67d81d9ddbd39c3e2d9
- SHA1: 2f0dfdf0a29ab5c1177c1245bebbdb2ee0513686
- SHA256: ed99b5652455f1287171fd7d49a5ac69add7ed72a08712d4c66f6474fd094615
- SHA512: 571c706963b172d9bdd707c0f833fe9b09a41c52d6ac8e0b8d771ccbca88d4ff43cafcba30b2f9bc5f7afcb2d5908920e0553c740139b32a374b0cf07fbd6b82
Malware Config
Extracted
xloader
2.5
zqzw
Signatures
-
Xloader Payload 2 IoCs
Processes:
  resource                                                                         yara_rule
  behavioral2/memory/2220-140-0x0000000000400000-0x0000000000429000-memory.dmp    xloader
  behavioral2/memory/3112-147-0x00000000008F0000-0x0000000000919000-memory.dmp    xloader
Suspicious use of SetThreadContext 3 IoCs
Processes: Purchase Order FEB22_76543.exe, Purchase Order FEB22_76543.exe, WWAHost.exe
  description                          pid   process                          target process
  PID 3808 set thread context of 2220  3808  Purchase Order FEB22_76543.exe   Purchase Order FEB22_76543.exe
  PID 2220 set thread context of 2712  2220  Purchase Order FEB22_76543.exe   Explorer.EXE
  PID 3112 set thread context of 2712  3112  WWAHost.exe                      Explorer.EXE
Drops file in Windows directory 8 IoCs
Processes: svchost.exe, TiWorker.exe
  description                   ioc                                                              process
  File opened for modification  C:\Windows\SoftwareDistribution\ReportingEvents.log              svchost.exe
  File opened for modification  C:\Windows\Logs\CBS\CBS.log                                      TiWorker.exe
  File opened for modification  C:\Windows\WinSxS\pending.xml                                    TiWorker.exe
  File opened for modification  C:\Windows\WindowsUpdate.log                                     svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk           svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log           svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.edb          svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm          svchost.exe
Suspicious behavior: EnumeratesProcesses 40 IoCs
Processes: Purchase Order FEB22_76543.exe, WWAHost.exe
  pid   process
  2220  Purchase Order FEB22_76543.exe  (4 entries)
  3112  WWAHost.exe                     (36 entries)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: Explorer.EXE
  pid   process
  2712  Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs
Processes: Purchase Order FEB22_76543.exe, WWAHost.exe
  pid   process
  2220  Purchase Order FEB22_76543.exe  (3 entries)
  3112  WWAHost.exe                     (2 entries)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: svchost.exe, TiWorker.exe
  description                       pid   process
  Token: SeShutdownPrivilege        1548  svchost.exe   (3 entries)
  Token: SeCreatePagefilePrivilege  1548  svchost.exe   (3 entries)
  Token: SeSecurityPrivilege        2044  TiWorker.exe
  Token: SeRestorePrivilege         2044  TiWorker.exe
  Token: SeBackupPrivilege          2044  TiWorker.exe
  (the three TiWorker.exe tokens account for 58 entries, cycling repeatedly through SeBackupPrivilege, SeRestorePrivilege and SeSecurityPrivilege)
Suspicious use of WriteProcessMemory 12 IoCs
Processes: Purchase Order FEB22_76543.exe, Explorer.EXE, WWAHost.exe
  description                       pid   process                          target process                   
  PID 3808 wrote to memory of 2220  3808  Purchase Order FEB22_76543.exe   Purchase Order FEB22_76543.exe   (6 entries)
  PID 2712 wrote to memory of 3112  2712  Explorer.EXE                     WWAHost.exe                      (3 entries)
  PID 3112 wrote to memory of 2008  3112  WWAHost.exe                      cmd.exe                          (3 entries)
Processes
- C:\Windows\Explorer.EXE  (command line: C:\Windows\Explorer.EXE)  PID:2712
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Purchase Order FEB22_76543.exe  (command line: "C:\Users\Admin\AppData\Local\Temp\Purchase Order FEB22_76543.exe")  PID:3808
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\Purchase Order FEB22_76543.exe  (command line: "{path}")  PID:2220
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
  - C:\Windows\SysWOW64\WWAHost.exe  (command line: "C:\Windows\SysWOW64\WWAHost.exe")  PID:3112
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe  (command line: /c del "C:\Users\Admin\AppData\Local\Temp\Purchase Order FEB22_76543.exe")  PID:2008
- C:\Windows\system32\svchost.exe  (command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv)  PID:1548
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe  (command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding)  PID:2044
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/1548-139-0x0000024634EF0000-0x0000024634EF4000-memory.dmp  Filesize: 16KB
- memory/1548-138-0x0000024632820000-0x0000024632830000-memory.dmp  Filesize: 64KB
- memory/1548-137-0x0000024632170000-0x0000024632180000-memory.dmp  Filesize: 64KB
- memory/2220-144-0x00000000013D0000-0x00000000013E1000-memory.dmp  Filesize: 68KB
- memory/2220-143-0x000000000041D000-0x000000000041E000-memory.dmp  Filesize: 4KB
- memory/2220-141-0x00000000014C0000-0x000000000180A000-memory.dmp  Filesize: 3.3MB
- memory/2220-140-0x0000000000400000-0x0000000000429000-memory.dmp  Filesize: 164KB
- memory/2712-150-0x0000000007CE0000-0x0000000007D83000-memory.dmp  Filesize: 652KB
- memory/2712-145-0x0000000007E10000-0x0000000007FAA000-memory.dmp  Filesize: 1.6MB
- memory/3112-146-0x0000000000200000-0x00000000002DC000-memory.dmp  Filesize: 880KB
- memory/3112-147-0x00000000008F0000-0x0000000000919000-memory.dmp  Filesize: 164KB
- memory/3112-148-0x0000000001B50000-0x0000000001E9A000-memory.dmp  Filesize: 3.3MB
- memory/3112-149-0x00000000018F0000-0x0000000001980000-memory.dmp  Filesize: 576KB
- memory/3808-136-0x0000000005010000-0x0000000005011000-memory.dmp  Filesize: 4KB
- memory/3808-135-0x0000000004D90000-0x0000000004D9A000-memory.dmp  Filesize: 40KB
- memory/3808-134-0x0000000004E30000-0x0000000004ECC000-memory.dmp  Filesize: 624KB
- memory/3808-133-0x0000000004CF0000-0x0000000004D82000-memory.dmp  Filesize: 584KB
- memory/3808-132-0x0000000074F6E000-0x0000000074F6F000-memory.dmp  Filesize: 4KB
- memory/3808-130-0x0000000000280000-0x0000000000346000-memory.dmp  Filesize: 792KB
- memory/3808-131-0x00000000052A0000-0x0000000005844000-memory.dmp  Filesize: 5.6MB