Analysis
- max time kernel: 153s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 21-02-2022 10:03
Static task: static1
Behavioral task: behavioral1
- Sample: Order-EM411910902-pdf.exe
- Resource: win7-en-20211208
Note that the signature and memory-dump entries further down are tagged behavioral2, i.e. the Windows 10 run named under platform/resource above; only the win7 task's header survives on this page.
General
- Target: Order-EM411910902-pdf.exe (a "-pdf.exe" double extension: the file is an executable posing as a PDF order document)
- Size: 247KB
- MD5: 3891508ecb36809bb3d903066ce5ac5b
- SHA1: ee03fadec645758dd05f86354f909b6184431df7
- SHA256: 4e680042dfe4ffcf835c00c86ba35cbbac2fabd08ae19fa3155c030d984ab6be
- SHA512: f3735723b73b3f97bb3d08eb2e5e488ede9790161f1f45b1c414e1bda4072af86cf2adbdddbc31bf471b4037acfaf57fd37588b5b0f8cb644b2960299e1e141f
Malware Config
Extracted
- Family: xloader
- Version: 2.5
- Campaign: uar3
- Domains (XLoader, like Formbook before it, embeds one live C2 among decoy domains and cycles through them; treat the list as a DNS/HTTP watchlist, not as 65 confirmed C2 servers):
sgadvocats.com
mjscannabus.com
hilldaley.com
ksdollhouse.com
hotgiftboutique.com
purebloodsmeet.com
relaunched.info
cap-glove.com
productcollection.store
fulikyy.xyz
remoteaviationjobs.com
bestcleancrystal.com
virtualorganizationpartner.com
bookgocar.com
hattuafhv.quest
makonigroup.com
officecom-myaccount.com
malgorzata-lac.com
e-learningeducators.com
hygilaur.com
kgv-lachswehr.com
salazarcomunicacion.com
robopython.com
corporateequity.online
complianceservicegroup.com
aperza-ex.com
webflowusa.com
asesoriasfinancieras.xyz
missolivesbranches.com
numiquest.com
criskconsultancy.com
gotemup.com
themaptalk.com
lakebalboahalf.com
cateringfrenchcroissant.com
paddocklakerealestate.com
lojaquerosurprezza.store
courtneywhitearmusic.com
geovannimaquinadevendas.online
pricklypairjazz.com
engagedigi.com
conduitforthespirit.com
anaheimaletrail.com
wholesalemall.store
alertsbecu.com
gestion-kayfra.com
youcanstores.com
qsuo.net
formadv.info
dihesia.xyz
carrreir.com
twenteeminuteswithtee.com
realliferenewal.com
officialprokodsukses.icu
stanfordgrouploscabos.com
maxicashpromir.xyz
zysqshjs.com
trc-clicks.com
chsclbd.com
amdproduce.net
republicoflies.com
beaux-parents.com
lucrativeapp.com
milbombas.com
alexanderplaywear.com
Signatures
-
Xloader Payload 3 IoCs
Memory regions matching the xloader YARA rule (behavioral2):
- memory/4004-131-0x0000000000400000-0x0000000000429000-memory.dmp
- memory/4004-134-0x0000000000400000-0x0000000000429000-memory.dmp
- memory/1304-139-0x00000000012B0000-0x00000000012D9000-memory.dmp
All three regions are 0x29000 bytes (164KB): the same unpacked payload, sitting at the default x86 image base 0x400000 in the hollowed copy of the sample (PID 4004) and at an allocated address in NETSTAT.EXE (PID 1304).
Loads dropped DLL 1 IoCs
- PID 1476 Order-EM411910902-pdf.exe
Suspicious use of SetThreadContext 3 IoCs
- PID 1476 Order-EM411910902-pdf.exe set thread context of PID 4004 Order-EM411910902-pdf.exe
- PID 4004 Order-EM411910902-pdf.exe set thread context of PID 2436 Explorer.EXE
- PID 1304 NETSTAT.EXE set thread context of PID 2436 Explorer.EXE
Drops file in Windows directory 6 IoCs
All six events are svchost.exe (PID 3468, the wuauserv service host) opening Windows Update state files for modification, i.e. background update activity in the sandbox image rather than anything the sample did:
- C:\Windows\SoftwareDistribution\DataStore\DataStore.edb
- C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm
- C:\Windows\SoftwareDistribution\ReportingEvents.log
- C:\Windows\WindowsUpdate.log
- C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk
- C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's canned note for this heuristic ("likely ransomware behaviour") does not fit this sample: nothing else in the report shows file encryption or ransom notes, and the extracted config identifies an XLoader stealer, for which drive enumeration is ordinary reconnaissance.
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
- PID 1304 NETSTAT.EXE
Caveat: this is not a genuine netstat run. The same PID carries an xloader YARA match in memory and sets the thread context of Explorer.EXE, so NETSTAT.EXE is the system binary XLoader picked as a host for its final stage; the signature fires on the image name alone.
Suspicious behavior: EnumeratesProcesses 8 IoCs
- PID 4004 Order-EM411910902-pdf.exe (4 events)
- PID 1304 NETSTAT.EXE (4 events)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
- PID 2436 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs
- PID 4004 Order-EM411910902-pdf.exe (3 events)
- PID 1304 NETSTAT.EXE (2 events)
Suspicious use of AdjustPrivilegeToken 8 IoCs
- PID 4004 Order-EM411910902-pdf.exe: SeDebugPrivilege
- PID 1304 NETSTAT.EXE: SeDebugPrivilege
- PID 3468 svchost.exe: SeShutdownPrivilege and SeCreatePagefilePrivilege, three times each (Windows Update service host; unrelated to the sample)
The two SeDebugPrivilege enables belong to the payload stages and are what they need to open Explorer.EXE for injection.
Suspicious use of WriteProcessMemory 12 IoCs
- PID 1476 Order-EM411910902-pdf.exe wrote to memory of PID 4004 Order-EM411910902-pdf.exe (6 events)
- PID 2436 Explorer.EXE wrote to memory of PID 1304 NETSTAT.EXE (3 events)
- PID 1304 NETSTAT.EXE wrote to memory of PID 1180 cmd.exe (3 events)
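The SetThreadContext and WriteProcessMemory tables above describe the injection chain only as a flat list of events. The script below, an added example that is not part of the report or of the sandbox's own tooling, reconstructs the chain from those events. The event tuples are transcribed from the two tables (de-duplicated, since the report repeats identical writes) and the edge labels ("self-hollowing", "thread hijack", "child write") are this example's own heuristics, not the sandbox's classification.

```python
"""Reconstruct the process-injection chain from sandbox signature events.
Added example: the events are transcribed from this report; the labels
are heuristics chosen here, not sandbox output."""
from collections import defaultdict

# (api, source pid, source image, target pid, target image), from the report's
# "Suspicious use of SetThreadContext" and "... WriteProcessMemory" tables.
EVENTS = [
    ("WriteProcessMemory", 1476, "Order-EM411910902-pdf.exe", 4004, "Order-EM411910902-pdf.exe"),
    ("SetThreadContext",   1476, "Order-EM411910902-pdf.exe", 4004, "Order-EM411910902-pdf.exe"),
    ("SetThreadContext",   4004, "Order-EM411910902-pdf.exe", 2436, "Explorer.EXE"),
    ("WriteProcessMemory", 2436, "Explorer.EXE",              1304, "NETSTAT.EXE"),
    ("SetThreadContext",   1304, "NETSTAT.EXE",               2436, "Explorer.EXE"),
    ("WriteProcessMemory", 1304, "NETSTAT.EXE",               1180, "cmd.exe"),
]
# PIDs whose memory dumps matched the xloader YARA rule ("Xloader Payload").
YARA_HITS = {4004, 1304}


def build_edges(events):
    """Collapse events into (src, tgt) -> {api, ...} plus a pid -> image map."""
    edges, names = defaultdict(set), {}
    for api, spid, simg, tpid, timg in events:
        edges[(spid, tpid)].add(api)
        names[spid], names[tpid] = simg, timg
    return edges, names


def classify(edges, names):
    """Label each edge by the API combination the sandbox recorded (heuristic)."""
    labels = {}
    for (spid, tpid), apis in edges.items():
        if {"WriteProcessMemory", "SetThreadContext"} <= apis and names[spid] == names[tpid]:
            # write + context switch into a copy of itself: the unpacker hollowing its own child
            labels[(spid, tpid)] = "self-hollowing"
        elif "SetThreadContext" in apis:
            # context set in a foreign, already running process, with no write recorded
            labels[(spid, tpid)] = "thread hijack"
        else:
            # memory write into a freshly created child (CreateProcess from an injected host)
            labels[(spid, tpid)] = "child write"
    return labels


def chain_from(edges, root):
    """PIDs reachable from root along recorded edges, in breadth-first order."""
    seen, order, queue = set(), [], [root]
    while queue:
        pid = queue.pop(0)
        if pid in seen:
            continue
        seen.add(pid)
        order.append(pid)
        queue.extend(tgt for (src, tgt) in edges if src == pid)
    return order


def summarize(events=EVENTS, yara_hits=YARA_HITS, root=1476):
    """Human-readable edge labels, the chain from the sample, and where the payload was found."""
    edges, names = build_edges(events)
    labels = classify(edges, names)
    lines = [f"{s} {names[s]} -> {t} {names[t]}: {lab}" for (s, t), lab in labels.items()]
    chain = chain_from(edges, root)
    lines.append("chain: " + " -> ".join(f"{p} {names[p]}" for p in chain))
    lines.append("payload seen in: " + ", ".join(f"{p} {names[p]}" for p in chain if p in yara_hits))
    return lines


if __name__ == "__main__":
    print("\n".join(summarize()))
```

Run stand-alone it prints the chain 1476 -> 4004 -> 2436 (Explorer.EXE) -> 1304 (NETSTAT.EXE) -> 1180 (cmd.exe): the sample hollows a copy of itself, that copy hijacks Explorer, the injected Explorer spawns NETSTAT.EXE as a host, and NETSTAT.EXE both re-enters Explorer and launches the cmd.exe that deletes the original file. Explorer.EXE is the pivot but never showed a YARA match in this run; the two processes with the payload resident are 4004 and 1304.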
Processes
-
Tree depth is shown as [1], [2], [3]; PIDs are taken from the signature tables above.
[1] C:\Windows\Explorer.EXE (PID 2436)
    command line: C:\Windows\Explorer.EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\Order-EM411910902-pdf.exe (PID 1476)
        command line: "C:\Users\Admin\AppData\Local\Temp\Order-EM411910902-pdf.exe"
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\Order-EM411910902-pdf.exe (PID 4004, hollowed copy of the sample)
            command line: "C:\Users\Admin\AppData\Local\Temp\Order-EM411910902-pdf.exe"
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\SysWOW64\autoconv.exe
        command line: "C:\Windows\SysWOW64\autoconv.exe"
        (launched six times from Explorer.EXE, no flagged behaviour in any of them)
    [2] C:\Windows\SysWOW64\NETSTAT.EXE (PID 1304)
        command line: "C:\Windows\SysWOW64\NETSTAT.EXE"
        - Suspicious use of SetThreadContext
        - Gathers network information
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\cmd.exe (PID 1180)
            command line: /c del "C:\Users\Admin\AppData\Local\Temp\Order-EM411910902-pdf.exe"
            (removes the original sample from disk once the payload is resident in Explorer.EXE and NETSTAT.EXE)
[1] C:\Windows\system32\svchost.exe (PID 3468)
    command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    (Windows Update service host; its flagged activity is background noise, not the sample)
Reading the tree: Explorer.EXE is the parent of the sample because it was launched from the desktop, and it is also the process the second stage injects into, which is why the autoconv.exe launches and NETSTAT.EXE appear as Explorer's children. The run of SysWOW64 binaries started from the injected Explorer, with only the last one (NETSTAT.EXE) receiving the payload, is consistent with XLoader choosing a system executable to host its final stage.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\nsq4D16.tmp\lifljlpjo.dll
- MD5: 11bb2c8629cb80c896dcbd9da4f608bb
- SHA1: e1a16f1f4a8cc3d2cb1224f3eb6731853b79a960
- SHA256: 90c6982f11d2bcd1c69b85c8df7bb84fd1eeed5876fd86558c718149b5f3b874
- SHA512: 2992526f6b4e20d83b50b4b235d1473e43b345527926a59cf93c33fbb33adeeb79f885441e5f42adcf6a2d18532e0c4c70148c555e5b1e9a4d39931581d62caa
This is the DLL behind the "Loads dropped DLL" signature on PID 1476. A ns????.tmp directory under %TEMP% is the per-run plugin directory an NSIS installer extracts to, so the sample is consistent with an NSIS-packaged loader whose plugin DLL performs the first unpacking stage; the DLL itself is worth hashing and detonating on its own.
Memory dumps (the name encodes PID, dump sequence number and virtual address range):
- memory/1304-138-0x00000000007C0000-0x00000000007CB000-memory.dmp: 44KB
- memory/1304-144-0x0000000001810000-0x00000000018A0000-memory.dmp: 576KB
- memory/1304-143-0x00000000019D0000-0x0000000001D1A000-memory.dmp: 3.3MB
- memory/1304-139-0x00000000012B0000-0x00000000012D9000-memory.dmp: 164KB (xloader YARA match)
- memory/2436-145-0x0000000002E80000-0x0000000002F54000-memory.dmp: 848KB
- memory/2436-137-0x0000000007E60000-0x0000000007FA2000-memory.dmp: 1.3MB
- memory/3468-140-0x0000021528B60000-0x0000021528B70000-memory.dmp: 64KB
- memory/3468-141-0x0000021529120000-0x0000021529130000-memory.dmp: 64KB
- memory/3468-142-0x000002152B7A0000-0x000002152B7A4000-memory.dmp: 16KB
- memory/4004-136-0x00000000009D0000-0x00000000009E1000-memory.dmp: 68KB
- memory/4004-135-0x000000000041D000-0x000000000041E000-memory.dmp: 4KB
- memory/4004-134-0x0000000000400000-0x0000000000429000-memory.dmp: 164KB (xloader YARA match)
- memory/4004-133-0x0000000000A10000-0x0000000000D5A000-memory.dmp: 3.3MB
- memory/4004-131-0x0000000000400000-0x0000000000429000-memory.dmp: 164KB (xloader YARA match)
Two things stand out in the ranges. The 164KB (0x29000-byte) payload region appears at the default image base 0x400000 in PID 4004 and at 0x12B0000 in PID 1304, and a 0x34A000-byte region (3.3MB) appears in both of those processes as well (0xA10000 in 4004, 0x19D0000 in 1304), so the staging buffer travelled with the payload. The 4KB dump 4004-135 at 0x41D000 lies inside the 0x400000-0x429000 image, a single page re-dumped on its own. PID 3468's 0x215... addresses mark it as the native 64-bit svchost; the sample and its hosts are 32-bit SysWOW64 processes with low addresses.
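The correlation between the "Xloader Payload" signature and this dump list (same-size regions in PID 4004 and PID 1304, one of them at the default image base, one nested page) can be done mechanically from the dump names alone. The script below is an added example, not part of the report or of the sandbox; the dump names are transcribed from this page, and the 0x400000 default image base and the report's KB/MB rounding are assumptions stated in the code.

```python
"""Correlate sandbox memory-dump names with the YARA-tagged payload regions.
Added example: dump names are transcribed from this report."""
import re
from collections import defaultdict

# tria.ge-style dump name: memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")

DUMPS = [
    "memory/1304-138-0x00000000007C0000-0x00000000007CB000-memory.dmp",
    "memory/1304-144-0x0000000001810000-0x00000000018A0000-memory.dmp",
    "memory/1304-143-0x00000000019D0000-0x0000000001D1A000-memory.dmp",
    "memory/1304-139-0x00000000012B0000-0x00000000012D9000-memory.dmp",
    "memory/2436-145-0x0000000002E80000-0x0000000002F54000-memory.dmp",
    "memory/2436-137-0x0000000007E60000-0x0000000007FA2000-memory.dmp",
    "memory/3468-140-0x0000021528B60000-0x0000021528B70000-memory.dmp",
    "memory/3468-141-0x0000021529120000-0x0000021529130000-memory.dmp",
    "memory/3468-142-0x000002152B7A0000-0x000002152B7A4000-memory.dmp",
    "memory/4004-136-0x00000000009D0000-0x00000000009E1000-memory.dmp",
    "memory/4004-135-0x000000000041D000-0x000000000041E000-memory.dmp",
    "memory/4004-134-0x0000000000400000-0x0000000000429000-memory.dmp",
    "memory/4004-133-0x0000000000A10000-0x0000000000D5A000-memory.dmp",
    "memory/4004-131-0x0000000000400000-0x0000000000429000-memory.dmp",
]
# The three dumps the "Xloader Payload" signature flagged.
XLOADER_HITS = [
    "memory/4004-131-0x0000000000400000-0x0000000000429000-memory.dmp",
    "memory/4004-134-0x0000000000400000-0x0000000000429000-memory.dmp",
    "memory/1304-139-0x00000000012B0000-0x00000000012D9000-memory.dmp",
]
DEFAULT_X86_IMAGE_BASE = 0x400000   # assumption: linker default for 32-bit EXEs


def parse_dump(name):
    """Split a dump name into pid, sequence number, address range and size in bytes."""
    m = DUMP_RE.fullmatch(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    pid, seq, start, end = int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)
    return {"name": name, "pid": pid, "seq": seq, "start": start, "end": end, "size": end - start}


def human_size(n):
    """Assumed to match the report's rounding: whole KB below 1MB, one decimal above."""
    return f"{n / 2**20:.1f}MB" if n >= 2**20 else f"{n // 1024}KB"


def matching_regions(dumps, hits):
    """size -> sorted (pid, start) of every region as large as a YARA-matched one."""
    hit_sizes = {parse_dump(h)["size"] for h in hits}
    found = defaultdict(set)
    for d in map(parse_dump, dumps):
        if d["size"] in hit_sizes:
            found[d["size"]].add((d["pid"], d["start"]))
    return {size: sorted(where) for size, where in found.items()}


def nested_dumps(dumps):
    """(inner, outer) pairs where inner lies strictly inside another dump of the same PID."""
    parsed = [parse_dump(n) for n in dumps]
    return sorted({(i["name"], o["name"]) for i in parsed for o in parsed
                   if i["pid"] == o["pid"] and (i["start"], i["end"]) != (o["start"], o["end"])
                   and o["start"] <= i["start"] and i["end"] <= o["end"]})


def describe(dumps=DUMPS, hits=XLOADER_HITS):
    """One line per payload-sized region, saying whether it sits at the image base."""
    lines = []
    for size, where in matching_regions(dumps, hits).items():
        for pid, start in where:
            kind = "hollowed image at default base" if start == DEFAULT_X86_IMAGE_BASE else "injected mapping"
            lines.append(f"pid {pid}: 0x{start:X} {human_size(size)} ({kind})")
    return lines


if __name__ == "__main__":
    print("\n".join(describe()))
    for inner, outer in nested_dumps(DUMPS):
        print(f"{inner} is a page inside {outer}")
```

The same-size test is deliberately coarse: it only says "a region of exactly the payload's size exists in this other process", which is a cue to diff the two dumps or run the YARA rule over the second one, not proof by itself. Here it picks out exactly the two placements the signature table already named, and nested_dumps isolates 4004-135 as a single page inside the hollowed image.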