Analysis
-
max time kernel
170s -
max time network
178s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
21-02-2022 14:46
Static task
static1
Behavioral task
behavioral1
Sample
Order-317585122-pdf.exe
Resource
win7-en-20211208
General
-
Target
Order-317585122-pdf.exe
-
Size
291KB
-
MD5
67e35aa265604077c05cb33ce4faacac
-
SHA1
8bfd5d51b8416fb747e4c486b9c9691b28b47bcd
-
SHA256
de84eba1dbe2c9b339c91d9f90180478b3e84a190f566d3c667d6490caa92601
-
SHA512
a4867eb2efd3c44a941fa136d46b0d4bc024d99de60af70c07e11739c398f50e0309a3207889e8e64030ddefeeb68995f7cc6058fa3c183c535392795acb89b8
Malware Config
Extracted
xloader
2.5
uar3
sgadvocats.com
mjscannabus.com
hilldaley.com
ksdollhouse.com
hotgiftboutique.com
purebloodsmeet.com
relaunched.info
cap-glove.com
productcollection.store
fulikyy.xyz
remoteaviationjobs.com
bestcleancrystal.com
virtualorganizationpartner.com
bookgocar.com
hattuafhv.quest
makonigroup.com
officecom-myaccount.com
malgorzata-lac.com
e-learningeducators.com
hygilaur.com
kgv-lachswehr.com
salazarcomunicacion.com
robopython.com
corporateequity.online
complianceservicegroup.com
aperza-ex.com
webflowusa.com
asesoriasfinancieras.xyz
missolivesbranches.com
numiquest.com
criskconsultancy.com
gotemup.com
themaptalk.com
lakebalboahalf.com
cateringfrenchcroissant.com
paddocklakerealestate.com
lojaquerosurprezza.store
courtneywhitearmusic.com
geovannimaquinadevendas.online
pricklypairjazz.com
engagedigi.com
conduitforthespirit.com
anaheimaletrail.com
wholesalemall.store
alertsbecu.com
gestion-kayfra.com
youcanstores.com
qsuo.net
formadv.info
dihesia.xyz
carrreir.com
twenteeminuteswithtee.com
realliferenewal.com
officialprokodsukses.icu
stanfordgrouploscabos.com
maxicashpromir.xyz
zysqshjs.com
trc-clicks.com
chsclbd.com
amdproduce.net
republicoflies.com
beaux-parents.com
lucrativeapp.com
milbombas.com
alexanderplaywear.com
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Xloader Payload 3 IoCs
Processes:
resource yara_rule behavioral2/memory/4556-135-0x0000000000400000-0x0000000000429000-memory.dmp xloader behavioral2/memory/4556-138-0x0000000000400000-0x0000000000429000-memory.dmp xloader behavioral2/memory/2504-144-0x00000000006F0000-0x0000000000719000-memory.dmp xloader -
Executes dropped EXE 2 IoCs
Processes:
zopxdxewlg.exezopxdxewlg.exepid process 4612 zopxdxewlg.exe 4556 zopxdxewlg.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
zopxdxewlg.exezopxdxewlg.execmstp.exedescription pid process target process PID 4612 set thread context of 4556 4612 zopxdxewlg.exe zopxdxewlg.exe PID 4556 set thread context of 3024 4556 zopxdxewlg.exe Explorer.EXE PID 2504 set thread context of 3024 2504 cmstp.exe Explorer.EXE -
Drops file in Windows directory 6 IoCs
Processes:
svchost.exedescription ioc process File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log svchost.exe File opened for modification C:\Windows\WindowsUpdate.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 60 IoCs
Processes:
zopxdxewlg.execmstp.exepid process 4556 zopxdxewlg.exe 4556 zopxdxewlg.exe 4556 zopxdxewlg.exe 4556 zopxdxewlg.exe 2504 cmstp.exe 2504 cmstp.exe 2504 cmstp.exe 2504 cmstp.exe 2504 cmstp.exe 2504 cmstp.exe 2504 cmstp.exe 2504 cmstp.exe 2504 cmstp.exe 2504 cmstp.exe 2504 cmstp.exe 2504 cmstp.exe 2504 cmstp.exe 2504 cmstp.exe 2504 cmstp.exe 2504 cmstp.exe 2504 cmstp.exe 2504 cmstp.exe 2504 cmstp.exe 2504 cmstp.exe 2504 cmstp.exe 2504 cmstp.exe 2504 cmstp.exe 2504 cmstp.exe 2504 cmstp.exe 2504 cmstp.exe 2504 cmstp.exe 2504 cmstp.exe 2504 cmstp.exe 2504 cmstp.exe 2504 cmstp.exe 2504 cmstp.exe 2504 cmstp.exe 2504 cmstp.exe 2504 cmstp.exe 2504 cmstp.exe 2504 cmstp.exe 2504 cmstp.exe 2504 cmstp.exe 2504 cmstp.exe 2504 cmstp.exe 2504 cmstp.exe 2504 cmstp.exe 2504 cmstp.exe 2504 cmstp.exe 2504 cmstp.exe 2504 cmstp.exe 2504 cmstp.exe 2504 cmstp.exe 2504 cmstp.exe 2504 cmstp.exe 2504 cmstp.exe 2504 cmstp.exe 2504 cmstp.exe 2504 cmstp.exe 2504 cmstp.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXEpid process 3024 Explorer.EXE -
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
zopxdxewlg.execmstp.exepid process 4556 zopxdxewlg.exe 4556 zopxdxewlg.exe 4556 zopxdxewlg.exe 2504 cmstp.exe 2504 cmstp.exe -
Suspicious use of AdjustPrivilegeToken 10 IoCs
Processes:
zopxdxewlg.execmstp.exesvchost.exeExplorer.EXEdescription pid process Token: SeDebugPrivilege 4556 zopxdxewlg.exe Token: SeDebugPrivilege 2504 cmstp.exe Token: SeShutdownPrivilege 2068 svchost.exe Token: SeCreatePagefilePrivilege 2068 svchost.exe Token: SeShutdownPrivilege 2068 svchost.exe Token: SeCreatePagefilePrivilege 2068 svchost.exe Token: SeShutdownPrivilege 2068 svchost.exe Token: SeCreatePagefilePrivilege 2068 svchost.exe Token: SeShutdownPrivilege 3024 Explorer.EXE Token: SeCreatePagefilePrivilege 3024 Explorer.EXE -
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
Order-317585122-pdf.exezopxdxewlg.exeExplorer.EXEcmstp.exedescription pid process target process PID 4680 wrote to memory of 4612 4680 Order-317585122-pdf.exe zopxdxewlg.exe PID 4680 wrote to memory of 4612 4680 Order-317585122-pdf.exe zopxdxewlg.exe PID 4680 wrote to memory of 4612 4680 Order-317585122-pdf.exe zopxdxewlg.exe PID 4612 wrote to memory of 4556 4612 zopxdxewlg.exe zopxdxewlg.exe PID 4612 wrote to memory of 4556 4612 zopxdxewlg.exe zopxdxewlg.exe PID 4612 wrote to memory of 4556 4612 zopxdxewlg.exe zopxdxewlg.exe PID 4612 wrote to memory of 4556 4612 zopxdxewlg.exe zopxdxewlg.exe PID 4612 wrote to memory of 4556 4612 zopxdxewlg.exe zopxdxewlg.exe PID 4612 wrote to memory of 4556 4612 zopxdxewlg.exe zopxdxewlg.exe PID 3024 wrote to memory of 2504 3024 Explorer.EXE cmstp.exe PID 3024 wrote to memory of 2504 3024 Explorer.EXE cmstp.exe PID 3024 wrote to memory of 2504 3024 Explorer.EXE cmstp.exe PID 2504 wrote to memory of 3392 2504 cmstp.exe cmd.exe PID 2504 wrote to memory of 3392 2504 cmstp.exe cmd.exe PID 2504 wrote to memory of 3392 2504 cmstp.exe cmd.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Order-317585122-pdf.exe"C:\Users\Admin\AppData\Local\Temp\Order-317585122-pdf.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\zopxdxewlg.exeC:\Users\Admin\AppData\Local\Temp\zopxdxewlg.exe C:\Users\Admin\AppData\Local\Temp\ehrzs3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\zopxdxewlg.exeC:\Users\Admin\AppData\Local\Temp\zopxdxewlg.exe C:\Users\Admin\AppData\Local\Temp\ehrzs4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmstp.exe"C:\Windows\SysWOW64\cmstp.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\zopxdxewlg.exe"3⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\1fbn5v0s8c6lcdpxMD5
933f76aef373e9a8849662974af05cad
SHA198a413ca0863374f07391b2486ac867d511f1e88
SHA256e7a37f91578fdfa04ba84b3c036b68b42735e5c358c57473bbbbdf82cb5955ce
SHA5123c28a1e868fa3529bc9a0da72855e4c0f4b55cd9968d6d551f42ed493fe7358a77a60b92e403a9ea0886c0e2e16fd231120e54f2a2ae79b21fceccebe058f013
-
C:\Users\Admin\AppData\Local\Temp\ehrzsMD5
852d3f916eeb8a1af5a2a998473f9d13
SHA11e51dfce7f29835de4a0e5ee4578d22161003fa8
SHA256d415c8fe1b3399662f62564c1c981a62e6e4b2658880fd9483baf670a5e284cd
SHA51256dd13a9ff6e4e6a65a56441d7c94f36b47dfa765755c84d69f36878103fcbf9d23f0203ef6c68a0e53df66f8deafa99c331276ff320ec30c488111dcdfbcafc
-
C:\Users\Admin\AppData\Local\Temp\zopxdxewlg.exeMD5
0a5906255c645c41ba209449c4ae3429
SHA121f3c28d9d3452b0ff5e972b7a4a93ec29214b6b
SHA25652567b34523dafeed31b34cd5e72f9c746ef639e17317bbbe0e6e01e7ea9b47e
SHA512ef805d887e4ca2b599c3efca5ed475f4e0d4ab6dc2ae3544fd98ac059239b4b8066a2a09759fd90fb7fa8833e8720612790c8ef1839a27ab5d352f8a67f9fa83
-
C:\Users\Admin\AppData\Local\Temp\zopxdxewlg.exeMD5
0a5906255c645c41ba209449c4ae3429
SHA121f3c28d9d3452b0ff5e972b7a4a93ec29214b6b
SHA25652567b34523dafeed31b34cd5e72f9c746ef639e17317bbbe0e6e01e7ea9b47e
SHA512ef805d887e4ca2b599c3efca5ed475f4e0d4ab6dc2ae3544fd98ac059239b4b8066a2a09759fd90fb7fa8833e8720612790c8ef1839a27ab5d352f8a67f9fa83
-
C:\Users\Admin\AppData\Local\Temp\zopxdxewlg.exeMD5
0a5906255c645c41ba209449c4ae3429
SHA121f3c28d9d3452b0ff5e972b7a4a93ec29214b6b
SHA25652567b34523dafeed31b34cd5e72f9c746ef639e17317bbbe0e6e01e7ea9b47e
SHA512ef805d887e4ca2b599c3efca5ed475f4e0d4ab6dc2ae3544fd98ac059239b4b8066a2a09759fd90fb7fa8833e8720612790c8ef1839a27ab5d352f8a67f9fa83
-
memory/2068-150-0x00000270D0450000-0x00000270D0454000-memory.dmpFilesize
16KB
-
memory/2068-149-0x00000270CDD80000-0x00000270CDD90000-memory.dmpFilesize
64KB
-
memory/2068-148-0x00000270CDD20000-0x00000270CDD30000-memory.dmpFilesize
64KB
-
memory/2504-145-0x0000000002750000-0x0000000002A9A000-memory.dmpFilesize
3.3MB
-
memory/2504-146-0x00000000024B0000-0x0000000002540000-memory.dmpFilesize
576KB
-
memory/2504-143-0x00000000007B0000-0x00000000007C6000-memory.dmpFilesize
88KB
-
memory/2504-144-0x00000000006F0000-0x0000000000719000-memory.dmpFilesize
164KB
-
memory/3024-147-0x0000000001280000-0x0000000001313000-memory.dmpFilesize
588KB
-
memory/3024-142-0x0000000008D30000-0x0000000008ED8000-memory.dmpFilesize
1.7MB
-
memory/4556-135-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/4556-141-0x00000000007E0000-0x00000000007F1000-memory.dmpFilesize
68KB
-
memory/4556-140-0x000000000041D000-0x000000000041E000-memory.dmpFilesize
4KB
-
memory/4556-139-0x0000000000AB0000-0x0000000000DFA000-memory.dmpFilesize
3.3MB
-
memory/4556-138-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/4612-134-0x0000000000430000-0x0000000000432000-memory.dmpFilesize
8KB