Analysis
  max time kernel:  150s
  max time network: 160s
  platform:         windows7_x64
  resource:         win7-en-20211208
  submitted:        22-02-2022 14:54
Tasks
  Static task      static1
  Behavioral task  behavioral1   Sample: order confirmation payment copy.exe   Resource: win7-en-20211208
  Behavioral task  behavioral2   Sample: order confirmation payment copy.exe   Resource: win10v2004-en-20220112
  (The signatures, process tree and memory dumps below come from behavioral1 on win7-en-20211208, the platform named under Analysis.)
General
  Target: order confirmation payment copy.exe
  Size:   29KB
  MD5:    52b704a5b91990616f13578732a79b97
  SHA1:   fd6c83a29b70dbe8fa9dbc5971ec03f403c5061e
  SHA256: 678f04893ab76acac51db1dbfc38aa7b5bc442055e00d6f4dbc209e8d065b086
  SHA512: 416fc722b9d7d327479666bbec60fe72117cdcf7eae58265004de483641c363601b6267a4c2367256d37a2498fd44ebe6ba675c642846a378b880cbd244c0056
Malware Config (extracted)
  Family:   xloader
  Version:  2.5
  Campaign: po6r
  C2 domains (65 entries). XLoader embeds its live C2 in a list of decoy domains, so treat these as indicators to hunt for in DNS/proxy logs rather than as 65 confirmed C2 servers:
jnhuichuangxin.com
mubashir.art
extol.design
doyyindh.xyz
milanoautoexperts.com
4thefringe.com
453511.com
sellathonautocredit.com
velgian.com
6672pk.com
wodeluzhou.com
sumiyoshiku-hizaita.xyz
imoveldeprimeira.com
dgjssp.com
endokc.com
side-clicks.com
cashndashfinancial.com
vanhemelryck.info
agamitrading.com
woofgang.xyz
atnetworkinc.com
malleshtekumatla.com
com-home.xyz
buildyourmtg.com
viairazur.xyz
drproteaches.com
amaznsavings.com
karencharlestonrealtor.com
bootstrategy.com
mimtgexpert.com
sebzvault.com
brtaclub.com
gicarellc.com
annehonorato.com
rafalgar.com
bergenyouthorchestra.com
entrevistasesenciales.com
thekneedoctors.com
grosseilemireal.estate
celestialdrone.art
bouwdrogerhurenvlaanderen.com
koppakart.com
irishykater.quest
blinglj.com
editorparmindersingh.com
klnhanced.quest
divinebehaviorsolutions.com
amprope.com
futuracart.com
ditrhub.com
eaoeducationprogramme.com
smartplumbing.services
revelandlaceevents.com
bikedh.xyz
pacificdevelopmentstudio.com
palisadesskivacation.com
happy-pets.xyz
killyourselfnigger.com
sonicdrillinginstitute.com
alibabascientific.com
sh-leming.com
aseelrealestate.com
lohmueller.gmbh
ngoccompany.com
healthonline.store
Signatures

Modifies WinLogon for persistence  (2 TTPs, 1 IoC)
  Process: order confirmation payment copy.exe (PID 1796)
  Set value (str): \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\clean.exe\","
  Winlogon\Shell is a comma-separated list of programs started at interactive logon, and its clean default is the single entry explorer.exe. The report prints the data with C-style escaping; the value actually written is explorer.exe,"C:\Users\Admin\AppData\Local\clean.exe", so the user's shell starts clean.exe at every logon. The key sits under the user's own hive (\REGISTRY\USER\<SID>, i.e. HKCU), so no administrative rights were needed. The report records no file-write signature for clean.exe, so confirm the dropped file on disk before relying on that path as an indicator.
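A hunting check for this IoC, written as an added example for this page and not part of the sandbox output: it parses a registry "Set value" record in the report's flattened format, undoes the escaping, splits the Shell value the way Winlogon does (comma separated, quotes protecting paths) and returns every program Winlogon would launch beyond the default shell. The record string is copied from the report; the function names, the record regex and the classification labels are my own.

```python
"""Hunt for Winlogon\\Shell persistence in a sandbox 'Set value' registry record.

Winlogon reads ...\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell as a
comma-separated list of programs to start at interactive logon; the clean default
is the single entry "explorer.exe". Anything else in that list is a persistence entry.
"""
import csv
import re
from typing import Dict, List, Tuple

DEFAULT_SHELL = "explorer.exe"

# Shape of the sandbox's flattened IoC row:  Set value (<type>) <key path> = "<data>"
# <data> is printed with C-style escapes (\" for a quote, \\ for a backslash).
IOC_RE = re.compile(
    r'Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\.+?) = "(?P<data>(?:[^"\\]|\\.)*)"'
)

# The report's own IoC row, used here as the sample input (SID and path as reported).
SAMPLE_RECORD = (
    r"order confirmation payment copy.exe description ioc process Set value (str) "
    r"\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft"
    r"\Windows NT\CurrentVersion\Winlogon\Shell = "
    r'"explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\clean.exe\"," '
    r"order confirmation payment copy.exe"
)


def parse_set_value(record: str) -> Tuple[str, str, str]:
    """Return (value_type, key_path, data) with the report's escaping removed."""
    m = IOC_RE.search(record)
    if m is None:
        raise ValueError("not a 'Set value' record")
    data = re.sub(r"\\(.)", r"\1", m.group("data"))  # \" -> "   and   \\ -> \
    return m.group("type"), m.group("key"), data


def shell_entries(shell_value: str) -> List[str]:
    """Split a Shell value as Winlogon does: comma separated, with double quotes
    protecting a path that itself contains spaces or commas."""
    fields = next(csv.reader([shell_value], skipinitialspace=True))
    return [f.strip() for f in fields if f.strip()]


def extra_shell_programs(shell_value: str) -> List[str]:
    """Programs Winlogon would start in addition to the default shell.
    Exact (case-insensitive) match on purpose: a full path to a look-alike
    explorer.exe is not the default and must be reported."""
    return [e for e in shell_entries(shell_value) if e.lower() != DEFAULT_SHELL]


def assess_record(record: str) -> Dict[str, object]:
    """Classify one 'Set value' record; only writes to Winlogon\\Shell are assessed."""
    vtype, key, data = parse_set_value(record)
    is_shell = key.lower().endswith("\\winlogon\\shell")
    extras = extra_shell_programs(data) if is_shell else []
    return {
        "key": key,
        "value_type": vtype,
        # \REGISTRY\USER\<SID> is the user's own hive (HKCU): writable without admin rights.
        "per_user": key.upper().startswith("\\REGISTRY\\USER\\"),
        "shell_value": data if is_shell else None,
        "extra_programs": extras,
        "suspicious": bool(extras),
    }


if __name__ == "__main__":
    for field, value in assess_record(SAMPLE_RECORD).items():
        print(f"{field}: {value}")
```

The same splitter can be pointed at a live machine by feeding it the data of HKCU and HKLM ...\Winlogon\Shell: the per-user value does not exist on a clean install, and the machine-wide one should contain nothing but explorer.exe.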
Xloader Payload  (2 IoCs)
  YARA rule xloader matched:
    behavioral1/memory/1084-62-0x0000000000400000-0x0000000000429000-memory.dmp   (order confirmation payment copy.exe, PID 1084)
    behavioral1/memory/1972-69-0x0000000000080000-0x00000000000A9000-memory.dmp   (netsh.exe, PID 1972)
  Both regions are 0x29000 bytes (164KB): the same-sized payload image mapped at two different bases, once in the hollowed child copy of the sample and once in netsh.exe. These two dumps are the ones to pull for static analysis and config extraction.
Suspicious use of SetThreadContext  (3 IoCs; source process -> process whose thread context was set)
  PID 1796 order confirmation payment copy.exe  -> PID 1084 order confirmation payment copy.exe
  PID 1084 order confirmation payment copy.exe  -> PID 1412 Explorer.EXE
  PID 1972 netsh.exe                            -> PID 1412 Explorer.EXE
  Setting the thread context of another process is the hand-off step of process hollowing / thread hijacking. The chain recorded here is consistent with the usual XLoader flow: the dropper (1796) spawns a copy of itself (1084), writes the unpacked payload into it and redirects its thread; that copy then injects into the already running Explorer.EXE (1412); Explorer in turn spawns netsh.exe (1972), where the second xloader YARA hit lands (see the WriteProcessMemory IoCs and the Processes tree below).
Enumerates physical storage devices  (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's boilerplate calls this "likely ransomware behaviour", but that is a generic heuristic: for an XLoader sample it is better read as routine drive enumeration by an infostealer, and no file-write or file-rename IoCs appear anywhere in this report.
Runs ping.exe  (1 TTP, 1 IoC)
  PID 1796 -> cmd.exe /c ping yahoo.com (PID 584) -> PING.EXE (PID 872). A ping to a well-known host is commonly used as a connectivity check and as a crude delay before the payload unpacks.
Suspicious behavior: EnumeratesProcesses  (23 IoCs)
  PID 1796 order confirmation payment copy.exe    5 events
  PID 1084 order confirmation payment copy.exe    2 events
  PID 1972 netsh.exe                             16 events
Suspicious behavior: MapViewOfSection  (5 IoCs)
  PID 1084 order confirmation payment copy.exe    3 events
  PID 1972 netsh.exe                              2 events
Suspicious use of AdjustPrivilegeToken  (3 IoCs)
  Token: SeDebugPrivilege   PID 1796 order confirmation payment copy.exe
  Token: SeDebugPrivilege   PID 1084 order confirmation payment copy.exe
  Token: SeDebugPrivilege   PID 1972 netsh.exe
  Enabling SeDebugPrivilege is the usual prelude to opening other processes for injection; it is enabled in exactly the three processes that issue SetThreadContext above.
Suspicious use of WriteProcessMemory  (27 IoCs, grouped by source -> target)
  PID 1796 order confirmation payment copy.exe -> PID  584 cmd.exe                                 4 writes
  PID  584 cmd.exe                             -> PID  872 PING.EXE                                4 writes
  PID 1796 order confirmation payment copy.exe -> PID 1188 order confirmation payment copy.exe     4 writes
  PID 1796 order confirmation payment copy.exe -> PID 1212 order confirmation payment copy.exe     4 writes
  PID 1796 order confirmation payment copy.exe -> PID 1084 order confirmation payment copy.exe     7 writes
  PID 1412 Explorer.EXE                        -> PID 1972 netsh.exe                               4 writes
  The benign cmd.exe -> PING.EXE spawn also shows four writes, so four is the baseline this sandbox records for an ordinary process creation. PIDs 1188 and 1212 receive only that baseline and show no further signatures; PID 1084 receives seven, the extra writes being the payload that is later confirmed by the YARA hit in its image region. The writes from Explorer.EXE into netsh.exe are the injected Explorer stage launching the final host process.
Processes (tree as recorded by the sandbox; depth shown by indentation)

C:\Windows\Explorer.EXE   PID 1412
    cmdline: C:\Windows\Explorer.EXE
    - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\order confirmation payment copy.exe   PID 1796
      cmdline: "C:\Users\Admin\AppData\Local\Temp\order confirmation payment copy.exe"
      - Modifies WinLogon for persistence
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe   PID 584
        cmdline: "C:\Windows\System32\cmd.exe" /c ping yahoo.com
        - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\PING.EXE   PID 872
          cmdline: ping yahoo.com
          - Runs ping.exe
    C:\Users\Admin\AppData\Local\Temp\order confirmation payment copy.exe   PID 1188
        cmdline: "C:\Users\Admin\AppData\Local\Temp\order confirmation payment copy.exe"
        (no signatures)
    C:\Users\Admin\AppData\Local\Temp\order confirmation payment copy.exe   PID 1212
        cmdline: "C:\Users\Admin\AppData\Local\Temp\order confirmation payment copy.exe"
        (no signatures)
    C:\Users\Admin\AppData\Local\Temp\order confirmation payment copy.exe   PID 1084
        cmdline: "C:\Users\Admin\AppData\Local\Temp\order confirmation payment copy.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\netsh.exe   PID 1972
      cmdline: "C:\Windows\SysWOW64\netsh.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

Two things to read off the tree. The sample asked for C:\Windows\System32\cmd.exe but the image loaded is C:\Windows\SysWOW64\cmd.exe: the WOW64 file-system redirector rewrote the path, which tells you the sample is a 32-bit process (consistent with the 0x00400000 image base in the memory dumps below). And netsh.exe is a child of Explorer.EXE, not of the sample: it was launched by the injected Explorer stage and is where the final XLoader payload runs, so a parent/child detection keyed only on the original dropper never sees it.
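Turning the flat IoC tables into the infection chain is mostly bookkeeping, but it is the bookkeeping an analyst repeats on every report of this family. The following Python is an added example for this page, not sandbox code: it takes the parent/child pairs from the Processes tree and the source/target pairs from the SetThreadContext IoCs above (transcribed from the report, PIDs and image names as recorded), propagates attacker control outward from the dropper and labels every reached PID. The propagation rules and labels are my own and are deliberately simple so they can be argued with.

```python
"""Reconstruct which processes ended up under attacker control, from the two flat
tables a sandbox report gives you: the process tree and the SetThreadContext IoCs."""
from collections import deque
from typing import Dict, List, Set, Tuple

# (parent_pid, pid, image) transcribed from the report's Processes section.
PROCESSES: List[Tuple[int, int, str]] = [
    (0,    1412, r"C:\Windows\Explorer.EXE"),
    (1412, 1796, r"C:\Users\Admin\AppData\Local\Temp\order confirmation payment copy.exe"),
    (1796, 584,  r"C:\Windows\SysWOW64\cmd.exe"),
    (584,  872,  r"C:\Windows\SysWOW64\PING.EXE"),
    (1796, 1188, r"C:\Users\Admin\AppData\Local\Temp\order confirmation payment copy.exe"),
    (1796, 1212, r"C:\Users\Admin\AppData\Local\Temp\order confirmation payment copy.exe"),
    (1796, 1084, r"C:\Users\Admin\AppData\Local\Temp\order confirmation payment copy.exe"),
    (1412, 1972, r"C:\Windows\SysWOW64\netsh.exe"),
]

# (source_pid, target_pid) from "Suspicious use of SetThreadContext".
SET_THREAD_CONTEXT: List[Tuple[int, int]] = [(1796, 1084), (1084, 1412), (1972, 1412)]

# PIDs whose memory dumps matched the xloader YARA rule; used only as a cross-check.
YARA_HITS: Set[int] = {1084, 1972}

ORIGIN = "dropper (origin)"
HOLLOWED = "hollowed"                      # spawned AND thread-hijacked by the same controlled process
INJECTED = "injected (pre-existing)"       # thread-hijacked, but not spawned by the injector
SPAWNED = "spawned by controlled process"  # child of a controlled process, no injection recorded


def classify(origin: int,
             processes: List[Tuple[int, int, str]] = PROCESSES,
             stc: List[Tuple[int, int]] = SET_THREAD_CONTEXT) -> Dict[int, str]:
    """Breadth-first propagation of control from the dropper.
    Every labelled PID is attacker-controlled; PIDs absent from the result were not reached."""
    parent = {pid: ppid for ppid, pid, _ in processes}
    children: Dict[int, List[int]] = {}
    for ppid, pid, _ in processes:
        children.setdefault(ppid, []).append(pid)
    injected_by: Dict[int, Set[int]] = {}
    for src, dst in stc:
        injected_by.setdefault(dst, set()).add(src)

    labels: Dict[int, str] = {origin: ORIGIN}
    queue = deque([origin])
    while queue:
        pid = queue.popleft()
        # Children of a controlled process: hollowed if that parent also hijacked their thread.
        for child in children.get(pid, []):
            if child in labels:
                continue
            labels[child] = HOLLOWED if pid in injected_by.get(child, set()) else SPAWNED
            queue.append(child)
        # Processes this controlled process hijacked that it did not spawn.
        for dst, srcs in injected_by.items():
            if pid in srcs and dst not in labels:
                labels[dst] = HOLLOWED if parent.get(dst) == pid else INJECTED
                queue.append(dst)
    return labels


def injectors(stc: List[Tuple[int, int]] = SET_THREAD_CONTEXT) -> Set[int]:
    """Processes that issued SetThreadContext on another process: by definition running attacker code."""
    return {src for src, _ in stc}


def payload_hosts(labels: Dict[int, str], yara: Set[int] = YARA_HITS) -> Set[int]:
    """Controlled processes whose memory actually matched the payload signature."""
    return {pid for pid in labels if pid in yara}


if __name__ == "__main__":
    result = classify(1796)
    image = {pid: img.rsplit("\\", 1)[-1] for _, pid, img in PROCESSES}
    for pid in sorted(result):
        print(f"{pid:5d}  {image[pid]:40s} {result[pid]}")
    print("injectors:", sorted(injectors()), " payload hosts:", sorted(payload_hosts(result)))
```

Note what the labels expose: netsh.exe (1972) gets only the weak "spawned by controlled process" label, the same as cmd.exe and PING.EXE, because the report records no write into it beyond the process-creation baseline and no SetThreadContext targeting it. It is nevertheless an injector and a YARA hit, which is why the cross-check against the payload dumps belongs in the procedure: the tree alone understates the last stage of this family.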
Network: no network events are recorded in this export.
TTP mapping: MITRE ATT&CK Enterprise v6
Downloads (memory dumps captured from behavioral1; file name = PID-sequence-start-end)

PID 1796  order confirmation payment copy.exe (dropper)
  memory/1796-54-0x0000000000370000-0x000000000037C000-memory.dmp    48KB
  memory/1796-55-0x0000000074E4E000-0x0000000074E4F000-memory.dmp     4KB
  memory/1796-56-0x0000000076491000-0x0000000076493000-memory.dmp     8KB
  memory/1796-57-0x0000000004900000-0x0000000004901000-memory.dmp     4KB
  memory/1796-58-0x000000000AF00000-0x000000000AFB6000-memory.dmp   728KB
  memory/1796-59-0x00000000050A0000-0x00000000050EC000-memory.dmp   304KB

PID 1084  order confirmation payment copy.exe (hollowed child copy)
  memory/1084-60-0x0000000000400000-0x0000000000429000-memory.dmp   164KB
  memory/1084-61-0x0000000000400000-0x0000000000429000-memory.dmp   164KB
  memory/1084-62-0x0000000000400000-0x0000000000429000-memory.dmp   164KB   <- xloader YARA hit
  memory/1084-64-0x0000000000910000-0x0000000000C13000-memory.dmp   3.0MB
  memory/1084-65-0x000000000041D000-0x000000000041E000-memory.dmp     4KB
  memory/1084-66-0x00000000001A0000-0x00000000001B1000-memory.dmp    68KB

PID 1412  Explorer.EXE
  memory/1412-67-0x0000000006F00000-0x0000000007034000-memory.dmp   1.2MB
  memory/1412-72-0x0000000003E30000-0x0000000003F03000-memory.dmp   844KB

PID 1972  netsh.exe
  memory/1972-68-0x0000000001110000-0x000000000112B000-memory.dmp   108KB
  memory/1972-69-0x0000000000080000-0x00000000000A9000-memory.dmp   164KB   <- xloader YARA hit
  memory/1972-70-0x0000000000B60000-0x0000000000E63000-memory.dmp   3.0MB
  memory/1972-71-0x0000000000960000-0x00000000009F0000-memory.dmp   576KB

Dumps -60, -61 and -62 are three snapshots of the same 0x00400000-0x00429000 image region of PID 1084 taken at different points in the run; only the last one matches the xloader rule, which is process hollowing seen from the outside: the original image is replaced by the unpacked payload. Dump 1972-69 is an image of the same size (0x29000 bytes) at a different base in netsh.exe, and 1084-64 and 1972-70 are likewise the same size (0x303000 bytes) in both processes. For static analysis, start from 1084-62 and 1972-69.