Analysis
max time kernel: 153s
max time network: 186s
platform: windows7_x64
resource: win7-20220414-en
submitted: 21-05-2022 11:58
Static task: static1
Behavioral task: behavioral1
  Sample: e26afb2a71bab91e3f2dd8588da0a49436a1b09c48cccb611c06a0ed96f85f8c.rar
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: e26afb2a71bab91e3f2dd8588da0a49436a1b09c48cccb611c06a0ed96f85f8c.rar
  Resource: win10v2004-20220414-en
Behavioral task: behavioral3
  Sample: Quotation DG-H2091717 Order.exe
  Resource: win7-20220414-en
General
Target: Quotation DG-H2091717 Order.exe
Size: 491KB
MD5: 281adb9d80c76b1d55dd373ea0c9d76a
SHA1: 961c9d2108da9e4f91f1c38b3202eb582cea3f94
SHA256: 510b24a8ddcc1a99925f07d8ec0b56489930147a95810b787291b3396bd54a7c
SHA512: f6a124e8a412801f5d0c9bac388da732b26bf66b84fcf1cce0bbd13c3f9107132fffe5b9e4d19f3f5f572a835cb0ac700bc83542cedcc39860133536d32aae93
Malware Config
Extracted family: xloader
Version: 2.1
Campaign: cvd
Signatures

Xloader Payload (4 IoCs)
  resource -> yara_rule
  behavioral3/memory/1280-63-0x000000000041CB50-mapping.dmp -> xloader
  behavioral3/memory/1280-62-0x0000000000400000-0x0000000000428000-memory.dmp -> xloader
  behavioral3/memory/1280-68-0x0000000000400000-0x0000000000428000-memory.dmp -> xloader
  behavioral3/memory/1620-75-0x00000000000A0000-0x00000000000C8000-memory.dmp -> xloader

Deletes itself (1 IoC)
  pid 1488 cmd.exe

Suspicious use of SetThreadContext (4 IoCs)
  PID 1528 (Quotation DG-H2091717 Order.exe) set thread context of PID 1280 (Quotation DG-H2091717 Order.exe)
  PID 1280 (Quotation DG-H2091717 Order.exe) set thread context of PID 1220 (Explorer.EXE)
  PID 1280 (Quotation DG-H2091717 Order.exe) set thread context of PID 1220 (Explorer.EXE)
  PID 1620 (raserver.exe) set thread context of PID 1220 (Explorer.EXE)

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid 1280 Quotation DG-H2091717 Order.exe (3 hits)
  pid 1620 raserver.exe (11 hits)

Suspicious behavior: MapViewOfSection (6 IoCs)
  pid 1280 Quotation DG-H2091717 Order.exe (4 hits)
  pid 1620 raserver.exe (2 hits)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege    pid 1280 Quotation DG-H2091717 Order.exe
  Token: SeDebugPrivilege    pid 1620 raserver.exe
  Token: SeShutdownPrivilege pid 1220 Explorer.EXE

Suspicious use of FindShellTrayWindow (2 IoCs)
  pid 1220 Explorer.EXE (2 hits)

Suspicious use of SendNotifyMessage (2 IoCs)
  pid 1220 Explorer.EXE (2 hits)

Suspicious use of WriteProcessMemory (19 IoCs)
  PID 1528 (Quotation DG-H2091717 Order.exe) wrote to memory of PID 1280 (Quotation DG-H2091717 Order.exe) (7 hits)
  PID 1220 (Explorer.EXE) wrote to memory of PID 696 (cmd.exe) (4 hits)
  PID 1280 (Quotation DG-H2091717 Order.exe) wrote to memory of PID 1620 (raserver.exe) (4 hits)
  PID 1620 (raserver.exe) wrote to memory of PID 1488 (cmd.exe) (4 hits)
Processes

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Quotation DG-H2091717 Order.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Quotation DG-H2091717 Order.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\Quotation DG-H2091717 Order.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Quotation DG-H2091717 Order.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\raserver.exe
        command line: "C:\Windows\SysWOW64\raserver.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
          command line: /c del "C:\Users\Admin\AppData\Local\Temp\Quotation DG-H2091717 Order.exe"
          - Deletes itself

  C:\Windows\SysWOW64\autoconv.exe
    command line: "C:\Windows\SysWOW64\autoconv.exe"
    (9 separate instances spawned under Explorer.EXE, no signatures)

  C:\Windows\SysWOW64\autofmt.exe
    command line: "C:\Windows\SysWOW64\autofmt.exe"

  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\SysWOW64\cmd.exe"
Downloads

file                                                                Filesize
memory/1220-67-0x0000000004020000-0x00000000040D6000-memory.dmp    728KB
memory/1220-78-0x0000000004CE0000-0x0000000004E5C000-memory.dmp    1.5MB
memory/1220-70-0x0000000004BB0000-0x0000000004CDA000-memory.dmp    1.2MB
memory/1280-66-0x0000000000130000-0x0000000000140000-memory.dmp    64KB
memory/1280-68-0x0000000000400000-0x0000000000428000-memory.dmp    160KB
memory/1280-59-0x0000000000400000-0x0000000000428000-memory.dmp    160KB
memory/1280-60-0x0000000000400000-0x0000000000428000-memory.dmp    160KB
memory/1280-63-0x000000000041CB50-mapping.dmp
memory/1280-62-0x0000000000400000-0x0000000000428000-memory.dmp    160KB
memory/1280-65-0x00000000009D0000-0x0000000000CD3000-memory.dmp    3.0MB
memory/1280-69-0x00000000003E0000-0x00000000003F0000-memory.dmp    64KB
memory/1488-73-0x0000000000000000-mapping.dmp
memory/1528-57-0x00000000042C0000-0x000000000432C000-memory.dmp    432KB
memory/1528-58-0x0000000002040000-0x000000000207E000-memory.dmp    248KB
memory/1528-54-0x0000000000950000-0x00000000009D0000-memory.dmp    512KB
memory/1528-56-0x0000000000600000-0x0000000000608000-memory.dmp    32KB
memory/1528-55-0x00000000764C1000-0x00000000764C3000-memory.dmp    8KB
memory/1620-71-0x0000000000000000-mapping.dmp
memory/1620-74-0x0000000000070000-0x000000000008C000-memory.dmp    112KB
memory/1620-75-0x00000000000A0000-0x00000000000C8000-memory.dmp    160KB
memory/1620-76-0x0000000001FD0000-0x00000000022D3000-memory.dmp    3.0MB
memory/1620-77-0x0000000000650000-0x00000000006DF000-memory.dmp    572KB