Analysis

max time kernel: 147s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 21/06/2022, 08:05

Static task: static1
Behavioral task: behavioral1
  Sample: Order.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: Order.exe
  Resource: win10v2004-20220414-en

General

Target: Order.exe
Size: 241KB
MD5: bf5426f3ef54fb82433db41d5e8533a5
SHA1: 46b504f9d3b02ff66ae640167e5ae3d8737dd44f
SHA256: d9af61c7590a4850ff8a8f021ad2b9f7536757d658b281e883e758065637bdd5
SHA512: 64f83ef542358da820ff6d91a1bbe09dae4dbb2580c9e566253ae7236eea12ca6ae1128e75b9b291b70574026dece42e7cc646b8c2035abb63b379ddd784d3f5
Malware Config

Extracted
Family: xloader
Version: 2.6
Campaign: ne5f
Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

suricata: ET MALWARE FormBook CnC Checkin (GET)

ModiLoader Second Stage 39 IoCs
Xloader Payload 5 IoCs
Adds policy Run key to start application 2 TTPs 2 IoCs
Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (process: mstsc.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\YPM83N28OPX = "C:\\Program Files (x86)\\Mt8dt7b\\-zit_xuxt800.exe" (process: mstsc.exe)

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application 2 TTPs 1 IoCs
Set value (str): \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rwooihhzlf = "C:\\Users\\Public\\Libraries\\flzhhioowR.url" (process: Order.exe)

Suspicious use of SetThreadContext 2 IoCs
PID 1924 (Order.exe) set thread context of PID 2640 (procid_target 37)
PID 960 (mstsc.exe) set thread context of PID 2640 (procid_target 37)

Drops file in Program Files directory 1 IoCs
File opened for modification: C:\Program Files (x86)\Mt8dt7b\-zit_xuxt800.exe (process: mstsc.exe)

Modifies Internet Explorer settings
Key created: \Registry\User\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 (process: mstsc.exe)

Runs net.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs
PID 2520 powershell.exe
PID 1924 Order.exe
PID 960 mstsc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
PID 2640 Explorer.EXE

Suspicious behavior: MapViewOfSection 7 IoCs
PID 1924 Order.exe
PID 960 mstsc.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs
Token: SeDebugPrivilege, PID 2520 powershell.exe
Token: SeDebugPrivilege, PID 1924 Order.exe
Token: SeDebugPrivilege, PID 960 mstsc.exe

Suspicious use of WriteProcessMemory 36 IoCs
PID 4044 (Order.exe) wrote to memory of PID 3060 (procid_target 80)
PID 3060 (cmd.exe) wrote to memory of PID 2004 (procid_target 82)
PID 2004 (cmd.exe) wrote to memory of PID 1244 (procid_target 84)
PID 1244 (net.exe) wrote to memory of PID 1320 (procid_target 85)
PID 2004 (cmd.exe) wrote to memory of PID 2520 (procid_target 86)
PID 4044 (Order.exe) wrote to memory of PID 1924 (procid_target 92)
PID 2640 (Explorer.EXE) wrote to memory of PID 960 (procid_target 93)
PID 960 (mstsc.exe) wrote to memory of PID 4084 (procid_target 97)
PID 960 (mstsc.exe) wrote to memory of PID 3440 (procid_target 99)
PID 960 (mstsc.exe) wrote to memory of PID 1484 (procid_target 101)
PID 960 (mstsc.exe) wrote to memory of PID 952 (procid_target 103)
Processes

C:\Windows\Explorer.EXE (PID 2640)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Order.exe (PID 4044)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Order.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 3060)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\Rwooihhzlft.bat" "
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe (PID 2004)
        Command line: C:\Windows\system32\cmd.exe /K C:\Users\Public\Libraries\RwooihhzlfO.bat
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net.exe (PID 1244)
          Command line: net session
          - Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\net1.exe (PID 1320)
            Command line: C:\Windows\system32\net1 session

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2520)
          Command line: powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\Order.exe (PID 1924)
      Command line: C:\Users\Admin\AppData\Local\Temp\Order.exe
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\mstsc.exe (PID 960)
    Command line: "C:\Windows\SysWOW64\mstsc.exe"
    - Adds policy Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 4084)
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\Order.exe"

    C:\Windows\SysWOW64\cmd.exe (PID 3440)
      Command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V

    C:\Windows\SysWOW64\cmd.exe (PID 1484)
      Command line: /c copy "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V

    C:\Program Files\Mozilla Firefox\Firefox.exe (PID 952)
      Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"