Analysis Overview
SHA256
d9af61c7590a4850ff8a8f021ad2b9f7536757d658b281e883e758065637bdd5
Threat Level: Known bad
The file Order.exe was found to be: Known bad.
Malicious Activity Summary
suricata: ET MALWARE FormBook CnC Checkin (GET)
Xloader
ModiLoader, DBatLoader
Xloader Payload
ModiLoader Second Stage
Adds policy Run key to start application
Reads user/profile data of web browsers
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in Program Files directory
Suspicious behavior: MapViewOfSection
Suspicious behavior: GetForegroundWindowSpam
Modifies Internet Explorer settings
Runs net.exe
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-06-21 08:05
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2022-06-21 08:05
Reported
2022-06-21 08:07
Platform
win10v2004-20220414-en
Max time kernel
147s
Max time network
153s
Command Line
Signatures
ModiLoader, DBatLoader
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
ModiLoader Second Stage
Xloader Payload
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\mstsc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\YPM83N28OPX = "C:\\Program Files (x86)\\Mt8dt7b\\-zit_xuxt800.exe" | C:\Windows\SysWOW64\mstsc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rwooihhzlf = "C:\\Users\\Public\\Libraries\\flzhhioowR.url" | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1924 set thread context of 2640 | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | C:\Windows\Explorer.EXE |
| PID 960 set thread context of 2640 | N/A | C:\Windows\SysWOW64\mstsc.exe | C:\Windows\Explorer.EXE |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Mt8dt7b\-zit_xuxt800.exe | C:\Windows\SysWOW64\mstsc.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \Registry\User\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | C:\Windows\SysWOW64\mstsc.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mstsc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mstsc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mstsc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mstsc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\mstsc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\Order.exe | "C:\Users\Admin\AppData\Local\Temp\Order.exe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\Rwooihhzlft.bat" " |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /K C:\Users\Public\Libraries\RwooihhzlfO.bat |
| C:\Windows\SysWOW64\net.exe | net session |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 session |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'" |
| C:\Users\Admin\AppData\Local\Temp\Order.exe | C:\Users\Admin\AppData\Local\Temp\Order.exe |
| C:\Windows\SysWOW64\mstsc.exe | "C:\Windows\SysWOW64\mstsc.exe" |
| C:\Windows\SysWOW64\cmd.exe | /c del "C:\Users\Admin\AppData\Local\Temp\Order.exe" |
| C:\Windows\SysWOW64\cmd.exe | /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V |
| C:\Windows\SysWOW64\cmd.exe | /c copy "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V |
| C:\Program Files\Mozilla Firefox\Firefox.exe | "C:\Program Files\Mozilla Firefox\Firefox.exe" |
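Detection logic for the execution chain above, written here as an added example; it is not part of this sandbox report and not any vendor's rule set. The events are constructed from the command lines and registry writes listed in this report, using Sysmon field names as an assumption (EventID 1 process creation, EventID 13 registry value set); PIDs, parent links and timestamps are left out because the report does not give a parent/child tree. The rules cover the `net session` elevation test (the command fails when not elevated, so batch droppers use it as an admin check), the Defender exclusion for C:\Users, the .bat files staged under C:\Users\Public\Libraries, the Chrome/Edge Login Data copies, the dropper's self-delete and both Run-key writes. The SetThreadContext/MapViewOfSection injection into Explorer.EXE and mstsc.exe is not covered, because process-creation and registry events do not record it.

```python
import re

# Constructed sample events modelled on this report's process list and registry
# writes. Field names follow Sysmon (EventID 1 = process create, EventID 13 =
# registry value set); the records are synthetic, with no PIDs or parent links.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\Admin\AppData\Local\Temp\Order.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\Order.exe"'},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\Rwooihhzlft.bat" "'},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r"C:\Windows\system32\cmd.exe /K C:\Users\Public\Libraries\RwooihhzlfO.bat"},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\net.exe", "CommandLine": "net session"},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\net1.exe",
     "CommandLine": r"C:\Windows\system32\net1 session"},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'''powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"'''},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\mstsc.exe",
     "CommandLine": r'"C:\Windows\SysWOW64\mstsc.exe"'},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'/c del "C:\Users\Admin\AppData\Local\Temp\Order.exe"'},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V'},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'/c copy "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V'},
    {"EventID": 13, "Image": r"C:\Users\Admin\AppData\Local\Temp\Order.exe",
     "TargetObject": r"\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rwooihhzlf",
     "Details": r"C:\Users\Public\Libraries\flzhhioowR.url"},
    {"EventID": 13, "Image": r"C:\Windows\SysWOW64\mstsc.exe",
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\YPM83N28OPX",
     "Details": r"C:\Program Files (x86)\Mt8dt7b\-zit_xuxt800.exe"},
    # Benign control (constructed): an ordinary copy that must not fire.
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c copy "C:\Users\Admin\Documents\notes.txt" "D:\backup\notes.txt"'},
]

# (rule, ATT&CK technique, Sysmon EventID, [(field, case-insensitive regex), ...]);
# every condition must match for the rule to fire.
RULES = [
    ("defender_exclusion_added", "T1562.001", 1,
     [("CommandLine", r"add-mppreference\s+-exclusionpath\b")]),
    # `net session` errors out when not elevated, so droppers use it as an admin test.
    ("elevation_check_net_session", "discovery", 1,
     [("CommandLine", r"(^|\\|\s)net1?(\.exe)?\s+session\b")]),
    ("bat_staged_in_public_libraries", "T1059.003", 1,
     [("CommandLine", r'\\users\\public\\libraries\\[^\s"]+\.bat\b')]),
    ("browser_login_db_copied", "T1555.003", 1,
     [("CommandLine", r'\bcopy\s+"[^"]*\\user data\\[^"]*\\login data"')]),
    ("dropper_self_delete", "T1070.004", 1,
     [("CommandLine", r'\bdel\s+"?[^"]*\\appdata\\local\\temp\\[^"\\]+\.exe')]),
    ("run_key_to_url_shortcut", "T1547.001", 13,
     [("TargetObject", r"\\currentversion\\run\\"), ("Details", r"\.url$")]),
    ("policies_explorer_run_key", "T1547.001", 13,
     [("TargetObject", r"\\currentversion\\policies\\explorer\\run\\")]),
]


def hunt(events):
    """Return (rule, technique, image, evidence) for every event that satisfies
    all conditions of a rule. One event may hit several rules."""
    findings = []
    for ev in events:
        for rule, technique, event_id, conditions in RULES:
            if ev["EventID"] != event_id:
                continue
            if all(re.search(pat, ev.get(field, ""), re.IGNORECASE)
                   for field, pat in conditions):
                evidence = ev.get("CommandLine") or ev.get("TargetObject")
                findings.append((rule, technique, ev["Image"], evidence))
    return findings


def chain_score(findings, threshold=4):
    """Number of distinct rules hit and whether it crosses the alert threshold.
    One rule alone (an admin copying a file, a lone net session) is not worth a
    page; this dropper trips all seven."""
    rules_hit = {f[0] for f in findings}
    return len(rules_hit), len(rules_hit) >= threshold


if __name__ == "__main__":
    for rule, technique, image, evidence in hunt(SAMPLE_EVENTS):
        print(f"{rule:32} {technique:10} {image}\n    {evidence}")
    print("distinct rules, alert:", chain_score(hunt(SAMPLE_EVENTS)))
```

Scoring on distinct rules rather than on any single match is the point: each of these commands has a legitimate twin (an admin adding an exclusion, a backup script copying a profile), but a host that produces the elevation test, the exclusion, the Login Data copies and a Run key within one detonation is this loader.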
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | onedrive.live.com | udp |
| US | 13.107.42.13:443 | onedrive.live.com | tcp |
| US | 8.8.8.8:53 | jn1gja.dm.files.1drv.com | udp |
| US | 13.107.43.12:443 | jn1gja.dm.files.1drv.com | tcp |
| US | 13.107.43.12:443 | jn1gja.dm.files.1drv.com | tcp |
| US | 20.189.173.1:443 | | tcp |
| US | 8.8.8.8:53 | www.thensateam.com | udp |
| US | 34.102.136.180:80 | www.thensateam.com | tcp |
| US | 8.8.8.8:53 | www.alphabullsmint.site | udp |
| CY | 185.166.188.137:80 | www.alphabullsmint.site | tcp |
| US | 8.8.8.8:53 | www.savorytoys.com | udp |
| CA | 23.227.38.74:80 | www.savorytoys.com | tcp |
| US | 8.8.8.8:53 | www.matsu-den.net | udp |
| JP | 133.167.8.66:80 | www.matsu-den.net | tcp |
| GB | 92.123.140.25:80 | | tcp |
| US | 8.8.8.8:53 | www.solicitglobal.com | udp |
| HK | 154.213.224.48:80 | www.solicitglobal.com | tcp |
| NL | 104.110.191.133:80 | | tcp |
| US | 8.8.8.8:53 | www.velovitasnapit.com | udp |
| US | 34.102.136.180:80 | www.velovitasnapit.com | tcp |
| US | 8.8.8.8:53 | www.tenderstembroccoli.com | udp |
| FR | 217.70.184.50:80 | www.tenderstembroccoli.com | tcp |
| US | 8.8.8.8:53 | www.restauranteelcherro.com | udp |
| CA | 23.227.38.74:80 | www.restauranteelcherro.com | tcp |
| US | 8.8.8.8:53 | www.segawa-kensetu.com | udp |
| JP | 157.7.44.218:80 | www.segawa-kensetu.com | tcp |
| US | 8.8.8.8:53 | www.akretum.site | udp |
| NL | 185.174.172.74:80 | www.akretum.site | tcp |
| US | 8.8.8.8:53 | www.mcmcasting.com | udp |
| US | 192.64.119.186:80 | www.mcmcasting.com | tcp |
| US | 8.8.8.8:53 | www.designbybyte.com | udp |
| DE | 89.31.143.1:80 | www.designbybyte.com | tcp |
| US | 8.8.8.8:53 | www.hecsearc.com | udp |
| US | 162.0.223.36:80 | www.hecsearc.com | tcp |
| US | 8.8.8.8:53 | www.huyueyq.com | udp |
| US | 8.8.8.8:53 | www.huyueyq.com | udp |
| US | 8.8.8.8:53 | www.huyueyq.com | udp |
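The port-80 traffic in the table above (one www.* host after another across eight countries, with two IPs each answering for two unrelated names) is the check-in pattern Xloader/FormBook produces when it walks its configured domain list, only part of which is live C2. The script below is an added example, not part of this report: the flow records are constructed from the behavioral2 Network table with invented timestamps (the report gives none), and the eTLD+1 reduction is a naive last-two-labels assumption rather than a public-suffix lookup. The earlier HTTPS flows to onedrive.live.com and 1drv.com (the second-stage download) are kept in the data so the detector shows it ignores them.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records (ts, country, dst_ip, dst_port, proto, domain) taken
# from the behavioral2 Network table. Timestamps are invented; the report has none.
CONSTRUCTED_FLOWS = [
    ("2022-06-21T08:05:20", "US", "13.107.42.13", 443, "tcp", "onedrive.live.com"),
    ("2022-06-21T08:05:22", "US", "13.107.43.12", 443, "tcp", "jn1gja.dm.files.1drv.com"),
    ("2022-06-21T08:05:30", "US", "20.189.173.1", 443, "tcp", ""),
    ("2022-06-21T08:06:00", "US", "34.102.136.180", 80, "tcp", "www.thensateam.com"),
    ("2022-06-21T08:06:05", "CY", "185.166.188.137", 80, "tcp", "www.alphabullsmint.site"),
    ("2022-06-21T08:06:10", "CA", "23.227.38.74", 80, "tcp", "www.savorytoys.com"),
    ("2022-06-21T08:06:15", "JP", "133.167.8.66", 80, "tcp", "www.matsu-den.net"),
    ("2022-06-21T08:06:18", "GB", "92.123.140.25", 80, "tcp", ""),
    ("2022-06-21T08:06:20", "HK", "154.213.224.48", 80, "tcp", "www.solicitglobal.com"),
    ("2022-06-21T08:06:25", "US", "34.102.136.180", 80, "tcp", "www.velovitasnapit.com"),
    ("2022-06-21T08:06:30", "FR", "217.70.184.50", 80, "tcp", "www.tenderstembroccoli.com"),
    ("2022-06-21T08:06:35", "CA", "23.227.38.74", 80, "tcp", "www.restauranteelcherro.com"),
    ("2022-06-21T08:06:40", "JP", "157.7.44.218", 80, "tcp", "www.segawa-kensetu.com"),
    ("2022-06-21T08:06:45", "NL", "185.174.172.74", 80, "tcp", "www.akretum.site"),
    ("2022-06-21T08:06:50", "US", "192.64.119.186", 80, "tcp", "www.mcmcasting.com"),
    ("2022-06-21T08:06:55", "DE", "89.31.143.1", 80, "tcp", "www.designbybyte.com"),
    ("2022-06-21T08:07:00", "US", "162.0.223.36", 80, "tcp", "www.hecsearc.com"),
]


def registrable(domain):
    """Naive eTLD+1 (last two labels). Adequate for www.<name>.<tld>; a real
    deployment should use the public suffix list (assumption, see lead-in)."""
    parts = domain.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else domain.lower()


def http_fanout(flows, window=timedelta(minutes=2), min_domains=8):
    """Slide a time window over plaintext-HTTP flows (tcp/80 with a known host)
    and report the densest one: distinct registrable domains, distinct
    destination countries, and whether the domain count crosses the bar."""
    http = sorted((datetime.fromisoformat(ts), registrable(dom), cc)
                  for ts, cc, _ip, port, proto, dom in flows
                  if proto == "tcp" and port == 80 and dom)
    best = {"distinct_domains": 0, "distinct_countries": 0,
            "window_start": None, "flagged": False}
    for i, (t0, _, _) in enumerate(http):
        in_win = [x for x in http[i:] if x[0] - t0 <= window]
        doms = {d for _, d, _ in in_win}
        if len(doms) > best["distinct_domains"]:
            best = {"distinct_domains": len(doms),
                    "distinct_countries": len({c for _, _, c in in_win}),
                    "window_start": t0.isoformat(),
                    "flagged": len(doms) >= min_domains}
    return best


def shared_ips(flows):
    """IPs that answered on tcp/80 for more than one registrable domain: a
    secondary signal that the contacted names are parked or shared hosting."""
    by_ip = defaultdict(set)
    for _ts, _cc, ip, port, proto, dom in flows:
        if proto == "tcp" and port == 80 and dom:
            by_ip[ip].add(registrable(dom))
    return {ip: doms for ip, doms in by_ip.items() if len(doms) > 1}


if __name__ == "__main__":
    print(http_fanout(CONSTRUCTED_FLOWS))
    print(shared_ips(CONSTRUCTED_FLOWS))
```

The threshold of eight distinct domains in two minutes is a starting point, not a tuned value; a browser session renders an ad-heavy page with comparable fan-out but mostly over 443, so restrict the count to plaintext HTTP and, where the proxy logs it, to requests whose User-Agent and URI path do not match the host's usual browser, as the ET "FormBook CnC Checkin (GET)" rule above already does at the packet level.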
Files
memory/4044-140-0x0000000003940000-0x0000000003992000-memory.dmp
memory/4044-141-0x0000000003940000-0x0000000003992000-memory.dmp
memory/4044-142-0x0000000003940000-0x0000000003992000-memory.dmp
memory/4044-143-0x0000000003940000-0x0000000003992000-memory.dmp
memory/4044-145-0x0000000003940000-0x0000000003992000-memory.dmp
memory/4044-146-0x0000000003940000-0x0000000003992000-memory.dmp
memory/4044-147-0x0000000003940000-0x0000000003992000-memory.dmp
memory/4044-144-0x0000000003940000-0x0000000003992000-memory.dmp
memory/4044-148-0x0000000003940000-0x0000000003992000-memory.dmp
memory/4044-150-0x0000000003940000-0x0000000003992000-memory.dmp
memory/4044-151-0x0000000003940000-0x0000000003992000-memory.dmp
memory/4044-149-0x0000000003940000-0x0000000003992000-memory.dmp
memory/4044-152-0x0000000003940000-0x0000000003992000-memory.dmp
memory/4044-153-0x0000000003940000-0x0000000003992000-memory.dmp
memory/4044-155-0x0000000003940000-0x0000000003992000-memory.dmp
memory/4044-154-0x0000000003940000-0x0000000003992000-memory.dmp
memory/4044-156-0x0000000003940000-0x0000000003992000-memory.dmp
memory/4044-157-0x0000000003940000-0x0000000003992000-memory.dmp
memory/4044-158-0x0000000003940000-0x0000000003992000-memory.dmp
memory/4044-160-0x0000000003940000-0x0000000003992000-memory.dmp
memory/4044-159-0x0000000003940000-0x0000000003992000-memory.dmp
memory/4044-161-0x0000000003940000-0x0000000003992000-memory.dmp
memory/4044-162-0x0000000003940000-0x0000000003992000-memory.dmp
memory/4044-164-0x0000000003940000-0x0000000003992000-memory.dmp
memory/4044-165-0x0000000003940000-0x0000000003992000-memory.dmp
memory/4044-163-0x0000000003940000-0x0000000003992000-memory.dmp
memory/3060-166-0x0000000000000000-mapping.dmp
C:\Users\Public\Libraries\Rwooihhzlft.bat
| MD5 | c2a5d88b8a980ad8d3c68e0f1fbfc8eb |
| SHA1 | 6de3fabebf01d06116079418cb2843949e311c01 |
| SHA256 | 0eeaa64d74922edce08e4cbe7ed752c8370ccb43f834bd4d9fa2c2be8eaf2bac |
| SHA512 | 8bb0e2e0728ea91b415e5dff5b8bb14288e1a5167a7ac10b50cbe2485f6cec833be1c6a6c6f988fabdca53528d1febfa847af7263f34dca10f5d0a37818acadd |
memory/2004-168-0x0000000000000000-mapping.dmp
C:\Users\Public\Libraries\RwooihhzlfO.bat
| MD5 | df48c09f243ebcc8a165f77a1c2bf889 |
| SHA1 | 455f7db0adcc2a58d006f1630fb0bd55cd868c07 |
| SHA256 | 4ef9821678da07138c19405387f3fb95e409fbd461c7b8d847c05075facd63ca |
| SHA512 | 735838c7cca953697ded48adfcd037b7f198072a8962f5940ce12e1bb1c7dd8c1f257a829276f5f5456f776f5bd13342222dd6e0dfc8f18a23f464f2c8d8f1cc |
memory/1244-170-0x0000000000000000-mapping.dmp
memory/1320-171-0x0000000000000000-mapping.dmp
C:\Users\Public\Libraries\Cdex.bat
| MD5 | 213c60adf1c9ef88dc3c9b2d579959d2 |
| SHA1 | e4d2ad7b22b1a8b5b1f7a702b303c7364b0ee021 |
| SHA256 | 37c59c8398279916cfce45f8c5e3431058248f5e3bef4d9f5c0f44a7d564f82e |
| SHA512 | fe897d9caa306b0e761b2fd61bb5dc32a53bfaad1ce767c6860af4e3ad59c8f3257228a6e1072dab0f990cb51c59c648084ba419ac6bc5c0a99bdffa569217b7 |
memory/2520-173-0x0000000000000000-mapping.dmp
memory/2520-174-0x00000000027D0000-0x0000000002806000-memory.dmp
memory/2520-175-0x00000000050D0000-0x00000000056F8000-memory.dmp
memory/2520-176-0x0000000004E10000-0x0000000004E32000-memory.dmp
memory/2520-177-0x0000000004FB0000-0x0000000005016000-memory.dmp
memory/2520-178-0x0000000005020000-0x0000000005086000-memory.dmp
memory/2520-179-0x0000000005CB0000-0x0000000005CCE000-memory.dmp
memory/2520-180-0x0000000006250000-0x0000000006282000-memory.dmp
memory/2520-181-0x000000006FBD0000-0x000000006FC1C000-memory.dmp
memory/2520-182-0x0000000006230000-0x000000000624E000-memory.dmp
memory/2520-183-0x0000000007660000-0x0000000007CDA000-memory.dmp
memory/2520-184-0x0000000006EE0000-0x0000000006EFA000-memory.dmp
memory/2520-185-0x0000000007020000-0x000000000702A000-memory.dmp
memory/2520-186-0x0000000007210000-0x00000000072A6000-memory.dmp
memory/2520-187-0x00000000071D0000-0x00000000071DE000-memory.dmp
memory/2520-188-0x00000000072D0000-0x00000000072EA000-memory.dmp
memory/2520-189-0x00000000072C0000-0x00000000072C8000-memory.dmp
memory/4044-191-0x0000000010410000-0x000000001043B000-memory.dmp
memory/1924-192-0x0000000000000000-mapping.dmp
memory/4044-193-0x0000000003940000-0x0000000003992000-memory.dmp
memory/4044-194-0x0000000003940000-0x0000000003992000-memory.dmp
memory/4044-195-0x0000000003940000-0x0000000003992000-memory.dmp
memory/4044-197-0x0000000003940000-0x0000000003992000-memory.dmp
memory/4044-196-0x0000000003940000-0x0000000003992000-memory.dmp
memory/4044-204-0x0000000003940000-0x0000000003992000-memory.dmp
memory/4044-205-0x0000000003940000-0x0000000003992000-memory.dmp
memory/4044-206-0x0000000003940000-0x0000000003992000-memory.dmp
memory/4044-207-0x0000000003940000-0x0000000003992000-memory.dmp
memory/4044-209-0x0000000003940000-0x0000000003992000-memory.dmp
memory/4044-210-0x0000000003940000-0x0000000003992000-memory.dmp
memory/4044-211-0x0000000003940000-0x0000000003992000-memory.dmp
memory/4044-208-0x0000000003940000-0x0000000003992000-memory.dmp
memory/1924-213-0x0000000010410000-0x000000001043B000-memory.dmp
memory/1924-214-0x00000000029A0000-0x0000000002CEA000-memory.dmp
memory/1924-215-0x00000000008B0000-0x00000000008C1000-memory.dmp
memory/2640-216-0x0000000009260000-0x00000000093DA000-memory.dmp
memory/960-217-0x0000000000000000-mapping.dmp
memory/4084-218-0x0000000000000000-mapping.dmp
memory/960-220-0x0000000000A20000-0x0000000000A4B000-memory.dmp
memory/960-219-0x00000000002A0000-0x00000000003DA000-memory.dmp
memory/960-221-0x00000000029C0000-0x0000000002D0A000-memory.dmp
memory/2640-223-0x0000000008B90000-0x0000000008C4D000-memory.dmp
memory/960-222-0x00000000027F0000-0x0000000002880000-memory.dmp
memory/960-224-0x0000000000A20000-0x0000000000A4B000-memory.dmp
memory/2640-225-0x0000000008B90000-0x0000000008C4D000-memory.dmp
memory/3440-226-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\DB1
| MD5 | b608d407fc15adea97c26936bc6f03f6 |
| SHA1 | 953e7420801c76393902c0d6bb56148947e41571 |
| SHA256 | b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf |
| SHA512 | cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4 |
memory/1484-228-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\DB1
| MD5 | 349e6eb110e34a08924d92f6b334801d |
| SHA1 | bdfb289daff51890cc71697b6322aa4b35ec9169 |
| SHA256 | c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a |
| SHA512 | 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574 |
Analysis: behavioral1
Detonation Overview
Submitted
2022-06-21 08:05
Reported
2022-06-21 08:07
Platform
win7-20220414-en
Max time kernel
127s
Max time network
150s
Command Line
Signatures
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\Order.exe | "C:\Users\Admin\AppData\Local\Temp\Order.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | onedrive.live.com | udp |
| US | 13.107.42.13:443 | onedrive.live.com | tcp |
| US | 8.8.8.8:53 | jn1gja.dm.files.1drv.com | udp |
| US | 13.107.42.12:443 | jn1gja.dm.files.1drv.com | tcp |
| US | 13.107.42.12:443 | jn1gja.dm.files.1drv.com | tcp |
| US | 13.107.42.12:443 | jn1gja.dm.files.1drv.com | tcp |
| US | 13.107.42.12:443 | jn1gja.dm.files.1drv.com | tcp |
| US | 13.107.42.12:443 | jn1gja.dm.files.1drv.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 13.107.42.12:443 | jn1gja.dm.files.1drv.com | tcp |
| US | 13.107.42.12:443 | jn1gja.dm.files.1drv.com | tcp |
| US | 13.107.42.12:443 | jn1gja.dm.files.1drv.com | tcp |
| US | 13.107.42.12:443 | jn1gja.dm.files.1drv.com | tcp |
| US | 13.107.42.12:443 | jn1gja.dm.files.1drv.com | tcp |
| US | 13.107.42.12:443 | jn1gja.dm.files.1drv.com | tcp |
| US | 13.107.42.12:443 | jn1gja.dm.files.1drv.com | tcp |
| US | 13.107.42.12:443 | jn1gja.dm.files.1drv.com | tcp |
| US | 13.107.42.12:443 | jn1gja.dm.files.1drv.com | tcp |
Files
memory/1836-54-0x0000000076421000-0x0000000076423000-memory.dmp