Malware Analysis Report

2025-08-05 13:52

Sample ID 220621-jyts9scchn
Target Order.exe
SHA256 d9af61c7590a4850ff8a8f021ad2b9f7536757d658b281e883e758065637bdd5
Tags
modiloader xloader ne5f loader persistence rat spyware stealer suricata trojan
score
10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK (Enterprise Matrix V6)
  Analysis: static1
      Detonation Overview, Signatures
  Analysis: behavioral2
      Detonation Overview, Command Line, Signatures, Processes, Network, Files
  Analysis: behavioral1
      Detonation Overview, Command Line, Signatures, Processes, Network, Files

Analysis Overview

score
10/10

SHA256

d9af61c7590a4850ff8a8f021ad2b9f7536757d658b281e883e758065637bdd5

Threat Level: Known bad

The file Order.exe was found to be: Known bad.

Malicious Activity Summary

modiloader xloader ne5f loader persistence rat spyware stealer suricata trojan

suricata: ET MALWARE FormBook CnC Checkin (GET)

Xloader

ModiLoader, DBatLoader

Xloader Payload

ModiLoader Second Stage

Adds policy Run key to start application

Reads user/profile data of web browsers

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Program Files directory

Suspicious behavior: MapViewOfSection

Suspicious behavior: GetForegroundWindowSpam

Modifies Internet Explorer settings

Runs net.exe

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-06-21 08:05

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-06-21 08:05

Reported

2022-06-21 08:07

Platform

win10v2004-20220414-en

Max time kernel

147s

Max time network

153s

Command Line

C:\Windows\Explorer.EXE

Signatures

ModiLoader, DBatLoader

trojan modiloader

Xloader

loader xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)

suricata

ModiLoader Second Stage


Xloader Payload

rat

Adds policy Run key to start application

persistence
Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  by process: C:\Windows\SysWOW64\mstsc.exe
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\YPM83N28OPX = "C:\\Program Files (x86)\\Mt8dt7b\\-zit_xuxt800.exe"
  by process: C:\Windows\SysWOW64\mstsc.exe

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Set value (str): \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rwooihhzlf = "C:\\Users\\Public\\Libraries\\flzhhioowR.url"
  by process: C:\Users\Admin\AppData\Local\Temp\Order.exe
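The two registry indicators above are the whole persistence story of this sample: a policy Run value written by the injected mstsc.exe pointing at a freshly created, random-looking directory under Program Files (x86), and a per-user Run value written by Order.exe that launches a .url file from the world-writable Public profile. The following Python is an added example, not part of the sandbox report. It parses indicator lines in the exact shape the report prints them (the two real values, the "Key created" line, plus one benign OneDrive Run value I constructed for contrast) and applies autostart heuristics of my own: a Policies\Explorer\Run value at all, a Run target that is not an .exe (Explorer hands a .url to its handler), a target under C:\Users\Public, and a target in a short name-with-digits directory directly under Program Files. The "random directory" regex is an approximation, not anything the sandbox computes.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample lines in the shape of the report's Indicator column.
# Entries 0-2 are the values the sandbox logged; entry 3 is a benign control
# I made up so that a normal Run value visibly produces no finding.
SAMPLE_INDICATORS = [
    r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\YPM83N28OPX = "C:\\Program Files (x86)\\Mt8dt7b\\-zit_xuxt800.exe"',
    r'\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rwooihhzlf = "C:\\Users\\Public\\Libraries\\flzhhioowR.url"',
    r'\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background',
]

# Autostart keys this example cares about (suffix match, case-insensitive).
RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\policies\\explorer\\run")


@dataclass
class RunValue:
    key: str                  # registry key path, hive included
    name: str                 # value name ("" for a bare 'Key created' line)
    data: str                 # value data with the report's \\ escaping undone
    target: str               # the file the value will launch (first token of data)
    findings: List[str] = field(default_factory=list)


def parse_indicator(line: str) -> RunValue:
    """Split '<key>\\<name> = "<data>"' as the sandbox prints it; no ' = ' means a bare key."""
    lhs, sep, rhs = line.partition(" = ")
    if not sep:
        return RunValue(key=lhs, name="", data="", target="")
    key, _, name = lhs.rpartition("\\")
    data = rhs.strip().replace("\\\\", "\\")          # the report doubles backslashes
    target = data[1:data.index('"', 1)] if data.startswith('"') else data.split()[0]
    return RunValue(key=key, name=name, data=data, target=target)


def assess(rv: RunValue) -> RunValue:
    """Apply heuristics (mine, not the sandbox's) to one autostart value."""
    k, t = rv.key.lower(), rv.target.lower()
    if not k.endswith(RUN_KEYS):
        return rv                                     # not an autostart key, nothing to say
    if k.endswith("\\policies\\explorer\\run"):
        rv.findings.append("policy_run_key")          # legitimate installers almost never use this key
    if not t:
        return rv                                     # 'Key created' line: no target to inspect
    if not t.endswith(".exe"):
        rv.findings.append("non_exe_target")          # .url/.bat/.lnk is dispatched through a handler
    if t.startswith("c:\\users\\public\\"):
        rv.findings.append("public_profile_path")     # world-writable location
    m = re.match(r"c:\\program files( \(x86\))?\\([^\\]+)\\", t)
    if m and re.fullmatch(r"[a-z0-9_-]{5,12}", m.group(2)) and re.search(r"\d", m.group(2)):
        rv.findings.append("random_program_files_dir")  # heuristic: short name with digits, no vendor-like name
    return rv


def triage(lines: List[str]) -> List[RunValue]:
    return [assess(parse_indicator(line)) for line in lines]


if __name__ == "__main__":
    for rv in triage(SAMPLE_INDICATORS):
        print(f"{rv.name or '<key>':12} -> {rv.target or '-'}  {rv.findings or 'clean'}")
```

On a live host the same heuristics apply to the output of `reg query` over both Run keys; the parser here only exists because the sandbox prints values as a single escaped string.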

Suspicious use of SetThreadContext

PID 1924 (C:\Users\Admin\AppData\Local\Temp\Order.exe) set thread context of PID 2640 (C:\Windows\Explorer.EXE)
PID 960 (C:\Windows\SysWOW64\mstsc.exe) set thread context of PID 2640 (C:\Windows\Explorer.EXE)

Drops file in Program Files directory

File opened for modification: C:\Program Files (x86)\Mt8dt7b\-zit_xuxt800.exe
  by process: C:\Windows\SysWOW64\mstsc.exe

Modifies Internet Explorer settings

adware spyware
Key created: \Registry\User\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2
  by process: C:\Windows\SysWOW64\mstsc.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Process (number of events)
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (2)
C:\Users\Admin\AppData\Local\Temp\Order.exe (4)
C:\Windows\SysWOW64\mstsc.exe (42)

Suspicious behavior: GetForegroundWindowSpam

Process: C:\Windows\Explorer.EXE

Suspicious use of AdjustPrivilegeToken

Token: SeDebugPrivilege  Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Token: SeDebugPrivilege  Process: C:\Users\Admin\AppData\Local\Temp\Order.exe
Token: SeDebugPrivilege  Process: C:\Windows\SysWOW64\mstsc.exe

Suspicious use of WriteProcessMemory

Source PID -> target PID (events): source process -> target process
PID 4044 -> PID 3060 (3): C:\Users\Admin\AppData\Local\Temp\Order.exe -> C:\Windows\SysWOW64\cmd.exe
PID 3060 -> PID 2004 (3): C:\Windows\SysWOW64\cmd.exe -> C:\Windows\SysWOW64\cmd.exe
PID 2004 -> PID 1244 (3): C:\Windows\SysWOW64\cmd.exe -> C:\Windows\SysWOW64\net.exe
PID 1244 -> PID 1320 (3): C:\Windows\SysWOW64\net.exe -> C:\Windows\SysWOW64\net1.exe
PID 2004 -> PID 2520 (3): C:\Windows\SysWOW64\cmd.exe -> C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4044 -> PID 1924 (6): C:\Users\Admin\AppData\Local\Temp\Order.exe -> C:\Users\Admin\AppData\Local\Temp\Order.exe
PID 2640 -> PID 960 (3): C:\Windows\Explorer.EXE -> C:\Windows\SysWOW64\mstsc.exe
PID 960 -> PID 4084 (3): C:\Windows\SysWOW64\mstsc.exe -> C:\Windows\SysWOW64\cmd.exe
PID 960 -> PID 3440 (3): C:\Windows\SysWOW64\mstsc.exe -> C:\Windows\SysWOW64\cmd.exe
PID 960 -> PID 1484 (3): C:\Windows\SysWOW64\mstsc.exe -> C:\Windows\SysWOW64\cmd.exe
PID 960 -> PID 952 (3): C:\Windows\SysWOW64\mstsc.exe -> C:\Program Files\Mozilla Firefox\Firefox.exe

Processes

Shown as a tree. PIDs come from the SetThreadContext and WriteProcessMemory tables above; the three cmd.exe children of mstsc.exe are matched to their command lines in listing order (4084, 3440, 1484), which agrees with the order of the mapping dumps in the Files section. Note the break in the tree: mstsc.exe is spawned by Explorer.EXE after Order.exe (PID 1924) has set Explorer's thread context, so its parent is the injection target, not the sample.

C:\Windows\Explorer.EXE  (PID 2640)
    C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\Order.exe  (PID 4044)
    "C:\Users\Admin\AppData\Local\Temp\Order.exe"
  C:\Windows\SysWOW64\cmd.exe  (PID 3060)
      C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\Rwooihhzlft.bat" "
    C:\Windows\SysWOW64\cmd.exe  (PID 2004)
        C:\Windows\system32\cmd.exe /K C:\Users\Public\Libraries\RwooihhzlfO.bat
      C:\Windows\SysWOW64\net.exe  (PID 1244)
          net session
        C:\Windows\SysWOW64\net1.exe  (PID 1320)
            C:\Windows\system32\net1 session
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 2520)
          powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
  C:\Users\Admin\AppData\Local\Temp\Order.exe  (PID 1924; sets thread context of Explorer.EXE PID 2640)
      C:\Users\Admin\AppData\Local\Temp\Order.exe

C:\Windows\Explorer.EXE  (PID 2640, after injection)
  C:\Windows\SysWOW64\mstsc.exe  (PID 960)
      "C:\Windows\SysWOW64\mstsc.exe"
    C:\Windows\SysWOW64\cmd.exe  (PID 4084)
        /c del "C:\Users\Admin\AppData\Local\Temp\Order.exe"
    C:\Windows\SysWOW64\cmd.exe  (PID 3440)
        /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
    C:\Windows\SysWOW64\cmd.exe  (PID 1484)
        /c copy "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
    C:\Program Files\Mozilla Firefox\Firefox.exe  (PID 952)
        "C:\Program Files\Mozilla Firefox\Firefox.exe"

Network

(Rows with destination 8.8.8.8:53/udp are the sandbox's DNS lookups, each listed before the TCP connection it resolved; "-" means the report recorded no domain for the connection.)

Country  Destination          Domain                        Proto
US       8.8.8.8:53           onedrive.live.com             udp
US       13.107.42.13:443     onedrive.live.com             tcp
US       8.8.8.8:53           jn1gja.dm.files.1drv.com      udp
US       13.107.43.12:443     jn1gja.dm.files.1drv.com      tcp
US       13.107.43.12:443     jn1gja.dm.files.1drv.com      tcp
US       20.189.173.1:443     -                             tcp
US       8.8.8.8:53           www.thensateam.com            udp
US       34.102.136.180:80    www.thensateam.com            tcp
US       8.8.8.8:53           www.alphabullsmint.site       udp
CY       185.166.188.137:80   www.alphabullsmint.site       tcp
US       8.8.8.8:53           www.savorytoys.com            udp
CA       23.227.38.74:80      www.savorytoys.com            tcp
US       8.8.8.8:53           www.matsu-den.net             udp
JP       133.167.8.66:80      www.matsu-den.net             tcp
GB       92.123.140.25:80     -                             tcp
US       8.8.8.8:53           www.solicitglobal.com         udp
HK       154.213.224.48:80    www.solicitglobal.com         tcp
NL       104.110.191.133:80   -                             tcp
US       8.8.8.8:53           www.velovitasnapit.com        udp
US       34.102.136.180:80    www.velovitasnapit.com        tcp
US       8.8.8.8:53           www.tenderstembroccoli.com    udp
FR       217.70.184.50:80     www.tenderstembroccoli.com    tcp
US       8.8.8.8:53           www.restauranteelcherro.com   udp
CA       23.227.38.74:80      www.restauranteelcherro.com   tcp
US       8.8.8.8:53           www.segawa-kensetu.com        udp
JP       157.7.44.218:80      www.segawa-kensetu.com        tcp
US       8.8.8.8:53           www.akretum.site              udp
NL       185.174.172.74:80    www.akretum.site              tcp
US       8.8.8.8:53           www.mcmcasting.com            udp
US       192.64.119.186:80    www.mcmcasting.com            tcp
US       8.8.8.8:53           www.designbybyte.com          udp
DE       89.31.143.1:80       www.designbybyte.com          tcp
US       8.8.8.8:53           www.hecsearc.com              udp
US       162.0.223.36:80      www.hecsearc.com              tcp
US       8.8.8.8:53           www.huyueyq.com               udp
US       8.8.8.8:53           www.huyueyq.com               udp
US       8.8.8.8:53           www.huyueyq.com               udp
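The long run of port-80 connections to unrelated domains after the OneDrive download is what the Suricata "FormBook CnC Checkin" signature keyed on. FormBook/Xloader beacons through a configured list of domains of which only one or a few are live C2 and the rest are decoys, so every port-80 host here is a candidate, not a confirmed C2, and this table alone cannot tell which. The Python below is an added example, not part of the report: it parses the Network table above into a candidate list, keeps the OneDrive hosts out of it because they are shared Microsoft infrastructure (the download URL is still worth recording as an IOC, just not as something to block by IP), flags IPs that served more than one domain inside this single trace as shared hosting to be blocked by domain rather than by address, and reports a domain that was queried repeatedly without any TCP connection separately. The allowlist and the "shared IP" threshold are my choices.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed input: the behavioral2 Network table copied from the report.
NETWORK_TABLE = """\
US 8.8.8.8:53 onedrive.live.com udp
US 13.107.42.13:443 onedrive.live.com tcp
US 8.8.8.8:53 jn1gja.dm.files.1drv.com udp
US 13.107.43.12:443 jn1gja.dm.files.1drv.com tcp
US 13.107.43.12:443 jn1gja.dm.files.1drv.com tcp
US 20.189.173.1:443 tcp
US 8.8.8.8:53 www.thensateam.com udp
US 34.102.136.180:80 www.thensateam.com tcp
US 8.8.8.8:53 www.alphabullsmint.site udp
CY 185.166.188.137:80 www.alphabullsmint.site tcp
US 8.8.8.8:53 www.savorytoys.com udp
CA 23.227.38.74:80 www.savorytoys.com tcp
US 8.8.8.8:53 www.matsu-den.net udp
JP 133.167.8.66:80 www.matsu-den.net tcp
GB 92.123.140.25:80 tcp
US 8.8.8.8:53 www.solicitglobal.com udp
HK 154.213.224.48:80 www.solicitglobal.com tcp
NL 104.110.191.133:80 tcp
US 8.8.8.8:53 www.velovitasnapit.com udp
US 34.102.136.180:80 www.velovitasnapit.com tcp
US 8.8.8.8:53 www.tenderstembroccoli.com udp
FR 217.70.184.50:80 www.tenderstembroccoli.com tcp
US 8.8.8.8:53 www.restauranteelcherro.com udp
CA 23.227.38.74:80 www.restauranteelcherro.com tcp
US 8.8.8.8:53 www.segawa-kensetu.com udp
JP 157.7.44.218:80 www.segawa-kensetu.com tcp
US 8.8.8.8:53 www.akretum.site udp
NL 185.174.172.74:80 www.akretum.site tcp
US 8.8.8.8:53 www.mcmcasting.com udp
US 192.64.119.186:80 www.mcmcasting.com tcp
US 8.8.8.8:53 www.designbybyte.com udp
DE 89.31.143.1:80 www.designbybyte.com tcp
US 8.8.8.8:53 www.hecsearc.com udp
US 162.0.223.36:80 www.hecsearc.com tcp
US 8.8.8.8:53 www.huyueyq.com udp
US 8.8.8.8:53 www.huyueyq.com udp
US 8.8.8.8:53 www.huyueyq.com udp
"""

ROW = re.compile(r"^(?P<cc>[A-Z]{2}) (?P<ip>[\d.]+):(?P<port>\d+)(?: (?P<domain>\S+))? (?P<proto>udp|tcp)$")
# Shared Microsoft infrastructure used for the stage download: IOC by URL, not a C2 to block by IP.
ALLOWLIST_SUFFIXES = ("onedrive.live.com", ".1drv.com")


def parse(table: str) -> List[Dict]:
    rows = []
    for line in table.splitlines():
        m = ROW.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        d = m.groupdict()
        d["port"] = int(d["port"])
        rows.append(d)
    return rows


def allowlisted(domain: Optional[str]) -> bool:
    return domain is not None and domain.endswith(ALLOWLIST_SUFFIXES)


def summarise(rows: List[Dict]) -> Dict:
    queried = {r["domain"] for r in rows if r["proto"] == "udp" and r["port"] == 53}
    by_domain: Dict[str, set] = defaultdict(set)   # domain -> IPs actually connected to
    by_ip: Dict[str, set] = defaultdict(set)       # IP -> domains it served (shared-hosting check)
    anonymous = set()                              # TCP connects the report logged without a domain
    for r in rows:
        if r["proto"] != "tcp":
            continue
        if r["domain"] is None:
            anonymous.add(f'{r["ip"]}:{r["port"]}')
        elif not allowlisted(r["domain"]):
            by_domain[r["domain"]].add(r["ip"])
            by_ip[r["ip"]].add(r["domain"])
    return {
        "c2_candidates": {d: sorted(ips) for d, ips in by_domain.items()},
        "queried_only": sorted(d for d in queried if d not in by_domain and not allowlisted(d)),
        "shared_ips": {ip: sorted(ds) for ip, ds in by_ip.items() if len(ds) > 1},
        "no_domain": sorted(anonymous),
    }


def ioc_lines(summary: Dict) -> List[str]:
    """Domain-keyed IOC lines; shared IPs are annotated instead of emitted as IP blocks."""
    out = [f"domain {d} ip {','.join(ips)}" for d, ips in sorted(summary["c2_candidates"].items())]
    out += [f"domain {d} (queried, no connection)" for d in summary["queried_only"]]
    out += [f"shared-ip {ip} serves {','.join(ds)} (block by domain)" for ip, ds in sorted(summary["shared_ips"].items())]
    return out


if __name__ == "__main__":
    print("\n".join(ioc_lines(summarise(parse(NETWORK_TABLE)))))
```

Two IPs in this one run already host two of the contacted domains each, which is the usual sign of parked or commodity-hosted decoys; an IP blocklist built naively from this table would hit unrelated tenants. The three port-80/443 connections without a recorded domain are kept aside for manual review rather than promoted to IOCs.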

Files

memory/4044-140-0x0000000003940000-0x0000000003992000-memory.dmp

memory/4044-141-0x0000000003940000-0x0000000003992000-memory.dmp

memory/4044-142-0x0000000003940000-0x0000000003992000-memory.dmp

memory/4044-143-0x0000000003940000-0x0000000003992000-memory.dmp

memory/4044-145-0x0000000003940000-0x0000000003992000-memory.dmp

memory/4044-146-0x0000000003940000-0x0000000003992000-memory.dmp

memory/4044-147-0x0000000003940000-0x0000000003992000-memory.dmp

memory/4044-144-0x0000000003940000-0x0000000003992000-memory.dmp

memory/4044-148-0x0000000003940000-0x0000000003992000-memory.dmp

memory/4044-150-0x0000000003940000-0x0000000003992000-memory.dmp

memory/4044-151-0x0000000003940000-0x0000000003992000-memory.dmp

memory/4044-149-0x0000000003940000-0x0000000003992000-memory.dmp

memory/4044-152-0x0000000003940000-0x0000000003992000-memory.dmp

memory/4044-153-0x0000000003940000-0x0000000003992000-memory.dmp

memory/4044-155-0x0000000003940000-0x0000000003992000-memory.dmp

memory/4044-154-0x0000000003940000-0x0000000003992000-memory.dmp

memory/4044-156-0x0000000003940000-0x0000000003992000-memory.dmp

memory/4044-157-0x0000000003940000-0x0000000003992000-memory.dmp

memory/4044-158-0x0000000003940000-0x0000000003992000-memory.dmp

memory/4044-160-0x0000000003940000-0x0000000003992000-memory.dmp

memory/4044-159-0x0000000003940000-0x0000000003992000-memory.dmp

memory/4044-161-0x0000000003940000-0x0000000003992000-memory.dmp

memory/4044-162-0x0000000003940000-0x0000000003992000-memory.dmp

memory/4044-164-0x0000000003940000-0x0000000003992000-memory.dmp

memory/4044-165-0x0000000003940000-0x0000000003992000-memory.dmp

memory/4044-163-0x0000000003940000-0x0000000003992000-memory.dmp

memory/3060-166-0x0000000000000000-mapping.dmp

C:\Users\Public\Libraries\Rwooihhzlft.bat

MD5 c2a5d88b8a980ad8d3c68e0f1fbfc8eb
SHA1 6de3fabebf01d06116079418cb2843949e311c01
SHA256 0eeaa64d74922edce08e4cbe7ed752c8370ccb43f834bd4d9fa2c2be8eaf2bac
SHA512 8bb0e2e0728ea91b415e5dff5b8bb14288e1a5167a7ac10b50cbe2485f6cec833be1c6a6c6f988fabdca53528d1febfa847af7263f34dca10f5d0a37818acadd

memory/2004-168-0x0000000000000000-mapping.dmp

C:\Users\Public\Libraries\RwooihhzlfO.bat

MD5 df48c09f243ebcc8a165f77a1c2bf889
SHA1 455f7db0adcc2a58d006f1630fb0bd55cd868c07
SHA256 4ef9821678da07138c19405387f3fb95e409fbd461c7b8d847c05075facd63ca
SHA512 735838c7cca953697ded48adfcd037b7f198072a8962f5940ce12e1bb1c7dd8c1f257a829276f5f5456f776f5bd13342222dd6e0dfc8f18a23f464f2c8d8f1cc

memory/1244-170-0x0000000000000000-mapping.dmp

memory/1320-171-0x0000000000000000-mapping.dmp

C:\Users\Public\Libraries\Cdex.bat

MD5 213c60adf1c9ef88dc3c9b2d579959d2
SHA1 e4d2ad7b22b1a8b5b1f7a702b303c7364b0ee021
SHA256 37c59c8398279916cfce45f8c5e3431058248f5e3bef4d9f5c0f44a7d564f82e
SHA512 fe897d9caa306b0e761b2fd61bb5dc32a53bfaad1ce767c6860af4e3ad59c8f3257228a6e1072dab0f990cb51c59c648084ba419ac6bc5c0a99bdffa569217b7

memory/2520-173-0x0000000000000000-mapping.dmp

memory/2520-174-0x00000000027D0000-0x0000000002806000-memory.dmp

memory/2520-175-0x00000000050D0000-0x00000000056F8000-memory.dmp

memory/2520-176-0x0000000004E10000-0x0000000004E32000-memory.dmp

memory/2520-177-0x0000000004FB0000-0x0000000005016000-memory.dmp

memory/2520-178-0x0000000005020000-0x0000000005086000-memory.dmp

memory/2520-179-0x0000000005CB0000-0x0000000005CCE000-memory.dmp

memory/2520-180-0x0000000006250000-0x0000000006282000-memory.dmp

memory/2520-181-0x000000006FBD0000-0x000000006FC1C000-memory.dmp

memory/2520-182-0x0000000006230000-0x000000000624E000-memory.dmp

memory/2520-183-0x0000000007660000-0x0000000007CDA000-memory.dmp

memory/2520-184-0x0000000006EE0000-0x0000000006EFA000-memory.dmp

memory/2520-185-0x0000000007020000-0x000000000702A000-memory.dmp

memory/2520-186-0x0000000007210000-0x00000000072A6000-memory.dmp

memory/2520-187-0x00000000071D0000-0x00000000071DE000-memory.dmp

memory/2520-188-0x00000000072D0000-0x00000000072EA000-memory.dmp

memory/2520-189-0x00000000072C0000-0x00000000072C8000-memory.dmp

memory/4044-191-0x0000000010410000-0x000000001043B000-memory.dmp

memory/1924-192-0x0000000000000000-mapping.dmp

memory/4044-193-0x0000000003940000-0x0000000003992000-memory.dmp

memory/4044-194-0x0000000003940000-0x0000000003992000-memory.dmp

memory/4044-195-0x0000000003940000-0x0000000003992000-memory.dmp

memory/4044-197-0x0000000003940000-0x0000000003992000-memory.dmp

memory/4044-196-0x0000000003940000-0x0000000003992000-memory.dmp

memory/4044-204-0x0000000003940000-0x0000000003992000-memory.dmp

memory/4044-205-0x0000000003940000-0x0000000003992000-memory.dmp

memory/4044-206-0x0000000003940000-0x0000000003992000-memory.dmp

memory/4044-207-0x0000000003940000-0x0000000003992000-memory.dmp

memory/4044-209-0x0000000003940000-0x0000000003992000-memory.dmp

memory/4044-210-0x0000000003940000-0x0000000003992000-memory.dmp

memory/4044-211-0x0000000003940000-0x0000000003992000-memory.dmp

memory/4044-208-0x0000000003940000-0x0000000003992000-memory.dmp

memory/1924-213-0x0000000010410000-0x000000001043B000-memory.dmp

memory/1924-214-0x00000000029A0000-0x0000000002CEA000-memory.dmp

memory/1924-215-0x00000000008B0000-0x00000000008C1000-memory.dmp

memory/2640-216-0x0000000009260000-0x00000000093DA000-memory.dmp

memory/960-217-0x0000000000000000-mapping.dmp

memory/4084-218-0x0000000000000000-mapping.dmp

memory/960-220-0x0000000000A20000-0x0000000000A4B000-memory.dmp

memory/960-219-0x00000000002A0000-0x00000000003DA000-memory.dmp

memory/960-221-0x00000000029C0000-0x0000000002D0A000-memory.dmp

memory/2640-223-0x0000000008B90000-0x0000000008C4D000-memory.dmp

memory/960-222-0x00000000027F0000-0x0000000002880000-memory.dmp

memory/960-224-0x0000000000A20000-0x0000000000A4B000-memory.dmp

memory/2640-225-0x0000000008B90000-0x0000000008C4D000-memory.dmp

memory/3440-226-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\DB1  (first write: copy of the Chrome "Login Data" store by cmd.exe PID 3440; overwritten below)

MD5 b608d407fc15adea97c26936bc6f03f6
SHA1 953e7420801c76393902c0d6bb56148947e41571
SHA256 b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
SHA512 cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

memory/1484-228-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\DB1  (second write: copy of the Edge "Login Data" store by cmd.exe PID 1484; different hash from the first write)

MD5 349e6eb110e34a08924d92f6b334801d
SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Analysis: behavioral1

Detonation Overview

Submitted

2022-06-21 08:05

Reported

2022-06-21 08:07

Platform

win7-20220414-en

Max time kernel

127s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Order.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Order.exe

"C:\Users\Admin\AppData\Local\Temp\Order.exe"

Network

Country  Destination          Domain                        Proto
US       8.8.8.8:53           onedrive.live.com             udp
US       13.107.42.13:443     onedrive.live.com             tcp
US       8.8.8.8:53           jn1gja.dm.files.1drv.com      udp
US       13.107.42.12:443     jn1gja.dm.files.1drv.com      tcp   (5 connections)
US       8.8.8.8:53           www.microsoft.com             udp
US       13.107.42.12:443     jn1gja.dm.files.1drv.com      tcp   (9 connections)

Files

memory/1836-54-0x0000000076421000-0x0000000076423000-memory.dmp