Analysis
Max time kernel: 149s
Max time network: 123s
Platform: windows7_x64
Resource: win7-20231215-en
Resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
Submitted: 24/12/2023, 22:57
Static task: static1
Behavioral task: behavioral1
    Sample: Sales Order.exe
    Resource: win7-20231215-en
General
Target: Sales Order.exe
Size: 1014KB
MD5: fd84eb337a51966294ba08722170bf46
SHA1: 1f529d60e2dc50deaac59af322708039da33c3be
SHA256: 8da806444010084307c77bf3a69f66ca36c15920bd7b9f60fdcf35fccd460701
SHA512: a522ba8c6daddbf69f711ef859c7e8fb79e2ab00372e6626af9119d82ef8cf22b0e2ebcc1897cd88810be5ee01b11e0950dbf0853ceb630de3e916ac3bacd847
SSDEEP: 12288:rFhlsU1cTDO+emag5IFyPK7yMmeP1vwdyAook1GZEUFA1Vk82C867LiuNyxv2AdU:rFhlXcOyeL3JStX+PbLk2QHQ
Malware Config
Extracted
Family: xloader
Version: 2.3
Campaign ID: p6f2
Domains (XLoader mixes its live C2 into a list of decoys, many of them legitimate third-party sites, so treat every entry as a hunting indicator and verify before blocking):
redsnews.com
vr859.com
postmasterstudios.com
hampsteadorganizer.com
hangshop.net
maheshwaramlawcollege.com
5156087.com
gtaaddict.com
faj.xyz
drivechicagoillinois.com
neerutech.com
b2brahmas.com
freshlookks.com
propertyparallel.tech
tlwbyads.com
sellektorkids.com
dexs.fyi
kileybrock.com
nervstudio.com
tosg-ltd.com
admibd.com
hilariousfakenews.com
lub-additive.com
securecloudinfo.com
xn--jde.com
andtheskywentred.com
nearestgreenbeverage.net
tipthemusician.com
koziolwojciech.com
ryosecurity.com
cosypromotion.com
qvvn.life
emcelt.com
ersatzair.com
blassmail.online
florianlecerf.com
shannonsmithcounseling.com
litorin.com
plusproduce.net
sandersonfarnns.com
medicservic.com
mostmegaproductions.com
eldorado88casino.com
hordlife.com
drgunjankumaribhagwat.com
iregentos.info
lifeonprimroselane.com
playstoreaddps.com
anacquiredtastepodcast.com
chinachaohuo.com
xn--80aafif4agv1ai.xn--p1acf
flmoisture.com
framebooth.net
wildhare.media
1000praises.com
tna.zone
kravmagatacticalacademy.com
jasonwang.online
suruyorum.com
concretepill.com
alfarouqco.com
reliefpaypal.com
xn--fujtherma-xpb.com
petgsafetyseal.com
jantesetaccessoires.com
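The domain list above is most useful as a retrospective DNS hunt. The following is an added example for this report, not sandbox output and not XLoader code: it embeds the 65 domains from the extracted config, matches DNS query names against them label by label (so `www.redsnews.com` hits but `notredsnews.com` and `redsnews.com.evil.example` do not), and groups hits by client. The log format (`timestamp client qname qtype`) and the log lines are constructed for the example.

```python
"""DNS-log hunt for the XLoader domain list in the 'Malware Config' section.

Added example for this report (not sandbox output, not XLoader code).  The
domains are copied from the config above; the log lines further down are
constructed to exercise the matcher, including the near-miss cases.
"""
from collections import defaultdict

# All 65 entries from the extracted config, in their on-the-wire (punycode) form.
DOMAINS = frozenset("""
redsnews.com vr859.com postmasterstudios.com hampsteadorganizer.com hangshop.net
maheshwaramlawcollege.com 5156087.com gtaaddict.com faj.xyz drivechicagoillinois.com
neerutech.com b2brahmas.com freshlookks.com propertyparallel.tech tlwbyads.com
sellektorkids.com dexs.fyi kileybrock.com nervstudio.com tosg-ltd.com admibd.com
hilariousfakenews.com lub-additive.com securecloudinfo.com xn--jde.com
andtheskywentred.com nearestgreenbeverage.net tipthemusician.com koziolwojciech.com
ryosecurity.com cosypromotion.com qvvn.life emcelt.com ersatzair.com blassmail.online
florianlecerf.com shannonsmithcounseling.com litorin.com plusproduce.net
sandersonfarnns.com medicservic.com mostmegaproductions.com eldorado88casino.com
hordlife.com drgunjankumaribhagwat.com iregentos.info lifeonprimroselane.com
playstoreaddps.com anacquiredtastepodcast.com chinachaohuo.com
xn--80aafif4agv1ai.xn--p1acf flmoisture.com framebooth.net wildhare.media
1000praises.com tna.zone kravmagatacticalacademy.com jasonwang.online suruyorum.com
concretepill.com alfarouqco.com reliefpaypal.com xn--fujtherma-xpb.com
petgsafetyseal.com jantesetaccessoires.com
""".split())


def normalize(qname):
    """Lowercase and drop the trailing dot; xn-- labels stay as they appear on
    the wire, which is also how the config stores them."""
    return qname.rstrip(".").lower()


def matched_domain(qname, domains=DOMAINS):
    """Return the listed domain that qname equals or is a subdomain of, else
    None.  Walks label suffixes rather than doing a string suffix test, so
    'notredsnews.com' does not match 'redsnews.com'."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def hunt(log_lines, domains=DOMAINS):
    """Parse constructed '<timestamp> <client> <qname> <qtype>' lines and return
    hits as (timestamp, client, normalized qname, matched domain)."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line; skip rather than abort the hunt
        ts, client, qname = parts[:3]
        domain = matched_domain(qname, domains)
        if domain:
            hits.append((ts, client, normalize(qname), domain))
    return hits


def clients_by_domain(hits):
    """Which clients resolved which listed domain (one lead per client)."""
    out = defaultdict(set)
    for _, client, _, domain in hits:
        out[domain].add(client)
    return dict(out)


def defang(domain):
    """Report-safe form, e.g. redsnews[.]com."""
    return domain.replace(".", "[.]")


# Constructed log lines: two true hits, one punycode hit, two near misses, one noise line.
SAMPLE_LOG = [
    "2023-12-24T22:58:01Z 10.0.0.5 www.redsnews.com A",
    "2023-12-24T22:58:02Z 10.0.0.5 time.windows.com A",
    "2023-12-24T22:58:03Z 10.0.0.7 hangshop.net. A",
    "2023-12-24T22:58:04Z 10.0.0.7 notredsnews.com A",
    "2023-12-24T22:58:05Z 10.0.0.9 XN--80AAFIF4AGV1AI.XN--P1ACF A",
    "2023-12-24T22:58:06Z 10.0.0.9 redsnews.com.evil.example A",
]

if __name__ == "__main__":
    for ts, client, qname, domain in hunt(SAMPLE_LOG):
        print(f"{ts} {client} {qname} -> {defang(domain)}")
    print(clients_by_domain(hunt(SAMPLE_LOG)))
```

A client that resolves one of these names is a lead, not a verdict: a legitimate visit to one of the decoy sites produces the same DNS record, so confirm with the process tree (a SysWOW64 binary such as mstsc.exe spawned by Explorer.EXE with no arguments) before treating the host as infected.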
Signatures
Detect ZGRat V1 (1 IoC)
    Resource: behavioral1/memory/2184-4-0x0000000000440000-0x0000000000456000-memory.dmp
    YARA rule: family_zgrat_v1
    The loader stage matches only in the first Sales Order.exe process (PID 2184); the XLoader rule never fires there.

Xloader payload (4 IoCs)
    Resource: behavioral1/memory/2712-9-0x0000000000400000-0x0000000000428000-memory.dmp    YARA rule: xloader
    Resource: behavioral1/memory/2712-13-0x0000000000400000-0x0000000000428000-memory.dmp   YARA rule: xloader
    Resource: behavioral1/memory/2588-19-0x00000000000D0000-0x00000000000F8000-memory.dmp   YARA rule: xloader
    Resource: behavioral1/memory/2588-21-0x00000000000D0000-0x00000000000F8000-memory.dmp   YARA rule: xloader
    The same 0x28000-byte region is dumped from both payload-carrying processes: at 0x400000 in the second Sales Order.exe (PID 2712) and at 0xD0000 in mstsc.exe (PID 2588). These dumps, not the 1014KB dropper, are where to carve the unpacked XLoader payload from.

Deletes itself (1 IoC)
    PID 2616  cmd.exe
    The deleting process is a child of mstsc.exe (PID 2588), not of the sample; see the process tree below.

Suspicious use of SetThreadContext (3 IoCs)
    Source PID  Process          Target PID  Target process   procid_target
    2184        Sales Order.exe  2712        Sales Order.exe  28
    2712        Sales Order.exe  1384        Explorer.EXE     11
    2588        mstsc.exe        1384        Explorer.EXE     11
    2184 rewrites the thread context of the child copy of itself it created (process hollowing). 2712 and 2588 each rewrite a thread context inside Explorer.EXE, a process neither of them created.

Suspicious behavior: EnumeratesProcesses (31 IoCs)
    PID 2712  Sales Order.exe  x2
    PID 2588  mstsc.exe        x29

Suspicious behavior: MapViewOfSection (5 IoCs)
    PID 2712  Sales Order.exe  x3
    PID 2588  mstsc.exe        x2

Suspicious use of AdjustPrivilegeToken (2 IoCs)
    Token: SeDebugPrivilege  PID 2712  Sales Order.exe
    Token: SeDebugPrivilege  PID 2588  mstsc.exe
    SeDebugPrivilege is enabled in exactly the two processes that go on to touch Explorer.EXE.

Suspicious use of WriteProcessMemory (15 IoCs)
    Source PID  Process          Target PID  Target process   procid_target  Count
    2184        Sales Order.exe  2712        Sales Order.exe  28             7
    1384        Explorer.EXE     2588        mstsc.exe        29             4
    2588        mstsc.exe        2616        cmd.exe          30             4
    A parent writing into a child it has just created also occurs on ordinary process creation, so the write count alone is weak evidence. 2184 -> 2712 stands out because it is paired with the SetThreadContext on the same child. The writes from Explorer.EXE (1384) into mstsc.exe come from a process whose thread context the payload had rewritten, so they should be attributed to the injected code rather than to Explorer itself.
Processes
C:\Windows\Explorer.EXE  (PID 1384)
    - Suspicious use of WriteProcessMemory

    "C:\Users\Admin\AppData\Local\Temp\Sales Order.exe"  (PID 2184, child of 1384)
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory

        "C:\Users\Admin\AppData\Local\Temp\Sales Order.exe"  (PID 2712, child of 2184)
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken

    "C:\Windows\SysWOW64\mstsc.exe"  (PID 2588, child of 1384)
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\Sales Order.exe"  (PID 2616, child of 2588)
            - Deletes itself

Reading the tree: mstsc.exe (PID 2588) is a child of Explorer.EXE, not of Sales Order.exe. Whatever launched it ran inside Explorer.EXE after PID 2712 rewrote a thread context there, and mstsc.exe is started with no arguments and no RDP session. A detection that only follows the submitted sample's own descendants stops at PID 2712 and misses both the second payload copy in mstsc.exe and the cmd.exe that deletes the dropper from disk.
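The signatures and the process tree above can be turned into rules that recover the injection chain without relying on parent-child links. The following is an added example written for this report; it is not the sandbox's signature engine. The process tree, the cross-process event counts and the memory-dump file names are transcribed from the sections above; the four rule names (`hollowing`, `inject_existing`, `parent_pivot`, `self_delete`) and the helper names are ours.

```python
"""Reconstruct the injection chain from the 'Signatures' and 'Processes'
sections of this report.

Added example (ours, not the sandbox's signature engine): PROCS, EVENTS and
DUMPS are transcribed from the report above; the rules are an analyst's
reading of those facts.
"""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\Sales Order.exe"

# pid -> (parent pid, image path, command line), from the 'Processes' tree.
PROCS = {
    1384: (None, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    2184: (1384, SAMPLE, f'"{SAMPLE}"'),
    2712: (2184, SAMPLE, f'"{SAMPLE}"'),
    2588: (1384, r"C:\Windows\SysWOW64\mstsc.exe", r'"C:\Windows\SysWOW64\mstsc.exe"'),
    2616: (2588, r"C:\Windows\SysWOW64\cmd.exe",
           f'C:\\Windows\\SysWOW64\\cmd.exe /c del "{SAMPLE}"'),
}

# (api, source pid, target pid), in the order and with the counts the report lists.
EVENTS = (
    [("WriteProcessMemory", 2184, 2712)] * 7
    + [("WriteProcessMemory", 1384, 2588)] * 4
    + [("WriteProcessMemory", 2588, 2616)] * 4
    + [("SetThreadContext", 2184, 2712),
       ("SetThreadContext", 2712, 1384),
       ("SetThreadContext", 2588, 1384)]
)

DUMPS = [
    "2712-9-0x0000000000400000-0x0000000000428000-memory.dmp",
    "2712-13-0x0000000000400000-0x0000000000428000-memory.dmp",
    "2588-19-0x00000000000D0000-0x00000000000F8000-memory.dmp",
    "2588-21-0x00000000000D0000-0x00000000000F8000-memory.dmp",
]


def classify(procs, events):
    """Return (rule, source pid, target pid) findings in discovery order.

    hollowing        parent writes into a child it created AND rewrites that
                     child's thread context (the write alone is also what a
                     plain CreateProcess looks like, so both are required)
    inject_existing  SetThreadContext on a process the source did not create
    parent_pivot     a child of an injected-into process injects back into its
                     parent (Explorer.EXE -> mstsc.exe -> Explorer.EXE above)
    self_delete      a child of a flagged process runs cmd.exe to del the sample
    """
    wrote, ctx = defaultdict(set), []
    for api, src, dst in events:
        if api == "WriteProcessMemory":
            wrote[src].add(dst)
        elif api == "SetThreadContext":
            ctx.append((src, dst))

    findings, injected = [], set()
    for src, dst in ctx:
        if procs[dst][0] == src and dst in wrote[src]:
            findings.append(("hollowing", src, dst))
        elif procs[dst][0] != src:
            findings.append(("inject_existing", src, dst))
            injected.add(dst)
    for src, dst in ctx:
        if dst in injected and procs[src][0] == dst:
            findings.append(("parent_pivot", dst, src))

    flagged = {pid for _, s, t in findings for pid in (s, t)}
    for pid, (ppid, image, cmdline) in procs.items():
        if (ppid in flagged and image.lower().endswith("\\cmd.exe")
                and re.search(r"\bdel\b", cmdline, re.I) and SAMPLE in cmdline):
            findings.append(("self_delete", ppid, pid))
    return findings


DUMP_RE = re.compile(r"^(\d+)-(\d+)-0x([0-9a-f]+)-0x([0-9a-f]+)-memory\.dmp$", re.I)


def parse_dump(name):
    """'<pid>-<n>-0x<start>-0x<end>-memory.dmp' -> (pid, n, start, end)."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name}")
    pid, n, start, end = m.groups()
    return int(pid), int(n), int(start, 16), int(end, 16)


def shared_regions(dumps):
    """Group dumped regions by size and keep the sizes seen in more than one
    process: one payload mapped into several processes shows up as equal-size
    regions (0x28000 bytes at 0x400000 in 2712 and at 0xD0000 in 2588)."""
    by_size = defaultdict(set)
    for name in dumps:
        pid, _, start, end = parse_dump(name)
        by_size[end - start].add((pid, start))
    return {size: sorted(v) for size, v in by_size.items()
            if len({pid for pid, _ in v}) > 1}


if __name__ == "__main__":
    for rule, src, dst in classify(PROCS, EVENTS):
        print(f"{rule:16} {src} -> {dst}   {PROCS[src][1]} -> {PROCS[dst][1]}")
    for size, regions in shared_regions(DUMPS).items():
        print(f"shared region of {size:#x} bytes: {regions}")
```

The `parent_pivot` rule is the one that survives a broken process tree: it does not care who spawned mstsc.exe, only that a child of an injected-into process turns around and rewrites a thread context in that parent. The `shared_regions` helper points at the two dumps worth unpacking, since they hold the same-size payload image in both processes.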