Analysis

max time kernel: 17s
max time network: 124s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/12/2023, 22:57

Static task: static1
Behavioral task: behavioral1
Sample: Sales Order.exe
Resource: win7-20231215-en
General

Target: Sales Order.exe
Size: 1014KB
MD5: fd84eb337a51966294ba08722170bf46
SHA1: 1f529d60e2dc50deaac59af322708039da33c3be
SHA256: 8da806444010084307c77bf3a69f66ca36c15920bd7b9f60fdcf35fccd460701
SHA512: a522ba8c6daddbf69f711ef859c7e8fb79e2ab00372e6626af9119d82ef8cf22b0e2ebcc1897cd88810be5ee01b11e0950dbf0853ceb630de3e916ac3bacd847
SSDEEP: 12288:rFhlsU1cTDO+emag5IFyPK7yMmeP1vwdyAook1GZEUFA1Vk82C867LiuNyxv2AdU:rFhlXcOyeL3JStX+PbLk2QHQ
Malware Config

Extracted
Family: xloader
Version: 2.3
Campaign: p6f2
Decoy / C2 domains:
redsnews.com
vr859.com
postmasterstudios.com
hampsteadorganizer.com
hangshop.net
maheshwaramlawcollege.com
5156087.com
gtaaddict.com
faj.xyz
drivechicagoillinois.com
neerutech.com
b2brahmas.com
freshlookks.com
propertyparallel.tech
tlwbyads.com
sellektorkids.com
dexs.fyi
kileybrock.com
nervstudio.com
tosg-ltd.com
admibd.com
hilariousfakenews.com
lub-additive.com
securecloudinfo.com
xn--jde.com
andtheskywentred.com
nearestgreenbeverage.net
tipthemusician.com
koziolwojciech.com
ryosecurity.com
cosypromotion.com
qvvn.life
emcelt.com
ersatzair.com
blassmail.online
florianlecerf.com
shannonsmithcounseling.com
litorin.com
plusproduce.net
sandersonfarnns.com
medicservic.com
mostmegaproductions.com
eldorado88casino.com
hordlife.com
drgunjankumaribhagwat.com
iregentos.info
lifeonprimroselane.com
playstoreaddps.com
anacquiredtastepodcast.com
chinachaohuo.com
xn--80aafif4agv1ai.xn--p1acf
flmoisture.com
framebooth.net
wildhare.media
1000praises.com
tna.zone
kravmagatacticalacademy.com
jasonwang.online
suruyorum.com
concretepill.com
alfarouqco.com
reliefpaypal.com
xn--fujtherma-xpb.com
petgsafetyseal.com
jantesetaccessoires.com
Signatures

Detect ZGRat V1 (1 IoC)
resource                                                                    yara_rule
behavioral2/memory/3176-9-0x0000000005B00000-0x0000000005B16000-memory.dmp   family_zgrat_v1

Xloader payload (5 IoCs)
resource                                                                    yara_rule
behavioral2/memory/2628-10-0x0000000000400000-0x0000000000428000-memory.dmp  xloader
behavioral2/memory/2628-15-0x0000000000400000-0x0000000000428000-memory.dmp  xloader
behavioral2/memory/2628-19-0x0000000000400000-0x0000000000428000-memory.dmp  xloader
behavioral2/memory/1956-24-0x0000000001080000-0x00000000010A8000-memory.dmp  xloader
behavioral2/memory/1956-26-0x0000000001080000-0x00000000010A8000-memory.dmp  xloader

Suspicious use of SetThreadContext (3 IoCs)
description                          pid   Process          procid_target
PID 3176 set thread context of 2628  3176  Sales Order.exe  22
PID 2628 set thread context of 3364  2628  Sales Order.exe  50
PID 2628 set thread context of 3364  2628  Sales Order.exe  50

Gathers network information (2 TTPs, 1 IoC)
Uses commandline utility to view network configuration.
pid   Process
1956  NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses (12 IoCs)
pid   Process
2628  Sales Order.exe  (6 rows)
1956  NETSTAT.EXE      (6 rows)

Suspicious behavior: MapViewOfSection (5 IoCs)
pid   Process
2628  Sales Order.exe  (4 rows)
1956  NETSTAT.EXE      (1 row)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description              pid   Process
Token: SeDebugPrivilege  2628  Sales Order.exe
Token: SeDebugPrivilege  1956  NETSTAT.EXE

Suspicious use of WriteProcessMemory (12 IoCs)
description                       pid   Process          procid_target
PID 3176 wrote to memory of 2628  3176  Sales Order.exe  22   (6 rows)
PID 2628 wrote to memory of 1956  2628  Sales Order.exe  101  (3 rows)
PID 1956 wrote to memory of 1792  1956  NETSTAT.EXE      100  (3 rows)
Processes

[1] C:\Users\Admin\AppData\Local\Temp\Sales Order.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Sales Order.exe"
    PID: 3176
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\Sales Order.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\Sales Order.exe"
        PID: 2628
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\NETSTAT.EXE
            command line: "C:\Windows\SysWOW64\NETSTAT.EXE"
            PID: 1956
            - Gathers network information
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

[1] C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE
    PID: 3364

[1] C:\Windows\SysWOW64\cmd.exe
    command line: /c del "C:\Users\Admin\AppData\Local\Temp\Sales Order.exe"
    PID: 1792
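Read together with the process tree, the SetThreadContext and WriteProcessMemory signatures above describe a single injection chain: the dropper (PID 3176) writes into and redirects a second copy of itself (PID 2628); that copy sets the thread context of Explorer.EXE (PID 3364) and writes into NETSTAT.EXE (PID 1956); NETSTAT.EXE writes into cmd.exe (PID 1792), which runs the del command that removes the original file. The script below is an added example and is not part of the sandbox report or of any sandbox tooling. It takes the two signature rows exactly as they appear on this page (embedded as constructed input in their flattened form) plus the PID-to-image map from the process tree, rebuilds one edge per source/target pair with the set of APIs seen on it, labels each edge, and walks the chain from the initial PID. The function names and the edge labels are this example's own.

```python
import ntpath
import re
from collections import defaultdict

# Constructed input: the two signature rows copied from the report above,
# still in the flattened one-record-after-another form the page shows.
SET_THREAD_CONTEXT_ROW = (
    "PID 3176 set thread context of 2628 3176 Sales Order.exe 22 "
    "PID 2628 set thread context of 3364 2628 Sales Order.exe 50 "
    "PID 2628 set thread context of 3364 2628 Sales Order.exe 50"
)
WRITE_PROCESS_MEMORY_ROW = (
    "PID 3176 wrote to memory of 2628 3176 Sales Order.exe 22 " * 6
    + "PID 2628 wrote to memory of 1956 2628 Sales Order.exe 101 " * 3
    + "PID 1956 wrote to memory of 1792 1956 NETSTAT.EXE 100 " * 3
)

# PID -> image path, taken from the Processes section of the report.
PROCESSES = {
    3176: r"C:\Users\Admin\AppData\Local\Temp\Sales Order.exe",
    2628: r"C:\Users\Admin\AppData\Local\Temp\Sales Order.exe",
    1956: r"C:\Windows\SysWOW64\NETSTAT.EXE",
    3364: r"C:\Windows\Explorer.EXE",
    1792: r"C:\Windows\SysWOW64\cmd.exe",
}

# Every record starts with "PID <src> <verb> <tgt>"; the pid / Process /
# procid_target columns that follow are not needed to rebuild the edge.
RECORD_RE = re.compile(r"PID (\d+) (set thread context of|wrote to memory of) (\d+)")
API_FOR_VERB = {
    "set thread context of": "SetThreadContext",
    "wrote to memory of": "WriteProcessMemory",
}


def parse_events(row):
    """Yield (api, source_pid, target_pid) for every record in a flattened row."""
    for src, verb, tgt in RECORD_RE.findall(row):
        yield API_FOR_VERB[verb], int(src), int(tgt)


def injection_edges(events):
    """Collapse repeated records into one edge per (source, target) holding the APIs seen."""
    edges = defaultdict(set)
    for api, src, tgt in events:
        if src != tgt:  # a process touching its own memory is not cross-process injection
            edges[(src, tgt)].add(api)
    return dict(edges)


def classify(edges, processes):
    """Label each edge. Labels are this example's own, not sandbox signature names."""
    findings = []
    for (src, tgt), apis in sorted(edges.items()):
        both = {"SetThreadContext", "WriteProcessMemory"} <= apis
        if both and processes.get(src) == processes.get(tgt):
            label = "process hollowing (self-spawned copy)"
        elif both:
            label = "process hollowing"
        elif "SetThreadContext" in apis:
            label = "thread context hijack (no write recorded)"
        else:
            label = "remote memory write"
        findings.append((src, tgt, label))
    return findings


def reachable(root, edges):
    """All PIDs the root reaches transitively over injection edges (the tainted set)."""
    seen, stack = set(), [root]
    while stack:
        pid = stack.pop()
        for src, tgt in edges:
            if src == pid and tgt not in seen:
                seen.add(tgt)
                stack.append(tgt)
    return seen


def image_name(pid):
    """Basename of a Windows image path, split on backslashes regardless of host OS."""
    return ntpath.basename(PROCESSES[pid])


def analyze():
    """Run the whole pipeline on the embedded rows; returns (findings, tainted_pids)."""
    events = list(parse_events(SET_THREAD_CONTEXT_ROW))
    events += parse_events(WRITE_PROCESS_MEMORY_ROW)
    edges = injection_edges(events)
    return classify(edges, PROCESSES), reachable(3176, edges)


if __name__ == "__main__":
    findings, tainted = analyze()
    for src, tgt, label in findings:
        print(f"{src} {image_name(src)} -> {tgt} {image_name(tgt)}: {label}")
    print("PIDs tainted from 3176:", sorted(tainted))
```

The detection caveat this report illustrates: a rule that fires only when WriteProcessMemory and SetThreadContext are both seen on the same source/target pair catches the 3176 to 2628 hollowing and nothing else. The Explorer.EXE edge has SetThreadContext with no write recorded here, and the NETSTAT.EXE and cmd.exe edges have writes only, so covering the rest of the chain needs a rule on any cross-process write or context change from a binary under the user's Temp directory into a Windows system binary, with the transitive tainted set used to scope containment.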