Analysis
Max time kernel: 150s
Max time network: 126s
Platform: windows7_x64
Resource: win7-20231215-en
Resource tags: arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
Submitted: 24/12/2023, 18:41

Static task: static1
Behavioral task: behavioral1
Sample: Order.exe
Resource: win7-20231215-en

General
Target: Order.exe
Size: 1019KB
MD5: 8035a8a6435078dafbc920a1ff224d57
SHA1: 6596b759833a7580758634e75a878c387b21ff98
SHA256: 8ff564a57fcca6daaa6319451c7ccb61537b02b513b8b262a5f76348b70d0287
SHA512: 352f74524a9095f42999b307054c5a12fa372359e5d46b406f6718b4106506696ef07d8fd6fcba5443c89ae96bdb02a2c0df689f470088e5d3d79fb1bf8673a5
SSDEEP: 24576:C8PGQ+EcKrvDBUgSniJNZSp9lcZUYuAl4KaGiRusf:62KgSiJNoTGuY6LGiRu
Malware Config
Extracted
xloader
2.3
uqf5
suiddock.com
sweetgyalshop.com
puterigarden.com
orangestoreusa.com
prostirkarpat.com
ajierfoods.com
mindlablearning.com
factiive.net
beautifulbrokenhearts.com
direcionalreservapraca.com
tvhoki.com
themoderncoachinstitute.com
classactionwalgreens.com
haloog.com
sachinkaushik.com
daleearnhardtjrchevyvip.com
disconight.net
ocyslibes.icu
encounterfy.com
infamoudpapertrail.com
familie-grenda.info
bekhcorp.com
xn--svafilesi-vpb.com
beijingqie9.icu
altctrlelite.com
shrikedata.com
yovome.com
ydwl3.com
shanmo456.com
joinkaisartoto88.net
kaaboodallas.com
fcirectt.com
vowelmagic.com
warungsuntik.com
fscute.com
wildwolfadventures.com
soarshipping.com
dawnbreakers-guild.com
kettleinn.com
cocomaxinc.com
myriskxchange.net
kennethspencer.com
fedspring.net
ashleyjordanoutlaws.com
yntykn.club
scimpachannel.com
twistedimagecustoms.com
meisterdesk.com
semanadosucesso.com
madameofmiami.com
inblackburnhamlet.com
floridawindscreen.com
pagebypaigephotography.com
rentgreenroom.com
abrosnm3.com
neuronitpro.com
shopromesempire.com
jstrobe.com
xfr-redcon.com
mieducaciondigital.com
orangemasters.com
screengriot.com
sam-mcdonald.net
wilderstead.life
southernhighlandsnails.com
Signatures

Xloader payload (4 IoCs)
  resource                                                                     yara_rule
  behavioral1/memory/768-12-0x0000000000400000-0x0000000000429000-memory.dmp   xloader
  behavioral1/memory/768-16-0x0000000000400000-0x0000000000429000-memory.dmp   xloader
  behavioral1/memory/2556-22-0x0000000000080000-0x00000000000A9000-memory.dmp  xloader
  behavioral1/memory/2556-24-0x0000000000080000-0x00000000000A9000-memory.dmp  xloader

Deletes itself (1 IoC)
  pid   Process
  2912  cmd.exe

Suspicious use of SetThreadContext (3 IoCs)
  description                          pid   Process      procid_target
  PID 2208 set thread context of 768   2208  Order.exe    30
  PID 768 set thread context of 1208   768   Order.exe    10
  PID 2556 set thread context of 1208  2556  cmmon32.exe  10

Suspicious behavior: EnumeratesProcesses (15 IoCs; identical rows collapsed, count in the last column)
  pid   Process      occurrences
  768   Order.exe    2
  2556  cmmon32.exe  13

Suspicious behavior: MapViewOfSection (5 IoCs; identical rows collapsed, count in the last column)
  pid   Process      occurrences
  768   Order.exe    3
  2556  cmmon32.exe  2

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  768   Order.exe
  Token: SeDebugPrivilege  2556  cmmon32.exe

Suspicious use of WriteProcessMemory (15 IoCs; identical rows collapsed, count in the last column)
  description                        pid   Process       procid_target  occurrences
  PID 2208 wrote to memory of 768    2208  Order.exe     30             7
  PID 1208 wrote to memory of 2556   1208  Explorer.EXE  31             4
  PID 2556 wrote to memory of 2912   2556  cmmon32.exe   32             4
Processes (indentation shows parent/child relationship)

C:\Windows\Explorer.EXE  (PID 1208)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Order.exe  (PID 2208)
    command line: "C:\Users\Admin\AppData\Local\Temp\Order.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\Order.exe  (PID 768)
      command line: "C:\Users\Admin\AppData\Local\Temp\Order.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmmon32.exe  (PID 2556)
    command line: "C:\Windows\SysWOW64\cmmon32.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (PID 2912)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\Order.exe"
      - Deletes itself