Analysis
- max time kernel: 81s
- max time network: 122s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24/12/2023, 18:41
Static task: static1
Behavioral task: behavioral1
Sample: Order.exe
Resource: win7-20231215-en
General
- Target: Order.exe
- Size: 1019KB
- MD5: 8035a8a6435078dafbc920a1ff224d57
- SHA1: 6596b759833a7580758634e75a878c387b21ff98
- SHA256: 8ff564a57fcca6daaa6319451c7ccb61537b02b513b8b262a5f76348b70d0287
- SHA512: 352f74524a9095f42999b307054c5a12fa372359e5d46b406f6718b4106506696ef07d8fd6fcba5443c89ae96bdb02a2c0df689f470088e5d3d79fb1bf8673a5
- SSDEEP: 24576:C8PGQ+EcKrvDBUgSniJNZSp9lcZUYuAl4KaGiRusf:62KgSiJNoTGuY6LGiRu
Malware Config
Extracted
- Family: xloader
- Version: 2.3
- Campaign: uqf5
Signatures

Xloader payload (5 IoCs)
resource / yara_rule:
- behavioral2/memory/3320-13-0x0000000000400000-0x0000000000429000-memory.dmp: xloader
- behavioral2/memory/3320-18-0x0000000000400000-0x0000000000429000-memory.dmp: xloader
- behavioral2/memory/3320-22-0x0000000000400000-0x0000000000429000-memory.dmp: xloader
- behavioral2/memory/3960-27-0x00000000002E0000-0x0000000000309000-memory.dmp: xloader
- behavioral2/memory/3960-29-0x00000000002E0000-0x0000000000309000-memory.dmp: xloader

Suspicious use of SetThreadContext (4 IoCs)
description (pid, Process, procid_target):
- PID 2752 set thread context of 3320 (2752, Order.exe, 103)
- PID 3320 set thread context of 3392 (3320, Order.exe, 48)
- PID 3320 set thread context of 3392 (3320, Order.exe, 48)
- PID 3960 set thread context of 3392 (3960, control.exe, 48)

Suspicious behavior: EnumeratesProcesses (10 IoCs)
pid, Process:
- 3320, Order.exe (6 events)
- 3960, control.exe (4 events)

Suspicious behavior: MapViewOfSection (6 IoCs)
pid, Process:
- 3320, Order.exe (4 events)
- 3960, control.exe (2 events)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description (pid, Process):
- Token: SeDebugPrivilege (3320, Order.exe)
- Token: SeDebugPrivilege (3960, control.exe)

Suspicious use of WriteProcessMemory (12 IoCs)
description (pid, Process, procid_target):
- PID 2752 wrote to memory of 3320 (2752, Order.exe, 103), 6 events
- PID 3392 wrote to memory of 3960 (3392, Explorer.EXE, 104), 3 events
- PID 3960 wrote to memory of 4188 (3960, control.exe, 106), 3 events
Processes

- C:\Users\Admin\AppData\Local\Temp\Order.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Order.exe"
  PID: 2752
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Order.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Order.exe"
    PID: 3320
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken

- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3392
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\control.exe
    Command line: "C:\Windows\SysWOW64\control.exe"
    PID: 3960
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\Order.exe"
      PID: 4188