Analysis

max time kernel: 148s
max time network: 120s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 25/12/2023, 06:48

Static task: static1
Behavioral task: behavioral1
Sample: Order.exe
Resource: win7-20231215-en
General

Target: Order.exe
Size: 1019KB
MD5: 8035a8a6435078dafbc920a1ff224d57
SHA1: 6596b759833a7580758634e75a878c387b21ff98
SHA256: 8ff564a57fcca6daaa6319451c7ccb61537b02b513b8b262a5f76348b70d0287
SHA512: 352f74524a9095f42999b307054c5a12fa372359e5d46b406f6718b4106506696ef07d8fd6fcba5443c89ae96bdb02a2c0df689f470088e5d3d79fb1bf8673a5
SSDEEP: 24576:C8PGQ+EcKrvDBUgSniJNZSp9lcZUYuAl4KaGiRusf:62KgSiJNoTGuY6LGiRu
Malware Config

Extracted: xloader 2.3 uqf5
Signatures

Xloader payload (4 IoCs)
resource                                                                      yara_rule
behavioral1/memory/2648-12-0x0000000000400000-0x0000000000429000-memory.dmp   xloader
behavioral1/memory/2648-17-0x0000000000400000-0x0000000000429000-memory.dmp   xloader
behavioral1/memory/2124-22-0x0000000000080000-0x00000000000A9000-memory.dmp   xloader
behavioral1/memory/2124-24-0x0000000000080000-0x00000000000A9000-memory.dmp   xloader

Deletes itself (1 IoC)
pid   Process
112   cmd.exe

Suspicious use of SetThreadContext (3 IoCs)
description                           pid    Process       procid_target
PID 2540 set thread context of 2648   2540   Order.exe     30
PID 2648 set thread context of 1196   2648   Order.exe     18
PID 2124 set thread context of 1196   2124   NETSTAT.EXE   18

Gathers network information (2 TTPs, 1 IoC)
Uses commandline utility to view network configuration.
pid    Process
2124   NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses (19 IoCs)
pid    Process
2648   Order.exe     (2 events)
2124   NETSTAT.EXE   (17 events)

Suspicious behavior: MapViewOfSection (5 IoCs)
pid    Process
2648   Order.exe     (3 events)
2124   NETSTAT.EXE   (2 events)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description               pid    Process
Token: SeDebugPrivilege   2648   Order.exe
Token: SeDebugPrivilege   2124   NETSTAT.EXE

Suspicious use of WriteProcessMemory (15 IoCs)
description                        pid    Process        procid_target
PID 2540 wrote to memory of 2648   2540   Order.exe      30   (7 events)
PID 1196 wrote to memory of 2124   1196   Explorer.EXE   32   (4 events)
PID 2124 wrote to memory of 112    2124   NETSTAT.EXE    33   (4 events)
Processes

C:\Users\Admin\AppData\Local\Temp\Order.exe  "C:\Users\Admin\AppData\Local\Temp\Order.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 2540
    C:\Users\Admin\AppData\Local\Temp\Order.exe  "C:\Users\Admin\AppData\Local\Temp\Order.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID: 2648

C:\Windows\Explorer.EXE  C:\Windows\Explorer.EXE
  - Suspicious use of WriteProcessMemory
  PID: 1196
    C:\Windows\SysWOW64\autofmt.exe  "C:\Windows\SysWOW64\autofmt.exe"
    PID: 2500
    C:\Windows\SysWOW64\NETSTAT.EXE  "C:\Windows\SysWOW64\NETSTAT.EXE"
    - Suspicious use of SetThreadContext
    - Gathers network information
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2124
      C:\Windows\SysWOW64\cmd.exe  /c del "C:\Users\Admin\AppData\Local\Temp\Order.exe"
      - Deletes itself
      PID: 112