Analysis

- max time kernel: 142s
- max time network: 129s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/12/2023, 06:48

Tasks

- Static task: static1
- Behavioral task: behavioral1
- Sample: Order.exe
- Resource: win7-20231215-en
General

- Target: Order.exe
- Size: 1019KB
- MD5: 8035a8a6435078dafbc920a1ff224d57
- SHA1: 6596b759833a7580758634e75a878c387b21ff98
- SHA256: 8ff564a57fcca6daaa6319451c7ccb61537b02b513b8b262a5f76348b70d0287
- SHA512: 352f74524a9095f42999b307054c5a12fa372359e5d46b406f6718b4106506696ef07d8fd6fcba5443c89ae96bdb02a2c0df689f470088e5d3d79fb1bf8673a5
- SSDEEP: 24576:C8PGQ+EcKrvDBUgSniJNZSp9lcZUYuAl4KaGiRusf:62KgSiJNoTGuY6LGiRu
Malware Config

- Extracted: xloader
- Version: 2.3
- Identifier: uqf5
- Extracted configuration also contained a list of C2 domains (not reproduced here).
Signatures

- Xloader payload (4 IoCs)
  resource | yara_rule
  behavioral2/memory/2636-13-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
  behavioral2/memory/2636-18-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
  behavioral2/memory/3652-24-0x0000000000CB0000-0x0000000000CD9000-memory.dmp | xloader
  behavioral2/memory/3652-26-0x0000000000CB0000-0x0000000000CD9000-memory.dmp | xloader

- Suspicious use of SetThreadContext (3 IoCs)
  description | pid | Process | procid_target
  PID 1472 set thread context of 2636 | 1472 | Order.exe | 100
  PID 2636 set thread context of 3512 | 2636 | Order.exe | 63
  PID 3652 set thread context of 3512 | 3652 | raserver.exe | 63

- Suspicious behavior: EnumeratesProcesses (36 IoCs)
  pid | Process | count
  2636 | Order.exe | 4
  3652 | raserver.exe | 32

- Suspicious behavior: MapViewOfSection (5 IoCs)
  pid | Process | count
  2636 | Order.exe | 3
  3652 | raserver.exe | 2

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2636 | Order.exe
  Token: SeDebugPrivilege | 3652 | raserver.exe

- Suspicious use of UnmapMainImage (1 IoC)
  pid | Process
  3512 | Explorer.EXE

- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target | count
  PID 1472 wrote to memory of 2636 | 1472 | Order.exe | 100 | 6
  PID 3512 wrote to memory of 3652 | 3512 | Explorer.EXE | 101 | 3
  PID 3652 wrote to memory of 1840 | 3652 | raserver.exe | 102 | 3
Processes

- [1] C:\Windows\Explorer.EXE (PID 3512)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory

  - [2] C:\Users\Admin\AppData\Local\Temp\Order.exe (PID 1472)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Order.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    - [3] C:\Users\Admin\AppData\Local\Temp\Order.exe (PID 2636)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Order.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  - [2] C:\Windows\SysWOW64\raserver.exe (PID 3652)
    Command line: "C:\Windows\SysWOW64\raserver.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    - [3] C:\Windows\SysWOW64\cmd.exe (PID 1840)
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\Order.exe"