Analysis
- max time kernel: 122s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 21-11-2024 20:19
Static task: static1
Behavioral task: behavioral1 (sample Order-940211730-pdf.exe, resource win7-20240903-en)
Behavioral task: behavioral2 (sample Order-940211730-pdf.exe, resource win10v2004-20241007-en)
Behavioral task: behavioral3 (sample kmnjg.exe, resource win7-20241010-en)
Behavioral task: behavioral4 (sample kmnjg.exe, resource win10v2004-20241007-en)
General
- Target: Order-940211730-pdf.exe
- Size: 316KB
- MD5: 48f5cf7cce8a7c481bd42065f64cda06
- SHA1: 573b9f300a295e80c5d61f676b3cb847db5c9a17
- SHA256: 8469a2a0268409d60d0d78dec451e520796106f8920dd4476e8fac728d0cc9b9
- SHA512: a56bf21244448ffc0bdfb72e047ab8c2eccab9fc1f56c3afcf1d5bbc11390b711fac8b826ec297d716ebdf779013a91c390d7587e0efa9473fb25c37346502ac
- SSDEEP: 6144:owzgftmXE/z/dijeNOetfxvsgPzIFXrIN1QXghMoMhkC:ofFrrNJfxvPPzIFMN1QXghMoMhkC
Malware Config
- Extracted: xloader, version 2.5, nqs9
Signatures
- Xloader family
- Xloader payload (3 IoCs)
  resource / yara_rule:
  behavioral1/memory/2696-12-0x0000000000400000-0x0000000000429000-memory.dmp / xloader
  behavioral1/memory/2696-16-0x0000000000400000-0x0000000000429000-memory.dmp / xloader
  behavioral1/memory/2696-19-0x0000000000400000-0x0000000000429000-memory.dmp / xloader
- Executes dropped EXE (2 IoCs)
  pid / Process:
  2856 / kmnjg.exe
  2696 / kmnjg.exe
- Loads dropped DLL (2 IoCs)
  pid / Process:
  2692 / Order-940211730-pdf.exe
  2856 / kmnjg.exe
- Suspicious use of SetThreadContext (3 IoCs)
  description / pid / Process / procid_target:
  PID 2856 set thread context of 2696 / 2856 / kmnjg.exe / 32
  PID 2696 set thread context of 1184 / 2696 / kmnjg.exe / 21
  PID 2696 set thread context of 1184 / 2696 / kmnjg.exe / 21
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoCs)
  pid / pid_target / Process / procid_target:
  796 / 1748 / WerFault.exe / 33
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / Process:
  Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / kmnjg.exe
  Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / msiexec.exe
  Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / Order-940211730-pdf.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid / Process:
  2696 / kmnjg.exe (3 identical entries)
- Suspicious behavior: MapViewOfSection (4 IoCs)
  pid / Process:
  2696 / kmnjg.exe (4 identical entries)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description / pid / Process:
  Token: SeDebugPrivilege / 2696 / kmnjg.exe
  Token: SeShutdownPrivilege / 1184 / Explorer.EXE (3 identical entries)
- Suspicious use of WriteProcessMemory (22 IoCs)
  description / pid / Process / procid_target:
  PID 2692 wrote to memory of 2856 / 2692 / Order-940211730-pdf.exe / 30 (4 identical entries)
  PID 2856 wrote to memory of 2696 / 2856 / kmnjg.exe / 32 (7 identical entries)
  PID 1184 wrote to memory of 1748 / 1184 / Explorer.EXE / 33 (7 identical entries)
  PID 1748 wrote to memory of 796 / 1748 / msiexec.exe / 34 (4 identical entries)
Processes
- C:\Windows\Explorer.EXE (PID 1184), command line: C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Order-940211730-pdf.exe (PID 2692), command line: "C:\Users\Admin\AppData\Local\Temp\Order-940211730-pdf.exe"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\kmnjg.exe (PID 2856), command line: C:\Users\Admin\AppData\Local\Temp\kmnjg.exe C:\Users\Admin\AppData\Local\Temp\bodyzweapn
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\kmnjg.exe (PID 2696), command line: C:\Users\Admin\AppData\Local\Temp\kmnjg.exe C:\Users\Admin\AppData\Local\Temp\bodyzweapn
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\msiexec.exe (PID 1748), command line: "C:\Windows\SysWOW64\msiexec.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe (PID 796), command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 268
      - Program crash
Downloads
- Filesize: 5KB
  MD5: d161975bcaf7cfd3de8dc4a37653c1d5
  SHA1: b5e61fb06c2fb114430d63f8cad1927d77993da0
  SHA256: c5c71f13e5bc6fbbb15b0660a962bd34d63f6cbcff17530bc48a9ab8cfa42a88
  SHA512: e89f413acf9e83bee249fdd3dd32ce6eae7bb9cb1889c65b7998bc432f966cc7d1d4e873403326dccdbdb4689e63abc8a4fbdc10a771ec8277783c73ae16660a
- Filesize: 211KB
  MD5: 3f9f5918baeecd565f401ab5af3b2d08
  SHA1: b62677d128241fa345cf44979294f55a7fcfde8c
  SHA256: c8b0d215336ad28fa42bb569e63f809c5006366d0a9030b7cb3399af6104003d
  SHA512: 83043b15c08899334fb03b57c53761ab82120034a85e96facbe1ad168862a4b91db9a89cc552b0d10fce8feac39a9a2fdd9dc05bf20e4368fbdf2ce6c3e2680f
- Filesize: 170KB
  MD5: 53face3b36237ca409c4f8c277842fbe
  SHA1: bca858bff9d11ffc6c5772c01aceee84e52a8eec
  SHA256: 8a4451db9a95c45c952c228c36d5976d5d9164077d6c9969f9206b6248963f81
  SHA512: 813ea54c1b643f5f4222bb97f82a73bcc07c9fa3ae459a748936dcff810caf19cb9771e09035e13efc1bae0ad611647dad0862d9132adf92bf01abfa7e33e31f