Overview

overview

10

Static

static

3

New Order.exe

windows7-x64

10

New Order.exe

windows10-2004-x64

7

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    148s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    21-11-2024 20:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    New Order.exe

  • Size

    200KB

  • MD5

    9b4f723dbb86d64168d8347abc60f232

  • SHA1

    6bb06b4992e8212ad8eb82ef6dbe96039508680a

  • SHA256

    688ac6f12f6c5e6342e8a357aa09f94a35000967c391c17d7264fca65098600a

  • SHA512

    5330fbbe2312a6bfa050907cc1b67f00aefdf32cfb671c956fdea6411ac6623fa9352472d942c3f3eb9dddc3908ac4024908b0276e15df773835cc9828a769e2

  • SSDEEP

    6144:QBlL/3Ym6NjZ1ZIRwHugFHe/HUiqcVMvTX:iVp6TfbOgF+ZDML

Score
10/10
xloaderiaopdiscoveryloaderrat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

iaop

Decoy

fullcontrolsystems.com

shoptherevelle.com

strongpod.school

carthechconstruction.com

zaniherballife.com

pioneerlynn.com

37house.net

tuckahoeplantationlivestock.com

13053776999.com

aax1688.com

colonialservices.net

durango.xyz

bfncdn.com

gabrielgarnica.net

stilemilano.com

triportinc.com

shilparajan.com

singlebuck.com

learn2pmp.com

stgwxq.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader family
    xloader
  • Xloader payload 3 IoCs
    rat
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1188
    • C:\Users\Admin\AppData\Local\Temp\New Order.exe
      "C:\Users\Admin\AppData\Local\Temp\New Order.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2776
      • C:\Users\Admin\AppData\Local\Temp\New Order.exe
        "C:\Users\Admin\AppData\Local\Temp\New Order.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2756
    • C:\Windows\SysWOW64\control.exe
      "C:\Windows\SysWOW64\control.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2808
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\New Order.exe"
        3⤵
        • Deletes itself
        • System Location Discovery: System Language Discovery
        PID:2660

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nst345A.tmp\System.dll
    Filesize

    10KB

    MD5

    56a321bd011112ec5d8a32b2f6fd3231

    SHA1

    df20e3a35a1636de64df5290ae5e4e7572447f78

    SHA256

    bb6df93369b498eaa638b0bcdc4bb89f45e9b02ca12d28bcedf4629ea7f5e0f1

    SHA512

    5354890cbc53ce51081a78c64ba9c4c8c4dc9e01141798c1e916e19c5776dac7c82989fad0f08c73e81aaba332dad81205f90d0663119af45550b97b338b9cc3

    Download Submit

  • memory/1188-14-0x0000000000010000-0x0000000000020000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1188-15-0x0000000002B00000-0x0000000002BC3000-memory.dmp

    Filesize

    780KB

    Download

  • memory/1188-22-0x0000000002B00000-0x0000000002BC3000-memory.dmp

    Filesize

    780KB

    Download

  • memory/2756-11-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2756-13-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2808-18-0x0000000000890000-0x00000000008AF000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2808-20-0x0000000000890000-0x00000000008AF000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2808-21-0x0000000000080000-0x00000000000A8000-memory.dmp

    Filesize

    160KB

    Download