Analysis Overview
SHA256
be55efe027389032b9759fab2cae070ec16fe7f17ec802002fbe70f4f6d4e117
Threat Level: Known bad
The file be55efe027389032b9759fab2cae070ec16fe7f17ec802002fbe70f4f6d4e117 was found to be: Known bad.
Malicious Activity Summary
Xloader
Xloader family
Xloader payload
Deletes itself
Loads dropped DLL
Suspicious use of SetThreadContext
Program crash
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
NSIS installer
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-21 19:51
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-21 19:51
Reported
2024-11-21 19:54
Platform
win7-20240903-en
Max time kernel
147s
Max time network
119s
Command Line
Signatures
Xloader
Xloader family
Xloader payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\New Order.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\New Order.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2768 set thread context of 2964 | N/A | C:\Users\Admin\AppData\Local\Temp\New Order.exe | C:\Users\Admin\AppData\Local\Temp\New Order.exe |
| PID 2964 set thread context of 1200 | N/A | C:\Users\Admin\AppData\Local\Temp\New Order.exe | C:\Windows\Explorer.EXE |
| PID 2964 set thread context of 1200 | N/A | C:\Users\Admin\AppData\Local\Temp\New Order.exe | C:\Windows\Explorer.EXE |
| PID 2644 set thread context of 1200 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\Explorer.EXE |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New Order.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\New Order.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\New Order.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\New Order.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\New Order.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\New Order.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\New Order.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\New Order.exe | "C:\Users\Admin\AppData\Local\Temp\New Order.exe" |
| C:\Users\Admin\AppData\Local\Temp\New Order.exe | "C:\Users\Admin\AppData\Local\Temp\New Order.exe" |
| C:\Windows\SysWOW64\explorer.exe | "C:\Windows\SysWOW64\explorer.exe" |
| C:\Windows\SysWOW64\cmd.exe | /c del "C:\Users\Admin\AppData\Local\Temp\New Order.exe" |
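Added example, not part of the sandbox report: a Python script that takes the behavioral1 rows above (copied inline as constructed data) and turns them into a triage summary. It deduplicates the SetThreadContext rows into PID-to-PID edges and labels each edge by the relationship between the two images, matches the cmd.exe `/c del` command line against the images of the other processes in the tree (the "Deletes itself" signature), and lists the processes that opened the NLS\Language key. The function names and edge labels are this example's own.

```python
import re

# Constructed from the behavioral1 tables on this page (sandbox report rows, not live telemetry).
# SetThreadContext rows: (description, source process image, target process image).
SET_THREAD_CONTEXT = [
    ("PID 2768 set thread context of 2964",
     r"C:\Users\Admin\AppData\Local\Temp\New Order.exe", r"C:\Users\Admin\AppData\Local\Temp\New Order.exe"),
    ("PID 2964 set thread context of 1200",
     r"C:\Users\Admin\AppData\Local\Temp\New Order.exe", r"C:\Windows\Explorer.EXE"),
    ("PID 2964 set thread context of 1200",
     r"C:\Users\Admin\AppData\Local\Temp\New Order.exe", r"C:\Windows\Explorer.EXE"),
    ("PID 2644 set thread context of 1200",
     r"C:\Windows\SysWOW64\explorer.exe", r"C:\Windows\Explorer.EXE"),
]
# Processes: (process image, command line), as listed in the report.
PROCESSES = [
    (r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    (r"C:\Users\Admin\AppData\Local\Temp\New Order.exe", r'"C:\Users\Admin\AppData\Local\Temp\New Order.exe"'),
    (r"C:\Users\Admin\AppData\Local\Temp\New Order.exe", r'"C:\Users\Admin\AppData\Local\Temp\New Order.exe"'),
    (r"C:\Windows\SysWOW64\explorer.exe", r'"C:\Windows\SysWOW64\explorer.exe"'),
    (r"C:\Windows\SysWOW64\cmd.exe", r'/c del "C:\Users\Admin\AppData\Local\Temp\New Order.exe"'),
]
# System Language Discovery rows: (registry key opened, process image).
REGISTRY_OPENS = [
    (r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language", r"C:\Users\Admin\AppData\Local\Temp\New Order.exe"),
    (r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language", r"C:\Windows\SysWOW64\explorer.exe"),
    (r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language", r"C:\Windows\SysWOW64\cmd.exe"),
]

CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+)")
DEL_RE = re.compile(r'(?i)\bdel\s+"?([^"]+?)"?\s*$')
NLS_LANGUAGE_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"


def injection_edges(rows):
    """Deduplicated (src_pid, src_image, dst_pid, dst_image) edges, in report order."""
    edges = []
    for desc, src, dst in rows:
        m = CTX_RE.fullmatch(desc)
        if m:
            edge = (int(m.group(1)), src, int(m.group(2)), dst)
            if edge not in edges:
                edges.append(edge)
    return edges


def classify_edge(edge):
    """Label a SetThreadContext edge by how the two process images relate."""
    _, src_img, _, dst_img = edge
    if src_img.lower() == dst_img.lower():
        # Parent rewrote the thread context of a child running its own image:
        # the shape of a suspended child being hollowed and resumed.
        return "same-image"
    if dst_img.lower().endswith("\\explorer.exe"):
        return "explorer-injection"
    return "cross-process"


def self_delete_targets(processes):
    """Paths deleted through cmd.exe that are the image of a process in the same tree."""
    images = {img.lower() for img, _ in processes}
    hits = []
    for img, cmdline in processes:
        if img.lower().endswith("\\cmd.exe"):
            m = DEL_RE.search(cmdline)
            if m and m.group(1).lower() in images:
                hits.append(m.group(1))
    return hits


def language_checkers(reg_rows):
    """Processes that opened the NLS Language key (a locale check made before the payload runs)."""
    return sorted({proc for key, proc in reg_rows if key.lower() == NLS_LANGUAGE_KEY.lower()})


def triage():
    edges = injection_edges(SET_THREAD_CONTEXT)
    return {
        "injection": [(e[0], e[2], classify_edge(e)) for e in edges],
        "self_delete": self_delete_targets(PROCESSES),
        "language_check": language_checkers(REGISTRY_OPENS),
    }


if __name__ == "__main__":
    for name, value in triage().items():
        print(name, value)
```

The chain the script recovers is the one a reader has to assemble from three separate tables: the dropped New Order.exe rewrites a child of its own image, that child rewrites the thread context of the desktop Explorer.EXE, and a 32-bit SysWOW64\explorer.exe does the same; cmd.exe then removes the original file. Only the win7 run (behavioral1) shows this chain; the win10 run (behavioral2) crashes before it.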
Network
Files
\Users\Admin\AppData\Local\Temp\nsi5D9B.tmp\System.dll
| MD5 | 56a321bd011112ec5d8a32b2f6fd3231 |
| SHA1 | df20e3a35a1636de64df5290ae5e4e7572447f78 |
| SHA256 | bb6df93369b498eaa638b0bcdc4bb89f45e9b02ca12d28bcedf4629ea7f5e0f1 |
| SHA512 | 5354890cbc53ce51081a78c64ba9c4c8c4dc9e01141798c1e916e19c5776dac7c82989fad0f08c73e81aaba332dad81205f90d0663119af45550b97b338b9cc3 |
memory/2964-11-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2964-13-0x0000000000400000-0x0000000000428000-memory.dmp
memory/1200-14-0x0000000004EF0000-0x0000000004FBF000-memory.dmp
memory/2964-16-0x0000000000400000-0x0000000000428000-memory.dmp
memory/1200-17-0x0000000004EF0000-0x0000000004FBF000-memory.dmp
memory/1200-18-0x0000000007750000-0x0000000007869000-memory.dmp
memory/2644-21-0x0000000000560000-0x00000000007E1000-memory.dmp
memory/2644-23-0x0000000000560000-0x00000000007E1000-memory.dmp
memory/2644-24-0x00000000000C0000-0x00000000000E8000-memory.dmp
memory/1200-25-0x0000000007750000-0x0000000007869000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-21 19:51
Reported
2024-11-21 19:54
Platform
win10v2004-20241007-en
Max time kernel
95s
Max time network
142s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\New Order.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\New Order.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\New Order.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New Order.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4360 wrote to memory of 732 | N/A | C:\Users\Admin\AppData\Local\Temp\New Order.exe | C:\Users\Admin\AppData\Local\Temp\New Order.exe |
| PID 4360 wrote to memory of 732 | N/A | C:\Users\Admin\AppData\Local\Temp\New Order.exe | C:\Users\Admin\AppData\Local\Temp\New Order.exe |
| PID 4360 wrote to memory of 732 | N/A | C:\Users\Admin\AppData\Local\Temp\New Order.exe | C:\Users\Admin\AppData\Local\Temp\New Order.exe |
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\New Order.exe | "C:\Users\Admin\AppData\Local\Temp\New Order.exe" |
| C:\Users\Admin\AppData\Local\Temp\New Order.exe | "C:\Users\Admin\AppData\Local\Temp\New Order.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4360 -ip 4360 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 924 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.36.72.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nslC768.tmp\System.dll
| MD5 | 56a321bd011112ec5d8a32b2f6fd3231 |
| SHA1 | df20e3a35a1636de64df5290ae5e4e7572447f78 |
| SHA256 | bb6df93369b498eaa638b0bcdc4bb89f45e9b02ca12d28bcedf4629ea7f5e0f1 |
| SHA512 | 5354890cbc53ce51081a78c64ba9c4c8c4dc9e01141798c1e916e19c5776dac7c82989fad0f08c73e81aaba332dad81205f90d0663119af45550b97b338b9cc3 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-21 19:51
Reported
2024-11-21 19:54
Platform
win7-20240903-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1 |
| C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 224 |
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-21 19:51
Reported
2024-11-21 19:54
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 716 wrote to memory of 4628 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 716 wrote to memory of 4628 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 716 wrote to memory of 4628 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
| Process | Command line |
| C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1 |
| C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4628 -ip 4628 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 612 |
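Added example covering the behavioral2, behavioral3 and behavioral4 runs above; it is not part of the report. In these runs the "Program crash" signature names only the image, while WerFault's `-p` argument carries the faulting PID, and the WriteProcessMemory rows are the only place the report ties a PID to an image. The script below, with the process lists and WriteProcessMemory rows copied inline as constructed data, resolves each WerFault crash to an image and to its role in the memory write (writer, target or unknown when no PID-bearing row exists, as in behavioral3), and separately picks out rundll32 invocations that call the dropped System.dll by export ordinal. Function names and role labels are the example's own.

```python
import re

# Constructed from the Processes tables of behavioral2, behavioral3 and behavioral4 on this
# page (sandbox report rows, not live telemetry). Each entry: (process image, command line).
RUNS = {
    "behavioral2": [
        (r"C:\Users\Admin\AppData\Local\Temp\New Order.exe", r'"C:\Users\Admin\AppData\Local\Temp\New Order.exe"'),
        (r"C:\Users\Admin\AppData\Local\Temp\New Order.exe", r'"C:\Users\Admin\AppData\Local\Temp\New Order.exe"'),
        (r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4360 -ip 4360"),
        (r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 924"),
    ],
    "behavioral3": [
        (r"C:\Windows\system32\rundll32.exe", r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1"),
        (r"C:\Windows\SysWOW64\rundll32.exe", r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1"),
        (r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 224"),
    ],
    "behavioral4": [
        (r"C:\Windows\system32\rundll32.exe", r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1"),
        (r"C:\Windows\SysWOW64\rundll32.exe", r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1"),
        (r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4628 -ip 4628"),
        (r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 612"),
    ],
}
# WriteProcessMemory rows: (description, source image, target image). behavioral3 lists none.
WRITE_PROCESS_MEMORY = {
    "behavioral2": [("PID 4360 wrote to memory of 732",
                     r"C:\Users\Admin\AppData\Local\Temp\New Order.exe", r"C:\Users\Admin\AppData\Local\Temp\New Order.exe")],
    "behavioral4": [("PID 716 wrote to memory of 4628",
                     r"C:\Windows\system32\rundll32.exe", r"C:\Windows\SysWOW64\rundll32.exe")],
}

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
WERFAULT_PID_RE = re.compile(r"(?:^|\s)-p\s+(\d+)\b")        # '-p N' but not '-pss' or '-ip N'
ORDINAL_RE = re.compile(r"(?i)rundll32\.exe\s+(\S+?\.dll),#(\d+)")


def pid_images(wpm_rows):
    """PID -> image map recovered from the WriteProcessMemory rows, plus the set of writer PIDs."""
    images, writers = {}, set()
    for desc, src_img, dst_img in wpm_rows:
        m = WPM_RE.fullmatch(desc)
        if m:
            src, dst = int(m.group(1)), int(m.group(2))
            images.setdefault(src, src_img)
            images.setdefault(dst, dst_img)
            writers.add(src)
    return images, writers


def werfault_pids(processes):
    """Faulting PIDs named by WerFault's -p argument, deduplicated across the -pss and -u invocations."""
    pids = []
    for img, cmdline in processes:
        if img.lower().endswith("\\werfault.exe"):
            m = WERFAULT_PID_RE.search(cmdline)
            if m and int(m.group(1)) not in pids:
                pids.append(int(m.group(1)))
    return pids


def crash_report(run):
    """(crashed pid, image or None, role) for each WerFault-reported crash in a run."""
    images, writers = pid_images(WRITE_PROCESS_MEMORY.get(run, []))
    out = []
    for pid in werfault_pids(RUNS[run]):
        if pid in writers:
            role = "writer"      # the process doing the WriteProcessMemory is the one that died
        elif pid in images:
            role = "target"      # the process being written into died
        else:
            role = "unknown"     # no PID-bearing row ties this PID to an image
        out.append((pid, images.get(pid), role))
    return out


def ordinal_loads(processes):
    """(dll path, ordinal) for rundll32 command lines that call an export by ordinal."""
    hits = []
    for _, cmdline in processes:
        m = ORDINAL_RE.search(cmdline)
        if m:
            hits.append((m.group(1), int(m.group(2))))
    return hits


if __name__ == "__main__":
    for run in RUNS:
        print(run, crash_report(run), ordinal_loads(RUNS[run]))
```

Reading the result: in behavioral2 the process that crashed (4360) is the first New Order.exe instance, the one that had already written into its child, so the win10 run never reaches the injection chain seen on win7. In behavioral3 and behavioral4 the crashing process is the SysWOW64 rundll32.exe that the sandbox used to call the dropped System.dll's ordinal #1 on its own, outside the NSIS installer that normally loads it; those two runs say nothing about the payload.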
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.179.89.13.in-addr.arpa | udp |
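Added example for the Network tables of behavioral2 and behavioral4 above; it is not part of the report. Every row in both tables is a query to 8.8.8.8:53 for a name under in-addr.arpa, that is, a reverse (PTR) lookup of an address rather than a forward resolution of a hostname. The script below, with the query names copied inline as constructed data, converts each PTR name back to the IPv4 address it asks about and separates reverse lookups from forward names, so that a reader can see at a glance that neither run resolved any hostname. Function names are the example's own.

```python
import ipaddress

# Query names constructed from the Network tables of behavioral2 and behavioral4 on this page.
# All rows were UDP to 8.8.8.8:53; names repeated across the two runs are kept on purpose.
QUERY_NAMES = [
    "8.8.8.8.in-addr.arpa", "228.249.119.40.in-addr.arpa", "168.36.72.23.in-addr.arpa",
    "95.221.229.192.in-addr.arpa", "68.159.190.20.in-addr.arpa", "97.17.167.52.in-addr.arpa",
    "209.205.72.20.in-addr.arpa", "212.20.149.52.in-addr.arpa", "171.39.242.20.in-addr.arpa",
    "172.214.232.199.in-addr.arpa", "172.210.232.199.in-addr.arpa",            # behavioral2
    "97.17.167.52.in-addr.arpa", "172.210.232.199.in-addr.arpa", "73.159.190.20.in-addr.arpa",
    "95.221.229.192.in-addr.arpa", "196.249.167.52.in-addr.arpa", "212.20.149.52.in-addr.arpa",
    "206.23.85.13.in-addr.arpa", "13.227.111.52.in-addr.arpa", "11.179.89.13.in-addr.arpa",  # behavioral4
]

PTR_SUFFIX = ".in-addr.arpa"


def ptr_name_to_ip(name):
    """'228.249.119.40.in-addr.arpa' -> IPv4Address('40.119.249.228'); None for non-PTR names."""
    if not name.lower().endswith(PTR_SUFFIX):
        return None
    labels = name[: -len(PTR_SUFFIX)].split(".")
    if len(labels) != 4:
        return None            # a zone or classless delegation, not a host PTR
    try:
        return ipaddress.IPv4Address(".".join(reversed(labels)))
    except ipaddress.AddressValueError:
        return None            # a label that is not an octet


def summarize(names):
    """Split queries into reverse lookups (reported as the looked-up IPs) and forward names."""
    reverse, forward = [], []
    for name in names:
        ip = ptr_name_to_ip(name)
        if ip is None:
            if name not in forward:
                forward.append(name)
        elif ip not in reverse:
            reverse.append(ip)
    return {
        "reverse_ips": [str(ip) for ip in reverse],
        "reverse_global": sum(1 for ip in reverse if ip.is_global),
        "forward_names": forward,
    }


if __name__ == "__main__":
    for key, value in summarize(QUERY_NAMES).items():
        print(key, value)
```

With the report's rows the forward list is empty and sixteen distinct addresses were looked up in reverse. That matches the crash recorded in both runs: the stage that would contact a command-and-control host did not run, so the only DNS traffic is the OS resolving addresses it was already talking to.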