Analysis

  max time kernel: 148s
  max time network: 144s
  platform: windows7_x64
  resource: win7-20240729-en
  resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  submitted: 21-11-2024 20:10

  Static task: static1
  Behavioral task: behavioral1
  Sample: Order 2021-600918.js
  Resource: win7-20240729-en
General

  Target: Order 2021-600918.js
  Size: 311KB
  MD5: f875ce20d9473d5dd74d2e0382fb32ba
  SHA1: a9b75554d7cb9eae3f06c2b9f3b7cf60617b32d8
  SHA256: b71e66c2f3dd88356df6c1bb0cab806156e91bed324c376b45cae58ce051ceff
  SHA512: 1eccb095f0bd41fb28879a726d8257b3a30cc487efa33fe24f2be2899596ee99bc54179d7003493aec50e55f6e6beac77616a9a8d9c3d80e4cb4a0244c33c4fe
  SSDEEP: 6144:X/Rfo2A0XbJtYp+JPNqRvhQoACsix01v8sPgMBZe9c/slHWiqIWvfQwc:mkFtYwPNqRGrCG9rYML/FjvI
Malware Config

Extracted
  Family: xloader
  Version: 2.3
  Campaign ID: wqos
  Domains:
nobis.one
firecrestfineart.com
zhongqiaolw.com
healthcaremovement.com
amothersloveliberates.com
maskscafe.com
dkukkmk.icu
realmindofmitch.com
cranes-crossing.com
deeplyrootedplants.com
doodlesbakery.com
xiaomagu.com
lactase-enzym.com
comprartecnologia.com
making-my-new-normal.com
ruksamin.com
inforko.com
2mblueprint.com
pinkfang.com
100daysofbush.com
facesculptor3d.com
imdistel.com
vaagencyblueprint.com
ssdigreater.info
lklool.com
robinsrevenge.com
lescoquelicots.paris
mysticandmagician.com
powersmoney.com
baincot3.com
goodlink4freewares.info
assuredbc.com
drsergegauthier.com
esp-mask.com
riadepot.com
uresource.net
blacktielabs.com
hadobit.com
francesjmelhop.com
shansshield.com
justinhighland.com
rixoro.com
lnhujiaoqi.com
menteemethods.com
xn--3ds641adrtfpb.com
sodomytv.com
pkd.xyz
flagi.expert
smartbusiness-31.com
holisticwellnessbyheta.com
xldd0818m75imv22.xyz
studiespullen.club
drheatherbluemel.com
villalacchini.com
eightiestheultimatedecade.com
balkanum.com
thetexthub.com
computoyservicio.com
goghostcbd.com
theartisty.com
7967299.com
2084software.com
everbignt.com
westlakehillsdental.com
shdbwl188.com
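The domain list above is the part of this report most useful for hunting. The following is an added example, not output of the sandbox and not part of the report: a Python script that checks DNS query logs against the extracted domains using label-wise suffix matching, so a subdomain such as www.nobis.one matches but a look-alike such as evil-nobis.one does not. The log lines are constructed for the example, and XLOADER_DOMAINS holds only a subset of the list above (the full list drops in unchanged).

```python
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Subset of the domains listed in the extracted config above.
XLOADER_DOMAINS = [
    "nobis.one", "firecrestfineart.com", "zhongqiaolw.com", "dkukkmk.icu",
    "xn--3ds641adrtfpb.com", "pkd.xyz", "xldd0818m75imv22.xyz", "shdbwl188.com",
]

# Constructed DNS query log (timestamp, client, qtype, qname); not taken from the report.
SAMPLE_LOG = """\
2024-11-21T20:11:03Z 10.0.0.15 A www.nobis.one
2024-11-21T20:11:04Z 10.0.0.15 A NOBIS.ONE.
2024-11-21T20:11:05Z 10.0.0.22 A evil-nobis.one
2024-11-21T20:11:06Z 10.0.0.22 A www.dkukkmk.icu
2024-11-21T20:11:07Z 10.0.0.31 AAAA update.microsoft.com
2024-11-21T20:11:08Z 10.0.0.15 A shdbwl188.com
"""


def _labels(name: str) -> Tuple[str, ...]:
    """Normalise a DNS name: lower-case, strip the trailing dot, split into labels."""
    return tuple(name.lower().rstrip(".").split("."))


def build_index(domains: List[str]) -> Set[Tuple[str, ...]]:
    """Index the config domains as label tuples for exact suffix lookups."""
    return {_labels(d) for d in domains}


def match(qname: str, index: Set[Tuple[str, ...]]) -> Optional[str]:
    """Return the config domain that qname equals or is a subdomain of, else None.

    Matching is label-wise, so 'evil-nobis.one' does not match 'nobis.one'.
    """
    labels = _labels(qname)
    for i in range(len(labels)):
        if labels[i:] in index:
            return ".".join(labels[i:])
    return None


def hunt(log_text: str, domains: List[str]) -> Dict[str, List[Tuple[str, str]]]:
    """Group matching queries by client IP: {client: [(queried name, matched domain), ...]}."""
    index = build_index(domains)
    hits: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, _qtype, qname = line.split()
        hit = match(qname, index)
        if hit:
            hits[client].append((qname, hit))
    return dict(hits)


if __name__ == "__main__":
    for client, queries in hunt(SAMPLE_LOG, XLOADER_DOMAINS).items():
        print(client, queries)
```

Treat a hit as a lead rather than proof of infection: Xloader (Formbook) configs embed decoy domains alongside the real C2, so most of the names above belong to unrelated, legitimate sites, and a blanket block of the whole list would also block those sites. Correlate a hit with the host-side artifacts in the signatures below before acting on it.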
Signatures

Vjw0rm family

Xloader family

Xloader payload (3 IoCs)
  resource | yara_rule
  behavioral1/files/0x0007000000018766-8.dat | xloader
  behavioral1/memory/2944-14-0x0000000000BA0000-0x0000000000BC8000-memory.dmp | xloader
  behavioral1/memory/2224-21-0x0000000000080000-0x00000000000A8000-memory.dmp | xloader

Drops startup file (2 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zIMOUAQYhg.js | wscript.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zIMOUAQYhg.js | wscript.exe

Executes dropped EXE (1 IoC)
  pid | Process
  2944 | bin.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\zIMOUAQYhg.js\"" | wscript.exe

Suspicious use of SetThreadContext (3 IoCs)
  description | pid | Process | procid_target
  PID 2944 set thread context of 1284 | 2944 | bin.exe | 21
  PID 2944 set thread context of 1284 | 2944 | bin.exe | 21
  PID 2224 set thread context of 1284 | 2224 | wininit.exe | 21

Command and Scripting Interpreter: JavaScript (1 TTP)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bin.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wininit.exe

Suspicious behavior: EnumeratesProcesses (31 IoCs)
  pid | Process | count
  2944 | bin.exe | 3
  2224 | wininit.exe | 28

Suspicious behavior: MapViewOfSection (6 IoCs)
  pid | Process | count
  2944 | bin.exe | 4
  2224 | wininit.exe | 2

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2944 | bin.exe
  Token: SeDebugPrivilege | 2224 | wininit.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
  pid | Process | count
  1284 | Explorer.EXE | 2

Suspicious use of SendNotifyMessage (2 IoCs)
  pid | Process | count
  1284 | Explorer.EXE | 2

Suspicious use of WriteProcessMemory (11 IoCs)
  description | pid | Process | procid_target | count
  PID 1760 wrote to memory of 2160 | 1760 | wscript.exe | 30 | 3
  PID 1760 wrote to memory of 2944 | 1760 | wscript.exe | 31 | 4
  PID 2944 wrote to memory of 2224 | 2944 | bin.exe | 34 | 4
Processes

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 1284
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  C:\Windows\system32\wscript.exe
    command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\Order 2021-600918.js"
    PID: 1760
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\wscript.exe
      command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\zIMOUAQYhg.js"
      PID: 2160
      - Drops startup file
      - Adds Run key to start application

    C:\Users\Admin\AppData\Local\Temp\bin.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\bin.exe"
      PID: 2944
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\wininit.exe
        command line: "C:\Windows\SysWOW64\wininit.exe"
        PID: 2224
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
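The signatures and process tree above describe a chain that maps directly onto host detections: a script host running a .js from Temp, that script host spawning an executable from Temp, persistence through the Startup folder and a Run key pointing at a script under AppData\Roaming, and then bin.exe and the SysWOW64\wininit.exe it launches obtaining write access to Explorer.EXE (the SetThreadContext and WriteProcessMemory signatures). The following is an added example, not output of the sandbox and not part of the report: Python detection logic run over Sysmon-style events (ProcessCreate 1, ProcessAccess 10, FileCreate 11, RegistryValueSet 13). The event records are constructed to mirror the tree above plus benign controls; the GrantedAccess values, the HKU form of the registry path and the field names are assumptions of the example. The wininit.exe rule relies on the fact that wininit.exe is started only by smss.exe, so any other parent marks a process being used as an injection host, as here.

```python
import ntpath
from typing import Any, Dict, List, Tuple

# Script hosts that should not normally spawn executables from user-writable paths.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta")
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")
# wininit.exe is started once, by smss.exe; any other parent is an injection host.
EXPECTED_PARENT = {"wininit.exe": {"smss.exe"}}
PROCESS_VM_WRITE = 0x0020  # access right required to write another process's memory

Alert = Tuple[str, int, str]  # (rule name, pid, detail)

# Constructed Sysmon-style events modelled on the process tree and IoCs in this report,
# followed by three benign control events. Not exported from the sandbox.
EVENTS: List[Dict[str, Any]] = [
    {"EventID": 1, "ProcessId": 1760, "ParentProcessId": 1284,
     "Image": r"C:\Windows\system32\wscript.exe", "ParentImage": r"C:\Windows\Explorer.EXE",
     "CommandLine": r'wscript.exe "C:\Users\Admin\AppData\Local\Temp\Order 2021-600918.js"'},
    {"EventID": 1, "ProcessId": 2160, "ParentProcessId": 1760,
     "Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\system32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\zIMOUAQYhg.js"'},
    {"EventID": 1, "ProcessId": 2944, "ParentProcessId": 1760,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\bin.exe", "ParentImage": r"C:\Windows\system32\wscript.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\bin.exe"'},
    {"EventID": 1, "ProcessId": 2224, "ParentProcessId": 2944,
     "Image": r"C:\Windows\SysWOW64\wininit.exe", "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\bin.exe",
     "CommandLine": r'"C:\Windows\SysWOW64\wininit.exe"'},
    {"EventID": 11, "ProcessId": 2160, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zIMOUAQYhg.js"},
    {"EventID": 13, "ProcessId": 2160, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": r"HKU\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S",
     "Details": r'"C:\Users\Admin\AppData\Roaming\zIMOUAQYhg.js"'},
    {"EventID": 10, "SourceProcessId": 2944, "SourceImage": r"C:\Users\Admin\AppData\Local\Temp\bin.exe",
     "TargetProcessId": 1284, "TargetImage": r"C:\Windows\Explorer.EXE", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceProcessId": 2224, "SourceImage": r"C:\Windows\SysWOW64\wininit.exe",
     "TargetProcessId": 1284, "TargetImage": r"C:\Windows\Explorer.EXE", "GrantedAccess": "0x1FFFFF"},
    # Benign controls: none of these should fire.
    {"EventID": 1, "ProcessId": 3000, "ParentProcessId": 1284,
     "Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\Explorer.EXE",
     "CommandLine": r"notepad.exe C:\Users\Admin\Desktop\notes.txt"},
    {"EventID": 13, "ProcessId": 1284, "Image": r"C:\Windows\Explorer.EXE",
     "TargetObject": r"HKU\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\VendorApp",
     "Details": r'"C:\Program Files\Vendor\app.exe" /background'},
    {"EventID": 10, "SourceProcessId": 800, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetProcessId": 1284, "TargetImage": r"C:\Windows\Explorer.EXE", "GrantedAccess": "0x1000"},
]


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _user_writable(path: str) -> bool:
    return any(seg in path.lower() for seg in USER_WRITABLE)


def detect(events: List[Dict[str, Any]]) -> List[Alert]:
    """Apply the rules to Sysmon-style events and return (rule, pid, detail) alerts."""
    alerts: List[Alert] = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 1:  # ProcessCreate
            image, parent = _base(ev["Image"]), _base(ev["ParentImage"])
            cmdline = ev.get("CommandLine", "").lower()
            if image in SCRIPT_HOSTS and _user_writable(cmdline) and any(e in cmdline for e in SCRIPT_EXTS):
                alerts.append(("script_host_runs_user_path_script", ev["ProcessId"], ev["CommandLine"]))
            if parent in SCRIPT_HOSTS and _user_writable(ev["Image"]):
                alerts.append(("script_host_spawns_user_path_exe", ev["ProcessId"], ev["Image"]))
            expected = EXPECTED_PARENT.get(image)
            if expected and parent not in expected:
                alerts.append(("system_binary_unexpected_parent", ev["ProcessId"], f"{image} <- {parent}"))
        elif eid == 11:  # FileCreate
            target = ev["TargetFilename"]
            if "\\start menu\\programs\\startup\\" in target.lower() and target.lower().endswith(SCRIPT_EXTS):
                alerts.append(("startup_folder_script_drop", ev["ProcessId"], target))
        elif eid == 13:  # RegistryValueSet
            if "\\currentversion\\run\\" in ev["TargetObject"].lower():
                data = ev["Details"].strip().strip('"')
                if data.lower().endswith(SCRIPT_EXTS) or _user_writable(data):
                    alerts.append(("run_key_to_user_path_script", ev["ProcessId"], ev["TargetObject"]))
        elif eid == 10:  # ProcessAccess
            granted = int(ev["GrantedAccess"], 16)
            src = ev["SourceImage"]
            if (_base(ev["TargetImage"]) == "explorer.exe" and granted & PROCESS_VM_WRITE
                    and not src.lower().startswith("c:\\windows\\system32\\")):
                alerts.append(("write_access_to_explorer", ev["SourceProcessId"], src))
    return alerts


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:36} pid={pid:<5} {detail}")
```

The write-access rule keys on Explorer.EXE because that is the injection target in this report; in production, widen the target set and tune the System32 exclusion against your own baseline of legitimate accessors before alerting on it.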
Network
MITRE ATT&CK Enterprise v15
Downloads
-
  Filesize: 160KB
  MD5: 63f3a93c472be113725e951e40696642
  SHA1: 15477f7333a4ad56227bc61049c5eb5451ac73c7
  SHA256: 92e653a855a5495cc862ed79ee39aa6620b9b0b08948e89f866b07debba1b2f8
  SHA512: c155c01b90f80ab7125138e79a03a07b3699a00d1953653a00ac2f29d06d496bc9633119f3885f36f615313630cd1283822b12f38d7446a698b430584e238549

  Filesize: 9KB
  MD5: 797f97b46b0f42d7a26810b7b2e04cc9
  SHA1: 141b0a609e3fe9e4695ad0dfd905be24414287ab
  SHA256: 2a15292e70c7b6edbfb44ae1347debf9ab31bb3296b7cd3619fda0f9abf0d89d
  SHA512: c5173a980edc2230d9673e2c5729b6829c4130e80a14eb7efd7f0e41bc5a3f01b559fb67b5be191e0a309f0b04abf2c52b632e873307471569a07f995774a27d