| File name: | orden pdf.exe.xz |
| Full analysis: | https://app.any.run/tasks/db202010-f3d1-4e5a-869b-719de66a38de |
| Verdict: | Malicious activity |
| Threats: | DBatLoader is a loader malware used for distributing payloads of different types, including WarzoneRAT and Formbook. It is employed in multi-stage attacks that usually start with a phishing email carrying a malicious attachment. |
| Analysis date: | November 09, 2023, 17:02:21 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-xz |
| File info: | XZ compressed data |
| MD5: | 6973B8D8C1EF6685A8AD6104C73F699C |
| SHA1: | CF36F278A21A5F6CD51F3E1E104C1D420766CB9E |
| SHA256: | F82037F59D0268B8B326E25D15617A3E485A22CE636FCF21999C715378D60777 |
| SSDEEP: | 98304:rD3PvkkWXYAaMM1jas7iaWZIs3wXSVr5IN5XhS/k1R/B/VnOS8UJN57G2FKn03Nv:zTrH |
MALICIOUS
DBATLOADER has been detected (YARA)
- orden pdf.exe (PID: 3544)
Drops the executable file immediately after the start
- orden pdf.exe (PID: 3544)
SUSPICIOUS
Reads settings of System Certificates
- orden pdf.exe (PID: 3544)
Reads the Internet Settings
- orden pdf.exe (PID: 3544)
INFO
Reads the computer name
- wmpnscfg.exe (PID: 3240)
- orden pdf.exe (PID: 3544)
- wmpnscfg.exe (PID: 3632)
Checks supported languages
- wmpnscfg.exe (PID: 3240)
- orden pdf.exe (PID: 3544)
- wmpnscfg.exe (PID: 3632)
Reads the machine GUID from the registry
- wmpnscfg.exe (PID: 3240)
- orden pdf.exe (PID: 3544)
- wmpnscfg.exe (PID: 3632)
Drops the executable file immediately after the start
- WinRAR.exe (PID: 3432)
Checks proxy server information
- orden pdf.exe (PID: 3544)
Manual execution by a user
- wmpnscfg.exe (PID: 3632)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
DBatLoader
(PID) Process(3544) orden pdf.exe
C2 (1)https://onedrive.live.com/download?resid=D2FF5C6240820574%21359&authkey=!AMa46upLsRo3EHo
TRiD
| .xz | | | xz compressed container (85.7) |
|---|
Total processes
40
Monitored processes
5
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 3240 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3432 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\orden pdf.exe.xz" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | |||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
| 3544 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa3432.34553\orden pdf.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3432.34553\orden pdf.exe | WinRAR.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 3221225477 Modules
DBatLoader(PID) Process(3544) orden pdf.exe C2 (1)https://onedrive.live.com/download?resid=D2FF5C6240820574%21359&authkey=!AMa46upLsRo3EHo | |||||||||||||||
| 3564 | C:\Windows\System32\SndVol.exe | C:\Windows\System32\SndVol.exe | — | orden pdf.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Volume Mixer Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3632 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
4 090
Read events
4 055
Write events
29
Delete events
6
Modification events
| (PID) Process: | (3240) wmpnscfg.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{A07267EE-F2EF-45EA-8FF7-4DF391F5C737}\{857FCC3A-0148-40BB-9F87-EDA324CC6E41} |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (3240) wmpnscfg.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{A07267EE-F2EF-45EA-8FF7-4DF391F5C737} |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (3240) wmpnscfg.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Health\{622543A4-75A1-49AC-B1EB-13369586EEDA} |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (3432) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\17A\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (3432) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip | |||
| (PID) Process: | (3432) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
| (PID) Process: | (3432) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\phacker.zip | |||
| (PID) Process: | (3432) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (3432) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (3432) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
Executable files
2
Suspicious files
0
Text files
1
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3544 | orden pdf.exe | C:\Users\Public\Dpitumev.url | text | |
MD5:B44B77B75791B1651F9A725630DC17DE | SHA256:C44D3CC8B29382D9D2722EB73356F1D86A9333E02DFDDEF363E170BA9ECF9BE3 | |||
| 3432 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3432.34553\orden pdf.exe | executable | |
MD5:8B66543D83710A1E1D88D27CFCDC01B1 | SHA256:D348EBBF7634866925C6EEB5DCA5BD0A8226A0B1419157EF6E68F4BD99C3D0A6 | |||
| 3544 | orden pdf.exe | C:\Users\Public\Libraries\Dpitumev.PIF | executable | |
MD5:8B66543D83710A1E1D88D27CFCDC01B1 | SHA256:D348EBBF7634866925C6EEB5DCA5BD0A8226A0B1419157EF6E68F4BD99C3D0A6 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
7
DNS requests
2
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2588 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
3544 | orden pdf.exe | 13.107.42.13:443 | onedrive.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown |
3544 | orden pdf.exe | 13.107.42.12:443 | zexw2w.bn.files.1drv.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
onedrive.live.com |
| shared |
zexw2w.bn.files.1drv.com |
| unknown |