Analysis
max time kernel: 148s
max time network: 15s
platform: windows7_x64
resource: win7v20201028
submitted: 13-01-2021 07:10
Static task: static1
Behavioral task: behavioral1
Sample: ab62532db045fc659e00887f83800dd1.exe
Resource: win7v20201028
General
Target: ab62532db045fc659e00887f83800dd1.exe
Size: 1.0MB
MD5: ab62532db045fc659e00887f83800dd1
SHA1: ffe9b4472a606730610d7fe3241292db91ed8879
SHA256: 9548c6a9da2d6cee9d27565c0055be4429cabfae9287ab3e525aaba66fd67032
SHA512: e11bb17e2052831ef68a8301ea684668c8ef9300b80611cc0342c38cab4f6528143026885244eb4d5e5b84f5ae411a95981ab72348fdba2a4db86a5030745535
Malware Config
Extracted: formbook
http://www.herbmedia.net/csv8/
Signatures

Xloader Payload (3 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/1344-9-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
behavioral1/memory/1344-10-0x000000000041D0C0-mapping.dmp | xloader
behavioral1/memory/1512-11-0x0000000000000000-mapping.dmp | xloader

Uses the VBS compiler for execution (1 TTP)

Suspicious use of SetThreadContext (3 IoCs)
Processes:
description | pid | process | target process
PID 1676 set thread context of 1344 | 1676 | ab62532db045fc659e00887f83800dd1.exe | vbc.exe
PID 1344 set thread context of 1248 | 1344 | vbc.exe | Explorer.EXE
PID 1512 set thread context of 1248 | 1512 | cmd.exe | Explorer.EXE

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (23 IoCs)
Processes:
pid | process
1676 | ab62532db045fc659e00887f83800dd1.exe
1344 | vbc.exe (2 entries)
1512 | cmd.exe (20 entries)

Suspicious behavior: MapViewOfSection (5 IoCs)
Processes:
pid | process
1344 | vbc.exe (3 entries)
1512 | cmd.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 1676 | ab62532db045fc659e00887f83800dd1.exe
Token: SeDebugPrivilege | 1344 | vbc.exe
Token: SeDebugPrivilege | 1512 | cmd.exe

Suspicious use of FindShellTrayWindow (4 IoCs)
Processes:
pid | process
1248 | Explorer.EXE (4 entries)

Suspicious use of SendNotifyMessage (4 IoCs)
Processes:
pid | process
1248 | Explorer.EXE (4 entries)

Suspicious use of WriteProcessMemory (19 IoCs)
Processes:
description | pid | process | target process
PID 1676 wrote to memory of 1584 | 1676 | ab62532db045fc659e00887f83800dd1.exe | schtasks.exe (4 entries)
PID 1676 wrote to memory of 1344 | 1676 | ab62532db045fc659e00887f83800dd1.exe | vbc.exe (7 entries)
PID 1248 wrote to memory of 1512 | 1248 | Explorer.EXE | cmd.exe (4 entries)
PID 1512 wrote to memory of 916 | 1512 | cmd.exe | cmd.exe (4 entries)
Processes

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\ab62532db045fc659e00887f83800dd1.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\ab62532db045fc659e00887f83800dd1.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GbXrJAAtY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1803.tmp"
      - Creates scheduled task(s)

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      command line: "{path}"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\SysWOW64\cmd.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1803.tmp
MD5: fb685573ff5a20c7d343fcd6b2d09bd7
SHA1: 9febb06e7f6d732e4d8ec048bed663ebab4fd24e
SHA256: a1103ebd09e55bf4e037ff8b421367fc3c54f127dd775f9499384c6b900afba5
SHA512: 6187877178149fe5e71fc486f90311f49af96fe96d23f85665ff94b612bb53a5a7458d088f2584669de7901567d0f125d5d1af12bd5d98294ccbfd59cc0ef6a6

memory/916-13-0x0000000000000000-mapping.dmp
memory/1344-9-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize: 164KB)
memory/1344-10-0x000000000041D0C0-mapping.dmp
memory/1512-11-0x0000000000000000-mapping.dmp
memory/1512-12-0x000000004A140000-0x000000004A18C000-memory.dmp (Filesize: 304KB)
memory/1512-14-0x0000000005190000-0x00000000052C6000-memory.dmp (Filesize: 1.2MB)
memory/1584-7-0x0000000000000000-mapping.dmp
memory/1676-2-0x0000000074110000-0x00000000747FE000-memory.dmp (Filesize: 6.9MB)
memory/1676-3-0x0000000000360000-0x0000000000361000-memory.dmp (Filesize: 4KB)
memory/1676-5-0x0000000000290000-0x000000000029E000-memory.dmp (Filesize: 56KB)
memory/1676-6-0x00000000005A0000-0x000000000061A000-memory.dmp (Filesize: 488KB)