Analysis
-
max time kernel: 149s
max time network: 12s
platform: windows7_x64
resource: win7v20201028
submitted: 13-01-2021 20:02
Static task: static1
Behavioral task: behavioral1
Sample: 92ff500a693078263908c83b4b290481.exe
Resource: win7v20201028
General
-
Target: 92ff500a693078263908c83b4b290481.exe
Size: 569KB
MD5: 92ff500a693078263908c83b4b290481
SHA1: fa5dcc6012c71490efdf320791a90c7a18958a95
SHA256: 767b1b32d4ac4cec73967590ca5b28c3e0f4d709c0773e3f4021774f15a2483a
SHA512: 8478c8b88309d55c83ab4a5f3af0367f19bb02a2b62db4a790ff7e867aa0ffe422cd4d177bbd3ad25d19cd0049ed196ec3910a72c7e3935fed0991cc783f0d1d
Malware Config
-
Extracted: formbook
Signatures
-
Xloader Payload (3 IoCs)
resource | yara_rule
behavioral1/memory/1828-9-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
behavioral1/memory/1828-10-0x000000000041D0C0-mapping.dmp | xloader
behavioral1/memory/564-11-0x0000000000000000-mapping.dmp | xloader
-
Uses the VBS compiler for execution (1 TTP)
-
Suspicious use of SetThreadContext (3 IoCs)
Processes: 92ff500a693078263908c83b4b290481.exe, vbc.exe, msdt.exe
description | pid | process | target process
PID 648 set thread context of 1828 | 648 | 92ff500a693078263908c83b4b290481.exe | vbc.exe
PID 1828 set thread context of 1192 | 1828 | vbc.exe | Explorer.EXE
PID 564 set thread context of 1192 | 564 | msdt.exe | Explorer.EXE
-
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses (25 IoCs)
Processes: 92ff500a693078263908c83b4b290481.exe, vbc.exe, msdt.exe
pid | process
648 | 92ff500a693078263908c83b4b290481.exe (1 occurrence)
1828 | vbc.exe (2 occurrences)
564 | msdt.exe (22 occurrences)
-
Suspicious behavior: MapViewOfSection (5 IoCs)
Processes: vbc.exe, msdt.exe
pid | process
1828 | vbc.exe (3 occurrences)
564 | msdt.exe (2 occurrences)
-
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: 92ff500a693078263908c83b4b290481.exe, vbc.exe, msdt.exe
description | pid | process
Token: SeDebugPrivilege | 648 | 92ff500a693078263908c83b4b290481.exe
Token: SeDebugPrivilege | 1828 | vbc.exe
Token: SeDebugPrivilege | 564 | msdt.exe
-
Suspicious use of FindShellTrayWindow (4 IoCs)
Processes: Explorer.EXE
pid | process
1192 | Explorer.EXE (4 occurrences)
-
Suspicious use of SendNotifyMessage (4 IoCs)
Processes: Explorer.EXE
pid | process
1192 | Explorer.EXE (4 occurrences)
-
Suspicious use of WriteProcessMemory (19 IoCs)
Processes: 92ff500a693078263908c83b4b290481.exe, Explorer.EXE, msdt.exe
description | pid | process | target process
PID 648 wrote to memory of 1652 | 648 | 92ff500a693078263908c83b4b290481.exe | schtasks.exe (4 occurrences)
PID 648 wrote to memory of 1828 | 648 | 92ff500a693078263908c83b4b290481.exe | vbc.exe (7 occurrences)
PID 1192 wrote to memory of 564 | 1192 | Explorer.EXE | msdt.exe (4 occurrences)
PID 564 wrote to memory of 1080 | 564 | msdt.exe | cmd.exe (4 occurrences)
Processes
-
C:\Windows\Explorer.EXE (PID 1192)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\Users\Admin\AppData\Local\Temp\92ff500a693078263908c83b4b290481.exe (PID 648)
      command line: "C:\Users\Admin\AppData\Local\Temp\92ff500a693078263908c83b4b290481.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      |
      +-- C:\Windows\SysWOW64\schtasks.exe (PID 1652)
          command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JcEEHoQdnETCO" /XML "C:\Users\Admin\AppData\Local\Temp\tmp849B.tmp"
          - Creates scheduled task(s)
      |
      +-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (PID 1828)
          command line: "{path}"
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of AdjustPrivilegeToken
  |
  +-- C:\Windows\SysWOW64\msdt.exe (PID 564)
      command line: "C:\Windows\SysWOW64\msdt.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      |
      +-- C:\Windows\SysWOW64\cmd.exe (PID 1080)
          command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp849B.tmp
MD5: 6650bf2f44240b096d1b807f4c413457
SHA1: 58160b254875bbf08ae22cc15d03fb514c012e5a
SHA256: 1cad80e9d172173046fcc07d4c1a80bf25ad5c176e3b2f794fb3ce1ed1ba64cd
SHA512: c4ef528824cc568c99be86525e5bbda8a3820292694de88ac780baf1d60fa43af86cad93a03594b57d8e0b2b321f15fbb5b2b8dd180055ad25d82fe5d69b5052
-
memory/564-11-0x0000000000000000-mapping.dmp
memory/564-12-0x0000000000480000-0x0000000000574000-memory.dmp (Filesize: 976KB)
memory/564-14-0x0000000004DC0000-0x0000000004F02000-memory.dmp (Filesize: 1.3MB)
memory/648-2-0x00000000746F0000-0x0000000074DDE000-memory.dmp (Filesize: 6.9MB)
memory/648-3-0x0000000000AC0000-0x0000000000AC1000-memory.dmp (Filesize: 4KB)
memory/648-5-0x0000000000440000-0x000000000044E000-memory.dmp (Filesize: 56KB)
memory/648-6-0x0000000004BF0000-0x0000000004C6A000-memory.dmp (Filesize: 488KB)
memory/1080-13-0x0000000000000000-mapping.dmp
memory/1652-7-0x0000000000000000-mapping.dmp
memory/1828-9-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize: 164KB)
memory/1828-10-0x000000000041D0C0-mapping.dmp