Analysis
max time kernel: 150s
max time network: 150s
platform: windows10_x64
resource: win10v20201028
submitted: 13-01-2021 20:02
Static task: static1
Behavioral task: behavioral1
Sample: 92ff500a693078263908c83b4b290481.exe
Resource: win7v20201028
General
Target: 92ff500a693078263908c83b4b290481.exe
Size: 569KB
MD5: 92ff500a693078263908c83b4b290481
SHA1: fa5dcc6012c71490efdf320791a90c7a18958a95
SHA256: 767b1b32d4ac4cec73967590ca5b28c3e0f4d709c0773e3f4021774f15a2483a
SHA512: 8478c8b88309d55c83ab4a5f3af0367f19bb02a2b62db4a790ff7e867aa0ffe422cd4d177bbd3ad25d19cd0049ed196ec3910a72c7e3935fed0991cc783f0d1d
Malware Config
Extracted family: formbook
http://www.herbmedia.net/csv8/
slgacha.com
oohdough.com
6983ylc.com
aykassociate.com
latin-hotspot.com
starrockindia.com
beamsubway.com
queensboutique1000.com
madbaddie.com
bhoomimart.com
ankitparivar.com
aldanasanchezmx.com
citest1597669833.com
cristianofreitas.com
myplantus.com
counterfeitmilk.com
8xf39.com
pregnantwomens.com
yyyut6.com
stnanguo.com
fessusesefsee.com
logansshop.net
familydalmatianhomes.com
accessible.legal
epicmassiveconcepts.com
indianfactopedia.com
exit-divorce.com
colliapse.com
nosishop.com
hayat-aljowaily.com
soundon.events
previnacovid19-br.com
traptlongview.com
splendidhotelspa.com
masterzushop.com
ednevents.com
studentdividers.com
treningi-enduro.com
hostingcoaster.com
gourmetgroceriesfast.com
thesouthbeachlife.com
teemergin.com
fixmygearfast.com
arb-invest.com
shemaledreamz.com
1819apparel.com
thedigitalsatyam.com
alparmuhendislik.com
distinctmusicproductions.com
procreditexpert.com
insights4innovation.com
jzbtl.com
1033325.com
sorteocamper.info
scheherazadelegault.com
glowportraiture.com
cleitstaapps.com
globepublishers.com
stattests.com
brainandbodystrengthcoach.com
magenx2.info
escaparati.com
wood-decor24.com
travelnetafrica.com
Signatures

Xloader Payload (3 IoCs)
resource                                                                     yara_rule
behavioral2/memory/3552-13-0x0000000000400000-0x0000000000429000-memory.dmp  xloader
behavioral2/memory/3552-14-0x000000000041D0C0-mapping.dmp                    xloader
behavioral2/memory/1988-15-0x0000000000000000-mapping.dmp                    xloader
Uses the VBS compiler for execution (1 TTP)

Suspicious use of SetThreadContext (3 IoCs)
description                          pid   process                               target process
PID 1924 set thread context of 3552  1924  92ff500a693078263908c83b4b290481.exe  vbc.exe
PID 3552 set thread context of 3000  3552  vbc.exe                               Explorer.EXE
PID 1988 set thread context of 3000  1988  mstsc.exe                             Explorer.EXE
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (46 IoCs)
pid   process
3552  vbc.exe    (4 occurrences)
1988  mstsc.exe  (42 occurrences)
Suspicious behavior: MapViewOfSection (5 IoCs)
pid   process
3552  vbc.exe    (3 occurrences)
1988  mstsc.exe  (2 occurrences)
Suspicious use of AdjustPrivilegeToken (4 IoCs)
description                       pid   process
Token: SeDebugPrivilege           3552  vbc.exe
Token: SeShutdownPrivilege        3000  Explorer.EXE
Token: SeCreatePagefilePrivilege  3000  Explorer.EXE
Token: SeDebugPrivilege           1988  mstsc.exe
Suspicious use of UnmapMainImage (1 IoC)
pid   process
3000  Explorer.EXE

Suspicious use of WriteProcessMemory (15 IoCs)
description                          pid   process                               target process
PID 1924 wrote to memory of 2844     1924  92ff500a693078263908c83b4b290481.exe  schtasks.exe   (3 occurrences)
PID 1924 wrote to memory of 3552     1924  92ff500a693078263908c83b4b290481.exe  vbc.exe        (6 occurrences)
PID 3000 wrote to memory of 1988     3000  Explorer.EXE                          mstsc.exe      (3 occurrences)
PID 1988 wrote to memory of 2744     1988  mstsc.exe                             cmd.exe        (3 occurrences)
Processes

1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\92ff500a693078263908c83b4b290481.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\92ff500a693078263908c83b4b290481.exe"
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\schtasks.exe
         Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JcEEHoQdnETCO" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1463.tmp"
         - Creates scheduled task(s)

      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
         Command line: "{path}"
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of AdjustPrivilegeToken

   2. C:\Windows\SysWOW64\mstsc.exe
      Command line: "C:\Windows\SysWOW64\mstsc.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\cmd.exe
         Command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1463.tmp
  MD5: a952ff45e054d16c68eb08f9ea790303
  SHA1: b8fc672cb2fb948b79544e5510657ac959459a22
  SHA256: e8ddda06941592fcf733a973c64e14eb3d1ffcbb801050a662a9eb694b100b1a
  SHA512: e30d510d9c855ff8f64d47593cd10f5fdbcc3ddb4b9da8a95dbb93524ab688ea262f821a47c786f6979820be2c22bc9e315d4fe83a989a0a51e6f13b4175ab40

Memory dumps
memory/1924-3-0x0000000000A60000-0x0000000000A61000-memory.dmp   Filesize: 4KB
memory/1924-5-0x0000000005980000-0x0000000005981000-memory.dmp   Filesize: 4KB
memory/1924-6-0x0000000005340000-0x0000000005341000-memory.dmp   Filesize: 4KB
memory/1924-7-0x00000000053E0000-0x00000000053E1000-memory.dmp   Filesize: 4KB
memory/1924-8-0x0000000005460000-0x000000000546E000-memory.dmp   Filesize: 56KB
memory/1924-9-0x00000000060E0000-0x000000000615A000-memory.dmp   Filesize: 488KB
memory/1924-10-0x0000000006200000-0x0000000006201000-memory.dmp  Filesize: 4KB
memory/1924-2-0x0000000073900000-0x0000000073FEE000-memory.dmp   Filesize: 6.9MB
memory/1988-15-0x0000000000000000-mapping.dmp
memory/1988-16-0x0000000000E00000-0x00000000010FC000-memory.dmp  Filesize: 3.0MB
memory/1988-17-0x0000000000E00000-0x00000000010FC000-memory.dmp  Filesize: 3.0MB
memory/2744-18-0x0000000000000000-mapping.dmp
memory/2844-11-0x0000000000000000-mapping.dmp
memory/3552-13-0x0000000000400000-0x0000000000429000-memory.dmp  Filesize: 164KB
memory/3552-14-0x000000000041D0C0-mapping.dmp