Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 26-08-2021 16:39

Static task: static1
Behavioral task: behavioral1
- Sample: vbc.exe
- Resource: win7v20210408
General
- Target: vbc.exe
- Size: 694KB
- MD5: 47fa27443cb1abe987ca9f653754b6d0
- SHA1: 886a56f419a6e4bc65c603089ee9e9d4f6ad7a54
- SHA256: a9010421ea97c10ab6147e6c5077fab296030b13c26b6645502b6165e2e9d4db
- SHA512: 7dd0b2d5a3716a7ea88f4ca621dc55ec5e3d8a7111e3f373d4631dcdb17c858753e2c55e1723e8c16501ba0d86cc2778cb01bf3ffb791563aa014ef94142e4ac
Malware Config
Extracted
- Family: xloader
- Version: 2.3
- Campaign ID: ecuu (also visible as the path segment of the C2 URL)
- C2: http://www.polaritelibrairie.com/ecuu/
- Decoy domains (FormBook/XLoader beacons to these alongside the real C2 to hide it; most are unrelated live sites, so treat them as context, not as a blocklist):
buoy8boats.com
tomrings.com
o-distribs.com
majesticgroupinc.com
tehridam.com
yzwjtoys.com
castro-online.run
aquarius-twins.com
jamesrrossfineart.com
pavarasupatthonkol.com
rivermarketdentistry.com
gyiblrjd.icu
redcountrypodcast.com
youngbrotherspharmacyga.com
betsysobiech.com
neocleanpro.com
ingpatrimoine.com
mustangsallytransportation.com
jsvfcxzn.com
krsfpjuoekcd.info
cricutcutfiles.club
fjucurta.com
soberrituals.com
mercamoderna.com
empirerack.com
poorwhitetrashlivesmatter.net
the-boardroom-usa.com
boldgroupghana.com
stathotshots.com
workabhaile.com
drgigadvisors.com
tfqvslhlh.club
meo6.com
myreti.com
tasteofourneighborhood.com
manufacturedinjapan.com
listenstech.com
jdcloud-neucampus.com
westgateoptometry.store
sourcefirstconsulting.com
xmasmobitvbuy.com
blackhillsfarmtn.com
georgiaforless.com
enovexcorp.com
nxtelligence.com
emotionalgangster.com
chainsawsparts.com
dplqyz.com
lossaboresdemama.com
805thaifood.com
safeandsoundyachtservices.com
grandparentsandkids.com
catalystdentalallies.com
keplersark.com
desrefuses.com
comerciolimited.com
cotonslife.com
pegasusf.xyz
rocketmortgagedeceit.com
mypartydelivered.com
gvassummit2020.com
thefamilybubble.com
lgjccz.com
donnaquerns.com
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET) (2 alerts; XLoader is the rebranded FormBook and the ET rule keeps the older name)
-
Xloader Payload 3 IoCs
Processes (resource: yara rule):
- behavioral2/memory/3632-119-0x0000000000000000-mapping.dmp: xloader
- behavioral2/memory/3632-128-0x0000000010410000-0x0000000010439000-memory.dmp: xloader
- behavioral2/memory/3972-134-0x0000000002DB0000-0x0000000002DD9000-memory.dmp: xloader
Uses the VBS compiler for execution 1 TTPs (triggered by the sample's file name, vbc.exe, which is the name of the .NET Visual Basic compiler; here it is the dropped payload in %TEMP%, not the real compiler)
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
- vbc.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zpxtgza = "C:\Users\Public\Libraries\azgtxpZ.url"
Suspicious use of SetThreadContext 2 IoCs
Processes (caller PID -> target PID, caller image -> target image):
- 3632 -> 1700, dialer.exe -> Explorer.EXE
- 3972 -> 1700, rundll32.exe -> Explorer.EXE
Modifies registry key 1 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 56 IoCs
Processes:
- 3632 dialer.exe (4 entries)
- 3972 rundll32.exe (52 entries)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
- 1700 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
- 3632 dialer.exe (3 entries)
- 3972 rundll32.exe (2 entries)
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
- Token: SeDebugPrivilege, 3632 dialer.exe
- Token: SeDebugPrivilege, 3972 rundll32.exe
- Token: SeShutdownPrivilege, 1700 Explorer.EXE (3 entries)
- Token: SeCreatePagefilePrivilege, 1700 Explorer.EXE (3 entries)
Suspicious use of UnmapMainImage 1 IoCs
Processes:
- 1700 Explorer.EXE
Suspicious use of WriteProcessMemory 33 IoCs
Processes (writer PID -> target PID, writer image -> target image, number of entries):
- 4092 -> 3632, vbc.exe -> dialer.exe (6)
- 4092 -> 2108, vbc.exe -> cmd.exe (3)
- 2108 -> 1348, cmd.exe -> cmd.exe (3)
- 1348 -> 4040, cmd.exe -> reg.exe (3)
- 1348 -> 3084, cmd.exe -> reg.exe (3)
- 1348 -> 2420, cmd.exe -> schtasks.exe (3)
- 1700 -> 3972, Explorer.EXE -> rundll32.exe (3)
- 3972 -> 2736, rundll32.exe -> cmd.exe (3)
- 4092 -> 2856, vbc.exe -> cmd.exe (3)
- 2856 -> 2700, cmd.exe -> reg.exe (3)
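The WriteProcessMemory and SetThreadContext rows are printed by the sandbox as one run-on line, which hides the two facts an analyst wants from them: which writes are just a parent launching a child, and which are injection. The following is an added Python example (mine, not code from the sandbox report or from any tool it names) that parses the report's own `PID … wrote to memory of …` / `PID … set thread context of …` record format, rebuilds the parent/child tree from the writers, flags the writer/target pair that received more writes than an ordinary launch (six into dialer.exe against three for every other child in this report), and lists SetThreadContext calls aimed at a PID the caller never created (both go into Explorer.EXE). The input is rebuilt from the per-pair counts listed above; the baseline of three writes per child is what this particular report shows, not a universal constant.

```python
import re
from collections import Counter, defaultdict

# Constructed input: the report's WriteProcessMemory rows, rebuilt as the
# single run-on line the sandbox prints, using the per-pair counts given
# above (six writes into dialer.exe, three into every other child).
WPM_LINE = (
    "PID 4092 wrote to memory of 3632 4092 vbc.exe dialer.exe " * 6
    + "PID 4092 wrote to memory of 2108 4092 vbc.exe cmd.exe " * 3
    + "PID 2108 wrote to memory of 1348 2108 cmd.exe cmd.exe " * 3
    + "PID 1348 wrote to memory of 4040 1348 cmd.exe reg.exe " * 3
    + "PID 1348 wrote to memory of 3084 1348 cmd.exe reg.exe " * 3
    + "PID 1348 wrote to memory of 2420 1348 cmd.exe schtasks.exe " * 3
    + "PID 1700 wrote to memory of 3972 1700 Explorer.EXE rundll32.exe " * 3
    + "PID 3972 wrote to memory of 2736 3972 rundll32.exe cmd.exe " * 3
    + "PID 4092 wrote to memory of 2856 4092 vbc.exe cmd.exe " * 3
    + "PID 2856 wrote to memory of 2700 2856 cmd.exe reg.exe " * 3
)
# The two SetThreadContext rows from the report, verbatim.
STC_LINE = (
    "PID 3632 set thread context of 1700 3632 dialer.exe Explorer.EXE "
    "PID 3972 set thread context of 1700 3972 rundll32.exe Explorer.EXE"
)

# One record: "PID <src> <verb> <dst> <src again> <src image> <dst image>"
ROW = re.compile(
    r"PID (\d+) (wrote to memory of|set thread context of) (\d+) \d+ (\S+) (\S+)"
)


def parse_rows(text):
    """Count (src_pid, dst_pid, src_image, dst_image) tuples in a run-on line."""
    return Counter((int(s), int(d), si, di) for s, _, d, si, di in ROW.findall(text))


def build_tree(wpm):
    """Parent -> ordered children, plus pid -> image name.

    The sandbox records the parent writing into a freshly created child, so
    the first writer of a new PID is taken as its parent. vbc.exe itself was
    started by the sandbox and has no writer, so it shows up as a second root
    next to Explorer.EXE.
    """
    children, names = defaultdict(list), {}
    for (src, dst, simg, dimg) in wpm:
        names.setdefault(src, simg)
        names.setdefault(dst, dimg)
        if dst not in children[src]:
            children[src].append(dst)
    return children, names


def roots(children):
    """PIDs that write to others but were never written to themselves."""
    seen = {c for cs in children.values() for c in cs}
    return [p for p in children if p not in seen]


def render(children, names, pid, depth=0, out=None):
    """Indented text tree, one process per line."""
    out = [] if out is None else out
    out.append("  " * depth + f"{names[pid]} (PID {pid})")
    for c in children.get(pid, []):
        render(children, names, c, depth + 1, out)
    return out


def heavy_writers(wpm, baseline=3):
    """Writer/target pairs with more writes than a plain launch needs here.

    The surplus writes are the payload being placed into the host (process
    hollowing); baseline=3 is what this report shows for every ordinary child.
    """
    return {(s, d): n for (s, d, _, _), n in wpm.items() if n > baseline}


def cross_process_context(stc, children):
    """SetThreadContext on a PID the caller did not create: injection into a
    process that already existed (both hits here target Explorer.EXE)."""
    return [(s, si, d, di) for (s, d, si, di) in stc if d not in children.get(s, [])]


if __name__ == "__main__":
    wpm, stc = parse_rows(WPM_LINE), parse_rows(STC_LINE)
    children, names = build_tree(wpm)
    for r in roots(children):
        print("\n".join(render(children, names, r)))
    print("hollowed host(s):", heavy_writers(wpm))
    print("cross-process SetThreadContext:", cross_process_context(stc, children))
```

The same parser works on the SetThreadContext rows because the sandbox prints both with the same column layout; only the verb differs, so a single regex with an alternation covers both.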
Processes (tree depth replaces the sandbox's numeric depth markers; PIDs are taken from the WriteProcessMemory rows above)
- C:\Windows\Explorer.EXE (PID 1700), cmdline: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\vbc.exe (PID 4092), cmdline: "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\dialer.exe (PID 3632), cmdline: C:\Windows\System32\dialer.exe
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe (PID 2108), cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Trast.bat" "
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe (PID 1348), cmdline: C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\reg.exe (PID 4040), cmdline: reg delete hkcu\Environment /v windir /f
          - Modifies registry key
        - C:\Windows\SysWOW64\reg.exe (PID 3084), cmdline: reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM "
          - Modifies registry key
        - C:\Windows\SysWOW64\schtasks.exe (PID 2420), cmdline: schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
    - C:\Windows\SysWOW64\cmd.exe (PID 2856), cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\nest.bat" "
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe (PID 2700), cmdline: reg delete hkcu\Environment /v windir /f
        - Modifies registry key
  - C:\Windows\SysWOW64\rundll32.exe (PID 3972), cmdline: "C:\Windows\SysWOW64\rundll32.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 2736), cmdline: /c del "C:\Windows\SysWOW64\dialer.exe"
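Two parts of the tree above are worth turning into detections. The first is the batch chain under UKO.bat, which is the SilentCleanup UAC bypass: it writes HKCU\Environment\windir to a command line and then runs the scheduled task \Microsoft\Windows\DiskCleanup\SilentCleanup. That task runs with the user's highest available privileges and its action begins with %windir%, which is expanded from the per-user environment at launch, so the attacker's command (here `cmd /c start /min C:\Users\Public\KDECO.bat …`) executes elevated without a prompt; the `&& REM` at the end of the value comments out the remainder of the task's real command line, and the embedded `reg delete` removes the value again afterwards. The second is persistence: a Run value pointing at a .url file under C:\Users\Public\Libraries, a world-writable location that legitimate autostart entries do not use. Below is an added Python example (mine, not the sandbox's or the malware's code) that runs both checks over process-creation and registry-set records transcribed from this report. The record field names are my own and not a Sysmon schema; the SysWOW64 image paths beside System32 command lines are WOW64 file-system redirection, which tells you the sample is 32-bit.

```python
import re

# Constructed process-creation records transcribed from the process tree in
# this report. Field names (pid, ppid, image, cmdline) are mine, not Sysmon's.
PROC_EVENTS = [
    dict(pid=1700, ppid=0, image=r"C:\Windows\Explorer.EXE",
         cmdline=r"C:\Windows\Explorer.EXE"),
    dict(pid=4092, ppid=1700, image=r"C:\Users\Admin\AppData\Local\Temp\vbc.exe",
         cmdline=r'"C:\Users\Admin\AppData\Local\Temp\vbc.exe"'),
    dict(pid=3632, ppid=4092, image=r"C:\Windows\SysWOW64\dialer.exe",
         cmdline=r"C:\Windows\System32\dialer.exe"),
    dict(pid=2108, ppid=4092, image=r"C:\Windows\SysWOW64\cmd.exe",
         cmdline=r'C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Trast.bat" "'),
    dict(pid=1348, ppid=2108, image=r"C:\Windows\SysWOW64\cmd.exe",
         cmdline=r"C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat"),
    dict(pid=4040, ppid=1348, image=r"C:\Windows\SysWOW64\reg.exe",
         cmdline=r"reg delete hkcu\Environment /v windir /f"),
    dict(pid=3084, ppid=1348, image=r"C:\Windows\SysWOW64\reg.exe",
         cmdline=r'reg add hkcu\Environment /v windir /d "cmd /c start /min '
                 r'C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM "'),
    dict(pid=2420, ppid=1348, image=r"C:\Windows\SysWOW64\schtasks.exe",
         cmdline=r"schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I"),
    dict(pid=3972, ppid=1700, image=r"C:\Windows\SysWOW64\rundll32.exe",
         cmdline=r'"C:\Windows\SysWOW64\rundll32.exe"'),
    dict(pid=2736, ppid=3972, image=r"C:\Windows\SysWOW64\cmd.exe",
         cmdline=r'/c del "C:\Windows\SysWOW64\dialer.exe"'),
]

# Constructed registry-set record from the "Adds Run key" row of this report.
REG_EVENTS = [
    dict(pid=4092,
         key=r"\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000"
             r"\Software\Microsoft\Windows\CurrentVersion\Run\Zpxtgza",
         data=r"C:\Users\Public\Libraries\azgtxpZ.url"),
]

# The per-user %windir% override that SilentCleanup will expand.
WINDIR_HIJACK = re.compile(
    r"\breg(?:\.exe)?\s+add\s+hkcu\\environment\s+/v\s+windir\b", re.I)
# Manual start of the auto-elevating Disk Cleanup task.
SILENTCLEANUP = re.compile(
    r"\bschtasks(?:\.exe)?\s+/run\s+.*?/tn\s+\\?microsoft\\windows\\diskcleanup\\silentcleanup\b",
    re.I)
# Script/binary paths embedded in the hijacked value: the actual payload.
PAYLOAD_PATH = re.compile(r'[A-Za-z]:\\[^\s"]+\.(?:bat|cmd|exe|vbs|js|ps1)', re.I)


def lowest_common_ancestor(a, b, by_pid):
    """First PID shared by both parent chains, or None."""
    chain_a, p = [], a
    while p in by_pid:
        chain_a.append(p)
        p = by_pid[p]["ppid"]
    p = b
    while p in by_pid:
        if p in chain_a:
            return p
        p = by_pid[p]["ppid"]
    return None


def detect_silentcleanup_bypass(events):
    """Pair each HKCU\\Environment\\windir write with a SilentCleanup run that
    shares an ancestor other than the desktop shell. Either action alone can
    be legitimate admin activity; the pair under one parent is the bypass."""
    by_pid = {e["pid"]: e for e in events}
    hijacks = [e for e in events if WINDIR_HIJACK.search(e["cmdline"])]
    triggers = [e for e in events if SILENTCLEANUP.search(e["cmdline"])]
    findings = []
    for h in hijacks:
        for t in triggers:
            lca = lowest_common_ancestor(h["pid"], t["pid"], by_pid)
            if lca is None or by_pid[lca]["image"].lower().endswith("explorer.exe"):
                continue  # only the shell in common: not correlated
            findings.append(dict(
                rule="SilentCleanup UAC bypass via HKCU\\Environment\\windir",
                hijack_pid=h["pid"], trigger_pid=t["pid"], common_ancestor=lca,
                payloads=PAYLOAD_PATH.findall(h["cmdline"])))
    return findings


def detect_public_url_runkey(reg_events):
    """Run value whose data is a .url under C:\\Users\\Public."""
    hits = []
    for r in reg_events:
        key, data = r["key"].lower(), r["data"].lower()
        if ("\\currentversion\\run\\" in key and data.endswith(".url")
                and data.startswith("c:\\users\\public\\")):
            hits.append(dict(rule="Run key -> .url in C:\\Users\\Public",
                             pid=r["pid"], value=r["key"].rsplit("\\", 1)[-1],
                             target=r["data"]))
    return hits


if __name__ == "__main__":
    for f in detect_silentcleanup_bypass(PROC_EVENTS) + detect_public_url_runkey(REG_EVENTS):
        print(f)
```

On a real telemetry feed the correlation would also bound the time between the two events and exclude the cleanup `reg delete` from the match, which the regex already does by requiring `add`; the paths pulled from the hijacked value (KDECO.bat here) are the indicators to hunt for next, since the batch file itself is not in this report's download list.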
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Public\Trast.bat
  MD5: 4068c9f69fcd8a171c67f81d4a952a54
  SHA1: 4d2536a8c28cdcc17465e20d6693fb9e8e713b36
  SHA256: 24222300c78180b50ed1f8361ba63cb27316ec994c1c9079708a51b4a1a9d810
  SHA512: a64f9319acc51fffd0491c74dcd9c9084c2783b82f95727e4bfe387a8528c6dcf68f11418e88f1e133d115daf907549c86dd7ad866b2a7938add5225fbb2811d
- C:\Users\Public\UKO.bat
  MD5: eaf8d967454c3bbddbf2e05a421411f8
  SHA1: 6170880409b24de75c2dc3d56a506fbff7f6622c
  SHA256: f35f2658455a2e40f151549a7d6465a836c33fa9109e67623916f889849eac56
  SHA512: fe5be5c673e99f70c93019d01abb0a29dd2ecf25b2d895190ff551f020c28e7d8f99f65007f440f0f76c5bcac343b2a179a94d190c938ea3b9e1197890a412e9
- C:\Users\Public\nest.bat
  MD5: 8ada51400b7915de2124baaf75e3414c
  SHA1: 1a7b9db12184ab7fd7fce1c383f9670a00adb081
  SHA256: 45aa3957c29865260a78f03eef18ae9aebdbf7bea751ecc88be4a799f2bb46c7
  SHA512: 9afc138157a4565294ca49942579cdb6f5d8084e56f9354738de62b585f4c0fa3e7f2cbc9541827f2084e3ff36c46eed29b46f5dd2444062ffcd05c599992e68
- memory/1348-122-0x0000000000000000-mapping.dmp
- memory/1700-141-0x0000000006300000-0x0000000006398000-memory.dmp (Filesize: 608KB)
- memory/1700-131-0x0000000006230000-0x00000000062F2000-memory.dmp (Filesize: 776KB)
- memory/2108-120-0x0000000000000000-mapping.dmp
- memory/2420-126-0x0000000000000000-mapping.dmp
- memory/2700-139-0x0000000000000000-mapping.dmp
- memory/2736-136-0x0000000000000000-mapping.dmp
- memory/2856-137-0x0000000000000000-mapping.dmp
- memory/3084-125-0x0000000000000000-mapping.dmp
- memory/3632-127-0x0000000000960000-0x0000000000961000-memory.dmp (Filesize: 4KB)
- memory/3632-130-0x0000000000E30000-0x0000000000E40000-memory.dmp (Filesize: 64KB)
- memory/3632-129-0x0000000004AF0000-0x0000000004E10000-memory.dmp (Filesize: 3.1MB)
- memory/3632-119-0x0000000000000000-mapping.dmp
- memory/3632-128-0x0000000010410000-0x0000000010439000-memory.dmp (Filesize: 164KB)
- memory/3972-134-0x0000000002DB0000-0x0000000002DD9000-memory.dmp (Filesize: 164KB)
- memory/3972-135-0x0000000004D60000-0x0000000005080000-memory.dmp (Filesize: 3.1MB)
- memory/3972-133-0x0000000000B90000-0x0000000000BA3000-memory.dmp (Filesize: 76KB)
- memory/3972-132-0x0000000000000000-mapping.dmp
- memory/3972-140-0x0000000004BC0000-0x0000000004C4F000-memory.dmp (Filesize: 572KB)
- memory/4040-124-0x0000000000000000-mapping.dmp
- memory/4092-114-0x0000000000610000-0x0000000000611000-memory.dmp (Filesize: 4KB)
- memory/4092-116-0x0000000000630000-0x000000000064B000-memory.dmp (Filesize: 108KB)