Analysis
- max time kernel: 154s
- max time network: 165s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 24-09-2021 10:12
Static task: static1
Behavioral task: behavioral1
Sample: vbc.exe
Resource: win7v20210408
General
- Target: vbc.exe
- Size: 421KB
- MD5: 859a1a6574e4a09027f729908318b282
- SHA1: bf7c9e96ca263d7811f7357f8645af42b04c093b
- SHA256: d84f2a05198d85dd6f2bf606fe6e24f7ca929cff9796d6b7f269bb8e7cf8b2a7
- SHA512: 4163390db6bf2d8f66e8575e8d116df222e8d72b97037eca614fdb2d94d8cd686c31eb4593ce1164dfc398fe03a7b3ac97bfee61fc2e3ddb27e566c39cb234ec
Malware Config
Extracted
- Family: xloader
- Version: 2.5
- Campaign: arup
- C2: http://www.sapphiretype.com/arup/
- Decoy domains:
mezonpezon.com
bellapbd.com
xn--2kr800ab2z.group
cupecoysuites.com
extractselect.com
cherrycooky.com
reshawna.com
bluewinetours.com
dez2fly.com
washedproductions.com
om-asahi-kasei-jp.com
talkingpoint.tours
avaspacecompany.com
fbtvmall.com
trocaoferta.com
mionegozio.com
reitschuetz.com
basepicks.com
networkagricity.com
kastore.club
groovydeer.com
realisa.net
891708.com
naveenachittibiyina.com
guizhouawj.com
royaltortoisecookieco.online
scubafarm.com
sibo.care
rapi-vet.com
metaid.website
shadoworksart.com
gratitudegalore.com
penhal.com
fetch-an-us-itchy.zone
melisaakyolicmimarlik.com
yiweise.com
sofasstorremolinos.com
rfanil.com
metaverselemon.com
theholidaymovieplanner.com
n4sins.com
fortcor.com
galaxysingle.com
gzwqpsyj.com
azur-riviera-rental.com
bharathpaperbagmachine.com
pinup722bk.com
darkness.global
theihearthotel.com
wecowork.net
big-thoughtconsulting.com
ricartepinlac.com
beatsingh.com
xn--e6qg25lq0kdudqy7g.com
zkingstore.com
gd83574.com
jiajssie.xyz
patientempowered.care
tiannuoxxrp.top
itsnalab.com
ioumal.com
bellinghamapartment.com
sakibotchi.com
jessicapets.com
Signatures
-
Xloader Payload 3 IoCs
Processes:
resource                                                                    yara_rule
behavioral2/memory/2252-125-0x0000000000400000-0x0000000000429000-memory.dmp  xloader
behavioral2/memory/2252-126-0x000000000041D4B0-mapping.dmp                    xloader
behavioral2/memory/3820-135-0x0000000002F40000-0x0000000002F69000-memory.dmp  xloader
Note: the two xloader-tagged image regions are both 0x29000 bytes (164KB), one in the hollowed vbc.exe child (PID 2252, at its image base 0x400000) and one in msiexec.exe (PID 3820, at 0x2F40000), so the same payload image is present in both processes; the 0x41D4B0 mapping is the entry point recorded in 2252.
-
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
description                          pid   process      target process
PID 2284 set thread context of 2252  2284  vbc.exe      vbc.exe
PID 2252 set thread context of 3028  2252  vbc.exe      Explorer.EXE
PID 3820 set thread context of 3028  3820  msiexec.exe  Explorer.EXE
-
Suspicious behavior: EnumeratesProcesses 40 IoCs
Processes:
pid   process      rows
2252  vbc.exe      4
3820  msiexec.exe  36
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid   process
3028  Explorer.EXE
-
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
pid   process      rows
2252  vbc.exe      3
3820  msiexec.exe  2
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description              pid   process
Token: SeDebugPrivilege  2252  vbc.exe
Token: SeDebugPrivilege  3820  msiexec.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description                       pid   process       target process  rows
PID 2284 wrote to memory of 2252  2284  vbc.exe       vbc.exe         6
PID 3028 wrote to memory of 3820  3028  Explorer.EXE  msiexec.exe     3
PID 3820 wrote to memory of 3088  3820  msiexec.exe   cmd.exe         3
Note: a parent writing into a child it has just created (Explorer.EXE -> msiexec.exe, msiexec.exe -> cmd.exe) also produces rows in this table during ordinary process creation, so write-only rows need corroboration. The 2284 -> 2252 rows are the ones that pair with a SetThreadContext row above, which is the process-hollowing pattern; the SetThreadContext rows into Explorer.EXE have no matching write, which is consistent with the payload being placed through the MapViewOfSection activity recorded for the same PIDs.
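The signature tables above record the injection chain only as flat rows. The following Python is an added example, not part of the Triage report or of the sample, that reconstructs the chain from rows in that format and labels the patterns a responder cares about: the 2284 -> 2252 hollowing, the SetThreadContext-only injections into Explorer.EXE, the write-only parent/child rows that ordinary process creation also produces, and the cmd.exe /c del self-deletion of the original dropper. The PIDs, image paths, command line and event lines are constructed from this report's tables; the pattern labels and the row format assumed by the parser are this example's own.

```python
import re
from collections import defaultdict

# Constructed input for this example: PIDs, image paths and the cmd.exe command
# line are copied from the report's process tree; EVENTS mimics the
# "description" column of the SetThreadContext / WriteProcessMemory tables.
IMAGES = {
    2284: r"C:\Users\Admin\AppData\Local\Temp\vbc.exe",
    2252: r"C:\Users\Admin\AppData\Local\Temp\vbc.exe",
    3028: r"C:\Windows\Explorer.EXE",
    3820: r"C:\Windows\SysWOW64\msiexec.exe",
    3088: r"C:\Windows\SysWOW64\cmd.exe",
}
CMDLINES = {
    3088: r'C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\vbc.exe"',
}
EVENTS = """
PID 2284 set thread context of 2252
PID 2252 set thread context of 3028
PID 3820 set thread context of 3028
PID 2284 wrote to memory of 2252
PID 2284 wrote to memory of 2252
PID 3028 wrote to memory of 3820
PID 3820 wrote to memory of 3088
"""

EVENT_RE = re.compile(r"PID (\d+) (set thread context of|wrote to memory of) (\d+)")


def parse_events(text):
    """Return (source_pid, action, target_pid) tuples; action is 'ctx' or 'write'."""
    out = []
    for m in EVENT_RE.finditer(text):
        action = "ctx" if m.group(2).startswith("set thread") else "write"
        out.append((int(m.group(1)), action, int(m.group(3))))
    return out


def injection_pairs(events):
    """Collapse repeated rows into {(src, dst): set(actions)}, dropping self-targeted rows."""
    pairs = defaultdict(set)
    for src, action, dst in events:
        if src != dst:
            pairs[(src, dst)].add(action)
    return pairs


def classify(pairs, images):
    """Label each source->target pair with the injection pattern its actions match."""
    findings = []
    for (src, dst), actions in sorted(pairs.items()):
        same_image = images.get(src, "").lower() == images.get(dst, "").lower()
        if actions == {"ctx", "write"} and same_image:
            # Write into a suspended child of the same image, then redirect its
            # thread: the classic process-hollowing sequence.
            kind = "process hollowing: WriteProcessMemory + SetThreadContext into a child of the same image"
        elif "ctx" in actions and "write" not in actions:
            # Thread redirected but nothing written via WriteProcessMemory: the
            # payload was placed another way, e.g. a mapped section.
            kind = "thread hijack without WriteProcessMemory: check MapViewOfSection rows for the same PIDs"
        elif actions == {"write"}:
            # Parents write into children they create; this row alone proves nothing.
            kind = "write only: consistent with ordinary process creation by a parent; needs corroboration"
        else:
            kind = "cross-process write + thread context change into a different image"
        findings.append((src, dst, kind))
    return findings


def self_delete_targets(cmdlines, images):
    """Find cmd.exe 'del' commands whose target is the image of a process in the tree."""
    hits = []
    for pid, cmd in cmdlines.items():
        m = re.search(r'\bdel\s+"?([^"]+?)"?\s*$', cmd, re.IGNORECASE)
        if not m:
            continue
        target = m.group(1).lower()
        victims = sorted(p for p, img in images.items() if img.lower() == target)
        if victims:
            hits.append((pid, target, victims))
    return hits


if __name__ == "__main__":
    for src, dst, kind in classify(injection_pairs(parse_events(EVENTS)), IMAGES):
        print(f"{src} {IMAGES[src]} -> {dst} {IMAGES[dst]}: {kind}")
    for pid, target, victims in self_delete_targets(CMDLINES, IMAGES):
        print(f"{pid} deletes {target}, the image of PIDs {victims}")
```

Run against the rows above, the script reports the 2284 -> 2252 pair as hollowing, both SetThreadContext rows into Explorer.EXE (3028) as thread hijacks without a matching write, the Explorer.EXE -> msiexec.exe and msiexec.exe -> cmd.exe rows as write-only, and flags that cmd.exe (3088) deletes the image both vbc.exe processes were running from.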
Processes
[1] C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\vbc.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\vbc.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\msiexec.exe
      Command line: "C:\Windows\SysWOW64\msiexec.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: /c del "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/2252-125-0x0000000000400000-0x0000000000429000-memory.dmp (164KB)
- memory/2252-128-0x0000000001810000-0x0000000001821000-memory.dmp (68KB)
- memory/2252-127-0x00000000012E0000-0x0000000001600000-memory.dmp (3.1MB)
- memory/2252-126-0x000000000041D4B0-mapping.dmp
- memory/2284-121-0x0000000007A10000-0x0000000007A11000-memory.dmp (4KB)
- memory/2284-117-0x0000000005A10000-0x0000000005A11000-memory.dmp (4KB)
- memory/2284-122-0x0000000005720000-0x0000000005724000-memory.dmp (16KB)
- memory/2284-123-0x0000000007D10000-0x0000000007D6C000-memory.dmp (368KB)
- memory/2284-124-0x00000000059D0000-0x00000000059FC000-memory.dmp (176KB)
- memory/2284-120-0x00000000054F0000-0x00000000054F1000-memory.dmp (4KB)
- memory/2284-119-0x0000000005510000-0x0000000005A0E000-memory.dmp (5.0MB)
- memory/2284-118-0x00000000055B0000-0x00000000055B1000-memory.dmp (4KB)
- memory/2284-115-0x0000000000C60000-0x0000000000C61000-memory.dmp (4KB)
- memory/3028-129-0x0000000004E20000-0x0000000004FA9000-memory.dmp (1.5MB)
- memory/3028-138-0x0000000006350000-0x000000000649D000-memory.dmp (1.3MB)
- memory/3088-133-0x0000000000000000-mapping.dmp
- memory/3820-130-0x0000000000000000-mapping.dmp
- memory/3820-135-0x0000000002F40000-0x0000000002F69000-memory.dmp (164KB)
- memory/3820-134-0x0000000000C30000-0x0000000000C42000-memory.dmp (72KB)
- memory/3820-136-0x00000000050C0000-0x00000000053E0000-memory.dmp (3.1MB)
- memory/3820-137-0x00000000034F0000-0x0000000003580000-memory.dmp (576KB)