Analysis
- max time kernel: 160s
- max time network: 162s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 02-12-2021 10:58
- Static task: static1
- Behavioral task: behavioral1
- Sample: vbc.exe
- Resource: win7-en-20211104
General
- Target: vbc.exe
- Size: 356KB
- MD5: 8b7820fd7d45dcd564fb92db1ebe9295
- SHA1: c383a24a84143123f120f754bb0877b91628ff5b
- SHA256: c1657f01ccef85f3f46740a96704bc5dccfb4cf8fc9ac09abcfd7aa6660448f7
- SHA512: 96ffc3d1d785035b47342b700d2930cf4daee597d02e97310a53be8baa819b403dbd96e82470fa0483f5bb442728c4e0eb352ebca0945070a49013451c441590
Malware Config
Extracted
- Family: xloader
- Version: 2.5
- Campaign: ea0r
- C2: http://www.asiapubz-hk.com/ea0r/
- Decoy domains: (list omitted)
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Xloader Payload 4 IoCs
Processes (resource, yara_rule):
- behavioral2/memory/296-119-0x0000000000400000-0x0000000000429000-memory.dmp: xloader
- behavioral2/memory/296-120-0x000000000041D410-mapping.dmp: xloader
- behavioral2/memory/768-127-0x0000000000A80000-0x0000000000AA9000-memory.dmp: xloader
- behavioral2/memory/768-129-0x0000000000AE0000-0x0000000000C2A000-memory.dmp: xloader
-
Loads dropped DLL 1 IoCs
Processes (pid, process):
- 2684 vbc.exe
-
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 3 IoCs
Processes (description, pid, process, target process):
- PID 2684 set thread context of 296: 2684 vbc.exe -> vbc.exe
- PID 296 set thread context of 3008: 296 vbc.exe -> Explorer.EXE
- PID 768 set thread context of 3008: 768 NETSTAT.EXE -> Explorer.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
Processes (pid, process):
- 768 NETSTAT.EXE
-
Suspicious behavior: EnumeratesProcesses 60 IoCs
Processes (pid, process):
- 296 vbc.exe (4 entries)
- 768 NETSTAT.EXE (56 entries)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes (pid, process):
- 3008 Explorer.EXE
-
Suspicious behavior: MapViewOfSection 5 IoCs
Processes (pid, process):
- 296 vbc.exe (3 entries)
- 768 NETSTAT.EXE (2 entries)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes (description, pid, process):
- Token: SeDebugPrivilege, 296 vbc.exe
- Token: SeDebugPrivilege, 768 NETSTAT.EXE
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes (description, pid, process, target process):
- PID 2684 wrote to memory of 296: 2684 vbc.exe -> vbc.exe (6 entries)
- PID 3008 wrote to memory of 768: 3008 Explorer.EXE -> NETSTAT.EXE (3 entries)
- PID 768 wrote to memory of 1108: 768 NETSTAT.EXE -> cmd.exe (3 entries)
Processes
- [1] C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\vbc.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\vbc.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\NETSTAT.EXE
    Command line: "C:\Windows\SysWOW64\NETSTAT.EXE"
    - Suspicious use of SetThreadContext
    - Gathers network information
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\nsq4EF.tmp\ancprnfrgdi.dll
  - MD5: 43e23cb30db04f30af162414f5fcb084
  - SHA1: 2f8db11d592b1b28d56f9ba4e8666af458100a3b
  - SHA256: 94f51bd2bafd932f5c3ae824f2a2f93be2978c6b7c194f4f39231bce3ac7fac4
  - SHA512: cb1ec23a47939760f6fd6e2e090124bf89c89190ed6cfe634274fdcded11fa868b7ca0c7379ec1452339e4c361a6c052f3bca9dfb44595309af02cfe16fa9daf
- memory/296-119-0x0000000000400000-0x0000000000429000-memory.dmp
  - Filesize: 164KB
- memory/296-120-0x000000000041D410-mapping.dmp
- memory/296-121-0x0000000000960000-0x0000000000C80000-memory.dmp
  - Filesize: 3.1MB
- memory/296-123-0x00000000008E0000-0x00000000008F1000-memory.dmp
  - Filesize: 68KB
- memory/768-125-0x0000000000000000-mapping.dmp
- memory/768-127-0x0000000000A80000-0x0000000000AA9000-memory.dmp
  - Filesize: 164KB
- memory/768-126-0x0000000000FD0000-0x0000000000FDB000-memory.dmp
  - Filesize: 44KB
- memory/768-129-0x0000000000AE0000-0x0000000000C2A000-memory.dmp
  - Filesize: 1.3MB
- memory/768-130-0x0000000002FE0000-0x0000000003070000-memory.dmp
  - Filesize: 576KB
- memory/1108-128-0x0000000000000000-mapping.dmp
- memory/3008-124-0x0000000003130000-0x000000000320B000-memory.dmp
  - Filesize: 876KB
- memory/3008-131-0x0000000005AE0000-0x0000000005C34000-memory.dmp
  - Filesize: 1.3MB