Analysis
Max time kernel: 150s
Max time network: 144s
Platform: windows7_x64
Resource: win7-en-20211104
Submitted: 07-12-2021 14:06

Static task: static1
Behavioral task: behavioral1
Sample: vbc.exe
Resource: win7-en-20211104

General
Target: vbc.exe
Size: 515KB
MD5: a8538dba14e963ac7894257f7466bc06
SHA1: d5de28b9a2f41519f8ae6fc2be6f9ee75569e192
SHA256: 7bfabb3e53f70e2ad39155a8af8d7e27a07ec01b0ba8faed52cb569e4f78142f
SHA512: 04da55fb7dcd87538e284a929b79427bf72241fea7a291f3650853442f889cf21de0352f7a381bae316df852f3b0ea87e5eb9ce8e3e509a27ab34da0b78030ba
Malware Config
Extracted
Family: xloader
Version: 2.5
Campaign ID: ea0r
C2 URL: http://www.asiapubz-hk.com/ea0r/
Signatures
Xloader Payload 3 IoCs
Processes:
  resource                                                                      yara_rule
  behavioral1/memory/900-57-0x0000000000400000-0x0000000000429000-memory.dmp    xloader
  behavioral1/memory/900-58-0x000000000041D410-mapping.dmp                      xloader
  behavioral1/memory/528-65-0x0000000000070000-0x0000000000099000-memory.dmp    xloader
Executes dropped EXE 2 IoCs
Processes:
  pid    process
  1712   updatej2kdyn.exe
  1144   updatej2kdyn.exe
Deletes itself 1 IoCs
Processes:
  pid    process
  1424   cmd.exe
Loads dropped DLL 3 IoCs
Processes:
  pid    process             occurrences
  1316   vbc.exe             1
  1712   updatej2kdyn.exe    2
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Uses the VBS compiler for execution 1 TTPs
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
  description        ioc                                                                                                                                                  process
  Set value (str)    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VLR84HJ0 = "C:\\Program Files (x86)\\Tur4tqruh\\updatej2kdyn.exe"    wscript.exe
  Key created        \Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run                                                                        wscript.exe
Suspicious use of SetThreadContext 4 IoCs
Processes:
  description                            pid    process             target process
  PID 1316 set thread context of 900     1316   vbc.exe             vbc.exe
  PID 900 set thread context of 1412     900    vbc.exe             Explorer.EXE
  PID 528 set thread context of 1412     528    wscript.exe         Explorer.EXE
  PID 1712 set thread context of 1144    1712   updatej2kdyn.exe    updatej2kdyn.exe
Drops file in Program Files directory 2 IoCs
Processes:
  description                     ioc                                                  process
  File opened for modification    C:\Program Files (x86)\Tur4tqruh\updatej2kdyn.exe    wscript.exe
  File created                    C:\Program Files (x86)\Tur4tqruh\updatej2kdyn.exe    Explorer.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
NSIS installer 8 IoCs
Processes:
  resource                                             yara_rule
  C:\Program Files (x86)\Tur4tqruh\updatej2kdyn.exe    nsis_installer_1
  C:\Program Files (x86)\Tur4tqruh\updatej2kdyn.exe    nsis_installer_2
  C:\Program Files (x86)\Tur4tqruh\updatej2kdyn.exe    nsis_installer_1
  C:\Program Files (x86)\Tur4tqruh\updatej2kdyn.exe    nsis_installer_2
  \Program Files (x86)\Tur4tqruh\updatej2kdyn.exe      nsis_installer_1
  \Program Files (x86)\Tur4tqruh\updatej2kdyn.exe      nsis_installer_2
  C:\Program Files (x86)\Tur4tqruh\updatej2kdyn.exe    nsis_installer_1
  C:\Program Files (x86)\Tur4tqruh\updatej2kdyn.exe    nsis_installer_2
Modifies Internet Explorer settings 1 IoCs
Processes:
  description    ioc                                                                                                                    process
  Key created    \Registry\User\S-1-5-21-103686315-404690609-2047157615-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2    wscript.exe
Suspicious behavior: EnumeratesProcesses 29 IoCs
Processes:
  pid    process        occurrences
  900    vbc.exe        2
  528    wscript.exe    27
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  pid    process
  1412   Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
  pid    process        occurrences
  900    vbc.exe        3
  528    wscript.exe    3
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
  description                pid    process
  Token: SeDebugPrivilege    900    vbc.exe
  Token: SeDebugPrivilege    528    wscript.exe
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
  pid    process         occurrences
  1412   Explorer.EXE    2
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
  pid    process         occurrences
  1412   Explorer.EXE    2
Suspicious use of WriteProcessMemory 36 IoCs
Processes:
  description                          pid    process             target process      occurrences
  PID 1316 wrote to memory of 900      1316   vbc.exe             vbc.exe             7
  PID 1412 wrote to memory of 528      1412   Explorer.EXE        wscript.exe         4
  PID 528 wrote to memory of 1424      528    wscript.exe         cmd.exe             4
  PID 1412 wrote to memory of 1712     1412   Explorer.EXE        updatej2kdyn.exe    7
  PID 528 wrote to memory of 1376      528    wscript.exe         Firefox.exe         4
  PID 1712 wrote to memory of 1144     1712   updatej2kdyn.exe    updatej2kdyn.exe    10
Processes
Process tree (bracketed number is the nesting depth; each entry lists its image path, command line and triggered signatures):

[1] C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    - Drops file in Program Files directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\vbc.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\vbc.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\SysWOW64\wscript.exe
        Command line: "C:\Windows\SysWOW64\wscript.exe"
        - Adds Run key to start application
        - Suspicious use of SetThreadContext
        - Drops file in Program Files directory
        - Modifies Internet Explorer settings
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: /c del "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
            - Deletes itself

        [3] C:\Program Files\Mozilla Firefox\Firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"

    [2] C:\Program Files (x86)\Tur4tqruh\updatej2kdyn.exe
        Command line: "C:\Program Files (x86)\Tur4tqruh\updatej2kdyn.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory

        [3] C:\Program Files (x86)\Tur4tqruh\updatej2kdyn.exe
            Command line: "C:\Program Files (x86)\Tur4tqruh\updatej2kdyn.exe"
            - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads