Analysis
- max time kernel: 150s
- max time network: 157s
- platform: windows7_x64
- resource: win7-en-20211104
- submitted: 08-12-2021 14:22
- Static task: static1
- Behavioral task: behavioral1
- Sample: vbc.exe
- Resource: win7-en-20211104
General
- Target: vbc.exe
- Size: 647KB
- MD5: 69d6376700fcedd8295c6736ac7a121a
- SHA1: f2b84b76afd3e3c47be10841e7532cf8092564d5
- SHA256: cd1a6d25a6ecd13b937b860ddbe024fa1927d9ca766121d54eac046c5511cad4
- SHA512: b1d39422cd39db688d15701171932a49b93f6e1b3dd34e5113e961ec7c89fc2820c4a7a2c049ecdbf54dfe0aff0eecf2c20c74688c0b352bfbdd62eb6f63747b
Malware Config
Extracted
xloader
2.5
ea0r
http://www.asiapubz-hk.com/ea0r/
Signatures
-
Xloader Payload 3 IoCs
Processes (resource, yara_rule):
- behavioral1/memory/1296-57-0x0000000000400000-0x0000000000429000-memory.dmp: xloader
- behavioral1/memory/1296-58-0x000000000041D410-mapping.dmp: xloader
- behavioral1/memory/1656-66-0x00000000000C0000-0x00000000000E9000-memory.dmp: xloader
-
Deletes itself 1 IoCs
Processes (pid, process):
- 824 cmd.exe
-
Loads dropped DLL 1 IoCs
Processes (pid, process):
- 792 vbc.exe
-
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 3 IoCs
Processes (description, pid, process, target process):
- PID 792 set thread context of 1296: vbc.exe -> vbc.exe
- PID 1296 set thread context of 1396: vbc.exe -> Explorer.EXE
- PID 1656 set thread context of 1396: msdt.exe -> Explorer.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 29 IoCs
Processes (pid, process):
- 1296 vbc.exe (2 entries)
- 1656 msdt.exe (27 entries)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes (pid, process):
- 1396 Explorer.EXE
-
Suspicious behavior: MapViewOfSection 5 IoCs
Processes (pid, process):
- 1296 vbc.exe (3 entries)
- 1656 msdt.exe (2 entries)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes (description, pid, process):
- Token: SeDebugPrivilege, 1296 vbc.exe
- Token: SeDebugPrivilege, 1656 msdt.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes (pid, process):
- 1396 Explorer.EXE (2 entries)
-
Suspicious use of SendNotifyMessage 2 IoCs
Processes (pid, process):
- 1396 Explorer.EXE (2 entries)
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes (description, pid, process, target process):
- PID 792 wrote to memory of 1296: vbc.exe -> vbc.exe (7 entries)
- PID 1396 wrote to memory of 1656: Explorer.EXE -> msdt.exe (4 entries)
- PID 1656 wrote to memory of 824: msdt.exe -> cmd.exe (4 entries)
Processes
-
C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE, tree level 1)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\vbc.exe (command line: "C:\Users\Admin\AppData\Local\Temp\vbc.exe", tree level 2)
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\vbc.exe (command line: "C:\Users\Admin\AppData\Local\Temp\vbc.exe", tree level 3)
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\msdt.exe (command line: "C:\Windows\SysWOW64\msdt.exe", tree level 2)
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe (command line: /c del "C:\Users\Admin\AppData\Local\Temp\vbc.exe", tree level 3)
- Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
\Users\Admin\AppData\Local\Temp\nsnDD26.tmp\extrjocw.dll
- MD5: feab530e81c9419011fd3c83790c93ca
- SHA1: 4421a6f114b3286fd512ff0130efbf56c0831be9
- SHA256: c4cd4677caae8f56cf40d561167fff7734425a53d08109faab11bd958d4629df
- SHA512: d2c781d4c01146f0f4f7ca5a0cadc856ac91dbbbd598f4b2bd3298daa4e8641bc61a7149c1b89c46443bc2b8d050766be2176f0c1fc393d34a2d8b6329caf5da
-
memory/792-55-0x00000000760C1000-0x00000000760C3000-memory.dmp (Filesize 8KB)
-
memory/824-67-0x0000000000000000-mapping.dmp
-
memory/1296-61-0x0000000000580000-0x0000000000591000-memory.dmp (Filesize 68KB)
-
memory/1296-60-0x0000000000700000-0x0000000000A03000-memory.dmp (Filesize 3.0MB)
-
memory/1296-58-0x000000000041D410-mapping.dmp
-
memory/1296-57-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize 164KB)
-
memory/1396-62-0x0000000006C50000-0x0000000006D9E000-memory.dmp (Filesize 1.3MB)
-
memory/1396-70-0x0000000007250000-0x0000000007374000-memory.dmp (Filesize 1.1MB)
-
memory/1656-63-0x0000000000000000-mapping.dmp
-
memory/1656-65-0x0000000000D00000-0x0000000000DF4000-memory.dmp (Filesize 976KB)
-
memory/1656-66-0x00000000000C0000-0x00000000000E9000-memory.dmp (Filesize 164KB)
-
memory/1656-68-0x0000000002200000-0x0000000002503000-memory.dmp (Filesize 3.0MB)
-
memory/1656-69-0x0000000000B70000-0x0000000000C00000-memory.dmp (Filesize 576KB)