Analysis
-
max time kernel
151s -
max time network
152s -
platform
windows10_x64 -
resource
win10-en-20211104 -
submitted
08-12-2021 14:22
Static task
static1
Behavioral task
behavioral1
Sample
vbc.exe
Resource
win7-en-20211104
General
-
Target
vbc.exe
-
Size
647KB
-
MD5
69d6376700fcedd8295c6736ac7a121a
-
SHA1
f2b84b76afd3e3c47be10841e7532cf8092564d5
-
SHA256
cd1a6d25a6ecd13b937b860ddbe024fa1927d9ca766121d54eac046c5511cad4
-
SHA512
b1d39422cd39db688d15701171932a49b93f6e1b3dd34e5113e961ec7c89fc2820c4a7a2c049ecdbf54dfe0aff0eecf2c20c74688c0b352bfbdd62eb6f63747b
Malware Config
Extracted
xloader
2.5
ea0r
http://www.asiapubz-hk.com/ea0r/
Signatures
-
Xloader Payload 3 IoCs
Resources:
resource                                                                      yara_rule
behavioral2/memory/2740-119-0x0000000000400000-0x0000000000429000-memory.dmp  xloader
behavioral2/memory/2740-120-0x000000000041D410-mapping.dmp                    xloader
behavioral2/memory/3680-127-0x00000000023C0000-0x00000000023E9000-memory.dmp  xloader
-
Loads dropped DLL 1 IoCs
Processes:
pid   process
2396  vbc.exe
-
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
description                          pid   process       target process
PID 2396 set thread context of 2740  2396  vbc.exe       vbc.exe
PID 2740 set thread context of 3016  2740  vbc.exe       Explorer.EXE
PID 3680 set thread context of 3016  3680  ipconfig.exe  Explorer.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
Processes:
pid   process
3680  ipconfig.exe
-
Suspicious behavior: EnumeratesProcesses 60 IoCs
Processes:
pid   process
2740  vbc.exe       (4 entries)
3680  ipconfig.exe  (all remaining entries; 60 IoCs in total)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid   process
3016  Explorer.EXE
-
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
pid   process
2740  vbc.exe       (3 entries)
3680  ipconfig.exe  (2 entries)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description              pid   process
Token: SeDebugPrivilege  2740  vbc.exe
Token: SeDebugPrivilege  3680  ipconfig.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description                        pid   process       target process
PID 2396 wrote to memory of 2740   2396  vbc.exe       vbc.exe        (6 entries)
PID 3016 wrote to memory of 3680   3016  Explorer.EXE  ipconfig.exe   (3 entries)
PID 3680 wrote to memory of 3832   3680  ipconfig.exe  cmd.exe        (3 entries)
Processes
-
1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\vbc.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\vbc.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\SysWOW64\ipconfig.exe
      Command line: "C:\Windows\SysWOW64\ipconfig.exe"
      - Suspicious use of SetThreadContext
      - Gathers network information
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: /c del "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
Downloads
-
\Users\Admin\AppData\Local\Temp\nstC006.tmp\extrjocw.dll
MD5     feab530e81c9419011fd3c83790c93ca
SHA1    4421a6f114b3286fd512ff0130efbf56c0831be9
SHA256  c4cd4677caae8f56cf40d561167fff7734425a53d08109faab11bd958d4629df
SHA512  d2c781d4c01146f0f4f7ca5a0cadc856ac91dbbbd598f4b2bd3298daa4e8641bc61a7149c1b89c46443bc2b8d050766be2176f0c1fc393d34a2d8b6329caf5da
-
memory/2740-119-0x0000000000400000-0x0000000000429000-memory.dmp
Filesize  164KB
-
memory/2740-120-0x000000000041D410-mapping.dmp
-
memory/2740-122-0x0000000000A30000-0x0000000000D50000-memory.dmp
Filesize  3.1MB
-
memory/2740-123-0x00000000009F0000-0x0000000000A01000-memory.dmp
Filesize  68KB
-
memory/3016-131-0x0000000003180000-0x0000000003272000-memory.dmp
Filesize  968KB
-
memory/3016-124-0x0000000001380000-0x000000000144E000-memory.dmp
Filesize  824KB
-
memory/3680-125-0x0000000000000000-mapping.dmp
-
memory/3680-126-0x0000000000040000-0x000000000004B000-memory.dmp
Filesize  44KB
-
memory/3680-128-0x0000000002C50000-0x0000000002F70000-memory.dmp
Filesize  3.1MB
-
memory/3680-130-0x0000000002A00000-0x0000000002A90000-memory.dmp
Filesize  576KB
-
memory/3680-127-0x00000000023C0000-0x00000000023E9000-memory.dmp
Filesize  164KB
-
memory/3832-129-0x0000000000000000-mapping.dmp