Analysis
-
max time kernel
118s -
max time network
118s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
20-12-2021 17:00
Static task
static1
Behavioral task
behavioral1
Sample
tmp/dfcae1cb-68ea-4a4b-bdf3-c951a687982a_vbc.exe
Resource
win7-en-20211208
General
-
Target
tmp/dfcae1cb-68ea-4a4b-bdf3-c951a687982a_vbc.exe
-
Size
359KB
-
MD5
09d20093b28ef892d0a7d3d6a3f09574
-
SHA1
05b357f88e60c31cfa3f4752d0f70dd66aa367b0
-
SHA256
ca63aeb4d3c007faf34aaba889aa142c87642594b5aa6bcac41a2e4aa1c4c807
-
SHA512
19fa0692cedb7f16e1fec497b77be0dd36d22b7f13ce380ddc492075ae69563ee139567fc93c2ceef469893c6d1a0df90863859c128f6de29ce7c1c21f1f5eb7
Malware Config
Extracted
xloader
2.5
fqiq
driventow.com
ipatchwork.today
bolder.equipment
seal-brother.com
mountlaketerraceapartments.com
weeden.xyz
sanlifalan.com
athafood.com
isshinn1.com
creationslazzaroni.com
eclecticrenaissancewoman.com
satellitephonstore.com
cotchildcare.com
yamacorp.digital
ff4cuno43.xyz
quicksticks.community
govindfinance.com
farmersfirstseed.com
megacinema.club
tablescaperendezvous4two.com
ecarehomes.com
floaterslaser.com
benisano.com
saint444.com
thedusi.com
avafxtrade.online
hanenosuke.com
suntioil4u.com
healthyweekendtips.com
24000words.com
ofbchina.net
begukiu0.info
wolmoda.com
mask60.com
4bellemaison.com
mambacustomboats.com
sedsn.com
doggycc.com
kangrungao.com
pharmacistcharisma.com
passiverewardssystems.com
qywyfeo8.xyz
shenjiclass.com
rdoi.top
lavishbynovell.com
fleetton.com
hillcresthomegroup.com
hartfulcleaning.com
srofkansas.com
applebroog.industries
phillytrainers.com
dmc--llc.com
sosoon.store
daysyou.com
controldatasa.com
markarge.com
hirayaawards.com
clinicscluster.com
sophiagunterman.art
kirtansangeet.com
residential.insure
ribbonofficial.com
qianhaijcc.com
fytvankin.quest
esyscoloradosprings.com
Signatures
-
Xloader Payload 2 IoCs
Processes:
resource yara_rule behavioral1/memory/964-56-0x0000000000400000-0x0000000000429000-memory.dmp xloader behavioral1/memory/964-57-0x000000000041D4B0-mapping.dmp xloader -
Loads dropped DLL 1 IoCs
Processes:
dfcae1cb-68ea-4a4b-bdf3-c951a687982a_vbc.exepid process 616 dfcae1cb-68ea-4a4b-bdf3-c951a687982a_vbc.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
dfcae1cb-68ea-4a4b-bdf3-c951a687982a_vbc.exedescription pid process target process PID 616 set thread context of 964 616 dfcae1cb-68ea-4a4b-bdf3-c951a687982a_vbc.exe dfcae1cb-68ea-4a4b-bdf3-c951a687982a_vbc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
dfcae1cb-68ea-4a4b-bdf3-c951a687982a_vbc.exepid process 964 dfcae1cb-68ea-4a4b-bdf3-c951a687982a_vbc.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
dfcae1cb-68ea-4a4b-bdf3-c951a687982a_vbc.exedescription pid process target process PID 616 wrote to memory of 964 616 dfcae1cb-68ea-4a4b-bdf3-c951a687982a_vbc.exe dfcae1cb-68ea-4a4b-bdf3-c951a687982a_vbc.exe PID 616 wrote to memory of 964 616 dfcae1cb-68ea-4a4b-bdf3-c951a687982a_vbc.exe dfcae1cb-68ea-4a4b-bdf3-c951a687982a_vbc.exe PID 616 wrote to memory of 964 616 dfcae1cb-68ea-4a4b-bdf3-c951a687982a_vbc.exe dfcae1cb-68ea-4a4b-bdf3-c951a687982a_vbc.exe PID 616 wrote to memory of 964 616 dfcae1cb-68ea-4a4b-bdf3-c951a687982a_vbc.exe dfcae1cb-68ea-4a4b-bdf3-c951a687982a_vbc.exe PID 616 wrote to memory of 964 616 dfcae1cb-68ea-4a4b-bdf3-c951a687982a_vbc.exe dfcae1cb-68ea-4a4b-bdf3-c951a687982a_vbc.exe PID 616 wrote to memory of 964 616 dfcae1cb-68ea-4a4b-bdf3-c951a687982a_vbc.exe dfcae1cb-68ea-4a4b-bdf3-c951a687982a_vbc.exe PID 616 wrote to memory of 964 616 dfcae1cb-68ea-4a4b-bdf3-c951a687982a_vbc.exe dfcae1cb-68ea-4a4b-bdf3-c951a687982a_vbc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\tmp\dfcae1cb-68ea-4a4b-bdf3-c951a687982a_vbc.exe"C:\Users\Admin\AppData\Local\Temp\tmp\dfcae1cb-68ea-4a4b-bdf3-c951a687982a_vbc.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tmp\dfcae1cb-68ea-4a4b-bdf3-c951a687982a_vbc.exe"C:\Users\Admin\AppData\Local\Temp\tmp\dfcae1cb-68ea-4a4b-bdf3-c951a687982a_vbc.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
\Users\Admin\AppData\Local\Temp\nstF690.tmp\pcvjcsta.dllMD5
ef8062b63953fcd3f681f2be88a4da2a
SHA164c477af7e0c75a8c86aa9a467431288128ef602
SHA256d1e1f757445aa460b95e7b7cd1144a9db3e0bc017aba1ca1dfb6314c69619e89
SHA512c687adf84718cb5835d74fc4ba8460ec209286c10e65b221a61120fde9d7efdb5d27823b17c7b5cc4fde7eb0ba75565061c5ab7549556a5975ff74e3b0e08270
-
memory/616-54-0x0000000075B51000-0x0000000075B53000-memory.dmpFilesize
8KB
-
memory/964-56-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/964-57-0x000000000041D4B0-mapping.dmp
-
memory/964-58-0x0000000000800000-0x0000000000B03000-memory.dmpFilesize
3.0MB