Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 27-01-2022 15:06
- Static task: static1
- Behavioral task: behavioral1
- Sample: Revised Quotation & COA_jpg.exe
- Resource: win7-en-20211208
General
- Target: Revised Quotation & COA_jpg.exe
- Size: 551KB
- MD5: fce9b050476d555a64ce0522191d1f4a
- SHA1: 4c34b842888ba0c8f80fdba42055281c18e995f3
- SHA256: 07569721866b0b2b3d83ec0db9d400f9cd623c51ea30706aaef9e032ec64795e
- SHA512: c6ffe706492a009e214e6b6c256bf41406e217a93c9aa9e898b71ea66428c545bb4420f314d7781e9321e9095d678c6440fe4bb12bd8c629a9819e9effc32247
Malware Config
Extracted
- Family: xloader
- Version: 2.5
- Campaign ID: quc5
- Domains: 65 C2/decoy domains extracted from the configuration
Signatures
-
Xloader Payload 3 IoCs
Processes:
resource | yara_rule
behavioral2/memory/900-123-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
behavioral2/memory/900-128-0x0000000005360000-0x00000000054FC000-memory.dmp | xloader
behavioral2/memory/1028-131-0x0000000002450000-0x0000000002479000-memory.dmp | xloader
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
description | pid | process | target process
PID 2504 set thread context of 900 | 2504 | Revised Quotation & COA_jpg.exe | vbc.exe
PID 900 set thread context of 3036 | 900 | vbc.exe | Explorer.EXE
PID 1028 set thread context of 3036 | 1028 | NETSTAT.EXE | Explorer.EXE
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
Processes:
pid | process
1028 | NETSTAT.EXE
Suspicious behavior: EnumeratesProcesses 44 IoCs
Processes (repeated identical entries collapsed; 44 entries in total):
pid | process | entries
900 | vbc.exe | 4
1028 | NETSTAT.EXE | 40
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
3036 | Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs
Processes (repeated identical entries collapsed; 5 entries in total):
pid | process | entries
900 | vbc.exe | 3
1028 | NETSTAT.EXE | 2
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 900 | vbc.exe
Token: SeDebugPrivilege | 1028 | NETSTAT.EXE
Suspicious use of WriteProcessMemory 12 IoCs
Processes (repeated identical entries collapsed; 12 entries in total):
description | pid | process | target process | entries
PID 2504 wrote to memory of 900 | 2504 | Revised Quotation & COA_jpg.exe | vbc.exe | 6
PID 3036 wrote to memory of 1028 | 3036 | Explorer.EXE | NETSTAT.EXE | 3
PID 1028 wrote to memory of 2924 | 1028 | NETSTAT.EXE | cmd.exe | 3
Processes (tree; indentation shows parent/child, PIDs taken from the signature tables above)
- C:\Windows\Explorer.EXE (PID 3036)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Revised Quotation & COA_jpg.exe (PID 2504)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Revised Quotation & COA_jpg.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (PID 900)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\NETSTAT.EXE (PID 1028)
    Command line: "C:\Windows\SysWOW64\NETSTAT.EXE"
    - Suspicious use of SetThreadContext
    - Gathers network information
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 2924)
      Command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory dump | file size
memory/900-123-0x0000000000400000-0x0000000000429000-memory.dmp | 164KB
memory/900-128-0x0000000005360000-0x00000000054FC000-memory.dmp | 1.6MB
memory/900-127-0x0000000005500000-0x0000000005820000-memory.dmp | 3.1MB
memory/1028-130-0x0000000000040000-0x000000000004B000-memory.dmp | 44KB
memory/1028-131-0x0000000002450000-0x0000000002479000-memory.dmp | 164KB
memory/1028-133-0x0000000002900000-0x0000000002A95000-memory.dmp | 1.6MB
memory/1028-132-0x0000000002AA0000-0x0000000002DC0000-memory.dmp | 3.1MB
memory/2504-122-0x0000000007EF0000-0x0000000007F52000-memory.dmp | 392KB
memory/2504-118-0x0000000005650000-0x000000000565A000-memory.dmp | 40KB
memory/2504-117-0x0000000005660000-0x00000000056F2000-memory.dmp | 584KB
memory/2504-116-0x0000000005C20000-0x000000000611E000-memory.dmp | 5.0MB
memory/2504-115-0x0000000000D90000-0x0000000000E20000-memory.dmp | 576KB
memory/2504-119-0x0000000005720000-0x0000000005C1E000-memory.dmp | 5.0MB
memory/2504-121-0x0000000007D40000-0x0000000007DDC000-memory.dmp | 624KB
memory/2504-120-0x0000000005B80000-0x0000000005B8C000-memory.dmp | 48KB
memory/3036-129-0x0000000002370000-0x0000000002429000-memory.dmp | 740KB
memory/3036-134-0x0000000004DA0000-0x0000000004EC3000-memory.dmp | 1.1MB