Analysis
- max time kernel: 148s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 22-05-2022 05:49
- Static task: static1
- Behavioral task: behavioral1
  - Sample: vbc.exe
  - Resource: win7-20220414-en
General
- Target: vbc.exe
- Size: 1.5MB
- MD5: 446b9bdfbfe21f14cb22ecec666ff7a8
- SHA1: bee52647caae69d434aade7a64ad2ee4f50247de
- SHA256: 6666b32f52c7d860404d64bf37bdfbea7f7aa38cb0a12f326c515469551d991f
- SHA512: beaaf39e78b1a7c2e2a54de03631d2df3d374cff09b9c68bd2c89e80f85e60c6223795e3e59a5d8f7871c41afa54be56994679db736d8ffc823f948b9feecfc2
Malware Config
Extracted
- Family: xloader
- Version: 2.6
- Campaign ID: arh2
- Domains (65 entries). XLoader, like FormBook before it, embeds a single live C2 in a list of decoy domains and beacons to decoys as well, so the list as a whole identifies this build; do not treat every entry as an attacker-controlled host.
hstorc.com
blackountry.com
dhrbakery.com
dezhouofit.com
defipayout.xyz
ginas4t.com
byzbh63.xyz
qrcrashview.com
mialibaby.com
enhaut.net
samainnova.com
yashveerresort.com
delfos.online
dungcumay.com
lj-counseling.net
fliptheswitch.pro
padogbitelawyer.com
aticarev.com
sederino.site
bestplansforpets-japan3.life
radicallysimplesupps.com
sandbagmaker.com
misdcf.xyz
nbpz.xyz
floridasunbreaks.com
justfinishesofcolorado.com
homemethtestkit.com
chaquetashapticas.com
zodiactshirt.com
tees.email
zxzx999.com
tempepdf.com
watchusroll.com
parotacenter.com
assistcourse.online
paulstilingroup.com
cnbcfx.com
mooncore.xyz
laplugnation.com
gosti24.com
cthomassolutions.com
rkhubs.com
aboutpier.com
multimediaroomandboard.com
iamparrot.com
wifitest.info
nounworld.com
xpartner.biz
128grandviewdrivenewportnsw.com
bakiin.com
suitcell.com
onehitgamerstudios.com
bathingsuitsshoppingus.com
wingstarifa.com
ccasudqi.com
epiconscious.com
ponponshoes.com
cicom.tech
safetynetinc.net
recanto.xyz
sellsidelite.net
kevmoinesproperties.com
hdwallpaperpics.life
57gznfw.xyz
abtys6.online
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Xloader Payload (2 IoCs)
  yara_rule  resource
  xloader    behavioral2/memory/3592-138-0x0000000000400000-0x000000000042C000-memory.dmp
  xloader    behavioral2/memory/4360-145-0x0000000000990000-0x00000000009BB000-memory.dmp
- Uses the VBS compiler for execution (1 TTPs)
  This signature keys on the process name. The sample was submitted as vbc.exe and runs from the user's Temp directory, so it is the malware itself, not the Visual Basic compiler shipped with .NET.
- Suspicious use of SetThreadContext (3 IoCs)
  pid   process               target pid  target process
  2192  vbc.exe               3592        WPDShextAutoplay.exe
  3592  WPDShextAutoplay.exe  1880        Explorer.EXE
  4360  raserver.exe          1880        Explorer.EXE
- Suspicious behavior: EnumeratesProcesses (64 IoCs, listed in order of occurrence)
  pid   process               hits
  2192  vbc.exe               8
  3592  WPDShextAutoplay.exe  4
  2192  vbc.exe               2
  4360  raserver.exe          50
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid   process
  1880  Explorer.EXE
- Suspicious behavior: MapViewOfSection (5 IoCs)
  pid   process               hits
  3592  WPDShextAutoplay.exe  3
  4360  raserver.exe          2
- Suspicious use of AdjustPrivilegeToken (9 IoCs)
  pid   process               token
  2192  vbc.exe               SeDebugPrivilege
  3592  WPDShextAutoplay.exe  SeDebugPrivilege
  1880  Explorer.EXE          SeShutdownPrivilege
  1880  Explorer.EXE          SeCreatePagefilePrivilege
  1880  Explorer.EXE          SeShutdownPrivilege
  1880  Explorer.EXE          SeCreatePagefilePrivilege
  1880  Explorer.EXE          SeShutdownPrivilege
  1880  Explorer.EXE          SeCreatePagefilePrivilege
  4360  raserver.exe          SeDebugPrivilege
- Suspicious use of WriteProcessMemory (13 IoCs)
  pid   process       target pid  target process        hits
  2192  vbc.exe       3592        WPDShextAutoplay.exe  7
  1880  Explorer.EXE  4360        raserver.exe          3
  4360  raserver.exe  2124        cmd.exe               3
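Read together, the SetThreadContext and WriteProcessMemory signatures describe a relay: vbc.exe hollows WPDShextAutoplay.exe, which moves into Explorer.EXE, which then starts and injects raserver.exe, which finally runs cmd.exe to delete the dropped copy. The script below is an added example, not part of the sandbox's output: it parses the six cross-process signature lines (copied from this report as constructed input) and derives the chain, the process that was hollowed (same source both wrote memory and reset a thread context) and the processes that relayed the payload onward. The regular expression is tied to the exact wording this report uses for those two signatures; that format is an assumption.

```python
"""Rebuild the cross-process injection chain from sandbox signature lines.

Added example for this report, not the sandbox's own code. It assumes the
"PID <src> <action> <dst> <src> <src name> <dst name>" wording that the
SetThreadContext and WriteProcessMemory signatures use on this page.
"""
import re
from collections import defaultdict
from typing import List, NamedTuple, Set, Tuple

# Constructed sample input: the six cross-process lines copied from the
# SetThreadContext and WriteProcessMemory signatures in this report.
SANDBOX_LINES = """
PID 2192 set thread context of 3592 2192 vbc.exe WPDShextAutoplay.exe
PID 3592 set thread context of 1880 3592 WPDShextAutoplay.exe Explorer.EXE
PID 4360 set thread context of 1880 4360 raserver.exe Explorer.EXE
PID 2192 wrote to memory of 3592 2192 vbc.exe WPDShextAutoplay.exe
PID 1880 wrote to memory of 4360 1880 Explorer.EXE raserver.exe
PID 4360 wrote to memory of 2124 4360 raserver.exe cmd.exe
"""

SET_CONTEXT = "set thread context of"
WRITE_MEMORY = "wrote to memory of"

# The source pid appears twice per line; the backreference (?P=src) makes
# a garbled line fail to match rather than pair names with the wrong pids.
EDGE_RE = re.compile(
    r"PID (?P<src>\d+) (?P<action>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_name>\S+) (?P<dst_name>\S+)$"
)


class Edge(NamedTuple):
    action: str
    src: int
    src_name: str
    dst: int
    dst_name: str


def parse_edges(text: str) -> List[Edge]:
    """One Edge per signature line; lines that do not match are skipped."""
    edges = []
    for line in text.strip().splitlines():
        m = EDGE_RE.match(line.strip())
        if m:
            edges.append(Edge(m["action"], int(m["src"]), m["src_name"],
                              int(m["dst"]), m["dst_name"]))
    return edges


def injection_chain(edges: List[Edge], root: int) -> List[Tuple[int, str]]:
    """(pid, name) pairs reachable from root over injection edges of either
    kind, in first-visit order. The 4360 -> 1880 back-edge is cut by the
    visited set, so the walk terminates."""
    names, adj = {}, defaultdict(list)
    for e in edges:
        names[e.src], names[e.dst] = e.src_name, e.dst_name
        if e.dst not in adj[e.src]:
            adj[e.src].append(e.dst)
    order, seen = [], set()

    def walk(pid: int) -> None:
        if pid in seen:
            return
        seen.add(pid)
        order.append((pid, names.get(pid, "?")))
        for nxt in adj[pid]:
            walk(nxt)

    walk(root)
    return order


def hollowed_targets(edges: List[Edge]) -> Set[int]:
    """Targets that received both a memory write and a thread-context change
    from the same source: the write-then-redirect pair of process hollowing."""
    actions = defaultdict(set)
    for e in edges:
        actions[(e.src, e.dst)].add(e.action)
    return {dst for (_, dst), acts in actions.items()
            if acts == {SET_CONTEXT, WRITE_MEMORY}}


def relay_processes(edges: List[Edge]) -> List[int]:
    """Processes that were injected into and then injected into something
    else: where the payload lived, and therefore which dumps to pull."""
    return sorted({e.src for e in edges} & {e.dst for e in edges})


if __name__ == "__main__":
    found = parse_edges(SANDBOX_LINES)
    for pid, name in injection_chain(found, 2192):
        print(f"{pid:>5}  {name}")
    print("hollowed:", hollowed_targets(found))
    print("relays:  ", relay_processes(found))
```

Explorer.EXE appears with thread-context edges only. That is consistent with the MapViewOfSection signature, which fires on the same two processes (3592 and 4360) that redirect a thread in Explorer.EXE: code placed through a mapped section leaves no "wrote to memory" line, so a chain builder that keys on WriteProcessMemory alone would lose the Explorer.EXE hop and with it the link to raserver.exe.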
Processes (depth shown by indentation)
1. C:\Windows\Explorer.EXE
   command line: C:\Windows\Explorer.EXE
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
  2. C:\Users\Admin\AppData\Local\Temp\vbc.exe
     command line: "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
     - Suspicious use of SetThreadContext
     - Suspicious behavior: EnumeratesProcesses
     - Suspicious use of AdjustPrivilegeToken
     - Suspicious use of WriteProcessMemory
    3. C:\Windows\SysWOW64\WPDShextAutoplay.exe
       command line: "C:\Windows\SysWOW64\WPDShextAutoplay.exe"
       - Suspicious use of SetThreadContext
       - Suspicious behavior: EnumeratesProcesses
       - Suspicious behavior: MapViewOfSection
       - Suspicious use of AdjustPrivilegeToken
  2. C:\Windows\SysWOW64\raserver.exe
     command line: "C:\Windows\SysWOW64\raserver.exe"
     - Suspicious use of SetThreadContext
     - Suspicious behavior: EnumeratesProcesses
     - Suspicious behavior: MapViewOfSection
     - Suspicious use of AdjustPrivilegeToken
     - Suspicious use of WriteProcessMemory
    3. C:\Windows\SysWOW64\cmd.exe
       command line: /c del "C:\Windows\SysWOW64\WPDShextAutoplay.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory dump                                                        size
memory/1880-142-0x00000000086A0000-0x000000000883A000-memory.dmp   1.6MB
memory/1880-149-0x0000000002F30000-0x0000000002FD4000-memory.dmp   656KB
memory/2124-146-0x0000000000000000-mapping.dmp                     (mapping only)
memory/2192-131-0x0000000005AE0000-0x0000000006084000-memory.dmp   5.6MB
memory/2192-132-0x0000000005440000-0x00000000054D2000-memory.dmp   584KB
memory/2192-133-0x00000000054F0000-0x00000000054FA000-memory.dmp   40KB
memory/2192-134-0x0000000009180000-0x00000000091F6000-memory.dmp   472KB
memory/2192-135-0x0000000009160000-0x000000000917E000-memory.dmp   120KB
memory/2192-136-0x000000000A890000-0x000000000A92C000-memory.dmp   624KB
memory/2192-130-0x0000000000A50000-0x0000000000BD0000-memory.dmp   1.5MB
memory/3592-138-0x0000000000400000-0x000000000042C000-memory.dmp   176KB
memory/3592-141-0x00000000009A0000-0x00000000009B1000-memory.dmp   68KB
memory/3592-140-0x0000000000B10000-0x0000000000E5A000-memory.dmp   3.3MB
memory/3592-137-0x0000000000000000-mapping.dmp                     (mapping only)
memory/4360-143-0x0000000000000000-mapping.dmp                     (mapping only)
memory/4360-145-0x0000000000990000-0x00000000009BB000-memory.dmp   172KB
memory/4360-144-0x0000000000500000-0x000000000051F000-memory.dmp   124KB
memory/4360-147-0x0000000002BB0000-0x0000000002EFA000-memory.dmp   3.3MB
memory/4360-148-0x0000000002920000-0x00000000029B0000-memory.dmp   576KB