Analysis

max time kernel: 36s
max time network: 76s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 21/06/2022, 08:55

Static task: static1
Behavioral task: behavioral1
Sample: vbc.exe
Resource: win7-20220414-en
General

Target: vbc.exe
Size: 302KB
MD5: 0236dcc27cfb3d09325c976002567985
SHA1: e1605510f182a0c6f8d3297355d9ceb00489df7c
SHA256: e640ade723ba4aa48f63db4293d15b61c07c05bfdd93a3a0f83f4a177306b87d
SHA512: 512d6736ced5df8022ff26e1581f2ee7dfcef0f10c3b2e5324ac7ba16cee52f1db687a5921e8c72edc7d32a9467b161dc966c4f34f16d4ea13003e1f1f899081
Malware Config

Extracted
Family: xloader
Version: 2.6
Campaign: vweq
Decoy domains:
malang-media.com
mrsfence.com
lubetops.com
aitimedia.net
montecryptocapital.com
ahwmedia.com
bvmnc.site
bggearstore.com
bcsantacoloma.online
alltimephotography.com
santacruz-roofings.com
leaplifestyleenterprises.com
censovet.com
similkameenfarms.com
undisclosed.email
thetrinityco.com
rapiturs.com
jedlersdorf.info
mh7jk12e.xyz
flygurlblogwordpress.com
goodbaddesign.com
equipmentrentalpartyplus.com
ohyoutube.com
projetoarvore.com
2379.flights
implemedescribed.com
kreasinesia.com
ownitoffice.com
fortekofteacizyemeknerde.store
my-wh-webproject.com
518499.com
naples-us.com
tlrohio.com
kanchava.com
lcloudfindin.com
cybermatrix.tech
i6lqi.xyz
ebay-online-selling-24.com
afrisectelecoms.com
tiantian997.xyz
strategyvenues.com
marketnear.watch
thebrooklynyogi.com
sonikbuilder.online
voyagesconsulting.com
ledgel0ungers.com
youhadtobethere.biz
disabled-long.com
dental-implants-encounter.life
zydssq.com
livingwell.green
doumao334.xyz
moodysoot.online
licos.xyz
maqitashop.com
doroos.online
laikemiao.com
petrolverse.xyz
apostolicpraise.net
todaychance.com
helightville.com
st-john-fisher-school.com
agwly.com
dashop.pro
zxc3426.xyz
Signatures

Xloader Payload (3 IoCs)
resource                                                                      yara_rule
behavioral2/memory/4336-132-0x0000000000400000-0x000000000042B000-memory.dmp  xloader
behavioral2/memory/4336-138-0x0000000000400000-0x000000000042B000-memory.dmp  xloader
behavioral2/memory/1980-141-0x0000000000580000-0x00000000005AB000-memory.dmp  xloader

Uses the VBS compiler for execution (1 TTP)

Suspicious use of SetThreadContext (3 IoCs)
description                          pid   Process     procid_target
PID 4684 set thread context of 4336  4684  vbc.exe     86
PID 4336 set thread context of 648   4336  cvtres.exe  19
PID 1980 set thread context of 648   1980  cmd.exe     19

Suspicious behavior: EnumeratesProcesses (8 IoCs)
pid   Process
4336  cvtres.exe
4336  cvtres.exe
4336  cvtres.exe
4336  cvtres.exe
1980  cmd.exe
1980  cmd.exe
1980  cmd.exe
1980  cmd.exe

Suspicious behavior: MapViewOfSection (5 IoCs)
pid   Process
4336  cvtres.exe
4336  cvtres.exe
4336  cvtres.exe
1980  cmd.exe
1980  cmd.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description              pid   Process
Token: SeDebugPrivilege  4684  vbc.exe
Token: SeDebugPrivilege  4336  cvtres.exe
Token: SeDebugPrivilege  1980  cmd.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description                      pid   Process       procid_target
PID 4684 wrote to memory of 4336 4684  vbc.exe       86
PID 4684 wrote to memory of 4336 4684  vbc.exe       86
PID 4684 wrote to memory of 4336 4684  vbc.exe       86
PID 4684 wrote to memory of 4336 4684  vbc.exe       86
PID 4684 wrote to memory of 4336 4684  vbc.exe       86
PID 4684 wrote to memory of 4336 4684  vbc.exe       86
PID 648 wrote to memory of 1980  648   Explorer.EXE  87
PID 648 wrote to memory of 1980  648   Explorer.EXE  87
PID 648 wrote to memory of 1980  648   Explorer.EXE  87
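The SetThreadContext and WriteProcessMemory tables above only make sense when read together per (source, target) pair: vbc.exe both writes into cvtres.exe and sets its thread context, whereas cvtres.exe and cmd.exe each set the thread context of Explorer.EXE without a single WriteProcessMemory row pointing at it, and Explorer.EXE writes into cmd.exe without ever touching its thread context. The script below is an added example, not part of the sandbox report; it takes the rows exactly as the report flattens them, correlates the two tables, and labels each pair. The three labels ("hollowing-candidate", "thread-hijack", "write-only") and the rule that assigns them are the example's own heuristic, not a sandbox signature, and a "hollowing-candidate" is only a candidate because the report shows no CreateProcess-suspended or ResumeThread rows to confirm it.

```python
import re
from collections import Counter, defaultdict

# Rows copied from the "Suspicious use of SetThreadContext" and
# "Suspicious use of WriteProcessMemory" tables in the report. The sandbox
# flattens each row into: "PID <src> <verb> <dst> <pid> <image> <procid_target>".
SET_THREAD_CONTEXT_ROWS = """\
PID 4684 set thread context of 4336 4684 vbc.exe 86
PID 4336 set thread context of 648 4336 cvtres.exe 19
PID 1980 set thread context of 648 1980 cmd.exe 19
"""

WRITE_PROCESS_MEMORY_ROWS = """\
PID 4684 wrote to memory of 4336 4684 vbc.exe 86
PID 4684 wrote to memory of 4336 4684 vbc.exe 86
PID 4684 wrote to memory of 4336 4684 vbc.exe 86
PID 4684 wrote to memory of 4336 4684 vbc.exe 86
PID 4684 wrote to memory of 4336 4684 vbc.exe 86
PID 4684 wrote to memory of 4336 4684 vbc.exe 86
PID 648 wrote to memory of 1980 648 Explorer.EXE 87
PID 648 wrote to memory of 1980 648 Explorer.EXE 87
PID 648 wrote to memory of 1980 648 Explorer.EXE 87
"""

# Process tree from the report: pid -> image name.
PROCESSES = {648: "Explorer.EXE", 4684: "vbc.exe", 4336: "cvtres.exe", 1980: "cmd.exe"}

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<verb>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P<pid>\d+) (?P<image>\S+) (?P<target>\d+)$"
)


def parse_rows(text):
    """Parse flattened signature rows into dicts; reject any row that does not match."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unparsed signature row: {line!r}")
        rows.append({"src": int(m["src"]), "dst": int(m["dst"]),
                     "verb": m["verb"], "image": m["image"]})
    return rows


def classify_injection(stc_text, wpm_text, processes):
    """Correlate SetThreadContext with WriteProcessMemory per (src, dst) pair.

    Heuristic labels (this example's own, not sandbox signatures):
      hollowing-candidate : src wrote into dst AND set dst's thread context
      thread-hijack       : src set dst's thread context but never wrote to it
                            via WriteProcessMemory (payload arrived another way,
                            e.g. a section mapped with MapViewOfSection)
      write-only          : src wrote into dst but never set its thread context
    """
    writes = Counter((r["src"], r["dst"]) for r in parse_rows(wpm_text))
    stc = {(r["src"], r["dst"]) for r in parse_rows(stc_text)}
    findings = []
    for src, dst in sorted(stc | set(writes)):
        if (src, dst) in stc and writes[(src, dst)]:
            kind = "hollowing-candidate"
        elif (src, dst) in stc:
            kind = "thread-hijack"
        else:
            kind = "write-only"
        findings.append({
            "kind": kind, "src": src, "dst": dst,
            "src_image": processes.get(src, "?"), "dst_image": processes.get(dst, "?"),
            "write_events": writes[(src, dst)],
        })
    return findings


def multiply_hijacked(findings):
    """PIDs whose thread context was set by more than one distinct source process."""
    sources = defaultdict(set)
    for f in findings:
        if f["kind"] in ("thread-hijack", "hollowing-candidate"):
            sources[f["dst"]].add(f["src"])
    return {dst for dst, srcs in sources.items() if len(srcs) > 1}


if __name__ == "__main__":
    results = classify_injection(SET_THREAD_CONTEXT_ROWS, WRITE_PROCESS_MEMORY_ROWS, PROCESSES)
    for f in results:
        print(f"{f['kind']:20} {f['src']:>5} {f['src_image']:<13} -> "
              f"{f['dst']:>5} {f['dst_image']:<13} writes={f['write_events']}")
    print("targeted by more than one injector:", multiply_hijacked(results))
```

Run on the report's rows, the only pair labelled "hollowing-candidate" is vbc.exe (4684) into cvtres.exe (4336), the "write-only" pair is Explorer.EXE (648) into cmd.exe (1980), and Explorer.EXE is the one process whose thread context is set by two different injectors, which is what a hunt rule should key on: a shell process shipped with Windows setting the thread context of the desktop shell, not the presence of any single API call.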
Processes

C:\Windows\Explorer.EXE  "C:\Windows\Explorer.EXE"  (level 1, PID 648)
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\vbc.exe  "C:\Users\Admin\AppData\Local\Temp\vbc.exe"  (level 2, PID 4684)
        - Suspicious use of SetThreadContext
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"  (level 3, PID 4336)
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe  "C:\Windows\SysWOW64\cmd.exe"  (level 2, PID 1980)
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken