Analysis

  • max time kernel
    36s
  • max time network
    76s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21/06/2022, 08:55

General

  • Target

    vbc.exe

  • Size

    302KB

  • MD5

    0236dcc27cfb3d09325c976002567985

  • SHA1

    e1605510f182a0c6f8d3297355d9ceb00489df7c

  • SHA256

    e640ade723ba4aa48f63db4293d15b61c07c05bfdd93a3a0f83f4a177306b87d

  • SHA512

    512d6736ced5df8022ff26e1581f2ee7dfcef0f10c3b2e5324ac7ba16cee52f1db687a5921e8c72edc7d32a9467b161dc966c4f34f16d4ea13003e1f1f899081

Score
10/10

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

vweq

Decoy

malang-media.com

mrsfence.com

lubetops.com

aitimedia.net

montecryptocapital.com

ahwmedia.com

bvmnc.site

bggearstore.com

bcsantacoloma.online

alltimephotography.com

santacruz-roofings.com

leaplifestyleenterprises.com

censovet.com

similkameenfarms.com

undisclosed.email

thetrinityco.com

rapiturs.com

jedlersdorf.info

mh7jk12e.xyz

flygurlblogwordpress.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • Xloader Payload 3 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:648
    • C:\Users\Admin\AppData\Local\Temp\vbc.exe
      "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4684
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:4336
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\SysWOW64\cmd.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      PID:1980

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/648-136-0x0000000002590000-0x0000000002688000-memory.dmp

          Filesize

          992KB

        • memory/1980-139-0x0000000000050000-0x00000000000AA000-memory.dmp

          Filesize

          360KB

        • memory/1980-140-0x0000000001130000-0x000000000147A000-memory.dmp

          Filesize

          3.3MB

        • memory/1980-141-0x0000000000580000-0x00000000005AB000-memory.dmp

          Filesize

          172KB

        • memory/1980-142-0x0000000000F60000-0x0000000000FF0000-memory.dmp

          Filesize

          576KB

        • memory/4336-132-0x0000000000400000-0x000000000042B000-memory.dmp

          Filesize

          172KB

        • memory/4336-134-0x00000000012B0000-0x00000000015FA000-memory.dmp

          Filesize

          3.3MB

        • memory/4336-135-0x0000000001270000-0x0000000001281000-memory.dmp

          Filesize

          68KB

        • memory/4336-138-0x0000000000400000-0x000000000042B000-memory.dmp

          Filesize

          172KB

        • memory/4684-130-0x0000000000720000-0x0000000000772000-memory.dmp

          Filesize

          328KB