Analysis Overview
SHA256
e640ade723ba4aa48f63db4293d15b61c07c05bfdd93a3a0f83f4a177306b87d
Threat Level: Known bad
The file vbc.exe.vir was found to be: Known bad.
Malicious Activity Summary
suricata: ET MALWARE FormBook CnC Checkin (GET)
Xloader
Xloader Payload
Uses the VBS compiler for execution
Suspicious use of SetThreadContext
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-06-21 08:55
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-06-21 08:55
Reported
2022-06-21 08:57
Platform
win7-20220414-en
Max time kernel
152s
Max time network
156s
Command Line
Signatures
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Xloader Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Uses the VBS compiler for execution
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1792 set thread context of 1712 | N/A | C:\Users\Admin\AppData\Local\Temp\vbc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe |
| PID 1712 set thread context of 1204 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | C:\Windows\Explorer.EXE |
| PID 1252 set thread context of 1204 | N/A | C:\Windows\SysWOW64\NAPSTAT.EXE | C:\Windows\Explorer.EXE |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \Registry\User\S-1-5-21-2277218442-1199762539-2004043321-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | C:\Windows\SysWOW64\NAPSTAT.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\NAPSTAT.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\NAPSTAT.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\NAPSTAT.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\NAPSTAT.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\vbc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\NAPSTAT.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\vbc.exe
"C:\Users\Admin\AppData\Local\Temp\vbc.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
C:\Windows\SysWOW64\NAPSTAT.EXE
"C:\Windows\SysWOW64\NAPSTAT.EXE"
C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.leaplifestyleenterprises.com | udp |
| US | 34.117.168.233:80 | www.leaplifestyleenterprises.com | tcp |
| US | 8.8.8.8:53 | www.naples-us.com | udp |
| US | 34.102.136.180:80 | www.naples-us.com | tcp |
| US | 8.8.8.8:53 | www.tlrohio.com | udp |
| US | 34.102.136.180:80 | www.tlrohio.com | tcp |
| US | 8.8.8.8:53 | www.ledgel0ungers.com | udp |
| DE | 185.53.179.174:80 | www.ledgel0ungers.com | tcp |
| US | 8.8.8.8:53 | www.518499.com | udp |
| US | 192.151.224.140:80 | www.518499.com | tcp |
| US | 8.8.8.8:53 | www.my-wh-webproject.com | udp |
| US | 18.65.39.80:80 | www.my-wh-webproject.com | tcp |
| US | 8.8.8.8:53 | www.ownitoffice.com | udp |
| US | 35.209.201.133:80 | www.ownitoffice.com | tcp |
| US | 8.8.8.8:53 | www.zxc3426.xyz | udp |
| HK | 143.92.32.141:80 | www.zxc3426.xyz | tcp |
| US | 8.8.8.8:53 | www.aitimedia.net | udp |
| US | 104.21.40.194:80 | www.aitimedia.net | tcp |
| US | 8.8.8.8:53 | www.rapiturs.com | udp |
| US | 162.213.255.237:80 | www.rapiturs.com | tcp |
| US | 8.8.8.8:53 | www.mrsfence.com | udp |
| US | 34.102.136.180:80 | www.mrsfence.com | tcp |
| US | 34.102.136.180:80 | www.mrsfence.com | tcp |
| US | 8.8.8.8:53 | www.bcsantacoloma.online | udp |
| ES | 31.214.178.120:80 | www.bcsantacoloma.online | tcp |
| ES | 31.214.178.120:80 | www.bcsantacoloma.online | tcp |
| US | 8.8.8.8:53 | www.2379.flights | udp |
| CN | 160.202.171.101:80 | www.2379.flights | tcp |
| CN | 160.202.171.101:80 | www.2379.flights | tcp |
| US | 8.8.8.8:53 | www.youhadtobethere.biz | udp |
| US | 15.197.142.173:80 | www.youhadtobethere.biz | tcp |
| US | 15.197.142.173:80 | www.youhadtobethere.biz | tcp |
Files
memory/1792-54-0x0000000000C10000-0x0000000000C62000-memory.dmp
memory/1792-55-0x00000000003E0000-0x0000000000414000-memory.dmp
memory/1712-56-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1712-57-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1712-59-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1712-60-0x000000000041F280-mapping.dmp
memory/1712-62-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1712-63-0x0000000000B90000-0x0000000000E93000-memory.dmp
memory/1712-64-0x0000000000280000-0x0000000000291000-memory.dmp
memory/1204-65-0x00000000068D0000-0x00000000069EB000-memory.dmp
memory/1252-66-0x0000000000000000-mapping.dmp
memory/1252-67-0x00000000008E0000-0x0000000000926000-memory.dmp
memory/1252-68-0x0000000000080000-0x00000000000AB000-memory.dmp
memory/1252-69-0x0000000002000000-0x0000000002303000-memory.dmp
memory/1252-70-0x0000000001DB0000-0x0000000001E40000-memory.dmp
memory/1204-71-0x0000000006EF0000-0x000000000703C000-memory.dmp
memory/1204-72-0x0000000006EF0000-0x000000000703C000-memory.dmp
memory/1252-73-0x0000000076461000-0x0000000076463000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-06-21 08:55
Reported
2022-06-21 08:57
Platform
win10v2004-20220414-en
Max time kernel
36s
Max time network
76s
Command Line
Signatures
Xloader
Xloader Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Uses the VBS compiler for execution
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4684 set thread context of 4336 | N/A | C:\Users\Admin\AppData\Local\Temp\vbc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe |
| PID 4336 set thread context of 648 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | C:\Windows\Explorer.EXE |
| PID 1980 set thread context of 648 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\Explorer.EXE |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\vbc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\vbc.exe
"C:\Users\Admin\AppData\Local\Temp\vbc.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
Network
| Country | Destination | Domain | Proto |
| NL | 104.110.191.140:80 | tcp | |
| NL | 104.110.191.140:80 | tcp |
Files
memory/4684-130-0x0000000000720000-0x0000000000772000-memory.dmp
memory/4336-131-0x0000000000000000-mapping.dmp
memory/4336-132-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4336-134-0x00000000012B0000-0x00000000015FA000-memory.dmp
memory/4336-135-0x0000000001270000-0x0000000001281000-memory.dmp
memory/648-136-0x0000000002590000-0x0000000002688000-memory.dmp
memory/1980-137-0x0000000000000000-mapping.dmp
memory/4336-138-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1980-139-0x0000000000050000-0x00000000000AA000-memory.dmp
memory/1980-140-0x0000000001130000-0x000000000147A000-memory.dmp
memory/1980-141-0x0000000000580000-0x00000000005AB000-memory.dmp
memory/1980-142-0x0000000000F60000-0x0000000000FF0000-memory.dmp