Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-11-2022 14:50
Static task: static1
Behavioral task: behavioral1
Sample: vbc.exe
Resource: win7-20220812-en
General
Target: vbc.exe
Size: 448KB
MD5: 0157a88e62b7651bf765bd4fbf73264c
SHA1: fba492f92871cbf674563578d3e91ccb4a412c71
SHA256: 87a7b708cf5f194568ce728a77c5778078720d6ff6346ea269f0a5427398ad60
SHA512: 821184beaa4e49af6e05583992ea98800a1494fcfe4c0d534dbb048dc2960208545432bb1c59c7f5cb69573bb2e7cb33d90904415c6563873ead802c4e4279c7
SSDEEP: 12288:w1bVCfn7om/rE7KdHJaKZODGZ5N1Um4ObM1Mjc:w1ofn7X/9dJaSODGZ5f5hoajc
Malware Config
Extracted
formbook
dwdp
4DlAaMhdJtwJ15R2TZiMx6GwCg==
oilWdXwEy3OHItOqfLCNx6GwCg==
Ak8/PHhAG8EabtQ6
6M2Ej6pHE8pIcmJHMnpaZmZN50HzwA==
TbfoWsWBhyisR1OC/WI=
c9L5DAKvlT90Emj/mejR
Q52SsCG4oEvuFmMtB3U=
OpXGZzbo03aPI4RLsRqSjCi+4btteRj9
HXOuQvq3ok8Cm/9OCg==
NR7FUuGQbFKbPFOC/WI=
vCVkAKp/MCYvTA==
EIB9dcNoJczrDx1+2FMCpUWh
AelRyJUy6pU3TPPyep9VeiM=
pxM6rxHct23r9lOC/WI=
Jo+EpynW0bkd8EQ=
c93g9H4q6pCGbWGE6jGTmys=
KxeWJh3IeirmwBLvQ6xa5He4
Y18bQIZHI87qwl3/mejR
UDOSCrReNObV5g8I/0swTl5K50HzwA==
6Wum4j786IYvBgz/fu7G
WE4ZPZA9Damd/ts0fJ9VeiM=
/t2IjaZVOgAz25JBBTgmlCaWfOZZVDg=
Z98NDw7Qo1vfdVj3A2Q=
pZRR+bBDAaVJ4noF6zksdaO5U5m67UpCyg==
0ElEhBa+nFA+UEn+Dh4VEA==
gXf7eDj108gj7e6xi+pc513iqaU=
cFz/pD7muXS6lJVRHw==
aVnbem8uEbxIXP36xgHfBw==
HQlrGyPOok11FLtmNZqJx6GwCg==
MwzH3feUSej9l2dIKJSYrrS1U5m67UpCyg==
AHbMSjNP55iz
GAZORVxP55iz
Oq6vwAWaeB7UZ6hYHQ==
zEAtZ+ytoj3ZZ6hYHQ==
rAfyBEXLhyYxTl/OTrAfx6GwCg==
18d4nNJ9VvopA8h3SZ5a5He4
dKj37qc0F70abtQ6
dtXiZCe8g0DVa2GE6jGTmys=
1TwrUcyJMCYvTA==
Oh97GfzNmz3debrl/11Dpis=
ZUurN/7Fckzrsea8Imo=
g9X+HmcU2YGqxt//fu7G
qKJdXlnnr0xHoa6Nd9TZ
pX/hd2YsDqXNltuKf+PZ
8G+oOteOhii73yvEpPHT
Xk7IPuiKWvyv017/mejR
3MY2uHs8B6ItvKATmPlReimt/SlO
qY0Dx+PQbCpd+lv/mejR
QCuKCsNMCb5HEBD/fu7G
4j12D6t/MCYvTA==
AKG9wcOPD625
7U5TV7BjXwS/kX7vYa4PSTSEiK0=
nwnn/2sqCaiduNA1f59VeiM=
LpDOWAmifStd9lv/mejR
QqGXpOmWRfqKrD6id9Gr88S+Ew==
r4r7hEIC9apiOlOC/WI=
Ny/s8P+4fSqjMgJh90okGjJG50HzwA==
Yb/udvywew6tVKJ5wxvtGEJK50HzwA==
EQPGycyRejDarZfwTKIbx6GwCg==
spgJj2oQybkxTeG8HGo=
TrP2c/a2dxg/BGb/mejR
pYc8Unok/KakiKmSZXTOjDSEiK0=
f1/MZDffs2YQ4NQ0f59VeiM=
T0eBXUr+2JaMIVs=
onlinehealthclubs-d.site
Signatures
- Uses the VBS compiler for execution (1 TTPs)
- Suspicious use of SetThreadContext (3 IoCs)
  Processes: vbc.exe, CasPol.exe, svchost.exe
  PID 4876 vbc.exe set thread context of PID 2616 CasPol.exe
  PID 2616 CasPol.exe set thread context of PID 2548 Explorer.EXE
  PID 3632 svchost.exe set thread context of PID 2548 Explorer.EXE
- Modifies Internet Explorer settings (1 IoCs)
  Processes: svchost.exe
  Key created: \Registry\User\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 (svchost.exe)
- Suspicious behavior: EnumeratesProcesses (62 IoCs)
  Processes: vbc.exe, CasPol.exe, svchost.exe
  4876 vbc.exe (2 entries), 2616 CasPol.exe (8 entries), 3632 svchost.exe (the remaining 52 of the 62 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: Explorer.EXE
  2548 Explorer.EXE
- Suspicious behavior: MapViewOfSection (7 IoCs)
  Processes: CasPol.exe, svchost.exe
  2616 CasPol.exe (3 entries), 3632 svchost.exe (4 entries)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: vbc.exe, CasPol.exe, svchost.exe
  Token: SeDebugPrivilege, 4876 vbc.exe
  Token: SeDebugPrivilege, 2616 CasPol.exe
  Token: SeDebugPrivilege, 3632 svchost.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: vbc.exe, Explorer.EXE, svchost.exe
  PID 4876 vbc.exe wrote to memory of PID 2616 CasPol.exe (6 entries)
  PID 2548 Explorer.EXE wrote to memory of PID 3632 svchost.exe (3 entries)
  PID 3632 svchost.exe wrote to memory of PID 2116 Firefox.exe (3 entries)
Processes
C:\Windows\Explorer.EXE
  Command line: "C:\Windows\Explorer.EXE"
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\vbc.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\svchost.exe
    Command line: "C:\Windows\SysWOW64\svchost.exe"
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Program Files\Mozilla Firefox\Firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/2548-153-0x0000000003440000-0x00000000034ED000-memory.dmp  Filesize: 692KB
memory/2548-151-0x0000000003440000-0x00000000034ED000-memory.dmp  Filesize: 692KB
memory/2548-143-0x00000000087C0000-0x0000000008962000-memory.dmp  Filesize: 1.6MB
memory/2616-145-0x0000000000400000-0x000000000042F000-memory.dmp  Filesize: 188KB
memory/2616-134-0x0000000000400000-0x000000000042F000-memory.dmp  Filesize: 188KB
memory/2616-135-0x00000000004012B0-mapping.dmp
memory/2616-138-0x0000000000400000-0x000000000042F000-memory.dmp  Filesize: 188KB
memory/2616-139-0x0000000000401000-0x000000000042F000-memory.dmp  Filesize: 184KB
memory/2616-141-0x0000000000B30000-0x0000000000E7A000-memory.dmp  Filesize: 3.3MB
memory/2616-142-0x00000000001F0000-0x0000000000200000-memory.dmp  Filesize: 64KB
memory/2616-146-0x0000000000401000-0x000000000042F000-memory.dmp  Filesize: 184KB
memory/3632-144-0x0000000000000000-mapping.dmp
memory/3632-147-0x0000000000670000-0x000000000067E000-memory.dmp  Filesize: 56KB
memory/3632-149-0x0000000000530000-0x000000000055D000-memory.dmp  Filesize: 180KB
memory/3632-148-0x0000000001200000-0x000000000154A000-memory.dmp  Filesize: 3.3MB
memory/3632-150-0x0000000001090000-0x000000000111F000-memory.dmp  Filesize: 572KB
memory/3632-152-0x0000000000530000-0x000000000055D000-memory.dmp  Filesize: 180KB
memory/4876-132-0x000002BAB7660000-0x000002BAB76D4000-memory.dmp  Filesize: 464KB
memory/4876-137-0x00007FF8611F0000-0x00007FF861CB1000-memory.dmp  Filesize: 10.8MB
memory/4876-133-0x00007FF8611F0000-0x00007FF861CB1000-memory.dmp  Filesize: 10.8MB