Analysis

max time kernel: 152s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-12-2022 15:03

Static task: static1
Behavioral task: behavioral1
Sample: vbc.exe
Resource: win7-20220812-en

General

Target: vbc.exe
Size: 226KB
MD5: 27b4c55d335f86868e234f8aa79ca058
SHA1: 1ecc8c5fefd7ad001b37078bd79d68f4331dc9ba
SHA256: 48fcd109b51adcad58459318c092f4b6e8e5dcca682f9d60e1592e53dbb6174b
SHA512: e2c11d73be4c98dd7ddeab92898020e7bc2c9df16d99a4f2a54e4d5d5b3fbcb6c34c1869974fd43044535910756d058a761520a922dc0249ba93cfa963eec617
SSDEEP: 6144:QBn1XvXjPujhRD+dVfowhWJ2lBFlrggcZ:gfXjPyYVfoz0lnZKZ
Malware Config

Extracted: formbook (f4ca)
Domain: inthecryptolane.com
Signatures

- Executes dropped EXE (2 IoCs)
  Processes: kkkwip.exe (PID 5032), kkkwip.exe (PID 4572)

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  Processes: kkkwip.exe queried key value \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Uses the VBS compiler for execution (1 TTP)

- Suspicious use of SetThreadContext (3 IoCs)
  Processes:
    PID 5032 kkkwip.exe set thread context of PID 4572 kkkwip.exe
    PID 4572 kkkwip.exe set thread context of PID 2640 Explorer.EXE
    PID 1124 rundll32.exe set thread context of PID 2640 Explorer.EXE

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Modifies Internet Explorer settings
  Processes: rundll32.exe created key \Registry\User\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2

- Suspicious behavior: EnumeratesProcesses (62 IoCs)
  Processes: kkkwip.exe (PID 4572) and rundll32.exe (PID 1124), the latter accounting for most of the 62 hits

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: Explorer.EXE (PID 2640)

- Suspicious behavior: MapViewOfSection (8 IoCs)
  Processes: kkkwip.exe (PID 5032, 1 hit), kkkwip.exe (PID 4572, 3 hits), rundll32.exe (PID 1124, 4 hits)

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    Token SeDebugPrivilege: PID 4572 kkkwip.exe
    Token SeDebugPrivilege: PID 1124 rundll32.exe

- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes:
    PID 5012 vbc.exe wrote to memory of PID 5032 kkkwip.exe (3 hits)
    PID 5032 kkkwip.exe wrote to memory of PID 4572 kkkwip.exe (4 hits)
    PID 2640 Explorer.EXE wrote to memory of PID 1124 rundll32.exe (3 hits)
    PID 1124 rundll32.exe wrote to memory of PID 4260 Firefox.exe (3 hits)
Processes

- C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE)
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\vbc.exe (command line: "C:\Users\Admin\AppData\Local\Temp\vbc.exe")
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\kkkwip.exe (command line: "C:\Users\Admin\AppData\Local\Temp\kkkwip.exe" C:\Users\Admin\AppData\Local\Temp\xtbjmdn.oa)
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\kkkwip.exe (command line: "C:\Users\Admin\AppData\Local\Temp\kkkwip.exe")
        - Executes dropped EXE
        - Checks computer location settings
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\rundll32.exe (command line: "C:\Windows\SysWOW64\rundll32.exe")
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Program Files\Mozilla Firefox\Firefox.exe (command line: "C:\Program Files\Mozilla Firefox\Firefox.exe")
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Local\Temp\hlcjqqbiwe.o
  Filesize: 185KB
  MD5: 08802e2334fc7a7e96163ab9ffcf1e5b
  SHA1: bef786f25b7fcdae25667884cf6d1ebf700f9235
  SHA256: 5b4a3315959525220d36bf43e36fedb57c84803806a0193f94bbc6718eda893a
  SHA512: ffdaf485c4fec423b85c01d5946803fa539d9a23fadcf4d120444a623fd3f3a9e853f5ff7a6a39958a379a398b9f3a84633c3d1fc7d1fc6774a280b71533700f

- C:\Users\Admin\AppData\Local\Temp\kkkwip.exe
  Filesize: 11KB
  MD5: f485d2be0df438d4714137d8d50d61d9
  SHA1: 3de101c55aee16e8f3f8b33394fe811ad3445921
  SHA256: 7a948b4cb33932b5aa4eb990671d6aafff3a8deceb0d9cdc55ed4ecf4924ce38
  SHA512: df9e2c41ac8778f8ee21adda46c9c4fe0dde22242e20676c42efef23b6354d4a025eaba14175cb9d0113b5153db4024a673d0f2687f8a56ad39c5580df880346
- C:\Users\Admin\AppData\Local\Temp\xtbjmdn.oa
  Filesize: 5KB
  MD5: a5cd02ce4509c4505db1c1e97f6bcd9f
  SHA1: bdbdb5a12668d23097651f982aa5c7946ec66398
  SHA256: 89caa0fe5b8024fa4c49bb5e5dcff2dd9cccba8989de27bbd3bce6ec61610f41
  SHA512: 69d4a424124eed8b73edbf215b37bb3bba0367ee533ec2a864551cc700c314a1fad4e5dbce755b852d6e8cf11458490fbe76cd83bfc07ceb09654ba681e456dd

- memory/1124-147-0x0000000000D10000-0x0000000000D24000-memory.dmp (Filesize: 80KB)
- memory/1124-152-0x00000000003C0000-0x00000000003ED000-memory.dmp (Filesize: 180KB)
- memory/1124-150-0x00000000022D0000-0x000000000235F000-memory.dmp (Filesize: 572KB)
- memory/1124-149-0x0000000002490000-0x00000000027DA000-memory.dmp (Filesize: 3.3MB)
- memory/1124-144-0x0000000000000000-mapping.dmp
- memory/1124-148-0x00000000003C0000-0x00000000003ED000-memory.dmp (Filesize: 180KB)
- memory/2640-153-0x0000000003290000-0x0000000003357000-memory.dmp (Filesize: 796KB)
- memory/2640-151-0x0000000003290000-0x0000000003357000-memory.dmp (Filesize: 796KB)
- memory/2640-143-0x00000000085A0000-0x00000000086F0000-memory.dmp (Filesize: 1.3MB)
- memory/4572-137-0x0000000000000000-mapping.dmp
- memory/4572-146-0x0000000000401000-0x000000000042F000-memory.dmp (Filesize: 184KB)
- memory/4572-145-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
- memory/4572-142-0x0000000000B30000-0x0000000000B40000-memory.dmp (Filesize: 64KB)
- memory/4572-141-0x00000000010B0000-0x00000000013FA000-memory.dmp (Filesize: 3.3MB)
- memory/4572-140-0x0000000000401000-0x000000000042F000-memory.dmp (Filesize: 184KB)
- memory/4572-139-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
- memory/5032-132-0x0000000000000000-mapping.dmp