Analysis
max time kernel: 148s
max time network: 141s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/03/2023, 11:36
Static task: static1
Behavioral task: behavioral1
Sample: vbc.exe
Resource: win7-20230220-en
General
Target: vbc.exe
Size: 812KB
MD5: 4f57c474b77a208ee4d212894b3512d2
SHA1: 41d369bc50e40fc80054e215d3b2ff44be10c08e
SHA256: abbc3fed4f82fe9afe22de485ec621e13bb0890d633e9c57ba5ebb2fe66b7159
SHA512: 0d7efaba27a0564ed224edc0fba642e93676d3c2c561a58887ca925870bc09eb1dda9b9617428247761386aff630ad052a832f698b054d434b82456e80707d25
SSDEEP: 24576:0EXVZ9a++LeZLGjl66eaCku6e4XCi/EJq9:330LDJUaCG1wJq
Malware Config
Extracted
formbook
4.1
g2fg
snowcrash.website
pointman.us
newheartvalve.care
drandl.com
sandspringsramblers.com
programagubernamental.online
boja.us
mvrsnike.com
mentallyillmotherhood.com
facom.us
programagubernamental.store
izivente.com
roller-v.fr
amazonbioactives.com
metaverseapple.xyz
5gt-mobilevsverizon.com
gtwebsolutions.co
scottdunn.life
usdp.trade
pikmin.run
cardano-dogs.com
bf2hgfy.xyz
teslafoot.com
rubertquintana.com
wellsfargroewards.com
santel.us
couponatonline.com
theunitedhomeland.com
pmstnly.com
strlocal.com
shelleysmucker.com
youser.online
emansdesign.com
usnikeshoesbot.top
starfish.press
scotwork.us
metamorgana.com
onyxbx.net
rivas.company
firstcoastalfb.com
onpurposetraumainformedcare.com
celimot.xyz
jecunikepemej.rest
lenovolatenightit.com
unitedsterlingcompanyky.com
safety2venture.us
facebookismetanow.com
scottdunn.review
mentallyillmotherhood.com
firstincargo.com
vikavivi.com
investmenofpairs.club
nexans.cloud
farcloud.fr
ivermectinforhumans.quest
5gmalesdf.sbs
majenta.info
6vvvvvwmetam.top
metafirstclass.com
firstcoinnews.com
btcetffutures.online
funinfortmyers.com
mangoirslk.top
metaversebasicprivacy.com
blancheshelley.xyz
Signatures

Formbook payload (4 IoCs)
  resource                                                                        yara_rule
  behavioral2/memory/3984-146-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
  behavioral2/memory/3984-185-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
  behavioral2/memory/4484-189-0x0000000000F40000-0x0000000000F6F000-memory.dmp  formbook
  behavioral2/memory/4484-196-0x0000000000F40000-0x0000000000F6F000-memory.dmp  formbook

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                   Process
  Key value queried  \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation  vbc.exe

Uses the VBS compiler for execution (1 TTP)

Suspicious use of SetThreadContext (3 IoCs)
  description                          pid   Process    procid_target
  PID 3132 set thread context of 3984  3132  vbc.exe    93
  PID 3984 set thread context of 3188  3984  vbc.exe    55
  PID 4484 set thread context of 3188  4484  cmstp.exe  55

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid  Process
  64   schtasks.exe

Suspicious behavior: EnumeratesProcesses (46 IoCs)
  pid   Process         entries
  5044  powershell.exe  2
  3984  vbc.exe         4
  4484  cmstp.exe       40

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   Process
  3188  Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
  pid   Process    entries
  3984  vbc.exe    3
  4484  cmstp.exe  2

Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description                       pid   Process
  Token: SeDebugPrivilege           5044  powershell.exe
  Token: SeDebugPrivilege           3984  vbc.exe
  Token: SeDebugPrivilege           4484  cmstp.exe
  Token: SeShutdownPrivilege        3188  Explorer.EXE
  Token: SeCreatePagefilePrivilege  3188  Explorer.EXE

Suspicious use of WriteProcessMemory (18 IoCs)
  description                       pid   Process       procid_target  entries
  PID 3132 wrote to memory of 5044  3132  vbc.exe       89             3
  PID 3132 wrote to memory of 64    3132  vbc.exe       91             3
  PID 3132 wrote to memory of 3984  3132  vbc.exe       93             6
  PID 3188 wrote to memory of 4484  3188  Explorer.EXE  94             3
  PID 4484 wrote to memory of 3532  4484  cmstp.exe     95             3
Processes

C:\Windows\Explorer.EXE  (PID 3188)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\vbc.exe  (PID 3132)
    command line: "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 5044)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\afVxDcSOLVQXKW.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\schtasks.exe  (PID 64)
      command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\afVxDcSOLVQXKW" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1E55.tmp"
      - Creates scheduled task(s)

    C:\Users\Admin\AppData\Local\Temp\vbc.exe  (PID 3984)
      command line: "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmstp.exe  (PID 4484)
    command line: "C:\Windows\SysWOW64\cmstp.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (PID 3532)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 1KB
MD5: d4d9a2d2770731633c487081a6aa4944
SHA1: 9b6a1735ae35db6766f430e881caf58448dbf9cc
SHA256: 464ed1e0c34e06ea6c5dedbfa33ef93cec79d9ac4cd5937953ca9e78ebbe31b7
SHA512: f174d9e2718dc2baa9a1b1f483a073ab0903d21f4ba45c121d34b03f17d3327dcc91df6da40c53c7d60cd94737eb0f01de7b503d97f0041445582e74ad546b6d