Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
148s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
21/11/2024, 20:33 UTC
Static task
static1
Behavioral task
behavioral1
Sample
vbc.exe
Resource
win7-20240903-en
General
-
Target
vbc.exe
-
Size
575KB
-
MD5
2986502fc991bed7cc87122bc481d5b4
-
SHA1
45d8d4498052803984a49f880d874c659945fc0c
-
SHA256
45de0a47d8bee8de67d818ea239f0f9c934c3299be3c3faefacb9e1e4800078c
-
SHA512
54f3fc749923be12396af61b64bbeaf5b12e290159960517989b79d882d4a1ed2af6045a85987ac615b9da1d9232d63db5ceacbf4c907b5fd33735575c75a3d8
-
SSDEEP
12288:zBqlwSPINx9zVGr5rg3xcnX5pPhdc2WjgDw:yDIxfErgAXc2WjgDw
Malware Config
Extracted
xloader
2.5
ns87
hcjn998.com
y963257.xyz
upcrunchnow.com
adornor.online
boyhunters.com
mchaskell.com
bayanescort.xyz
jovinodossantossite.com
hubhosted.com
evertownnycapartments.net
mgav40.xyz
lfykjx.com
asscheekspizzaboi.com
chinacxq.com
abovecover.net
listingswithalex.com
hhcreativeartsociety.com
aryanagasosa.xyz
caesarpro.com
junanbolsas.online
princessdogcloset.com
carollinaorganic.com
946abt.net
vitavieomax.com
beybey.bet
spider-king.com
basturmen.com
etriaf.com
postnyld.com
shopgcaothu.info
toyotabacninhcn.com
thebrattycat.com
babydogemoneymaker.com
physicalliteracy.info
desktop-exodus.com
bitrice23.com
sibo.care
xnsenxin.com
houseofharlowco.com
ff4ckcexr.xyz
machikado.info
villanerovino.com
customgatestexas.com
heqiangjx.com
skecherspromocje.com
miabellebeauty.com
witwiam.com
farmacyherbalapothecary.com
1courchevel.com
olapeb.com
connectmatchsupport.com
lostformailtoyof2.xyz
6congresolatinoamericanooid.com
tipsforgirldads.net
caimiwo.com
mangalyammakeover.com
alamedan.com
dontchooseextinction.net
corkincantorgroup.com
dublinhacks.com
milletw.com
autisticadhdcoach.com
lakesideshores.com
dannymarkphotography.com
rubberyslouka.xyz
Signatures
-
Xloader family
-
Xloader payload 3 IoCs
resource yara_rule behavioral1/memory/2832-12-0x0000000000400000-0x0000000000429000-memory.dmp xloader behavioral1/memory/2832-16-0x0000000000400000-0x0000000000429000-memory.dmp xloader behavioral1/memory/2928-22-0x0000000000070000-0x0000000000099000-memory.dmp xloader -
Deletes itself 1 IoCs
pid Process 2176 cmd.exe -
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 1576 set thread context of 2832 1576 vbc.exe 31 PID 2832 set thread context of 1272 2832 vbc.exe 21 PID 2928 set thread context of 1272 2928 cscript.exe 21 -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Suspicious behavior: EnumeratesProcesses 25 IoCs
pid Process 2832 vbc.exe 2832 vbc.exe 2928 cscript.exe 2928 cscript.exe 2928 cscript.exe 2928 cscript.exe 2928 cscript.exe 2928 cscript.exe 2928 cscript.exe 2928 cscript.exe 2928 cscript.exe 2928 cscript.exe 2928 cscript.exe 2928 cscript.exe 2928 cscript.exe 2928 cscript.exe 2928 cscript.exe 2928 cscript.exe 2928 cscript.exe 2928 cscript.exe 2928 cscript.exe 2928 cscript.exe 2928 cscript.exe 2928 cscript.exe 2928 cscript.exe -
Suspicious behavior: MapViewOfSection 5 IoCs
pid Process 2832 vbc.exe 2832 vbc.exe 2832 vbc.exe 2928 cscript.exe 2928 cscript.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2832 vbc.exe Token: SeDebugPrivilege 2928 cscript.exe -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 1576 wrote to memory of 2832 1576 vbc.exe 31 PID 1576 wrote to memory of 2832 1576 vbc.exe 31 PID 1576 wrote to memory of 2832 1576 vbc.exe 31 PID 1576 wrote to memory of 2832 1576 vbc.exe 31 PID 1576 wrote to memory of 2832 1576 vbc.exe 31 PID 1576 wrote to memory of 2832 1576 vbc.exe 31 PID 1576 wrote to memory of 2832 1576 vbc.exe 31 PID 1272 wrote to memory of 2928 1272 Explorer.EXE 32 PID 1272 wrote to memory of 2928 1272 Explorer.EXE 32 PID 1272 wrote to memory of 2928 1272 Explorer.EXE 32 PID 1272 wrote to memory of 2928 1272 Explorer.EXE 32 PID 2928 wrote to memory of 2176 2928 cscript.exe 33 PID 2928 wrote to memory of 2176 2928 cscript.exe 33 PID 2928 wrote to memory of 2176 2928 cscript.exe 33 PID 2928 wrote to memory of 2176 2928 cscript.exe 33
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of WriteProcessMemory
PID:1272 -
C:\Users\Admin\AppData\Local\Temp\vbc.exe"C:\Users\Admin\AppData\Local\Temp\vbc.exe"2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1576 -
C:\Users\Admin\AppData\Local\Temp\vbc.exe"C:\Users\Admin\AppData\Local\Temp\vbc.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2832
-
-
-
C:\Windows\SysWOW64\cscript.exe"C:\Windows\SysWOW64\cscript.exe"2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\vbc.exe"3⤵
- Deletes itself
- System Location Discovery: System Language Discovery
PID:2176
-
-