Analysis

  • max time kernel
    148s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    21/11/2024, 20:33 UTC

General

  • Target

    vbc.exe

  • Size

    575KB

  • MD5

    2986502fc991bed7cc87122bc481d5b4

  • SHA1

    45d8d4498052803984a49f880d874c659945fc0c

  • SHA256

    45de0a47d8bee8de67d818ea239f0f9c934c3299be3c3faefacb9e1e4800078c

  • SHA512

    54f3fc749923be12396af61b64bbeaf5b12e290159960517989b79d882d4a1ed2af6045a85987ac615b9da1d9232d63db5ceacbf4c907b5fd33735575c75a3d8

  • SSDEEP

    12288:zBqlwSPINx9zVGr5rg3xcnX5pPhdc2WjgDw:yDIxfErgAXc2WjgDw

Malware Config

Extracted

  • Family
    xloader
  • Version
    2.5
  • Campaign
    ns87
  • Decoy
    hcjn998.com
    y963257.xyz
    upcrunchnow.com
    adornor.online
    boyhunters.com
    mchaskell.com
    bayanescort.xyz
    jovinodossantossite.com
    hubhosted.com
    evertownnycapartments.net
    mgav40.xyz
    lfykjx.com
    asscheekspizzaboi.com
    chinacxq.com
    abovecover.net
    listingswithalex.com
    hhcreativeartsociety.com
    aryanagasosa.xyz
    caesarpro.com
    junanbolsas.online

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • Xloader family
  • Xloader payload 3 IoCs
  • Deletes itself 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1272
    • C:\Users\Admin\AppData\Local\Temp\vbc.exe
      "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1576
      • C:\Users\Admin\AppData\Local\Temp\vbc.exe
        "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2832
    • C:\Windows\SysWOW64\cscript.exe
      "C:\Windows\SysWOW64\cscript.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2928
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
        3⤵
        • Deletes itself
        • System Location Discovery: System Language Discovery
        PID:2176

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/1272-23-0x0000000007320000-0x0000000007497000-memory.dmp (Filesize: 1.5MB)
  • memory/1272-19-0x0000000007320000-0x0000000007497000-memory.dmp (Filesize: 1.5MB)
  • memory/1272-18-0x0000000003A60000-0x0000000003B60000-memory.dmp (Filesize: 1024KB)
  • memory/1576-13-0x0000000074020000-0x000000007470E000-memory.dmp (Filesize: 6.9MB)
  • memory/1576-1-0x00000000008B0000-0x0000000000944000-memory.dmp (Filesize: 592KB)
  • memory/1576-2-0x0000000074020000-0x000000007470E000-memory.dmp (Filesize: 6.9MB)
  • memory/1576-3-0x00000000004F0000-0x00000000004FC000-memory.dmp (Filesize: 48KB)
  • memory/1576-4-0x000000007402E000-0x000000007402F000-memory.dmp (Filesize: 4KB)
  • memory/1576-5-0x0000000074020000-0x000000007470E000-memory.dmp (Filesize: 6.9MB)
  • memory/1576-6-0x0000000002020000-0x0000000002088000-memory.dmp (Filesize: 416KB)
  • memory/1576-0-0x000000007402E000-0x000000007402F000-memory.dmp (Filesize: 4KB)
  • memory/2832-7-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize: 164KB)
  • memory/2832-14-0x0000000000AE0000-0x0000000000DE3000-memory.dmp (Filesize: 3.0MB)
  • memory/2832-8-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize: 164KB)
  • memory/2832-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (Filesize: 4KB)
  • memory/2832-17-0x0000000000190000-0x00000000001A1000-memory.dmp (Filesize: 68KB)
  • memory/2832-16-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize: 164KB)
  • memory/2832-12-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize: 164KB)
  • memory/2928-21-0x0000000000FF0000-0x0000000001012000-memory.dmp (Filesize: 136KB)
  • memory/2928-20-0x0000000000FF0000-0x0000000001012000-memory.dmp (Filesize: 136KB)
  • memory/2928-22-0x0000000000070000-0x0000000000099000-memory.dmp (Filesize: 164KB)
