Analysis
- max time kernel: 149s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21/11/2024, 20:33
Tasks
- Static task: static1
- Behavioral task: behavioral1
- Sample: vbc.exe
- Resource: win7-20240903-en
General
- Target: vbc.exe
- Size: 575KB
- MD5: 2986502fc991bed7cc87122bc481d5b4
- SHA1: 45d8d4498052803984a49f880d874c659945fc0c
- SHA256: 45de0a47d8bee8de67d818ea239f0f9c934c3299be3c3faefacb9e1e4800078c
- SHA512: 54f3fc749923be12396af61b64bbeaf5b12e290159960517989b79d882d4a1ed2af6045a85987ac615b9da1d9232d63db5ceacbf4c907b5fd33735575c75a3d8
- SSDEEP: 12288:zBqlwSPINx9zVGr5rg3xcnX5pPhdc2WjgDw:yDIxfErgAXc2WjgDw
Malware Config
Extracted
- Family: xloader
- Version: 2.5
- Campaign: ns87
- C2 domains: 65 entries (list omitted)
Signatures
- Xloader family
- Xloader payload (5 IoCs)
  resource | yara_rule
  behavioral2/memory/1784-12-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
  behavioral2/memory/1784-17-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
  behavioral2/memory/1784-21-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
  behavioral2/memory/4820-29-0x00000000006B0000-0x00000000006D9000-memory.dmp | xloader
  behavioral2/memory/4820-31-0x00000000006B0000-0x00000000006D9000-memory.dmp | xloader
- Uses the VBS compiler for execution (1 TTP)
- Suspicious use of SetThreadContext (4 IoCs)
  description | pid | Process | procid_target
  PID 1388 set thread context of 1784 | 1388 | vbc.exe | 98
  PID 1784 set thread context of 3412 | 1784 | vbc.exe | 56
  PID 1784 set thread context of 3412 | 1784 | vbc.exe | 56
  PID 4820 set thread context of 3412 | 4820 | msiexec.exe | 56
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
- Suspicious behavior: EnumeratesProcesses (48 IoCs)
  pid | Process | count
  1784 | vbc.exe | 6
  4820 | msiexec.exe | 42
- Suspicious behavior: MapViewOfSection (6 IoCs)
  pid | Process | count
  1784 | vbc.exe | 4
  4820 | msiexec.exe | 2
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1784 | vbc.exe
  Token: SeDebugPrivilege | 4820 | msiexec.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target | count
  PID 1388 wrote to memory of 1784 | 1388 | vbc.exe | 98 | 6
  PID 3412 wrote to memory of 4820 | 3412 | Explorer.EXE | 99 | 3
  PID 4820 wrote to memory of 2836 | 4820 | msiexec.exe | 101 | 3
Processes
- Level 1: C:\Windows\Explorer.EXE (PID 3412)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of WriteProcessMemory
  - Level 2: C:\Users\Admin\AppData\Local\Temp\vbc.exe (PID 1388)
    command line: "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - Level 3: C:\Users\Admin\AppData\Local\Temp\vbc.exe (PID 1784)
      command line: "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - Level 2: C:\Windows\SysWOW64\msiexec.exe (PID 4820)
    command line: "C:\Windows\SysWOW64\msiexec.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - Level 3: C:\Windows\SysWOW64\cmd.exe (PID 2836)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
      - System Location Discovery: System Language Discovery