Analysis
max time kernel: 150s
max time network: 148s
platform: windows7_x64
resource: win7-en-20211208
submitted: 17-01-2022 03:37
Static task: static1
Behavioral task: behavioral1
Sample: bunker inquiry_020100121.exe
Resource: win7-en-20211208
General
Target: bunker inquiry_020100121.exe
Size: 272KB
MD5: d700d80487e10f8b9ea5fb50b9e9109c
SHA1: 9177a19d76b09d4cde071a07ffb626c9bd4e3652
SHA256: 16e137fca9b2bc45254218e2c5f19c2c3b74ec6e4454706bcfd4454a6472c33c
SHA512: e27bf0d76d02b2ccd90d30d94cb94d1549f920fb9fcbf31b0ce13131cd6ff7465a08515469414214d23a26cb7474b7f9a9749c2be88a51458768f8cd429c9a40
Malware Config
Extracted
Family: xloader
Version: 2.5
Campaign: igwa
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Xloader Payload (3 IoCs)
  Processes (resource, yara_rule):
  behavioral1/memory/584-56-0x0000000000400000-0x0000000000429000-memory.dmp: xloader
  behavioral1/memory/584-57-0x000000000041D440-mapping.dmp: xloader
  behavioral1/memory/560-65-0x0000000000080000-0x00000000000A9000-memory.dmp: xloader
- Deletes itself (1 IoC)
  Processes (pid, process):
  452 cmd.exe
- Loads dropped DLL (1 IoC)
  Processes (pid, process):
  1624 bunker inquiry_020100121.exe
- Suspicious use of SetThreadContext (3 IoCs)
  Processes (description, pid, process, target process):
  PID 1624 (bunker inquiry_020100121.exe) set thread context of 584 (bunker inquiry_020100121.exe)
  PID 584 (bunker inquiry_020100121.exe) set thread context of 1404 (Explorer.EXE)
  PID 560 (NAPSTAT.EXE) set thread context of 1404 (Explorer.EXE)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (31 IoCs)
  Processes (pid, process):
  584 bunker inquiry_020100121.exe (2 entries)
  560 NAPSTAT.EXE (29 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes (pid, process):
  1404 Explorer.EXE
- Suspicious behavior: MapViewOfSection (5 IoCs)
  Processes (pid, process):
  584 bunker inquiry_020100121.exe (3 entries)
  560 NAPSTAT.EXE (2 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description, pid, process):
  Token: SeDebugPrivilege, 584 bunker inquiry_020100121.exe
  Token: SeDebugPrivilege, 560 NAPSTAT.EXE
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes (pid, process):
  1404 Explorer.EXE (2 entries)
- Suspicious use of SendNotifyMessage (2 IoCs)
  Processes (pid, process):
  1404 Explorer.EXE (2 entries)
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes (description, pid, process, target process):
  PID 1624 (bunker inquiry_020100121.exe) wrote to memory of 584 (bunker inquiry_020100121.exe) (7 entries)
  PID 1404 (Explorer.EXE) wrote to memory of 560 (NAPSTAT.EXE) (4 entries)
  PID 560 (NAPSTAT.EXE) wrote to memory of 452 (cmd.exe) (4 entries)
Processes
C:\Windows\Explorer.EXE (depth 1)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\bunker inquiry_020100121.exe (depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\bunker inquiry_020100121.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\bunker inquiry_020100121.exe (depth 3)
      command line: "C:\Users\Admin\AppData\Local\Temp\bunker inquiry_020100121.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\NAPSTAT.EXE (depth 2)
    command line: "C:\Windows\SysWOW64\NAPSTAT.EXE"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (depth 3)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\bunker inquiry_020100121.exe"
      - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\nsyAC0A.tmp\eekmeeht.dll
  MD5: cac14ac261a8e2911027bbcced7466b3
  SHA1: 0d104ba98bbd11533b7999b434eb819a0bb61045
  SHA256: 521bc905075db8ff9cd4bc35d66f1530819fd4122014517e74eb2945451fc7a4
  SHA512: 61c917f17ed7588a2d94b83504c92309f376a19f4c297c327c3b2c7c9fc87576e2bd1c55210c2aef4be7842cf7c85efc2263de9f59e75bed45ff60ee32dad2a3
- memory/452-63-0x0000000000000000-mapping.dmp
- memory/560-62-0x0000000000000000-mapping.dmp
- memory/560-67-0x0000000000880000-0x0000000000910000-memory.dmp
  Filesize: 576KB
- memory/560-66-0x0000000001F30000-0x0000000002233000-memory.dmp
  Filesize: 3.0MB
- memory/560-65-0x0000000000080000-0x00000000000A9000-memory.dmp
  Filesize: 164KB
- memory/560-64-0x00000000002B0000-0x00000000002F6000-memory.dmp
  Filesize: 280KB
- memory/584-57-0x000000000041D440-mapping.dmp
- memory/584-61-0x0000000000480000-0x0000000000491000-memory.dmp
  Filesize: 68KB
- memory/584-59-0x00000000008C0000-0x0000000000BC3000-memory.dmp
  Filesize: 3.0MB
- memory/584-56-0x0000000000400000-0x0000000000429000-memory.dmp
  Filesize: 164KB
- memory/1404-60-0x00000000071A0000-0x0000000007330000-memory.dmp
  Filesize: 1.6MB
- memory/1404-68-0x0000000006AF0000-0x0000000006C34000-memory.dmp
  Filesize: 1.3MB
- memory/1624-54-0x0000000076C61000-0x0000000076C63000-memory.dmp
  Filesize: 8KB