Analysis

  • max time kernel
    4265099s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    17-01-2022 03:37

General

  • Target

    bunker inquiry_020100121.exe

  • Size

    272KB

  • MD5

    d700d80487e10f8b9ea5fb50b9e9109c

  • SHA1

    9177a19d76b09d4cde071a07ffb626c9bd4e3652

  • SHA256

    16e137fca9b2bc45254218e2c5f19c2c3b74ec6e4454706bcfd4454a6472c33c

  • SHA512

    e27bf0d76d02b2ccd90d30d94cb94d1549f920fb9fcbf31b0ce13131cd6ff7465a08515469414214d23a26cb7474b7f9a9749c2be88a51458768f8cd429c9a40

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

igwa

Decoy

listingswithalex.com

funtabse.com

aydenwalling.com

prochal.net

superfoodsnederland.com

moldluck.com

dianekgordon.store

regionalhomescommercial.com

mysecuritymadesimple.com

malwaremastery.com

kodaikeiko.com

jrzg996.com

agricurve.net

songlingjiu.com

virginianundahfishingclub.com

friendschance.com

pastelpresents.com

answertitles.com

survival-hunter.com

nxfddl.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

  • Xloader Payload 2 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NSIS installer 6 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Drops file in Program Files directory
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2412
    • C:\Users\Admin\AppData\Local\Temp\bunker inquiry_020100121.exe
      "C:\Users\Admin\AppData\Local\Temp\bunker inquiry_020100121.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1464
      • C:\Users\Admin\AppData\Local\Temp\bunker inquiry_020100121.exe
        "C:\Users\Admin\AppData\Local\Temp\bunker inquiry_020100121.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2932
    • C:\Windows\SysWOW64\wlanext.exe
      "C:\Windows\SysWOW64\wlanext.exe"
      2⤵
      • Adds policy Run key to start application
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:840
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\bunker inquiry_020100121.exe"
        3⤵
          PID:3520
        • C:\Windows\SysWOW64\cmd.exe
          /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
          3⤵
            PID:2080
          • C:\Program Files\Mozilla Firefox\Firefox.exe
            "C:\Program Files\Mozilla Firefox\Firefox.exe"
            3⤵
              PID:3236
          • C:\Program Files (x86)\Jjnqp\pzylb6bzu.exe
            "C:\Program Files (x86)\Jjnqp\pzylb6bzu.exe"
            2⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:1688
            • C:\Program Files (x86)\Jjnqp\pzylb6bzu.exe
              "C:\Program Files (x86)\Jjnqp\pzylb6bzu.exe"
              3⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2532
        • C:\Windows\system32\MusNotification.exe
          C:\Windows\system32\MusNotification.exe
          1⤵
          • Checks processor information in registry
          • Suspicious use of AdjustPrivilegeToken
          PID:1644

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Persistence

        Registry Run Keys / Startup Folder

        1
        T1060

        Defense Evasion

        Modify Registry

        2
        T1112

        Credential Access

        Credentials in Files

        1
        T1081

        Discovery

        System Information Discovery

        2
        T1082

        Query Registry

        1
        T1012

        Collection

        Data from Local System

        1
        T1005

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\Jjnqp\pzylb6bzu.exe
          MD5

          d700d80487e10f8b9ea5fb50b9e9109c

          SHA1

          9177a19d76b09d4cde071a07ffb626c9bd4e3652

          SHA256

          16e137fca9b2bc45254218e2c5f19c2c3b74ec6e4454706bcfd4454a6472c33c

          SHA512

          e27bf0d76d02b2ccd90d30d94cb94d1549f920fb9fcbf31b0ce13131cd6ff7465a08515469414214d23a26cb7474b7f9a9749c2be88a51458768f8cd429c9a40

        • C:\Program Files (x86)\Jjnqp\pzylb6bzu.exe
          MD5

          d700d80487e10f8b9ea5fb50b9e9109c

          SHA1

          9177a19d76b09d4cde071a07ffb626c9bd4e3652

          SHA256

          16e137fca9b2bc45254218e2c5f19c2c3b74ec6e4454706bcfd4454a6472c33c

          SHA512

          e27bf0d76d02b2ccd90d30d94cb94d1549f920fb9fcbf31b0ce13131cd6ff7465a08515469414214d23a26cb7474b7f9a9749c2be88a51458768f8cd429c9a40

        • C:\Program Files (x86)\Jjnqp\pzylb6bzu.exe
          MD5

          d700d80487e10f8b9ea5fb50b9e9109c

          SHA1

          9177a19d76b09d4cde071a07ffb626c9bd4e3652

          SHA256

          16e137fca9b2bc45254218e2c5f19c2c3b74ec6e4454706bcfd4454a6472c33c

          SHA512

          e27bf0d76d02b2ccd90d30d94cb94d1549f920fb9fcbf31b0ce13131cd6ff7465a08515469414214d23a26cb7474b7f9a9749c2be88a51458768f8cd429c9a40

        • C:\Users\Admin\AppData\Local\Temp\DB1
          MD5

          b608d407fc15adea97c26936bc6f03f6

          SHA1

          953e7420801c76393902c0d6bb56148947e41571

          SHA256

          b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

          SHA512

          cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

        • C:\Users\Admin\AppData\Local\Temp\nsaA3E0.tmp\eekmeeht.dll
          MD5

          cac14ac261a8e2911027bbcced7466b3

          SHA1

          0d104ba98bbd11533b7999b434eb819a0bb61045

          SHA256

          521bc905075db8ff9cd4bc35d66f1530819fd4122014517e74eb2945451fc7a4

          SHA512

          61c917f17ed7588a2d94b83504c92309f376a19f4c297c327c3b2c7c9fc87576e2bd1c55210c2aef4be7842cf7c85efc2263de9f59e75bed45ff60ee32dad2a3

        • C:\Users\Admin\AppData\Local\Temp\nsw8FC6.tmp\eekmeeht.dll
          MD5

          cac14ac261a8e2911027bbcced7466b3

          SHA1

          0d104ba98bbd11533b7999b434eb819a0bb61045

          SHA256

          521bc905075db8ff9cd4bc35d66f1530819fd4122014517e74eb2945451fc7a4

          SHA512

          61c917f17ed7588a2d94b83504c92309f376a19f4c297c327c3b2c7c9fc87576e2bd1c55210c2aef4be7842cf7c85efc2263de9f59e75bed45ff60ee32dad2a3

        • C:\Users\Admin\AppData\Local\Temp\o1kjtsbsl9wgqa6sl4x0
          MD5

          d41d8cd98f00b204e9800998ecf8427e

          SHA1

          da39a3ee5e6b4b0d3255bfef95601890afd80709

          SHA256

          e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

          SHA512

          cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

        • C:\Users\Admin\AppData\Local\Temp\txuxn
          MD5

          d41d8cd98f00b204e9800998ecf8427e

          SHA1

          da39a3ee5e6b4b0d3255bfef95601890afd80709

          SHA256

          e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

          SHA512

          cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

        • memory/840-137-0x0000000000000000-mapping.dmp
        • memory/840-141-0x0000000002ED0000-0x000000000321A000-memory.dmp
          Filesize

          3.3MB

        • memory/840-142-0x0000000002D80000-0x0000000002E10000-memory.dmp
          Filesize

          576KB

        • memory/840-140-0x0000000002850000-0x0000000002879000-memory.dmp
          Filesize

          164KB

        • memory/840-139-0x0000000000160000-0x0000000000177000-memory.dmp
          Filesize

          92KB

        • memory/1688-146-0x0000000000000000-mapping.dmp
        • memory/2080-144-0x0000000000000000-mapping.dmp
        • memory/2412-143-0x0000000008420000-0x000000000852F000-memory.dmp
          Filesize

          1.1MB

        • memory/2412-136-0x0000000007AF0000-0x0000000007C64000-memory.dmp
          Filesize

          1.5MB

        • memory/2532-152-0x0000000000000000-mapping.dmp
        • memory/2532-155-0x00000000009D0000-0x0000000000D1A000-memory.dmp
          Filesize

          3.3MB

        • memory/2932-134-0x0000000000A50000-0x0000000000D9A000-memory.dmp
          Filesize

          3.3MB

        • memory/2932-132-0x0000000000400000-0x0000000000429000-memory.dmp
          Filesize

          164KB

        • memory/2932-135-0x00000000008F0000-0x0000000000901000-memory.dmp
          Filesize

          68KB

        • memory/2932-131-0x0000000000000000-mapping.dmp
        • memory/3520-138-0x0000000000000000-mapping.dmp