Analysis
- max time kernel: 4265099s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 17-01-2022 03:37
- Static task: static1
- Behavioral task: behavioral1
- Sample: bunker inquiry_020100121.exe
- Resource: win7-en-20211208
General
- Target: bunker inquiry_020100121.exe
- Size: 272KB
- MD5: d700d80487e10f8b9ea5fb50b9e9109c
- SHA1: 9177a19d76b09d4cde071a07ffb626c9bd4e3652
- SHA256: 16e137fca9b2bc45254218e2c5f19c2c3b74ec6e4454706bcfd4454a6472c33c
- SHA512: e27bf0d76d02b2ccd90d30d94cb94d1549f920fb9fcbf31b0ce13131cd6ff7465a08515469414214d23a26cb7474b7f9a9749c2be88a51458768f8cd429c9a40
Malware Config
Extracted:
- Family: xloader
- Version: 2.5
- Campaign: igwa
- C2 domains: 65 extracted
Signatures

Suricata
- ET MALWARE FormBook CnC Checkin (GET)
- ET MALWARE FormBook CnC Checkin (GET)
Xloader payload (2 IoCs)
- YARA rule xloader matched: memory/2932-132-0x0000000000400000-0x0000000000429000-memory.dmp
- YARA rule xloader matched: memory/840-140-0x0000000002850000-0x0000000002879000-memory.dmp
Adds policy Run key to start application (2 TTPs, 2 IoCs)
Process: wlanext.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (wlanext.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\MJUXXVE0HP = "C:\\Program Files (x86)\\Jjnqp\\pzylb6bzu.exe" (wlanext.exe)
Executes dropped EXE (2 IoCs)
- PID 1688: pzylb6bzu.exe
- PID 2532: pzylb6bzu.exe
Loads dropped DLL (2 IoCs)
- PID 1464: bunker inquiry_020100121.exe
- PID 1688: pzylb6bzu.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Suspicious use of SetThreadContext (4 IoCs)
- PID 1464 (bunker inquiry_020100121.exe) set thread context of PID 2932 (bunker inquiry_020100121.exe)
- PID 2932 (bunker inquiry_020100121.exe) set thread context of PID 2412 (Explorer.EXE)
- PID 840 (wlanext.exe) set thread context of PID 2412 (Explorer.EXE)
- PID 1688 (pzylb6bzu.exe) set thread context of PID 2532 (pzylb6bzu.exe)
Drops file in Program Files directory (4 IoCs)
- File opened for modification: C:\Program Files (x86)\Jjnqp\pzylb6bzu.exe (wlanext.exe)
- File opened for modification: C:\Program Files (x86)\Jjnqp (Explorer.EXE)
- File created: C:\Program Files (x86)\Jjnqp\pzylb6bzu.exe (Explorer.EXE)
- File opened for modification: C:\Program Files (x86)\Jjnqp\pzylb6bzu.exe (Explorer.EXE)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
NSIS installer (6 IoCs)
- C:\Program Files (x86)\Jjnqp\pzylb6bzu.exe matched nsis_installer_1
- C:\Program Files (x86)\Jjnqp\pzylb6bzu.exe matched nsis_installer_2
- C:\Program Files (x86)\Jjnqp\pzylb6bzu.exe matched nsis_installer_1
- C:\Program Files (x86)\Jjnqp\pzylb6bzu.exe matched nsis_installer_2
- C:\Program Files (x86)\Jjnqp\pzylb6bzu.exe matched nsis_installer_1
- C:\Program Files (x86)\Jjnqp\pzylb6bzu.exe matched nsis_installer_2
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Process: MusNotification.exe
- Key opened: \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (MusNotification.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (MusNotification.exe)
Modifies Internet Explorer settings
Process: wlanext.exe
- Key created: \Registry\User\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 (wlanext.exe)
Suspicious behavior: EnumeratesProcesses (60 IoCs)
- PID 2932 bunker inquiry_020100121.exe (4 events)
- PID 840 wlanext.exe (54 events)
- PID 2532 pzylb6bzu.exe (2 events)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 2412 Explorer.EXE
Suspicious behavior: MapViewOfSection (7 IoCs)
- PID 2932 bunker inquiry_020100121.exe (3 events)
- PID 840 wlanext.exe (4 events)
Suspicious use of AdjustPrivilegeToken (7 IoCs)
- Token: SeDebugPrivilege, PID 2932 bunker inquiry_020100121.exe
- Token: SeDebugPrivilege, PID 840 wlanext.exe
- Token: SeShutdownPrivilege, PID 1644 MusNotification.exe
- Token: SeCreatePagefilePrivilege, PID 1644 MusNotification.exe
- Token: SeShutdownPrivilege, PID 2412 Explorer.EXE
- Token: SeCreatePagefilePrivilege, PID 2412 Explorer.EXE
- Token: SeDebugPrivilege, PID 2532 pzylb6bzu.exe
Suspicious use of WriteProcessMemory (27 IoCs)
- PID 1464 (bunker inquiry_020100121.exe) wrote to memory of PID 2932 (bunker inquiry_020100121.exe), 6 events
- PID 2412 (Explorer.EXE) wrote to memory of PID 840 (wlanext.exe), 3 events
- PID 840 (wlanext.exe) wrote to memory of PID 3520 (cmd.exe), 3 events
- PID 840 (wlanext.exe) wrote to memory of PID 2080 (cmd.exe), 3 events
- PID 840 (wlanext.exe) wrote to memory of PID 3236 (Firefox.exe), 3 events
- PID 2412 (Explorer.EXE) wrote to memory of PID 1688 (pzylb6bzu.exe), 3 events
- PID 1688 (pzylb6bzu.exe) wrote to memory of PID 2532 (pzylb6bzu.exe), 6 events
Processes (tree; indentation shows parent/child)

C:\Windows\Explorer.EXE (PID 2412)
  Command line: C:\Windows\Explorer.EXE
  - Drops file in Program Files directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\bunker inquiry_020100121.exe (PID 1464)
    Command line: "C:\Users\Admin\AppData\Local\Temp\bunker inquiry_020100121.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\bunker inquiry_020100121.exe (PID 2932)
      Command line: "C:\Users\Admin\AppData\Local\Temp\bunker inquiry_020100121.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\wlanext.exe (PID 840)
    Command line: "C:\Windows\SysWOW64\wlanext.exe"
    - Adds policy Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\bunker inquiry_020100121.exe"

    C:\Windows\SysWOW64\cmd.exe
      Command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V

    C:\Program Files\Mozilla Firefox\Firefox.exe (PID 3236)
      Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"

  C:\Program Files (x86)\Jjnqp\pzylb6bzu.exe (PID 1688)
    Command line: "C:\Program Files (x86)\Jjnqp\pzylb6bzu.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Jjnqp\pzylb6bzu.exe (PID 2532)
      Command line: "C:\Program Files (x86)\Jjnqp\pzylb6bzu.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\MusNotification.exe (PID 1644)
  Command line: C:\Windows\system32\MusNotification.exe
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
Downloads

- C:\Program Files (x86)\Jjnqp\pzylb6bzu.exe (identical hashes to the submitted sample)
  MD5: d700d80487e10f8b9ea5fb50b9e9109c
  SHA1: 9177a19d76b09d4cde071a07ffb626c9bd4e3652
  SHA256: 16e137fca9b2bc45254218e2c5f19c2c3b74ec6e4454706bcfd4454a6472c33c
  SHA512: e27bf0d76d02b2ccd90d30d94cb94d1549f920fb9fcbf31b0ce13131cd6ff7465a08515469414214d23a26cb7474b7f9a9749c2be88a51458768f8cd429c9a40
- C:\Users\Admin\AppData\Local\Temp\DB1 (the copy of the Chrome "Login Data" database made by cmd.exe)
  MD5: b608d407fc15adea97c26936bc6f03f6
  SHA1: 953e7420801c76393902c0d6bb56148947e41571
  SHA256: b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
  SHA512: cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

- C:\Users\Admin\AppData\Local\Temp\nsaA3E0.tmp\eekmeeht.dll
  MD5: cac14ac261a8e2911027bbcced7466b3
  SHA1: 0d104ba98bbd11533b7999b434eb819a0bb61045
  SHA256: 521bc905075db8ff9cd4bc35d66f1530819fd4122014517e74eb2945451fc7a4
  SHA512: 61c917f17ed7588a2d94b83504c92309f376a19f4c297c327c3b2c7c9fc87576e2bd1c55210c2aef4be7842cf7c85efc2263de9f59e75bed45ff60ee32dad2a3

- C:\Users\Admin\AppData\Local\Temp\nsw8FC6.tmp\eekmeeht.dll (same hashes as the copy above)
  MD5: cac14ac261a8e2911027bbcced7466b3
  SHA1: 0d104ba98bbd11533b7999b434eb819a0bb61045
  SHA256: 521bc905075db8ff9cd4bc35d66f1530819fd4122014517e74eb2945451fc7a4
  SHA512: 61c917f17ed7588a2d94b83504c92309f376a19f4c297c327c3b2c7c9fc87576e2bd1c55210c2aef4be7842cf7c85efc2263de9f59e75bed45ff60ee32dad2a3

- C:\Users\Admin\AppData\Local\Temp\o1kjtsbsl9wgqa6sl4x0 (hashes of an empty file)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

- C:\Users\Admin\AppData\Local\Temp\txuxn (hashes of an empty file)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- memory/840-137-0x0000000000000000-mapping.dmp
- memory/840-141-0x0000000002ED0000-0x000000000321A000-memory.dmp (3.3MB)
- memory/840-142-0x0000000002D80000-0x0000000002E10000-memory.dmp (576KB)
- memory/840-140-0x0000000002850000-0x0000000002879000-memory.dmp (164KB; xloader YARA match)
- memory/840-139-0x0000000000160000-0x0000000000177000-memory.dmp (92KB)
- memory/1688-146-0x0000000000000000-mapping.dmp
- memory/2080-144-0x0000000000000000-mapping.dmp
- memory/2412-143-0x0000000008420000-0x000000000852F000-memory.dmp (1.1MB)
- memory/2412-136-0x0000000007AF0000-0x0000000007C64000-memory.dmp (1.5MB)
- memory/2532-152-0x0000000000000000-mapping.dmp
- memory/2532-155-0x00000000009D0000-0x0000000000D1A000-memory.dmp (3.3MB)
- memory/2932-134-0x0000000000A50000-0x0000000000D9A000-memory.dmp (3.3MB)
- memory/2932-132-0x0000000000400000-0x0000000000429000-memory.dmp (164KB; xloader YARA match)
- memory/2932-135-0x00000000008F0000-0x0000000000901000-memory.dmp (68KB)
- memory/2932-131-0x0000000000000000-mapping.dmp
- memory/3520-138-0x0000000000000000-mapping.dmp