Analysis
- max time kernel: 160s
- max time network: 178s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 28-01-2022 15:58

Static task: static1
Behavioral task: behavioral1
Sample: bunker inquiry_mv setaii.exe
Resource: win7-en-20211208
General
- Target: bunker inquiry_mv setaii.exe
- Size: 248KB
- MD5: 242a7a023efff4ca0bc7abdd3171feb8
- SHA1: c33c534361745d93a30f0e5a86c87e38fc170210
- SHA256: 39cc0c369b8ce6f0570864f4ac0019abed40383a582aae1a13c34e2de08a7168
- SHA512: e6f0157ef9c92270e45ecab19ee34c7d85d5104e621234efb9f386d3bc1a5afcd0d14a67882d3937d01d565ddc0c782a43ccecb0f99c84246c51653c4a801521
Malware Config
Extracted
- Family: xloader
- Version: 2.5
- Campaign: igwa
Signatures

Xloader Payload (2 IoCs)
Processes:
  resource                                                                     yara_rule
  behavioral1/memory/656-58-0x0000000000400000-0x0000000000429000-memory.dmp   xloader
  behavioral1/memory/864-65-0x0000000000090000-0x00000000000B9000-memory.dmp   xloader

Blocklisted process makes network request (1 IoCs)
Processes:
  flow  pid  process
  19    864  msiexec.exe

Deletes itself (1 IoCs)
Processes:
  pid   process
  1116  cmd.exe

Loads dropped DLL (1 IoCs)
Processes:
  pid   process
  1628  bunker inquiry_mv setaii.exe

Suspicious use of SetThreadContext (3 IoCs)
Processes:
  description                          pid   process                       target process
  PID 1628 set thread context of 656   1628  bunker inquiry_mv setaii.exe  bunker inquiry_mv setaii.exe
  PID 656 set thread context of 1260   656   bunker inquiry_mv setaii.exe  Explorer.EXE
  PID 864 set thread context of 1260   864   msiexec.exe                   Explorer.EXE

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (27 IoCs)
Processes:
  pid  process                       entries
  656  bunker inquiry_mv setaii.exe  2
  864  msiexec.exe                   25

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
  pid   process
  1260  Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
Processes:
  pid  process                       entries
  656  bunker inquiry_mv setaii.exe  3
  864  msiexec.exe                   2

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description              pid  process
  Token: SeDebugPrivilege  656  bunker inquiry_mv setaii.exe
  Token: SeDebugPrivilege  864  msiexec.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
  pid   process       entries
  1260  Explorer.EXE  2

Suspicious use of SendNotifyMessage (2 IoCs)
Processes:
  pid   process       entries
  1260  Explorer.EXE  2

Suspicious use of WriteProcessMemory (18 IoCs)
Processes:
  description                       pid   process                       target process                entries
  PID 1628 wrote to memory of 656   1628  bunker inquiry_mv setaii.exe  bunker inquiry_mv setaii.exe  7
  PID 1260 wrote to memory of 864   1260  Explorer.EXE                  msiexec.exe                   7
  PID 864 wrote to memory of 1116   864   msiexec.exe                   cmd.exe                       4
Processes

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\bunker inquiry_mv setaii.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\bunker inquiry_mv setaii.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\bunker inquiry_mv setaii.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\bunker inquiry_mv setaii.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\msiexec.exe
    Command line: "C:\Windows\SysWOW64\msiexec.exe"
    - Blocklisted process makes network request
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\bunker inquiry_mv setaii.exe"
      - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

\Users\Admin\AppData\Local\Temp\nsd9935.tmp\neicq.dll
- MD5: d50697c3b81e293127bf711efcf173b9
- SHA1: e9e6bdf7323c768cd451e9bfb0d87d739e2acfd7
- SHA256: 401b59eaf0a0b4adc9549e0bf341ebfad51c281cdd9c9f0a08bc2c561ca246a1
- SHA512: f7f28c966d16acc2a8a4959a81a5b564e160d3c678b05de78206482b7d27bc52b170c38228a33fb28b8238ec83733ab15f8828da9b1af9409ca7ff800cd0ffb0

memory/656-58-0x0000000000400000-0x0000000000429000-memory.dmp
- Filesize: 164KB

memory/656-60-0x00000000008F0000-0x0000000000BF3000-memory.dmp
- Filesize: 3.0MB

memory/656-61-0x0000000000350000-0x0000000000361000-memory.dmp
- Filesize: 68KB

memory/864-64-0x0000000000C40000-0x0000000000C54000-memory.dmp
- Filesize: 80KB

memory/864-65-0x0000000000090000-0x00000000000B9000-memory.dmp
- Filesize: 164KB

memory/864-66-0x0000000002330000-0x0000000002633000-memory.dmp
- Filesize: 3.0MB

memory/864-67-0x0000000000A20000-0x0000000000AB0000-memory.dmp
- Filesize: 576KB

memory/1260-62-0x00000000064C0000-0x00000000065C5000-memory.dmp
- Filesize: 1.0MB

memory/1260-68-0x0000000007080000-0x00000000071C4000-memory.dmp
- Filesize: 1.3MB

memory/1628-55-0x0000000075DF1000-0x0000000075DF3000-memory.dmp
- Filesize: 8KB

memory/1628-57-0x0000000001D50000-0x0000000001D52000-memory.dmp
- Filesize: 8KB