Analysis
max time kernel: 193s
max time network: 212s
platform: windows10_x64
resource: win10-en-20211208
submitted: 28-01-2022 15:58
Static task: static1
Behavioral task: behavioral1
Sample: bunker inquiry_mv setaii.exe
Resource: win7-en-20211208
General
Target: bunker inquiry_mv setaii.exe
Size: 248KB
MD5: 242a7a023efff4ca0bc7abdd3171feb8
SHA1: c33c534361745d93a30f0e5a86c87e38fc170210
SHA256: 39cc0c369b8ce6f0570864f4ac0019abed40383a582aae1a13c34e2de08a7168
SHA512: e6f0157ef9c92270e45ecab19ee34c7d85d5104e621234efb9f386d3bc1a5afcd0d14a67882d3937d01d565ddc0c782a43ccecb0f99c84246c51653c4a801521
Malware Config
Extracted
Family: xloader
Version: 2.5
Campaign: igwa
XLoader (the successor of Formbook) embeds a list of decoy domains alongside its single live C2 and contacts the decoys as well, and many of them are legitimate or parked sites. Use the list below to pivot in network telemetry, not as a block list.
Domains (from the extracted config):
listingswithalex.com
funtabse.com
aydenwalling.com
prochal.net
superfoodsnederland.com
moldluck.com
dianekgordon.store
regionalhomescommercial.com
mysecuritymadesimple.com
malwaremastery.com
kodaikeiko.com
jrzg996.com
agricurve.net
songlingjiu.com
virginianundahfishingclub.com
friendschance.com
pastelpresents.com
answertitles.com
survival-hunter.com
nxfddl.com
traditionnevertrend.com
agrovessel.com
unicorm.digital
cucumboy.com
alemdogarimpo.com
laraful.com
hexwaa.com
hanu21st.com
knoycia.com
qishengxing.com
gopipurespices.com
fdkkrfidkdslsieofkld.info
elephantspublications.online
valeriebeijing.com
xn--42cg2czax6ptae6a.com
2shengman.com
sfcshavedice.com
ragworkhouse.com
stardomfrokch.xyz
exoticcenterfold.com
eventosartifice.com
test-order-noren.com
110bao.com
face-pro.online
freedomoff.com
futuresep.com
tremblock.com
chocolat-gillotte.com
speclove.com
ddflsl.com
goodnewsmbc.net
cloudtotaal.com
goapps-auth.com
ouch247max.com
sabra-sd.com
luxuryneverhurt.art
rxvendorpills.online
ludowinners.online
placemyorder.online
skyrim.company
monsterlecturer.com
controle-fiscal.com
phoenixinjurylawyer.online
nanoheadgames.com
toposales.com
Signatures

Xloader Payload (3 IoCs)
YARA rule "xloader" matched these memory dumps:
behavioral2/memory/3100-119-0x0000000000400000-0x0000000000429000-memory.dmp
behavioral2/memory/3100-123-0x00000000004B0000-0x000000000055E000-memory.dmp
behavioral2/memory/2212-126-0x0000000002570000-0x0000000002599000-memory.dmp

Loads dropped DLL (1 IoC)
PID 3936 bunker inquiry_mv setaii.exe

Suspicious use of SetThreadContext (3 IoCs)
PID 3936 bunker inquiry_mv setaii.exe -> PID 3100 bunker inquiry_mv setaii.exe
PID 3100 bunker inquiry_mv setaii.exe -> PID 3056 Explorer.EXE
PID 2212 cmmon32.exe -> PID 3056 Explorer.EXE
Read together with the WriteProcessMemory events below and the process tree, this is the usual XLoader migration: the dropper hollows a second copy of itself, that copy injects into Explorer.EXE, and the code now running in Explorer.EXE starts a SysWOW64 system binary (cmmon32.exe here) which injects into Explorer.EXE again.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox labels this as likely ransomware behaviour, but the signature is generic and fires on drive enumeration alone; the extracted configuration identifies the sample as XLoader, an information stealer, not ransomware.

Suspicious behavior: EnumeratesProcesses (52 IoCs)
PID 3100 bunker inquiry_mv setaii.exe: 4 events
PID 2212 cmmon32.exe: 48 events

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
PID 3056 Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
PID 3100 bunker inquiry_mv setaii.exe: 3 events
PID 2212 cmmon32.exe: 2 events

Suspicious use of AdjustPrivilegeToken (2 IoCs)
PID 3100 bunker inquiry_mv setaii.exe: SeDebugPrivilege
PID 2212 cmmon32.exe: SeDebugPrivilege

Suspicious use of WriteProcessMemory (12 IoCs)
PID 3936 bunker inquiry_mv setaii.exe -> PID 3100 bunker inquiry_mv setaii.exe: 6 events
PID 3056 Explorer.EXE -> PID 2212 cmmon32.exe: 3 events
PID 2212 cmmon32.exe -> PID 1192 cmd.exe: 3 events
Processes
(indentation shows the parent/child relationship; PIDs are taken from the signature tables above)

C:\Windows\Explorer.EXE (PID 3056)
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory

  "C:\Users\Admin\AppData\Local\Temp\bunker inquiry_mv setaii.exe" (PID 3936)
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    "C:\Users\Admin\AppData\Local\Temp\bunker inquiry_mv setaii.exe" (PID 3100, hollowed copy)
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  "C:\Windows\SysWOW64\cmmon32.exe" (PID 2212)
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\bunker inquiry_mv setaii.exe" (PID 1192)
      (deletes the original dropper once the payload is resident in other processes)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

\Users\Admin\AppData\Local\Temp\nsy3BD9.tmp\neicq.dll
MD5: d50697c3b81e293127bf711efcf173b9
SHA1: e9e6bdf7323c768cd451e9bfb0d87d739e2acfd7
SHA256: 401b59eaf0a0b4adc9549e0bf341ebfad51c281cdd9c9f0a08bc2c561ca246a1
SHA512: f7f28c966d16acc2a8a4959a81a5b564e160d3c678b05de78206482b7d27bc52b170c38228a33fb28b8238ec83733ab15f8828da9b1af9409ca7ff800cd0ffb0
A DLL unpacked into a %TEMP%\ns*.tmp directory is the layout NSIS installers use for their plugins, which matches the "Loads dropped DLL" signature on PID 3936; this is the DLL to pull if you want the unpacking stage rather than the final payload.

Memory dumps (name: size)
memory/2212-125-0x0000000000300000-0x000000000030C000-memory.dmp: 48KB
memory/2212-126-0x0000000002570000-0x0000000002599000-memory.dmp: 164KB
memory/2212-127-0x0000000004500000-0x0000000004820000-memory.dmp: 3.1MB
memory/2212-128-0x0000000004360000-0x00000000044F6000-memory.dmp: 1.6MB
memory/3056-124-0x0000000005790000-0x00000000058D4000-memory.dmp: 1.3MB
memory/3056-129-0x0000000005C90000-0x0000000005DD5000-memory.dmp: 1.3MB
memory/3100-119-0x0000000000400000-0x0000000000429000-memory.dmp: 164KB
memory/3100-122-0x0000000000A60000-0x0000000000D80000-memory.dmp: 3.1MB
memory/3100-123-0x00000000004B0000-0x000000000055E000-memory.dmp: 696KB
memory/3936-120-0x0000000002450000-0x0000000002474000-memory.dmp: 144KB
The 164KB (0x29000-byte) region is present both in the hollowed sample copy (PID 3100, at the 32-bit default image base 0x400000) and in cmmon32.exe (PID 2212), and both copies are the ones the xloader YARA rule matched; that is the unpacked payload that migrated between the two processes, and either dump is the one to carve for static analysis.
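The dump names encode the PID and the region bounds, so the listed sizes can be recomputed and equal-sized regions can be correlated across processes to spot the payload that moved. The script below is an added example, not part of the report; the dump names, listed sizes and YARA hits are transcribed from this page, and the "same size in more than one PID, all copies flagged by the family rule" heuristic is mine. Equal size is only a lead, so confirm by diffing the dumps before treating two regions as the same code.

```python
"""Cross-check a sandbox memory-dump list: recompute each region's size from the
dump name, compare with the listed size, and find equal-sized regions that appear
in more than one process.

Added example, not part of the sandbox report. DUMPS and YARA_XLOADER are
transcribed from the report page; the matching heuristic is my own.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")

# dump name -> size as listed in the report's Downloads section
DUMPS: Dict[str, str] = {
    "memory/2212-125-0x0000000000300000-0x000000000030C000-memory.dmp": "48KB",
    "memory/2212-126-0x0000000002570000-0x0000000002599000-memory.dmp": "164KB",
    "memory/2212-127-0x0000000004500000-0x0000000004820000-memory.dmp": "3.1MB",
    "memory/2212-128-0x0000000004360000-0x00000000044F6000-memory.dmp": "1.6MB",
    "memory/3056-124-0x0000000005790000-0x00000000058D4000-memory.dmp": "1.3MB",
    "memory/3056-129-0x0000000005C90000-0x0000000005DD5000-memory.dmp": "1.3MB",
    "memory/3100-119-0x0000000000400000-0x0000000000429000-memory.dmp": "164KB",
    "memory/3100-122-0x0000000000A60000-0x0000000000D80000-memory.dmp": "3.1MB",
    "memory/3100-123-0x00000000004B0000-0x000000000055E000-memory.dmp": "696KB",
    "memory/3936-120-0x0000000002450000-0x0000000002474000-memory.dmp": "144KB",
}
# Dumps the report's "xloader" YARA rule matched.
YARA_XLOADER = {
    "memory/3100-119-0x0000000000400000-0x0000000000429000-memory.dmp",
    "memory/3100-123-0x00000000004B0000-0x000000000055E000-memory.dmp",
    "memory/2212-126-0x0000000002570000-0x0000000002599000-memory.dmp",
}


def parse_dump(name: str) -> dict:
    """Split '<pid>-<seq>-0x<start>-0x<end>' into numbers; reject malformed names."""
    m = DUMP_RE.fullmatch(name)
    if not m:
        raise ValueError(f"not a sandbox dump name: {name}")
    pid, seq, start, end = int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)
    if end <= start:
        raise ValueError(f"empty or inverted region: {name}")
    return {"pid": pid, "seq": seq, "start": start, "end": end, "size": end - start}


def human(n: int) -> str:
    """Same rounding the report uses: whole KB below 1 MiB, one decimal MB above."""
    return f"{n // 1024}KB" if n < 1 << 20 else f"{n / (1 << 20):.1f}MB"


def size_mismatches(dumps: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(name, listed, recomputed) for every dump whose listed size disagrees with its bounds."""
    out = []
    for name, listed in dumps.items():
        recomputed = human(parse_dump(name)["size"])
        if recomputed != listed:
            out.append((name, listed, recomputed))
    return out


def shared_sizes(dumps) -> Dict[int, List[str]]:
    """Region size -> dump names, only for sizes seen in more than one PID."""
    by_size = defaultdict(list)
    for name in dumps:
        by_size[parse_dump(name)["size"]].append(name)
    return {s: names for s, names in by_size.items()
            if len({parse_dump(n)["pid"] for n in names}) > 1}


def migrated_payloads(dumps, yara_hits) -> Dict[int, List[str]]:
    """Shared-size regions where every copy also carries the family YARA hit."""
    return {s: names for s, names in shared_sizes(dumps).items()
            if all(n in yara_hits for n in names)}


if __name__ == "__main__":
    print("size mismatches:", size_mismatches(DUMPS))
    for size, names in migrated_payloads(DUMPS, YARA_XLOADER).items():
        print(f"payload of {human(size)} (0x{size:X}) present in:")
        for n in names:
            print("  ", n)
```

On this report the only size shared by two PIDs whose copies are both YARA hits is 0x29000; the 3.1MB region is also duplicated between PIDs 3100 and 2212 but carries no family hit, so the script reports the former and leaves the latter for manual review.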