Analysis
- max time kernel: 254s
- max time network: 337s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 23-11-2022 14:41
Static task: static1
Behavioral task: behavioral1
- Sample: VSL_BUNKER INQ(009-010).exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: VSL_BUNKER INQ(009-010).exe
- Resource: win10v2004-20221111-en
General
- Target: VSL_BUNKER INQ(009-010).exe
- Size: 724KB
- MD5: a4cb79737cd6958c38b7bba6e414d795
- SHA1: 688d24bcf41841ad8d7b9b1b90ec6c5c20dae498
- SHA256: b93895bf25b4802252c954577edfceb1ec4288270bbd04a5aa6226f7c974774a
- SHA512: 0a7fd76c1ae2b8ca0974f0589cb1da4a1b8cbcd55d2f84cbd8f59f9f68ab4153b53d1d6394a9d80965c2a27ace3138bf237279be34704308a0315c1ba324b10b
- SSDEEP: 12288:Vx8sg+dhSpDh1rAKm4xUXXTXjfRCbYiLMTPcu3d6lM/:AkdU5z+JXTTfRGC3
Malware Config
Extracted
formbook
u2t4
is0/Kr2pwzJzsQ==
Br+Y1UJXBRwi
3xyPgizUdKz09BsETkl8og==
ze1TAoMAaDPX/7U=
UVOHbw2GAq+PuIWSsQ==
OFq93KpeAiRsF44pjf8c
UjleSFYu2ROPbM8guwc/3jgL5FIc2g==
ow7s/hPgGLjvqwpJxQRltDRE
3OpfZ+axwzJzsQ==
pL9MWhCRBLWPkHMroyxnEnVM
EkLh+4L0Zn/kqj3SzhKGlog=
7WFAPUAKqMzaOaf3h/0jUEsP5FIc2g==
Npp5j75QZShZGHHS0xKGlog=
TzqeenZDdYzTtA==
YZgC6XhkQ/MxdomLwxKGlog=
gZsaHLeQT/1Yl4FYhfAKLV/kkbg=
6jTksbcyDbLMEbkU
RlKKaAnhnksyMwR/mB9umKUWjocoa24=
oDtW4wgWu8cPx93u0AqTK2A7QzRM
JyJyIEb6tH/4mdvroC9pDnIi5FIc2g==
rpcnsB0attg=
L6ZgGyzPvzqOuw==
kaTSWyMkNxdprA==
RRg2SHb71oHCgyhSW+M=
/eLZzdHk2nTEl3KkT9gU
a0JE4nD6hbwGCicFTkl8og==
axYgwUXNm3jeBrc=
H5tKHyP3TFiTCDn8Tkl8og==
OUN5YAjiBx6kk6Cjsw==
RmQa5gKoufA7whLyTkl8og==
gNM2F7colZ/+GMs27DNR2jPf/yFG
Tgr1k0cYUgQ7NP5pFlm1+WJd
p26VU8CiZhmkk6Cjsw==
dzhYEZKIn/vR36w=
KqqRkHgVNoGaK9Ac
FwBbWuCmyew+uIWSsQ==
YuaWcoBIkCxMadQe
rPiRoTwJJE7MEbkU
3qicQvq1Oei9iSWYlBxltDRE
0KGchIn6Lw1vrA==
NiBQLc9KxXRVc5p6dqzJ2Bftr7s=
c9SNPVy5Gs27z/C1drvTSgmaJDxR
7HZADkQGI07MEbkU
KfAG3V41CA5+VrMHsAVltDRE
Aa6hkYlMgh8NlOIpjf8c
u/BhAjT3w3KsESxvhfo=
jqD0xWEQO+5PGaBNjM0F
Loh5g58O4uicscO5uQ==
Z5AhAyegmEgUnUy0aPNltDRE
RYIm3+mHeDIph/A4xFyGk2wN5FIc2g==
pfyYp0In+6rsNh/1Tkl8og==
oUdcEplGjkeJNp0pjf8c
DNT50Hw5cCBwNpHWZJGvT5o7QzRM
gERvZwdtzo6LuIWSsQ==
hD5H6YMisG1FFxxdXvkL
ucMLy18YuOddeR5yddj5Ig3EXLUCymY=
WS5E+6FZqh1Byx4c
Sz6EI2vnWnnxIehWackLiAkM5QjpsMJA
2gKHeQl6xF5NZD25xxKGlog=
Li/5+iDztmY1
dLZUFS7nBSho4Ckprilc7EsP5FIc2g==
/OI49XkPmbS7HI8pjf8c
mjYNLsY9lzIaKyhSW+M=
0pbke8L7wzJzsQ==
michellegobbi.com
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    Key value queried: \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Control Panel\International\Geo\Nation (process: VSL_BUNKER INQ(009-010).exe)
- Suspicious use of SetThreadContext (3 IoCs)
  Processes:
    PID 556 set thread context of 864: VSL_BUNKER INQ(009-010).exe -> VSL_BUNKER INQ(009-010).exe
    PID 864 set thread context of 1272: VSL_BUNKER INQ(009-010).exe -> Explorer.EXE (2 occurrences)
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes:
    PID 864 VSL_BUNKER INQ(009-010).exe (5 occurrences)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    PID 1272 Explorer.EXE
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes:
    PID 864 VSL_BUNKER INQ(009-010).exe (2 occurrences)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    Token: SeDebugPrivilege, PID 864 VSL_BUNKER INQ(009-010).exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
    PID 556 wrote to memory of 864: VSL_BUNKER INQ(009-010).exe -> VSL_BUNKER INQ(009-010).exe (7 occurrences)
    PID 1272 wrote to memory of 848: Explorer.EXE -> svchost.exe (4 occurrences)
Processes
- [1] C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE) PID:1272
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\VSL_BUNKER INQ(009-010).exe (command line: "C:\Users\Admin\AppData\Local\Temp\VSL_BUNKER INQ(009-010).exe") PID:556
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\VSL_BUNKER INQ(009-010).exe (command line: "C:\Users\Admin\AppData\Local\Temp\VSL_BUNKER INQ(009-010).exe") PID:864
          Checks computer location settings
          Suspicious use of SetThreadContext
          Suspicious behavior: EnumeratesProcesses
          Suspicious behavior: MapViewOfSection
          Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\svchost.exe (command line: "C:\Windows\SysWOW64\svchost.exe") PID:848
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/556-54-0x0000000001280000-0x000000000133A000-memory.dmp (Filesize: 744KB)
- memory/556-55-0x0000000076391000-0x0000000076393000-memory.dmp (Filesize: 8KB)
- memory/556-56-0x00000000009E0000-0x00000000009F8000-memory.dmp (Filesize: 96KB)
- memory/556-57-0x0000000000400000-0x000000000040C000-memory.dmp (Filesize: 48KB)
- memory/556-58-0x0000000007D60000-0x0000000007DD0000-memory.dmp (Filesize: 448KB)
- memory/556-59-0x0000000000DF0000-0x0000000000E26000-memory.dmp (Filesize: 216KB)
- memory/864-66-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
- memory/864-71-0x0000000000120000-0x0000000000130000-memory.dmp (Filesize: 64KB)
- memory/864-64-0x00000000004012B0-mapping.dmp
- memory/864-63-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
- memory/864-60-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
- memory/864-67-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
- memory/864-68-0x0000000000401000-0x000000000042F000-memory.dmp (Filesize: 184KB)
- memory/864-69-0x0000000000920000-0x0000000000C23000-memory.dmp (Filesize: 3.0MB)
- memory/864-70-0x0000000000422000-0x0000000000424000-memory.dmp (Filesize: 8KB)
- memory/864-61-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
- memory/864-78-0x0000000000401000-0x000000000042F000-memory.dmp (Filesize: 184KB)
- memory/864-74-0x0000000000422000-0x0000000000424000-memory.dmp (Filesize: 8KB)
- memory/864-75-0x0000000000270000-0x0000000000280000-memory.dmp (Filesize: 64KB)
- memory/864-77-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
- memory/1272-76-0x0000000006EC0000-0x0000000006FEE000-memory.dmp (Filesize: 1.2MB)
- memory/1272-72-0x0000000004980000-0x0000000004A43000-memory.dmp (Filesize: 780KB)
- memory/1272-79-0x0000000006EC0000-0x0000000006FEE000-memory.dmp (Filesize: 1.2MB)