BERN210819pdf.iso

General
Target

BERN210819,pdf.exe

Filesize

616KB

Completed

24-09-2021 10:44

Score

10/10
MD5

4e84e3537287ca732e9faae1ffa27c19

SHA1

1a467e5038acc974d00cabcef9ecf068f12d0e37

SHA256

88f0241ee02cce35f746e793e2c00fd9f7527e12493361d402d5dc0c770c2723

Malware Config

Extracted

Family xloader
Version 2.5
Campaign dhua
C2

http://www.segurosramosroman.com/dhua/

Decoy


Signatures 22

Tactics: Collection, Credential Access, Defense Evasion, Discovery, Persistence
  • Formbook

    Description

    Formbook is an information-stealing malware family.

  • Xloader

    Description

    Xloader is a rebranded version of Formbook malware.

  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    Description

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    Tags

  • suricata: ET MALWARE FormBook CnC Checkin (POST) M2

    Description

    suricata: ET MALWARE FormBook CnC Checkin (POST) M2

    Tags

  • Xloader Payload

    Tags

    Reported IOCs

    resource | yara_rule
    behavioral2/memory/788-115-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
    behavioral2/memory/788-116-0x000000000041D4E0-mapping.dmp | xloader
    behavioral2/memory/60-122-0x0000000000650000-0x0000000000679000-memory.dmp | xloader
    behavioral2/memory/636-133-0x000000000041D4E0-mapping.dmp | xloader
  • Executes dropped EXE
    pxfxv4bth.exe, pxfxv4bth.exe

    Reported IOCs

    pid | process
    3976 | pxfxv4bth.exe
    636 | pxfxv4bth.exe
  • Loads dropped DLL
    BERN210819,pdf.exe, pxfxv4bth.exe

    Reported IOCs

    pid | process
    628 | BERN210819,pdf.exe
    3976 | pxfxv4bth.exe
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials.

    TTPs

    Data from Local System, Credentials in Files
  • Adds Run key to start application
    rundll32.exe

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry

    Reported IOCs

    description | ioc | process
    Key created | \Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | rundll32.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\S8QLWHE0PJ = "C:\\Program Files (x86)\\Tdxmtib8\\pxfxv4bth.exe" | rundll32.exe
  • Suspicious use of SetThreadContext
    BERN210819,pdf.exe, BERN210819,pdf.exe, rundll32.exe, pxfxv4bth.exe

    Reported IOCs

    description | pid | process | target process
    PID 628 set thread context of 788 | 628 | BERN210819,pdf.exe | BERN210819,pdf.exe
    PID 788 set thread context of 2996 | 788 | BERN210819,pdf.exe | Explorer.EXE
    PID 60 set thread context of 2996 | 60 | rundll32.exe | Explorer.EXE
    PID 3976 set thread context of 636 | 3976 | pxfxv4bth.exe | pxfxv4bth.exe
  • Drops file in Program Files directory
    rundll32.exe, Explorer.EXE

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Program Files (x86)\Tdxmtib8\pxfxv4bth.exe | rundll32.exe
    File opened for modification | C:\Program Files (x86)\Tdxmtib8 | Explorer.EXE
    File created | C:\Program Files (x86)\Tdxmtib8\pxfxv4bth.exe | Explorer.EXE
    File opened for modification | C:\Program Files (x86)\Tdxmtib8\pxfxv4bth.exe | Explorer.EXE
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • NSIS installer

    Tags

    Reported IOCs

    resource | yara_rule
    behavioral2/files/0x000100000001ab4c-128.dat | nsis_installer_1
    behavioral2/files/0x000100000001ab4c-128.dat | nsis_installer_2
    behavioral2/files/0x000100000001ab4c-129.dat | nsis_installer_1
    behavioral2/files/0x000100000001ab4c-129.dat | nsis_installer_2
    behavioral2/files/0x000100000001ab4c-134.dat | nsis_installer_1
    behavioral2/files/0x000100000001ab4c-134.dat | nsis_installer_2
  • Modifies Internet Explorer settings
    rundll32.exe

    TTPs

    Modify Registry

    Reported IOCs

    description | ioc | process
    Key created | \Registry\User\S-1-5-21-1594587808-2047097707-2163810515-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | rundll32.exe
  • Modifies registry class
    Explorer.EXE

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance | Explorer.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance | Explorer.EXE
  • Suspicious behavior: EnumeratesProcesses
    BERN210819,pdf.exe, rundll32.exe, pxfxv4bth.exe

    Reported IOCs

    pid | process
    788 | BERN210819,pdf.exe (x4)
    60 | rundll32.exe (x50)
    636 | pxfxv4bth.exe (x2)
    60 | rundll32.exe (x4)
  • Suspicious behavior: GetForegroundWindowSpam
    Explorer.EXE

    Reported IOCs

    pid | process
    2996 | Explorer.EXE
  • Suspicious behavior: MapViewOfSection
    BERN210819,pdf.exe, rundll32.exe

    Reported IOCs

    pid | process
    788 | BERN210819,pdf.exe (x3)
    60 | rundll32.exe (x4)
  • Suspicious use of AdjustPrivilegeToken
    BERN210819,pdf.exe, rundll32.exe, Explorer.EXE, pxfxv4bth.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 788 | BERN210819,pdf.exe
    Token: SeDebugPrivilege | 60 | rundll32.exe
    Token: SeShutdownPrivilege | 2996 | Explorer.EXE (x7)
    Token: SeCreatePagefilePrivilege | 2996 | Explorer.EXE (x7)
    Token: SeDebugPrivilege | 636 | pxfxv4bth.exe
  • Suspicious use of FindShellTrayWindow
    Explorer.EXE

    Reported IOCs

    pid | process
    2996 | Explorer.EXE (x10)
  • Suspicious use of SendNotifyMessage
    Explorer.EXE

    Reported IOCs

    pid | process
    2996 | Explorer.EXE (x2)
  • Suspicious use of WriteProcessMemory
    BERN210819,pdf.exe, Explorer.EXE, rundll32.exe, pxfxv4bth.exe

    Reported IOCs

    description | pid | process | target process
    PID 628 wrote to memory of 788 | 628 | BERN210819,pdf.exe | BERN210819,pdf.exe (x6)
    PID 2996 wrote to memory of 60 | 2996 | Explorer.EXE | rundll32.exe (x3)
    PID 60 wrote to memory of 396 | 60 | rundll32.exe | cmd.exe (x3)
    PID 2996 wrote to memory of 3976 | 2996 | Explorer.EXE | pxfxv4bth.exe (x3)
    PID 3976 wrote to memory of 636 | 3976 | pxfxv4bth.exe | pxfxv4bth.exe (x6)
    PID 60 wrote to memory of 64 | 60 | rundll32.exe | Firefox.exe (x3)
Processes 9
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    Drops file in Program Files directory
    Modifies registry class
    Suspicious behavior: GetForegroundWindowSpam
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of FindShellTrayWindow
    Suspicious use of SendNotifyMessage
    Suspicious use of WriteProcessMemory
    PID:2996
    • C:\Users\Admin\AppData\Local\Temp\BERN210819,pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\BERN210819,pdf.exe"
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:628
      • C:\Users\Admin\AppData\Local\Temp\BERN210819,pdf.exe
        "C:\Users\Admin\AppData\Local\Temp\BERN210819,pdf.exe"
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        PID:788
    • C:\Windows\SysWOW64\autofmt.exe
      "C:\Windows\SysWOW64\autofmt.exe"
      PID:984
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\SysWOW64\rundll32.exe"
      Adds Run key to start application
      Suspicious use of SetThreadContext
      Drops file in Program Files directory
      Modifies Internet Explorer settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:60
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\BERN210819,pdf.exe"
        PID:396
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        PID:64
    • C:\Program Files (x86)\Tdxmtib8\pxfxv4bth.exe
      "C:\Program Files (x86)\Tdxmtib8\pxfxv4bth.exe"
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:3976
      • C:\Program Files (x86)\Tdxmtib8\pxfxv4bth.exe
        "C:\Program Files (x86)\Tdxmtib8\pxfxv4bth.exe"
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        PID:636
Downloads
  • C:\Program Files (x86)\Tdxmtib8\pxfxv4bth.exe
    MD5 4e84e3537287ca732e9faae1ffa27c19
    SHA1 1a467e5038acc974d00cabcef9ecf068f12d0e37
    SHA256 88f0241ee02cce35f746e793e2c00fd9f7527e12493361d402d5dc0c770c2723
    SHA512 aeec388a9b36b58c2453847c8d0ce43934b3e05f72b4addc15b0bcb40078a2c0f3b6fe4b3e30460e3d7fcb6c917d9aeb350ed767500052d35df1887958189f9a
  • C:\Users\Admin\AppData\Local\Temp\ajea5nnmptz6
    MD5 6d24d4bbf45bd0c7a82076b218631c79
    SHA1 bf3c2b2e48e7c3c23cb615f1510eab1fcad82a1e
    SHA256 2cb950dbe1722ad592c4e1f73d5e7427bde243f0c999a14fb21c0d2caf861309
    SHA512 cc74826743f9fefb1d850d80ad2ae057d6857c69f906bf86dc5b1566e91748fea53fb438469d2ccc8c9713d12b89c84555a11109952ae3689c00e0352be20216
  • \Users\Admin\AppData\Local\Temp\nsb8D48.tmp\ybgawykltm.dll
    MD5 7eb7bb72d35d47ce100611a5d9070bad
    SHA1 57932df2c7e6de5c2bf8f6d3aa11f830ff4840f5
    SHA256 73f5b73a7b02ab04cc15e4bd074ce4d38fa4ed77354f1a5937bd73bd5f48fb97
    SHA512 2ced82575e24c2eac3c7b079ecafc1ff1880df5594671a4ab76b0c447af487eaaa9675d911cf9e7001e11356556e6af2b15f03a2001d5a2dd5e0e40b5f40b10d
  • \Users\Admin\AppData\Local\Temp\nsz9E26.tmp\ybgawykltm.dll
    MD5 7eb7bb72d35d47ce100611a5d9070bad
    SHA1 57932df2c7e6de5c2bf8f6d3aa11f830ff4840f5
    SHA256 73f5b73a7b02ab04cc15e4bd074ce4d38fa4ed77354f1a5937bd73bd5f48fb97
    SHA512 2ced82575e24c2eac3c7b079ecafc1ff1880df5594671a4ab76b0c447af487eaaa9675d911cf9e7001e11356556e6af2b15f03a2001d5a2dd5e0e40b5f40b10d
  • memory/60-120-0x0000000000000000-mapping.dmp
  • memory/60-121-0x00000000008D0000-0x00000000008E3000-memory.dmp
  • memory/60-122-0x0000000000650000-0x0000000000679000-memory.dmp
  • memory/60-123-0x00000000044A0000-0x00000000047C0000-memory.dmp
  • memory/60-125-0x00000000043A0000-0x0000000004430000-memory.dmp
  • memory/64-137-0x00007FF645F20000-0x00007FF645FB3000-memory.dmp
  • memory/64-136-0x0000000000000000-mapping.dmp
  • memory/64-138-0x000001BE54240000-0x000001BE54346000-memory.dmp
  • memory/396-124-0x0000000000000000-mapping.dmp
  • memory/636-135-0x0000000000980000-0x0000000000CA0000-memory.dmp
  • memory/636-133-0x000000000041D4E0-mapping.dmp
  • memory/788-115-0x0000000000400000-0x0000000000429000-memory.dmp
  • memory/788-117-0x0000000000A40000-0x0000000000D60000-memory.dmp
  • memory/788-118-0x0000000000600000-0x0000000000611000-memory.dmp
  • memory/788-116-0x000000000041D4E0-mapping.dmp
  • memory/2996-119-0x00000000053F0000-0x0000000005595000-memory.dmp
  • memory/2996-126-0x0000000002E90000-0x0000000002F89000-memory.dmp
  • memory/3976-127-0x0000000000000000-mapping.dmp