Analysis
max time kernel: 150s
max time network: 155s
platform: windows10_x64
resource: win10-en-20210920
submitted: 28-09-2021 17:51
Static task: static1
Behavioral task: behavioral1
Sample: BERN210819.exe
Resource: win7v20210408
General
Target: BERN210819.exe
Size: 284KB
MD5: b0f2fa7defaf207ebf652f84d9fc52ed
SHA1: 9edb65c5fc90b3221ce5d291e7809aa328b80976
SHA256: 93400ffcff8607b9cb7642b7fe7f53d2e70e94bdf50f7aa8ca1696b28a93e80f
SHA512: 100426d03e8893de86bca50b3152913d1e198d41b5b1b4a2baec1b45cac98d280f8d300fb5d2c83b651604b84afc2086a62a51a2121fa6048a5c809d9277c108
Malware Config
Extracted
xloader
2.5
dhua
http://www.segurosramosroman.com/dhua/
ketostar.club
icanmakeyoufamous.com
claimygdejection.com
garlicinterestedparent.xyz
bits-clicks.com
030atk.xyz
ballwiegand.com
logs-illumidesk.com
785686.com
flnewsfeed.com
transporteshrj.net
agenciamundodigital.online
bowersllc.com
urchncenw.com
wuauwuaumx.com
littlesportsacademy.com
xn--m3chb3ax0abdta3fwhk.com
prmarketings.com
jiaozhanlianmeng.com
whenisthestore.space
ventureagora.net
ditrixmed.store
gitlab-tamskillpage.com
samgravikasnidhi.com
lenti4you.com
reviewallstarscommerce.com
nissimarble.com
md2px.xyz
tristarelectronics.net
you11.net
vaccinationfraud.xyz
bu3helo.com
marcellcheckpoint.com
hassinkandroos.com
socw.quest
screenedscooptoknow-today.info
aciburada.com
edimacare.com
smokenation.net
elga-groupinc.com
26dgj.xyz
chandleenews.com
sugarcanemultisport.com
nichellejonesrealtor.com
architektschnur.com
atehgroup.com
ocoeeboys.com
zanesells.com
878971.com
infringement-notice.com
orzame.com
darlindough.com
bwpassionenterprise.com
switchress.com
willcowblog.online
rsyncpalace.com
ayderstudio.com
ascotintrenational.com
omeducationhelp.com
kimberleydawnwallace.com
thereisnooneway.com
marketobserve.com
sildenafilnrx.com
willowbaldwin.com
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Xloader Payload 3 IoCs
Processes:
resource                                                                      yara_rule
behavioral2/memory/2596-116-0x0000000000400000-0x0000000000429000-memory.dmp  xloader
behavioral2/memory/2596-117-0x000000000041D4E0-mapping.dmp                    xloader
behavioral2/memory/2660-123-0x00000000027D0000-0x00000000027F9000-memory.dmp  xloader
-
Loads dropped DLL 1 IoCs
Processes:
pid   process
2384  BERN210819.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
description                          pid   process         target process
PID 2384 set thread context of 2596  2384  BERN210819.exe  BERN210819.exe
PID 2596 set thread context of 1588  2596  BERN210819.exe  Explorer.EXE
PID 2660 set thread context of 1588  2660  svchost.exe     Explorer.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 60 IoCs
Processes:
pid   process
2596  BERN210819.exe  (4 entries)
2660  svchost.exe     (56 entries; 60 entries in total)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid   process
1588  Explorer.EXE
-
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
pid   process
2596  BERN210819.exe  (3 entries)
2660  svchost.exe     (2 entries)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description              pid   process
Token: SeDebugPrivilege  2596  BERN210819.exe
Token: SeDebugPrivilege  2660  svchost.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description                       pid   process         target process
PID 2384 wrote to memory of 2596  2384  BERN210819.exe  BERN210819.exe  (6 entries)
PID 1588 wrote to memory of 2660  1588  Explorer.EXE    svchost.exe     (3 entries)
PID 2660 wrote to memory of 2720  2660  svchost.exe     cmd.exe         (3 entries)
Processes
-
C:\Windows\Explorer.EXE (tree depth 1)
Command line: C:\Windows\Explorer.EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\BERN210819.exe (tree depth 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\BERN210819.exe"
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\BERN210819.exe (tree depth 3)
Command line: "C:\Users\Admin\AppData\Local\Temp\BERN210819.exe"
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\svchost.exe (tree depth 2)
Command line: "C:\Windows\SysWOW64\svchost.exe"
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe (tree depth 3)
Command line: /c del "C:\Users\Admin\AppData\Local\Temp\BERN210819.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
\Users\Admin\AppData\Local\Temp\nsm8BAD.tmp\bzkahjp.dll
MD5
2c04f5d982279cac9278682eb2d948d5
SHA1
8e632d91fe7645c3f093587d4200d7b6e0d1726a
SHA256
41dca50a93e75e133a04b71bc3b274e68eff1e6355e0ccfd6b41388011144666
SHA512
a3758e250ec220298f2abd7365906258579f37c47ee7f8bf88474e1213335ffa357f2a6d37e482df72e3b1a976435b868bb6e498625e9c0e7e289267e6c483f9
-
memory/1588-127-0x0000000006760000-0x00000000068E5000-memory.dmp
Filesize
1.5MB
-
memory/1588-120-0x0000000004FF0000-0x0000000005191000-memory.dmp
Filesize
1.6MB
-
memory/2596-116-0x0000000000400000-0x0000000000429000-memory.dmp
Filesize
164KB
-
memory/2596-117-0x000000000041D4E0-mapping.dmp
-
memory/2596-119-0x00000000005D0000-0x00000000005E1000-memory.dmp
Filesize
68KB
-
memory/2596-118-0x0000000000A40000-0x0000000000D60000-memory.dmp
Filesize
3.1MB
-
memory/2660-121-0x0000000000000000-mapping.dmp
-
memory/2660-124-0x0000000003120000-0x0000000003440000-memory.dmp
Filesize
3.1MB
-
memory/2660-122-0x0000000000340000-0x000000000034C000-memory.dmp
Filesize
48KB
-
memory/2660-126-0x0000000002F90000-0x0000000003020000-memory.dmp
Filesize
576KB
-
memory/2660-123-0x00000000027D0000-0x00000000027F9000-memory.dmp
Filesize
164KB
-
memory/2720-125-0x0000000000000000-mapping.dmp