Overview

overview

10

Static

static

worked.exe

windows7_x64

10

worked.exe

windows10_x64

10

Analysis

  • max time kernel
    147s
  • max time network
    12s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    21-01-2021 15:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    worked.exe

  • Size

    776KB

  • MD5

    a8417cfd71637c7371986737cff269cf

  • SHA1

    62764e915771688218d9e93d139a85f8d983e2b8

  • SHA256

    ed806d196c4c8573b7044e2a1f98f01527947c6e95e97a6e9b061ede6ec75664

  • SHA512

    35af7f1511402987a6abcb14ce1be7ccfeaee5fa11ae6c66eb9b1ac0d3dd6690e6f1be8e1163c90b8104b4845da89d7468484b730dc669340694a7a21feeb181

Score
10/10
formbookransomwareratspywarestealertrojan

Malware Config

Extracted

Family

formbook

C2

http://www.maalkhairaatwosu.com/zn7/

Decoy

xaozal.com

yanafarms.com

domennyarendi64.net

bumiflogrance.com

cre8tivspace.com

s3video.com

eshelwoodwork.com

centaurme.com

novarticle.com

jbastavi.com

hueandboldcreative.com

phraeudom.com

bright.discount

brandonandrana.com

budundergisi.xyz

wedochin.com

cryptowaveride.com

dunnwrightconst.com

hakador.net

costcostock.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 3 IoCs
    rat
  • Deletes itself 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    ransomware
  • Suspicious use of SetThreadContext 3 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1272
    • C:\Users\Admin\AppData\Local\Temp\worked.exe
      "C:\Users\Admin\AppData\Local\Temp\worked.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1632
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kZrPLNaWRaF" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF8D0.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:1780
      • C:\Users\Admin\AppData\Local\Temp\worked.exe
        "C:\Users\Admin\AppData\Local\Temp\worked.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:580
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:368
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\worked.exe"
        3⤵
        • Deletes itself
        PID:1168

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpF8D0.tmp
    MD5

    62d40d943dc0ae5f55a7c223219f2fab

    SHA1

    f9139dd72b3b2546ba8324f230bb43d077b9d0be

    SHA256

    f11d55745b41351cb6a74f5629a6108f94394bb438e926c5af63e58734b87522

    SHA512

    fac0d9a2061d16da97fe81f650228ceba7e69886b4ffe3f5fccada076baf39c5f8fef54fd47eb9531eee88c274dbb9c946accd0f334107d967fa8e052b149bb3

    Download Submit
  • memory/368-16-0x0000000000000000-mapping.dmp
    Download
  • memory/368-22-0x0000000000B00000-0x0000000000B93000-memory.dmp
    Filesize

    588KB

    Download
  • memory/368-21-0x0000000002480000-0x0000000002783000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/368-20-0x0000000000090000-0x00000000000BE000-memory.dmp
    Filesize

    184KB

    Download
  • memory/368-19-0x0000000000ED0000-0x0000000000EE4000-memory.dmp
    Filesize

    80KB

    Download
  • memory/368-17-0x0000000076341000-0x0000000076343000-memory.dmp
    Filesize

    8KB

    Download
  • memory/580-11-0x000000000041EAE0-mapping.dmp
    Download
  • memory/580-13-0x00000000008F0000-0x0000000000BF3000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/580-14-0x0000000000350000-0x0000000000364000-memory.dmp
    Filesize

    80KB

    Download
  • memory/580-10-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/1168-18-0x0000000000000000-mapping.dmp
    Download
  • memory/1272-15-0x0000000005020000-0x00000000050F6000-memory.dmp
    Filesize

    856KB

    Download
  • memory/1632-2-0x00000000745C0000-0x0000000074CAE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1632-7-0x00000000075D0000-0x0000000007636000-memory.dmp
    Filesize

    408KB

    Download
  • memory/1632-6-0x0000000004110000-0x0000000004111000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1632-5-0x0000000000540000-0x0000000000563000-memory.dmp
    Filesize

    140KB

    Download
  • memory/1632-3-0x0000000000020000-0x0000000000021000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1780-8-0x0000000000000000-mapping.dmp
    Download