Analysis
max time kernel: 147s
max time network: 12s
platform: windows7_x64
resource: win7v20201028
submitted: 21-01-2021 15:37
Static task: static1
Behavioral task: behavioral1
Sample: worked.exe
Resource: win7v20201028
General
Target: worked.exe
Size: 776KB
MD5: a8417cfd71637c7371986737cff269cf
SHA1: 62764e915771688218d9e93d139a85f8d983e2b8
SHA256: ed806d196c4c8573b7044e2a1f98f01527947c6e95e97a6e9b061ede6ec75664
SHA512: 35af7f1511402987a6abcb14ce1be7ccfeaee5fa11ae6c66eb9b1ac0d3dd6690e6f1be8e1163c90b8104b4845da89d7468484b730dc669340694a7a21feeb181
Malware Config
Extracted
formbook
Signatures
-
Formbook Payload 3 IoCs
Processes:
resource  yara_rule
behavioral1/memory/580-10-0x0000000000400000-0x000000000042E000-memory.dmp  formbook
behavioral1/memory/580-11-0x000000000041EAE0-mapping.dmp  formbook
behavioral1/memory/368-20-0x0000000000090000-0x00000000000BE000-memory.dmp  formbook
-
Deletes itself 1 IoCs
Processes:
pid  process
1168  cmd.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
description  pid  process  target process
PID 1632 set thread context of 580  1632  worked.exe  worked.exe
PID 580 set thread context of 1272  580  worked.exe  Explorer.EXE
PID 368 set thread context of 1272  368  msiexec.exe  Explorer.EXE
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
Processes:
pid  process
580  worked.exe (2 entries)
368  msiexec.exe (18 entries)
-
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
pid  process
580  worked.exe (3 entries)
368  msiexec.exe (2 entries)
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description  pid  process
Token: SeDebugPrivilege  1632  worked.exe
Token: SeDebugPrivilege  580  worked.exe
Token: SeDebugPrivilege  368  msiexec.exe
-
Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
pid  process
1272  Explorer.EXE (4 entries)
-
Suspicious use of SendNotifyMessage 4 IoCs
Processes:
pid  process
1272  Explorer.EXE (4 entries)
-
Suspicious use of WriteProcessMemory 22 IoCs
Processes:
description  pid  process  target process
PID 1632 wrote to memory of 1780  1632  worked.exe  schtasks.exe (4 entries)
PID 1632 wrote to memory of 580  1632  worked.exe  worked.exe (7 entries)
PID 1272 wrote to memory of 368  1272  Explorer.EXE  msiexec.exe (7 entries)
PID 368 wrote to memory of 1168  368  msiexec.exe  cmd.exe (4 entries)
Processes
-
C:\Windows\Explorer.EXE (level 1)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\worked.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\worked.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\schtasks.exe (level 3)
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kZrPLNaWRaF" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF8D0.tmp"
      - Creates scheduled task(s)
    C:\Users\Admin\AppData\Local\Temp\worked.exe (level 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\worked.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\msiexec.exe (level 2)
    Command line: "C:\Windows\SysWOW64\msiexec.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (level 3)
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\worked.exe"
      - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpF8D0.tmp
MD5: 62d40d943dc0ae5f55a7c223219f2fab
SHA1: f9139dd72b3b2546ba8324f230bb43d077b9d0be
SHA256: f11d55745b41351cb6a74f5629a6108f94394bb438e926c5af63e58734b87522
SHA512: fac0d9a2061d16da97fe81f650228ceba7e69886b4ffe3f5fccada076baf39c5f8fef54fd47eb9531eee88c274dbb9c946accd0f334107d967fa8e052b149bb3
-
memory/368-16-0x0000000000000000-mapping.dmp
memory/368-22-0x0000000000B00000-0x0000000000B93000-memory.dmp  Filesize 588KB
memory/368-21-0x0000000002480000-0x0000000002783000-memory.dmp  Filesize 3.0MB
memory/368-20-0x0000000000090000-0x00000000000BE000-memory.dmp  Filesize 184KB
memory/368-19-0x0000000000ED0000-0x0000000000EE4000-memory.dmp  Filesize 80KB
memory/368-17-0x0000000076341000-0x0000000076343000-memory.dmp  Filesize 8KB
memory/580-11-0x000000000041EAE0-mapping.dmp
memory/580-13-0x00000000008F0000-0x0000000000BF3000-memory.dmp  Filesize 3.0MB
memory/580-14-0x0000000000350000-0x0000000000364000-memory.dmp  Filesize 80KB
memory/580-10-0x0000000000400000-0x000000000042E000-memory.dmp  Filesize 184KB
memory/1168-18-0x0000000000000000-mapping.dmp
memory/1272-15-0x0000000005020000-0x00000000050F6000-memory.dmp  Filesize 856KB
memory/1632-2-0x00000000745C0000-0x0000000074CAE000-memory.dmp  Filesize 6.9MB
memory/1632-7-0x00000000075D0000-0x0000000007636000-memory.dmp  Filesize 408KB
memory/1632-6-0x0000000004110000-0x0000000004111000-memory.dmp  Filesize 4KB
memory/1632-5-0x0000000000540000-0x0000000000563000-memory.dmp  Filesize 140KB
memory/1632-3-0x0000000000020000-0x0000000000021000-memory.dmp  Filesize 4KB
memory/1780-8-0x0000000000000000-mapping.dmp