Analysis
- max time kernel: 149s
- max time network: 134s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 21-01-2021 15:37
Static task: static1
Behavioral task: behavioral1
- Sample: worked.exe
- Resource: win7v20201028
General
- Target: worked.exe
- Size: 776KB
- MD5: a8417cfd71637c7371986737cff269cf
- SHA1: 62764e915771688218d9e93d139a85f8d983e2b8
- SHA256: ed806d196c4c8573b7044e2a1f98f01527947c6e95e97a6e9b061ede6ec75664
- SHA512: 35af7f1511402987a6abcb14ce1be7ccfeaee5fa11ae6c66eb9b1ac0d3dd6690e6f1be8e1163c90b8104b4845da89d7468484b730dc669340694a7a21feeb181
Malware Config
Extracted family: formbook
C2 URL: http://www.maalkhairaatwosu.com/zn7/
Domains (a Formbook config carries one live C2 path plus a list of decoy domains that the bot also contacts; the extractor does not mark which of the entries below are decoys, so do not block or attribute on the domain list alone):
xaozal.com
yanafarms.com
domennyarendi64.net
bumiflogrance.com
cre8tivspace.com
s3video.com
eshelwoodwork.com
centaurme.com
novarticle.com
jbastavi.com
hueandboldcreative.com
phraeudom.com
bright.discount
brandonandrana.com
budundergisi.xyz
wedochin.com
cryptowaveride.com
dunnwrightconst.com
hakador.net
costcostock.com
journeysenterprises.com
tuhocnet.com
yourfitential.com
kingomauctions.com
goodiscs.com
wzqp7.com
alamolog.com
primerpuntoferretero.com
sharonrebucas.com
redtentmotorhomes.com
searko.com
gildcash.com
campsensation.com
myfreeinvitation.com
esuenud.com
yourbeachholiday.com
myvisscard.com
wasalnygroup.com
mvuraskin.com
crystalwiththecrystalz.com
pincmd.com
sgh.plus
arkediem.com
24hrsby7.com
andreygrizenko.online
liveincrestline.com
wearecdi.com
imagestexas.com
tranz4mations.com
helixcoffeehouse.com
investmentresourcesaz.com
a-miin.com
marisadelucia.com
minileprix.com
salesfunnelfairy.net
necroticpowerful.xyz
devarista.tech
peterbreuer.com
greenlandbuilders.com
davidgaleano.com
redfalken.com
idiocy.online
noahbrewer.net
alkhaleejnews.net
Signatures
-
Formbook Payload 3 IoCs
Processes (resource: yara_rule):
- behavioral2/memory/3644-15-0x0000000000400000-0x000000000042E000-memory.dmp: formbook
- behavioral2/memory/3644-16-0x000000000041EAE0-mapping.dmp: formbook
- behavioral2/memory/2272-24-0x0000000000430000-0x000000000045E000-memory.dmp: formbook
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "Likely ransomware behaviour"; here the extracted config identifies the payload as Formbook, an information stealer, so the drive enumeration should be read in that context rather than as an encryption indicator.
-
Suspicious use of SetThreadContext 3 IoCs
Processes (pid process -> target pid target process):
- PID 728 worked.exe set thread context of 3644 worked.exe
- PID 3644 worked.exe set thread context of 2868 Explorer.EXE
- PID 2272 cmstp.exe set thread context of 2868 Explorer.EXE
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 38 IoCs
Processes (pid process, event count):
- 3644 worked.exe (4)
- 2272 cmstp.exe (34)
Suspicious behavior: MapViewOfSection 5 IoCs
Processes (pid process, event count):
- 3644 worked.exe (3)
- 2272 cmstp.exe (2)
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes (description, pid process):
- Token: SeDebugPrivilege 3644 worked.exe
- Token: SeShutdownPrivilege 2868 Explorer.EXE
- Token: SeCreatePagefilePrivilege 2868 Explorer.EXE
- Token: SeDebugPrivilege 2272 cmstp.exe
Suspicious use of UnmapMainImage 1 IoCs
Processes (pid process):
- 2868 Explorer.EXE
Suspicious use of WriteProcessMemory 15 IoCs
Processes (pid process -> target pid target process, event count):
- PID 728 worked.exe wrote to memory of 3468 schtasks.exe (3)
- PID 728 worked.exe wrote to memory of 3644 worked.exe (6)
- PID 2868 Explorer.EXE wrote to memory of 2272 cmstp.exe (3)
- PID 2272 cmstp.exe wrote to memory of 1632 cmd.exe (3)
Processes (indentation shows the parent/child tree; the original numbered each level 1-3)
C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\worked.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\worked.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\schtasks.exe
      command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kZrPLNaWRaF" /XML "C:\Users\Admin\AppData\Local\Temp\tmp688E.tmp"
      - Creates scheduled task(s)
    C:\Users\Admin\AppData\Local\Temp\worked.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\worked.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmstp.exe
    command line: "C:\Windows\SysWOW64\cmstp.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\worked.exe"
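The process tree and the SetThreadContext / WriteProcessMemory signatures together describe one chain: the dropper (PID 728) writes into and sets the thread context of a suspended copy of itself (PID 3644), that copy injects into Explorer.EXE, Explorer then spawns an argument-less cmstp.exe (PID 2272) that is itself written to and goes on to inject, schtasks.exe registers a task from an XML in the user's Temp folder, and cmd.exe deletes the original file. The script below is an added example, not part of this sandbox report or of any sandbox's code: it encodes each of those links as a detection over a constructed event list taken from the sections above. Its event fields (kind, pid, ppid, image, cmdline, target) are this script's own convention rather than an EDR schema, and LOLBINS is an illustrative list, not an exhaustive one.

```python
"""
Added example (not part of the sandbox report): detections for the
self-hollowing -> Explorer injection -> injected LOLBin -> Temp-XML scheduled
task -> self-delete chain documented above. EVENTS is constructed from the
report's Processes, SetThreadContext and WriteProcessMemory sections; the
field names are this script's own convention, not an EDR or sandbox schema.
"""
import re

EVENTS = [
    # process starts (constructed from the Processes tree; ppid None = root)
    {"kind": "start", "pid": 2868, "ppid": None,
     "image": r"C:\Windows\Explorer.EXE", "cmdline": r"C:\Windows\Explorer.EXE"},
    {"kind": "start", "pid": 728, "ppid": 2868,
     "image": r"C:\Users\Admin\AppData\Local\Temp\worked.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\worked.exe"'},
    {"kind": "start", "pid": 3468, "ppid": 728,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kZrPLNaWRaF" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp688E.tmp"'},
    {"kind": "start", "pid": 3644, "ppid": 728,
     "image": r"C:\Users\Admin\AppData\Local\Temp\worked.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\worked.exe"'},
    {"kind": "start", "pid": 2272, "ppid": 2868,
     "image": r"C:\Windows\SysWOW64\cmstp.exe", "cmdline": r'"C:\Windows\SysWOW64\cmstp.exe"'},
    {"kind": "start", "pid": 1632, "ppid": 2272,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'/c del "C:\Users\Admin\AppData\Local\Temp\worked.exe"'},
    # cross-process events (constructed from the SetThreadContext / WriteProcessMemory IoCs)
    {"kind": "write_memory", "pid": 728, "target": 3468},
    {"kind": "write_memory", "pid": 728, "target": 3644},
    {"kind": "set_thread_context", "pid": 728, "target": 3644},
    {"kind": "set_thread_context", "pid": 3644, "target": 2868},
    {"kind": "write_memory", "pid": 2868, "target": 2272},
    {"kind": "set_thread_context", "pid": 2272, "target": 2868},
    {"kind": "write_memory", "pid": 2272, "target": 1632},
]

PROC = {e["pid"]: e for e in EVENTS if e["kind"] == "start"}
LOLBINS = {"cmstp.exe", "rundll32.exe", "regsvr32.exe", "msiexec.exe"}  # assumption: illustrative list
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)

def _base(pid):
    """Lower-case image basename for a pid, '' if the pid is unknown."""
    e = PROC.get(pid)
    return e["image"].rsplit("\\", 1)[-1].lower() if e else ""

def _pairs(kind):
    """Set of (source pid, target pid) for one cross-process event kind."""
    return {(e["pid"], e["target"]) for e in EVENTS if e["kind"] == kind}

def self_hollowing():
    """A process that writes into AND sets the thread context of its own child
    running the same image: the classic hollowing of a suspended clone."""
    both = _pairs("write_memory") & _pairs("set_thread_context")
    return sorted((src, dst) for src, dst in both
                  if src in PROC and dst in PROC and PROC[dst]["ppid"] == src
                  and PROC[src]["image"].lower() == PROC[dst]["image"].lower())

def explorer_targets():
    """Any SetThreadContext aimed at explorer.exe is injection; nothing benign
    rewrites the shell's thread context."""
    return sorted((src, dst) for src, dst in _pairs("set_thread_context")
                  if _base(dst) == "explorer.exe")

def injected_lolbins():
    """Explorer-spawned LOLBin that receives a memory write from its parent and
    then itself touches another process (the injected stage acting as a proxy)."""
    touched = _pairs("set_thread_context") | _pairs("write_memory")
    return sorted(pid for pid, e in PROC.items()
                  if _base(pid) in LOLBINS and _base(e["ppid"]) == "explorer.exe"
                  and (e["ppid"], pid) in _pairs("write_memory")
                  and any(src == pid for src, _ in touched))

def temp_xml_tasks():
    """schtasks /Create whose /XML lives in the user's Temp dir and whose parent
    runs from Temp too; returns (pid, task name, xml path)."""
    out = []
    for pid, e in PROC.items():
        if _base(pid) != "schtasks.exe" or "/create" not in e["cmdline"].lower():
            continue
        tn = re.search(r'/TN\s+"([^"]+)"', e["cmdline"], re.I)
        xml = re.search(r'/XML\s+"([^"]+)"', e["cmdline"], re.I)
        parent = PROC.get(e["ppid"])
        if tn and xml and TEMP_RE.search(xml.group(1)) and parent and TEMP_RE.search(parent["image"]):
            out.append((pid, tn.group(1), xml.group(1)))
    return out

def self_deletes():
    """cmd.exe deleting an executable that some process in the tree was started from."""
    images = {e["image"].lower() for e in PROC.values()}
    out = []
    for pid, e in PROC.items():
        m = re.search(r'\bdel\s+"?([^"]+?\.exe)"?', e["cmdline"], re.I)
        if _base(pid) == "cmd.exe" and m and m.group(1).lower() in images:
            out.append((pid, m.group(1)))
    return out

def findings():
    """All detections in one dict; each value is empty when the pattern is absent."""
    return {"self_hollowing": self_hollowing(), "explorer_injection": explorer_targets(),
            "injected_lolbins": injected_lolbins(), "temp_xml_tasks": temp_xml_tasks(),
            "self_deletes": self_deletes()}

if __name__ == "__main__":
    for name, hits in findings().items():
        print(f"{name}: {hits}")
```

The checks are deliberately independent so that each one fires on partial telemetry; on a real host the same five predicates map onto Sysmon event IDs 1 (process create), 8 (CreateRemoteThread) and 10 (ProcessAccess), with the Temp-XML task check additionally worth confirming by reading the registered task's action and trigger.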
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp688E.tmp
- MD5: e8b55c40a55ae41e892c7f92c6d76ad1
- SHA1: 3c599446287e60195dd1175b48124cba6b88fa64
- SHA256: da2c540c42ccbad5f8e7a77f42e85ee56d3c9da98f04bfdc5802c61fd14c7dd2
- SHA512: 05d39576057512657e9a3576a585b4ad1800a6f4187c1c9381407eb8466d97044975a7e513082b35e05380821bb7f5d1c5cd4cb2ed91c761b379cbfeaf5d28a9
Memory dumps (name, filesize):
- memory/728-2-0x0000000073E00000-0x00000000744EE000-memory.dmp: 6.9MB
- memory/728-3-0x0000000000A60000-0x0000000000A61000-memory.dmp: 4KB
- memory/728-5-0x0000000007840000-0x0000000007841000-memory.dmp: 4KB
- memory/728-6-0x0000000007DE0000-0x0000000007DE1000-memory.dmp: 4KB
- memory/728-7-0x00000000078E0000-0x00000000078E1000-memory.dmp: 4KB
- memory/728-8-0x0000000005370000-0x0000000005371000-memory.dmp: 4KB
- memory/728-9-0x0000000005390000-0x0000000005391000-memory.dmp: 4KB
- memory/728-10-0x0000000007AA0000-0x0000000007AA1000-memory.dmp: 4KB
- memory/728-11-0x0000000007A60000-0x0000000007A83000-memory.dmp: 140KB
- memory/728-12-0x00000000085D0000-0x0000000008636000-memory.dmp: 408KB
- memory/1632-25-0x0000000000000000-mapping.dmp
- memory/2272-23-0x0000000001040000-0x0000000001056000-memory.dmp: 88KB
- memory/2272-22-0x0000000000000000-mapping.dmp
- memory/2272-24-0x0000000000430000-0x000000000045E000-memory.dmp: 184KB
- memory/2272-26-0x0000000004460000-0x0000000004780000-memory.dmp: 3.1MB
- memory/2272-27-0x0000000000E80000-0x0000000000F13000-memory.dmp: 588KB
- memory/2868-21-0x00000000045A0000-0x00000000046A1000-memory.dmp: 1.0MB
- memory/2868-28-0x0000000005E20000-0x0000000005F5D000-memory.dmp: 1.2MB
- memory/3468-13-0x0000000000000000-mapping.dmp
- memory/3644-16-0x000000000041EAE0-mapping.dmp
- memory/3644-19-0x00000000012D0000-0x00000000015F0000-memory.dmp: 3.1MB
- memory/3644-20-0x0000000000E70000-0x0000000000E84000-memory.dmp: 80KB
- memory/3644-15-0x0000000000400000-0x000000000042E000-memory.dmp: 184KB