Analysis
max time kernel: 148s
max time network: 9s
platform: windows7_x64
resource: win7v20201028
submitted: 21-01-2021 15:38
Static task: static1
Behavioral task: behavioral1
Sample: worked.exe
Resource: win7v20201028
General
Target: worked.exe
Size: 776KB
MD5: a8417cfd71637c7371986737cff269cf
SHA1: 62764e915771688218d9e93d139a85f8d983e2b8
SHA256: ed806d196c4c8573b7044e2a1f98f01527947c6e95e97a6e9b061ede6ec75664
SHA512: 35af7f1511402987a6abcb14ce1be7ccfeaee5fa11ae6c66eb9b1ac0d3dd6690e6f1be8e1163c90b8104b4845da89d7468484b730dc669340694a7a21feeb181
Malware Config
Extracted: formbook
http://www.maalkhairaatwosu.com/zn7/
xaozal.com
yanafarms.com
domennyarendi64.net
bumiflogrance.com
cre8tivspace.com
s3video.com
eshelwoodwork.com
centaurme.com
novarticle.com
jbastavi.com
hueandboldcreative.com
phraeudom.com
bright.discount
brandonandrana.com
budundergisi.xyz
wedochin.com
cryptowaveride.com
dunnwrightconst.com
hakador.net
costcostock.com
journeysenterprises.com
tuhocnet.com
yourfitential.com
kingomauctions.com
goodiscs.com
wzqp7.com
alamolog.com
primerpuntoferretero.com
sharonrebucas.com
redtentmotorhomes.com
searko.com
gildcash.com
campsensation.com
myfreeinvitation.com
esuenud.com
yourbeachholiday.com
myvisscard.com
wasalnygroup.com
mvuraskin.com
crystalwiththecrystalz.com
pincmd.com
sgh.plus
arkediem.com
24hrsby7.com
andreygrizenko.online
liveincrestline.com
wearecdi.com
imagestexas.com
tranz4mations.com
helixcoffeehouse.com
investmentresourcesaz.com
a-miin.com
marisadelucia.com
minileprix.com
salesfunnelfairy.net
necroticpowerful.xyz
devarista.tech
peterbreuer.com
greenlandbuilders.com
davidgaleano.com
redfalken.com
idiocy.online
noahbrewer.net
alkhaleejnews.net
Signatures

Formbook Payload (3 IoCs)
resource | yara_rule
behavioral1/memory/568-10-0x0000000000400000-0x000000000042E000-memory.dmp | formbook
behavioral1/memory/568-11-0x000000000041EAE0-mapping.dmp | formbook
behavioral1/memory/1480-19-0x00000000000C0000-0x00000000000EE000-memory.dmp | formbook

Deletes itself (1 IoC)
pid | process
968 | cmd.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of SetThreadContext (3 IoCs)
description | pid | process | target process
PID 1740 set thread context of 568 | 1740 | worked.exe | worked.exe
PID 568 set thread context of 1268 | 568 | worked.exe | Explorer.EXE
PID 1480 set thread context of 1268 | 1480 | wininit.exe | Explorer.EXE

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (20 IoCs)
pid | process
568 | worked.exe (2 hits)
1480 | wininit.exe (18 hits)

Suspicious behavior: MapViewOfSection (5 IoCs)
pid | process
568 | worked.exe (3 hits)
1480 | wininit.exe (2 hits)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | process
Token: SeDebugPrivilege | 568 | worked.exe
Token: SeDebugPrivilege | 1480 | wininit.exe

Suspicious use of FindShellTrayWindow (4 IoCs)
pid | process
1268 | Explorer.EXE (4 hits)

Suspicious use of SendNotifyMessage (4 IoCs)
pid | process
1268 | Explorer.EXE (4 hits)

Suspicious use of WriteProcessMemory (19 IoCs)
description | pid | process | target process
PID 1740 wrote to memory of 396 | 1740 | worked.exe | schtasks.exe (4 hits)
PID 1740 wrote to memory of 568 | 1740 | worked.exe | worked.exe (7 hits)
PID 1268 wrote to memory of 1480 | 1268 | Explorer.EXE | wininit.exe (4 hits)
PID 1480 wrote to memory of 968 | 1480 | wininit.exe | cmd.exe (4 hits)
Processes (process tree; indentation shows parent/child depth)

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\worked.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\worked.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kZrPLNaWRaF" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCF8F.tmp"
      - Creates scheduled task(s)
    C:\Users\Admin\AppData\Local\Temp\worked.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\worked.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\wininit.exe
    Command line: "C:\Windows\SysWOW64\wininit.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\worked.exe"
      - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\tmpCF8F.tmp
MD5: 62d40d943dc0ae5f55a7c223219f2fab
SHA1: f9139dd72b3b2546ba8324f230bb43d077b9d0be
SHA256: f11d55745b41351cb6a74f5629a6108f94394bb438e926c5af63e58734b87522
SHA512: fac0d9a2061d16da97fe81f650228ceba7e69886b4ffe3f5fccada076baf39c5f8fef54fd47eb9531eee88c274dbb9c946accd0f334107d967fa8e052b149bb3

memory/396-8-0x0000000000000000-mapping.dmp

memory/568-11-0x000000000041EAE0-mapping.dmp

memory/568-14-0x0000000000180000-0x0000000000194000-memory.dmp
Filesize: 80KB

memory/568-13-0x0000000000A30000-0x0000000000D33000-memory.dmp
Filesize: 3.0MB

memory/568-10-0x0000000000400000-0x000000000042E000-memory.dmp
Filesize: 184KB

memory/968-17-0x0000000000000000-mapping.dmp

memory/1268-15-0x0000000006290000-0x00000000063AA000-memory.dmp
Filesize: 1.1MB

memory/1480-16-0x0000000000000000-mapping.dmp

memory/1480-18-0x0000000000DC0000-0x0000000000DDA000-memory.dmp
Filesize: 104KB

memory/1480-19-0x00000000000C0000-0x00000000000EE000-memory.dmp
Filesize: 184KB

memory/1480-20-0x0000000000A70000-0x0000000000D73000-memory.dmp
Filesize: 3.0MB

memory/1480-21-0x0000000000980000-0x0000000000A13000-memory.dmp
Filesize: 588KB

memory/1740-7-0x00000000073B0000-0x0000000007416000-memory.dmp
Filesize: 408KB

memory/1740-6-0x0000000000500000-0x0000000000501000-memory.dmp
Filesize: 4KB

memory/1740-5-0x0000000000580000-0x00000000005A3000-memory.dmp
Filesize: 140KB

memory/1740-2-0x00000000741A0000-0x000000007488E000-memory.dmp
Filesize: 6.9MB

memory/1740-3-0x00000000002D0000-0x00000000002D1000-memory.dmp
Filesize: 4KB