Analysis

  max time kernel   148s
  max time network  137s
  platform          windows10_x64
  resource          win10v20201028
  submitted         21-01-2021 15:38

Static task: static1
Behavioral task: behavioral1
  Sample    worked.exe
  Resource  win7v20201028

Note: the memory dumps and YARA hits below are labelled behavioral2, i.e. the windows10_x64 / win10v20201028 run described in the header; the behavioral1 (win7v20201028) task is listed but its results are not on this page.
General

  Target  worked.exe
  Size    776KB
  MD5     a8417cfd71637c7371986737cff269cf
  SHA1    62764e915771688218d9e93d139a85f8d983e2b8
  SHA256  ed806d196c4c8573b7044e2a1f98f01527947c6e95e97a6e9b061ede6ec75664
  SHA512  35af7f1511402987a6abcb14ce1be7ccfeaee5fa11ae6c66eb9b1ac0d3dd6690e6f1be8e1163c90b8104b4845da89d7468484b730dc669340694a7a21feeb181
Malware Config

Extracted family: formbook

C2 URL (the short path, /zn7/, is the campaign-specific C2 URI):
http://www.maalkhairaatwosu.com/zn7/

Decoy domains. A Formbook config carries a list of legitimate-looking domains that the bot contacts alongside the real C2 so the beacon blends in; treat the entries below as noise rather than attacker infrastructure unless corroborated elsewhere:
xaozal.com
yanafarms.com
domennyarendi64.net
bumiflogrance.com
cre8tivspace.com
s3video.com
eshelwoodwork.com
centaurme.com
novarticle.com
jbastavi.com
hueandboldcreative.com
phraeudom.com
bright.discount
brandonandrana.com
budundergisi.xyz
wedochin.com
cryptowaveride.com
dunnwrightconst.com
hakador.net
costcostock.com
journeysenterprises.com
tuhocnet.com
yourfitential.com
kingomauctions.com
goodiscs.com
wzqp7.com
alamolog.com
primerpuntoferretero.com
sharonrebucas.com
redtentmotorhomes.com
searko.com
gildcash.com
campsensation.com
myfreeinvitation.com
esuenud.com
yourbeachholiday.com
myvisscard.com
wasalnygroup.com
mvuraskin.com
crystalwiththecrystalz.com
pincmd.com
sgh.plus
arkediem.com
24hrsby7.com
andreygrizenko.online
liveincrestline.com
wearecdi.com
imagestexas.com
tranz4mations.com
helixcoffeehouse.com
investmentresourcesaz.com
a-miin.com
marisadelucia.com
minileprix.com
salesfunnelfairy.net
necroticpowerful.xyz
devarista.tech
peterbreuer.com
greenlandbuilders.com
davidgaleano.com
redfalken.com
idiocy.online
noahbrewer.net
alkhaleejnews.net
Signatures

Formbook Payload (3 IoCs)
  YARA rule "formbook" matched in:
    behavioral2/memory/3096-15-0x0000000000400000-0x000000000042E000-memory.dmp
    behavioral2/memory/3096-16-0x000000000041EAE0-mapping.dmp
    behavioral2/memory/2096-25-0x0000000000DA0000-0x0000000000DCE000-memory.dmp
  Both flagged regions are 0x2E000 bytes (184KB) long: the unpacked payload sitting at the image base of the hollowed worked.exe child (PID 3096) and the same-sized copy in msiexec.exe (PID 2096), which Explorer.EXE spawned after its own thread context had been set by PID 3096.

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). The sandbox describes this as "likely ransomware behaviour", but it is a generic heuristic: the extracted config identifies the family as Formbook (an information stealer) and no file-encryption activity appears anywhere in this report.

Suspicious use of SetThreadContext (3 IoCs)
  PID 412  worked.exe   -> set thread context of 3096 worked.exe
  PID 3096 worked.exe   -> set thread context of 1680 Explorer.EXE
  PID 2096 msiexec.exe  -> set thread context of 1680 Explorer.EXE

Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution. Here worked.exe (PID 412) registers the task "Updates\kZrPLNaWRaF" from an XML definition written to %TEMP% (tmp5489.tmp, hashed under Downloads).

Suspicious behavior: EnumeratesProcesses (39 IoCs)
  412 worked.exe (1 hit), 3096 worked.exe (4 hits), 2096 msiexec.exe (remaining 34 hits)

Suspicious behavior: MapViewOfSection (5 IoCs)
  3096 worked.exe (3 hits), 2096 msiexec.exe (2 hits)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege  412 worked.exe
  Token: SeDebugPrivilege  3096 worked.exe
  Token: SeDebugPrivilege  2096 msiexec.exe

Suspicious use of UnmapMainImage (1 IoCs)
  1680 Explorer.EXE

Suspicious use of WriteProcessMemory (15 IoCs)
  PID 412  worked.exe   -> wrote to memory of 3616 schtasks.exe  (3 hits)
  PID 412  worked.exe   -> wrote to memory of 3096 worked.exe    (6 hits)
  PID 1680 Explorer.EXE -> wrote to memory of 2096 msiexec.exe   (3 hits)
  PID 2096 msiexec.exe  -> wrote to memory of 580 cmd.exe        (3 hits)
Processes

The tree below lists image path, command line and signature hits per process; PIDs are taken from the signature tables above.

C:\Windows\Explorer.EXE  (PID 1680)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\worked.exe  (PID 412)
    command line: "C:\Users\Admin\AppData\Local\Temp\worked.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe  (PID 3616)
      command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kZrPLNaWRaF" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5489.tmp"
      - Creates scheduled task(s)
      (The command line names System32 but the image ran from SysWOW64: WoW64 file-system redirection, so the caller is a 32-bit process.)

    C:\Users\Admin\AppData\Local\Temp\worked.exe  (PID 3096)
      command line: "C:\Users\Admin\AppData\Local\Temp\worked.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\msiexec.exe  (PID 2096)
    command line: "C:\Windows\SysWOW64\msiexec.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (PID 580)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\worked.exe"
      (Removes the original dropper once the payload is running inside msiexec.exe.)
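The process tree and signature tables above contain everything a detection engineer needs to write rules for this infection chain. The following is an added example, not part of the Triage report: a small rule set run over process-creation and injection records that are constructed here from the report's own paths, command lines and PIDs. The record fields (pid, ppid, image, cmdline, src_pid, dst_pid, api) and the rule names are this example's own assumptions, not a Triage or Sigma schema.

```python
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # image path on disk
    cmdline: str


@dataclass(frozen=True)
class InjectEvent:
    src_pid: int
    dst_pid: int
    api: str        # e.g. "SetThreadContext"


# Constructed from the report (paths and command lines as listed; PIDs from
# the signature tables). Explorer's own parent is not on the page, hence ppid 0.
PROCS = [
    ProcEvent(1680, 0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ProcEvent(412, 1680, r"C:\Users\Admin\AppData\Local\Temp\worked.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\worked.exe"'),
    ProcEvent(3616, 412, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kZrPLNaWRaF" '
              r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp5489.tmp"'),
    ProcEvent(3096, 412, r"C:\Users\Admin\AppData\Local\Temp\worked.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\worked.exe"'),
    ProcEvent(2096, 1680, r"C:\Windows\SysWOW64\msiexec.exe",
              r'"C:\Windows\SysWOW64\msiexec.exe"'),
    ProcEvent(580, 2096, r"C:\Windows\SysWOW64\cmd.exe",
              r'/c del "C:\Users\Admin\AppData\Local\Temp\worked.exe"'),
]
INJECTS = [
    InjectEvent(412, 3096, "SetThreadContext"),
    InjectEvent(3096, 1680, "SetThreadContext"),
    InjectEvent(2096, 1680, "SetThreadContext"),
]

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
XML_RE = re.compile(r'/xml\s+"?([^"]+)"?', re.I)
DEL_RE = re.compile(r'\bdel\s+"?([^"]+?)"?\s*$', re.I)


def base(path):
    return ntpath.basename(path).lower()


def find_proc(procs, pid):
    return next((p for p in procs if p.pid == pid), None)


def rule_schtasks_xml_from_temp(procs):
    """schtasks /Create fed an XML task definition dropped in %TEMP%."""
    hits = []
    for p in procs:
        if base(p.image) != "schtasks.exe" or "/create" not in p.cmdline.lower():
            continue
        m = XML_RE.search(p.cmdline)
        if m and TEMP_RE.search(m.group(1)):
            hits.append(("schtasks_xml_from_temp", p.pid, m.group(1)))
    return hits


def rule_self_delete(procs):
    """cmd.exe deleting a file that is the image of a process in the same tree."""
    images = {p.image.lower() for p in procs}
    hits = []
    for p in procs:
        if base(p.image) != "cmd.exe":
            continue
        m = DEL_RE.search(p.cmdline)
        if m and m.group(1).lower() in images:
            hits.append(("self_delete", p.pid, m.group(1)))
    return hits


def rule_inject_into_explorer(procs, injects):
    """Thread-context tampering whose target is explorer.exe."""
    hits = []
    for i in injects:
        src, dst = find_proc(procs, i.src_pid), find_proc(procs, i.dst_pid)
        if src and dst and base(dst.image) == "explorer.exe" and base(src.image) != "explorer.exe":
            hits.append(("inject_into_explorer", i.src_pid, i.api))
    return hits


def rule_hollowed_child(procs, injects):
    """Parent sets the thread context of a child spawned from its own image (RunPE/hollowing)."""
    hits = []
    for i in injects:
        src, dst = find_proc(procs, i.src_pid), find_proc(procs, i.dst_pid)
        if src and dst and dst.ppid == src.pid and dst.image.lower() == src.image.lower():
            hits.append(("hollowed_child", i.dst_pid, i.api))
    return hits


def rule_bare_system_binary_injecting(procs, injects):
    """%SystemRoot% binary started by explorer.exe with no arguments that then injects."""
    injecting = {i.src_pid for i in injects}
    hits = []
    for p in procs:
        parent = find_proc(procs, p.ppid)
        bare = p.cmdline.strip().strip('"').lower() == p.image.lower()
        in_sysroot = p.image.lower().startswith("c:\\windows\\")
        if bare and in_sysroot and parent and base(parent.image) == "explorer.exe" and p.pid in injecting:
            hits.append(("bare_system_binary_injecting", p.pid, base(p.image)))
    return hits


def run_all(procs=PROCS, injects=INJECTS):
    """Return every finding as (rule, pid, detail)."""
    return (rule_schtasks_xml_from_temp(procs) + rule_self_delete(procs)
            + rule_inject_into_explorer(procs, injects) + rule_hollowed_child(procs, injects)
            + rule_bare_system_binary_injecting(procs, injects))


if __name__ == "__main__":
    for rule, pid, detail in run_all():
        print(f"{rule:32} pid={pid:<5} {detail}")
```

On this tree the rules fire six times: the Temp-sourced task XML (PID 3616), the self-delete (PID 580), two injections into Explorer.EXE (PIDs 3096 and 2096), the hollowed worked.exe child (PID 3096) and msiexec.exe as a bare system binary that injects (PID 2096). The self-delete and bare-binary rules correlate across processes rather than matching a single command line, which is what keeps them from firing on ordinary installer activity.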
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\tmp5489.tmp  (the scheduled-task XML passed to schtasks /XML by PID 412)
  MD5     e8b55c40a55ae41e892c7f92c6d76ad1
  SHA1    3c599446287e60195dd1175b48124cba6b88fa64
  SHA256  da2c540c42ccbad5f8e7a77f42e85ee56d3c9da98f04bfdc5802c61fd14c7dd2
  SHA512  05d39576057512657e9a3576a585b4ad1800a6f4187c1c9381407eb8466d97044975a7e513082b35e05380821bb7f5d1c5cd4cb2ed91c761b379cbfeaf5d28a9
Memory dumps (behavioral2; name = <pid>-<index>-<address range>; mapping.dmp entries carry a single address and no size)

  dump                                                              size
  memory/412-3-0x0000000000FC0000-0x0000000000FC1000-memory.dmp     4KB
  memory/412-5-0x0000000007DB0000-0x0000000007DB1000-memory.dmp     4KB
  memory/412-6-0x0000000008350000-0x0000000008351000-memory.dmp     4KB
  memory/412-7-0x0000000007E50000-0x0000000007E51000-memory.dmp     4KB
  memory/412-8-0x0000000007F90000-0x0000000007F91000-memory.dmp     4KB
  memory/412-9-0x00000000059E0000-0x00000000059E1000-memory.dmp     4KB
  memory/412-10-0x0000000008060000-0x0000000008061000-memory.dmp    4KB
  memory/412-11-0x00000000080C0000-0x00000000080E3000-memory.dmp    140KB
  memory/412-12-0x0000000008AF0000-0x0000000008B56000-memory.dmp    408KB
  memory/412-2-0x0000000073970000-0x000000007405E000-memory.dmp     6.9MB
  memory/580-23-0x0000000000000000-mapping.dmp                      -
  memory/1680-21-0x0000000005FD0000-0x0000000006122000-memory.dmp   1.3MB
  memory/1680-29-0x0000000002BA0000-0x0000000002C75000-memory.dmp   852KB
  memory/2096-22-0x0000000000000000-mapping.dmp                     -
  memory/2096-25-0x0000000000DA0000-0x0000000000DCE000-memory.dmp   184KB   (Formbook YARA hit)
  memory/2096-24-0x0000000000F10000-0x0000000000F22000-memory.dmp   72KB
  memory/2096-26-0x0000000004F90000-0x00000000052B0000-memory.dmp   3.1MB
  memory/2096-28-0x0000000004DF0000-0x0000000004E83000-memory.dmp   588KB
  memory/3096-15-0x0000000000400000-0x000000000042E000-memory.dmp   184KB   (Formbook YARA hit)
  memory/3096-16-0x000000000041EAE0-mapping.dmp                     -       (Formbook YARA hit)
  memory/3096-20-0x0000000001100000-0x0000000001114000-memory.dmp   80KB
  memory/3096-19-0x0000000001400000-0x0000000001720000-memory.dmp   3.1MB
  memory/3616-13-0x0000000000000000-mapping.dmp                     -

Notes for triage: the 3096-16 mapping address 0x41EAE0 lies inside the 0x400000-0x42E000 region flagged as Formbook payload in PID 3096, and the flagged region in PID 2096 (0xDA0000-0xDCE000) has the same 0x2E000-byte length; those two dumps are the ones to carve for the unpacked payload. The 3096-19 and 2096-26 regions are likewise both 0x320000 bytes.