Analysis
  max time kernel: 108s
  max time network: 141s
  platform: windows10-2004_x64
  resource: win10v2004-en-20220112
  submitted: 26-01-2022 21:23
  Static task: static1
General
  Target: d44f233d2ef931ed5471cf2be98fb8c2afd6754200f6a46585c2b3114b05e133.exe
  Size: 58KB
  MD5: f2b6d04e02cd293d0743c419211ce6b7
  SHA1: 6f0120d0f57162680a5951741c9befbe21ee7e6f
  SHA256: d44f233d2ef931ed5471cf2be98fb8c2afd6754200f6a46585c2b3114b05e133
  SHA512: bdbda94f442557de6752fe4806ec5ea9157e895006b6986817a6b1ca1c08d5c465290ee6eac90cb58c087afee973bf201ac4062fb22a13eaa8bdb15144b0f37c
Malware Config
  Extracted
    Family: formbook
    Version: 4.1
    Campaign: wieh
    C2 domains (as extracted from the sample's configuration):
rosevillepress.com
diegodeoviedo.com
karanganbungabandungcimahi.com
skeletonnation.net
tihudez.xyz
idaz2.xyz
highcaliberperformance.com
serfoe.com
envisioneyecare.net
bj-htjy360.com
turkiyeekonomiyikonusuyor.com
nationsassociation.online
matesmeltingpot.com
7haof.com
burkhardhomes.com
candyhunks.com
internationalafrican.school
harsors.com
themarketstore.xyz
yulmarket.com
nlowsw.com
cglvyoxu.com
yourdreamsoffers.com
tenniswired.com
bahrfuuss.com
faw-vw-dns.com
3855flad.com
turningvmkedr.online
geargiare.tech
dr-walther.com
weddingsbyiceberg.com
liberalref.com
offroadtogether.online
aonoti.com
clinscienceusa.com
y8dv.xyz
dm107.com
iwantcocke.com
daybreaklandscapers.com
oceanic-sauna.online
dsknit.com
xn--kzlarndkkan-zhb69deah.com
skillga.com
laxicarecrew.com
xn--p5q783a.com
tingaco.com
xmoda.online
findavetnearme.com
libertycointoken.com
mebajaft.com
giaohanggiaretetkiemhcm.com
go2payme.com
meltpointplastics.store
relativewifi.com
memg.xyz
drivenowapproved.com
liesandmisperceptions.com
pointsair.com
bymiwachan.com
tamirestanco.com
confessingamiracle.com
sparrowy.info
writebraincommunications.com
eastvastness.com
ovince.com
Signatures

Formbook Payload (1 IoCs)
  resource | yara_rule
  behavioral1/memory/4088-132-0x0000000000400000-0x000000000042F000-memory.dmp | formbook

Sets service image path in registry (2 TTPs)

Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | d44f233d2ef931ed5471cf2be98fb8c2afd6754200f6a46585c2b3114b05e133.exe

Suspicious use of SetThreadContext (1 IoCs)
  description | pid | process | target process
  PID 2064 set thread context of 4088 | 2064 | d44f233d2ef931ed5471cf2be98fb8c2afd6754200f6a46585c2b3114b05e133.exe | d44f233d2ef931ed5471cf2be98fb8c2afd6754200f6a46585c2b3114b05e133.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Delays execution with timeout.exe (1 IoCs)
  pid | process
  1220 | timeout.exe

Modifies data under HKEY_USERS (41 IoCs)
  description | ioc | process
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | WaaSMedicAgent.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | WaaSMedicAgent.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | WaaSMedicAgent.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | WaaSMedicAgent.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | WaaSMedicAgent.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | WaaSMedicAgent.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | WaaSMedicAgent.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | WaaSMedicAgent.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | WaaSMedicAgent.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | WaaSMedicAgent.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | WaaSMedicAgent.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | WaaSMedicAgent.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | WaaSMedicAgent.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | WaaSMedicAgent.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | WaaSMedicAgent.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | WaaSMedicAgent.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | WaaSMedicAgent.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | WaaSMedicAgent.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | WaaSMedicAgent.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | WaaSMedicAgent.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | WaaSMedicAgent.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | WaaSMedicAgent.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | WaaSMedicAgent.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | WaaSMedicAgent.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | WaaSMedicAgent.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | WaaSMedicAgent.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | WaaSMedicAgent.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | WaaSMedicAgent.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | WaaSMedicAgent.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | WaaSMedicAgent.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | WaaSMedicAgent.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | WaaSMedicAgent.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | WaaSMedicAgent.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | WaaSMedicAgent.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | WaaSMedicAgent.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | WaaSMedicAgent.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | WaaSMedicAgent.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | WaaSMedicAgent.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | WaaSMedicAgent.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | WaaSMedicAgent.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | WaaSMedicAgent.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | process
  2064 | d44f233d2ef931ed5471cf2be98fb8c2afd6754200f6a46585c2b3114b05e133.exe
  2064 | d44f233d2ef931ed5471cf2be98fb8c2afd6754200f6a46585c2b3114b05e133.exe
  4088 | d44f233d2ef931ed5471cf2be98fb8c2afd6754200f6a46585c2b3114b05e133.exe
  4088 | d44f233d2ef931ed5471cf2be98fb8c2afd6754200f6a46585c2b3114b05e133.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 2064 | d44f233d2ef931ed5471cf2be98fb8c2afd6754200f6a46585c2b3114b05e133.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | process | target process
  PID 2064 wrote to memory of 2904 | 2064 | d44f233d2ef931ed5471cf2be98fb8c2afd6754200f6a46585c2b3114b05e133.exe | cmd.exe
  PID 2064 wrote to memory of 2904 | 2064 | d44f233d2ef931ed5471cf2be98fb8c2afd6754200f6a46585c2b3114b05e133.exe | cmd.exe
  PID 2064 wrote to memory of 2904 | 2064 | d44f233d2ef931ed5471cf2be98fb8c2afd6754200f6a46585c2b3114b05e133.exe | cmd.exe
  PID 2904 wrote to memory of 1220 | 2904 | cmd.exe | timeout.exe
  PID 2904 wrote to memory of 1220 | 2904 | cmd.exe | timeout.exe
  PID 2904 wrote to memory of 1220 | 2904 | cmd.exe | timeout.exe
  PID 2064 wrote to memory of 4088 | 2064 | d44f233d2ef931ed5471cf2be98fb8c2afd6754200f6a46585c2b3114b05e133.exe | d44f233d2ef931ed5471cf2be98fb8c2afd6754200f6a46585c2b3114b05e133.exe
  PID 2064 wrote to memory of 4088 | 2064 | d44f233d2ef931ed5471cf2be98fb8c2afd6754200f6a46585c2b3114b05e133.exe | d44f233d2ef931ed5471cf2be98fb8c2afd6754200f6a46585c2b3114b05e133.exe
  PID 2064 wrote to memory of 4088 | 2064 | d44f233d2ef931ed5471cf2be98fb8c2afd6754200f6a46585c2b3114b05e133.exe | d44f233d2ef931ed5471cf2be98fb8c2afd6754200f6a46585c2b3114b05e133.exe
  PID 2064 wrote to memory of 4088 | 2064 | d44f233d2ef931ed5471cf2be98fb8c2afd6754200f6a46585c2b3114b05e133.exe | d44f233d2ef931ed5471cf2be98fb8c2afd6754200f6a46585c2b3114b05e133.exe
  PID 2064 wrote to memory of 4088 | 2064 | d44f233d2ef931ed5471cf2be98fb8c2afd6754200f6a46585c2b3114b05e133.exe | d44f233d2ef931ed5471cf2be98fb8c2afd6754200f6a46585c2b3114b05e133.exe
  PID 2064 wrote to memory of 4088 | 2064 | d44f233d2ef931ed5471cf2be98fb8c2afd6754200f6a46585c2b3114b05e133.exe | d44f233d2ef931ed5471cf2be98fb8c2afd6754200f6a46585c2b3114b05e133.exe
Processes (process tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\d44f233d2ef931ed5471cf2be98fb8c2afd6754200f6a46585c2b3114b05e133.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d44f233d2ef931ed5471cf2be98fb8c2afd6754200f6a46585c2b3114b05e133.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C timeout 19
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\timeout.exe
          Command line: timeout 19
          - Delays execution with timeout.exe

    C:\Users\Admin\AppData\Local\Temp\d44f233d2ef931ed5471cf2be98fb8c2afd6754200f6a46585c2b3114b05e133.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\d44f233d2ef931ed5471cf2be98fb8c2afd6754200f6a46585c2b3114b05e133.exe
      - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\WaaSMedicAgent.exe
  Command line: C:\Windows\System32\WaaSMedicAgent.exe d07311c9ef5f3fe251e8bfc4e6bcc8fd 2URH+vHQFkGkbEY8QnWCgQ.0.1.0.0.0
  - Modifies data under HKEY_USERS

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p