Analysis
- max time kernel: 169s
- max time network: 172s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 01:25
Static task: static1
Behavioral task: behavioral1
Sample: Contract Documents.exe
Resource: win7-20220414-en
General
- Target: Contract Documents.exe
- Size: 344KB
- MD5: 376d7e1871d7d432b255403e399e6334
- SHA1: a2a852627172066b3fbd344abdb3aa985ec35b47
- SHA256: 6348a886a9796d2fa05cd1792d8299c1a3a66e016b04a115e34c47d49415714d
- SHA512: 2bd6de7794a465193331a590145c5422ba6ec607b4ec4b98662302e8d7763d41971ee5e84c92052f056a1b8b0584461d99db7cf81b457df08f6d7ef2d5e8436b
Malware Config
Extracted
- Family: formbook
- Version: 3.9
- Campaign: nfl
- Domains (a Formbook config carries one live C2 inside a list of decoy domains; hunt and block on the set, but do not treat every entry as attacker-controlled):
giacamp.net
qb51.party
mashalevine.com
russiasexdating.com
jitangyy.com
morockin.com
karoreiss.com
tractionhero.today
bienvenueenprovence.net
stormharbour.info
61999h.com
tryandcert.com
bestwaytosuccess.com
laobaochang.com
otomatiktente.com
rehpb.info
ivpdqb.info
dc-wv-wv-ie-q.com
goingmagic.com
cimachain.com
northernengage360.com
wastewatertreatment.systems
coinopy.com
shoudami.com
mobilbahis.world
qshkr.com
okccashforhouses.com
mattressesspot.com
fyou168.com
131bb6.com
browserangel.net
transliberte.com
bakir-sulfat.net
rossilawfirmny.com
timothy-kwan.com
sdhtxj.com
affluenttoronto.com
profile-lord.date
77eb0l.faith
worldcup.city
nytimesnews.net
sarahdigiulio.com
343manbet.com
archeryunion.com
bullitshield.com
wzhan.ink
thehamzas.info
fyrwrk.net
klassy-kinks.com
bolttorquechart.com
willingcake.com
mohameddarbal.com
e-chicha.com
healthyperfection.com
steklonti.com
beauxtaylor.com
186524.com
libertybarracks.com
urban-compositions.com
michaeljlee.net
planovafg1.com
merrint.com
416thencomassn.com
xn--2j1b95kqybe0ioxir3sl4c.com
salomdy.com
Signatures
-
CoreEntity .NET Packer (1 IoC)
A .NET packer called CoreEntity that embeds the payload as a Bitmap object which is decrypted at runtime.
Memory dumps matching yara rule coreentity:
- behavioral1/memory/800-56-0x00000000004F0000-0x00000000004F8000-memory.dmp
Formbook Payload (4 IoCs)
Memory dumps matching yara rule formbook:
- behavioral1/memory/1284-63-0x0000000000400000-0x000000000042A000-memory.dmp
- behavioral1/memory/1284-64-0x000000000041B620-mapping.dmp
- behavioral1/memory/1284-66-0x0000000000400000-0x000000000042A000-memory.dmp
- behavioral1/memory/964-74-0x0000000000080000-0x00000000000AA000-memory.dmp
ReZer0 packer (1 IoC)
Detects ReZer0, a packer with multiple versions used in various campaigns.
Memory dumps matching yara rule rezer0:
- behavioral1/memory/800-57-0x00000000045F0000-0x0000000004628000-memory.dmp
Suspicious use of SetThreadContext (3 IoCs)
Processes (caller, target):
- PID 800 Contract Documents.exe set thread context of PID 1284 RegSvcs.exe
- PID 1284 RegSvcs.exe set thread context of PID 1212 Explorer.EXE
- PID 964 mstsc.exe set thread context of PID 1212 Explorer.EXE
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature is "likely ransomware behaviour"; nothing else in this report supports that reading (the payload is classified as Formbook, an information stealer, and no encrypted files or ransom-note artifacts appear in the dropped-file list), so treat the drive enumeration as host profiling rather than as a ransomware indicator.
-
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution. Here the task is named Updates\TSOKGNOdzysi and is created from an XML definition written to the user's Temp directory (see the schtasks.exe command line under Processes).
-
Suspicious behavior: EnumeratesProcesses (27 IoCs)
Processes (pid, process, hit count):
- 800 Contract Documents.exe (1)
- 1284 RegSvcs.exe (2)
- 964 mstsc.exe (24)
Suspicious behavior: MapViewOfSection (5 IoCs)
Processes (pid, process, hit count):
- 1284 RegSvcs.exe (3)
- 964 mstsc.exe (2)
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes (privilege, pid, process):
- SeDebugPrivilege: 800 Contract Documents.exe
- SeDebugPrivilege: 1284 RegSvcs.exe
- SeDebugPrivilege: 964 mstsc.exe
- SeShutdownPrivilege: 1212 Explorer.EXE
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes (pid, process, hit count):
- 1212 Explorer.EXE (2)
Suspicious use of SendNotifyMessage (2 IoCs)
Processes (pid, process, hit count):
- 1212 Explorer.EXE (2)
Suspicious use of WriteProcessMemory (22 IoCs)
Processes (writer, target, write count):
- PID 800 Contract Documents.exe wrote to memory of PID 836 schtasks.exe (4)
- PID 800 Contract Documents.exe wrote to memory of PID 1284 RegSvcs.exe (10)
- PID 1212 Explorer.EXE wrote to memory of PID 964 mstsc.exe (4)
- PID 964 mstsc.exe wrote to memory of PID 900 cmd.exe (4)
Processes
- C:\Users\Admin\AppData\Local\Temp\Contract Documents.exe (PID 800, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Contract Documents.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (PID 836, level 2; the System32 path in the command line resolves to SysWOW64 because the 32-bit parent spawned it)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TSOKGNOdzysi" /XML "C:\Users\Admin\AppData\Local\Temp\tmp71E6.tmp"
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 1284, level 2; 32-bit .NET host used for the first injection stage)
    Command line: "{path}" (as rendered by the sandbox)
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\Explorer.EXE (PID 1212, level 1; the user's shell, a separate root in the tree, injected into by PID 1284 and PID 964)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\mstsc.exe (PID 964, level 2)
    Command line: "C:\Windows\SysWOW64\mstsc.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 900, level 3; attempts to remove the RegSvcs.exe host used in the first injection stage)
      Command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
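The signature tables and process tree above describe one injection chain: the dropper hollows a 32-bit RegSvcs.exe, which moves into Explorer.EXE, which spawns mstsc.exe, which re-injects into Explorer and launches the cleanup cmd.exe. The following is an added example, not Triage output and not code from the sample: it transcribes the report's events by hand (PROCS, PARENT, CMDLINES, EVENTS) and runs three small detection rules over them. The "4 writes for an ordinary spawn versus 10 for the hollowed host" figures are the counts the report lists; the rule names are this example's own labels.

```python
"""Detection pass over the process events in this report.

Added example, not part of the Triage output. PROCS, PARENT, CMDLINES and EVENTS are
transcribed by hand from the SetThreadContext / WriteProcessMemory tables and the
process tree above; WriteProcessMemory counts are the per-target counts the report
lists (4 per ordinary spawn, 10 for the RegSvcs.exe host).
"""
import re
from collections import defaultdict

PROCS = {800: "Contract Documents.exe", 836: "schtasks.exe", 1284: "RegSvcs.exe",
         1212: "Explorer.EXE", 964: "mstsc.exe", 900: "cmd.exe"}
PARENT = {836: 800, 1284: 800, 964: 1212, 900: 964}        # child -> parent
CMDLINES = {   # RegSvcs.exe is rendered as "{path}" in the report, so it is omitted
    836: '"C:\\Windows\\System32\\schtasks.exe" /Create /TN "Updates\\TSOKGNOdzysi" '
         '/XML "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp71E6.tmp"',
    900: '/c del "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe"',
}
EVENTS = [   # (api, source pid, target pid, count)
    ("WriteProcessMemory", 800, 836, 4),
    ("WriteProcessMemory", 800, 1284, 10),
    ("SetThreadContext", 800, 1284, 1),
    ("SetThreadContext", 1284, 1212, 1),
    ("WriteProcessMemory", 1212, 964, 4),
    ("SetThreadContext", 964, 1212, 1),
    ("WriteProcessMemory", 964, 900, 4),
]

def injection_findings(events=EVENTS, procs=PROCS, parent=PARENT):
    """Classify every cross-process SetThreadContext.

    Spawn + WriteProcessMemory + SetThreadContext from the same caller is the hollowing
    sequence (create suspended, overwrite image, point the thread at the payload, resume).
    SetThreadContext with no write from that caller means the code arrived another way;
    in this report the same callers are the ones with MapViewOfSection hits.
    """
    writes = defaultdict(int)
    for api, src, dst, n in events:
        if api == "WriteProcessMemory" and src != dst:
            writes[(src, dst)] += n
    out = []
    for api, src, dst, _ in events:
        if api != "SetThreadContext" or src == dst:
            continue
        w = writes.get((src, dst), 0)
        kind = "process hollowing" if parent.get(dst) == src and w else "thread hijack via mapped section"
        out.append({"kind": kind, "src": src, "src_img": procs[src],
                    "dst": dst, "dst_img": procs[dst], "writes": w})
    return out

def injection_chain(root=800, events=EVENTS, parent=PARENT):
    """Follow the payload from the dropper: each hop is a SetThreadContext target, or a
    child spawned by the current holder that itself goes on to inject somewhere."""
    children, targets = defaultdict(list), defaultdict(list)
    for child, p in parent.items():
        children[p].append(child)
    for api, src, dst, _ in events:
        if api == "SetThreadContext" and src != dst:
            targets[src].append(dst)
    chain, cur = [root], root
    while True:
        nxt = [d for d in targets[cur] if d not in chain]
        nxt = nxt or [c for c in children[cur] if c not in chain and c in targets]
        if not nxt:
            return chain
        cur = nxt[0]
        chain.append(cur)

SCHTASKS_RE = re.compile(r'/Create\b.*?/TN\s+"(?P<tn>[^"]+)".*?/XML\s+"(?P<xml>[^"]+)"', re.I)
DEL_RE = re.compile(r'/c\s+del\s+"?(?P<path>[^"]+)"?', re.I)

def schtasks_persistence(cmdlines=CMDLINES, procs=PROCS):
    """schtasks /Create from an XML definition; flag XML files that live under %TEMP%."""
    out = []
    for pid, cl in cmdlines.items():
        m = SCHTASKS_RE.search(cl) if procs[pid].lower() == "schtasks.exe" else None
        if m:
            xml = m.group("xml")
            out.append((pid, m.group("tn"), xml, "\\appdata\\local\\temp\\" in xml.lower()))
    return out

def self_delete(cmdlines=CMDLINES, procs=PROCS):
    """cmd /c del of a file whose basename matches a process image in this tree."""
    out = []
    for pid, cl in cmdlines.items():
        m = DEL_RE.search(cl) if procs[pid].lower() == "cmd.exe" else None
        if m:
            base = m.group("path").rsplit("\\", 1)[-1].lower()
            out.append((pid, m.group("path"), [p for p, i in procs.items() if i.lower() == base]))
    return out

if __name__ == "__main__":
    for f in injection_findings():
        print(f"{f['kind']}: {f['src']} {f['src_img']} -> {f['dst']} {f['dst_img']} ({f['writes']} writes)")
    print("chain:", " -> ".join(str(p) for p in injection_chain()))
    print("persistence:", schtasks_persistence())
    print("cleanup:", self_delete())
```

Run as-is it reports one hollowing (800 into 1284, backed by 10 writes), two section-based thread hijacks of Explorer (from 1284 and from 964), the chain 800, 1284, 1212, 964, the Temp-sourced task XML, and the cleanup command whose target basename resolves back to PID 1284. For real telemetry, swap the transcribed tables for Sysmon event IDs 1, 8 and 10 (or the EDR equivalents) and keep the same three rules.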
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp71E6.tmp (the task definition passed to schtasks /XML)
  Filesize: 1KB
  MD5: b164df0d5d271ed4e95a90f48174f881
  SHA1: 1ade4fdfc40289386ebad8bc8647f2f0caf76899
  SHA256: 7e293bb1aa2318148d56f09a0a1540633dece416edc93387f3de9c6efbe65b55
  SHA512: ac5b4bbc54b4ec07c273c4d2e011d1bd14d650ff8614e279d05ceeb56255b63fe9522dff8eb62524ef82351da22fdf07866b34ffd9551e82deb17ea05fcbd260
- memory/800-54-0x00000000103B0000-0x000000001040A000-memory.dmp (Filesize: 360KB)
- memory/800-55-0x00000000765F1000-0x00000000765F3000-memory.dmp (Filesize: 8KB)
- memory/800-56-0x00000000004F0000-0x00000000004F8000-memory.dmp (Filesize: 32KB)
- memory/800-57-0x00000000045F0000-0x0000000004628000-memory.dmp (Filesize: 224KB)
- memory/836-58-0x0000000000000000-mapping.dmp
- memory/900-72-0x0000000000000000-mapping.dmp
- memory/964-70-0x0000000000000000-mapping.dmp
- memory/964-76-0x0000000000A20000-0x0000000000AB3000-memory.dmp (Filesize: 588KB)
- memory/964-75-0x00000000022D0000-0x00000000025D3000-memory.dmp (Filesize: 3.0MB)
- memory/964-74-0x0000000000080000-0x00000000000AA000-memory.dmp (Filesize: 168KB)
- memory/964-73-0x0000000000DC0000-0x0000000000EC4000-memory.dmp (Filesize: 1.0MB)
- memory/1212-69-0x0000000004B30000-0x0000000004CC3000-memory.dmp (Filesize: 1.6MB)
- memory/1212-77-0x0000000003DD0000-0x0000000003EDB000-memory.dmp (Filesize: 1.0MB)
- memory/1284-61-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)
- memory/1284-68-0x00000000002C0000-0x00000000002D4000-memory.dmp (Filesize: 80KB)
- memory/1284-60-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)
- memory/1284-67-0x0000000000970000-0x0000000000C73000-memory.dmp (Filesize: 3.0MB)
- memory/1284-66-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)
- memory/1284-64-0x000000000041B620-mapping.dmp
- memory/1284-63-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)
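The dump names above encode pid, capture sequence number and the virtual address range of each region, so the YARA hits in the Signatures section can be tied back to concrete regions without touching the sample. The following is an added example, not Triage output: it transcribes the Downloads and Signatures lists into DUMPS and YARA_HITS, checks that every printed size agrees with the address range in its own name (human() encodes this example's assumption about how the report rounds sizes: whole KB below 1 MiB, one-decimal MB above), and groups the Formbook hits by region size. The two Formbook regions of 0x2A000 bytes, at the image base 0x400000 in RegSvcs.exe (PID 1284) and at 0x80000 in mstsc.exe (PID 964), are the same payload before and after the second injection; the single-address mapping dump at 0x41B620 falls inside the first of them.

```python
"""Cross-check the memory-dump artifacts and YARA hits listed in this report.

Added example, not Triage output. DUMPS and YARA_HITS are transcribed from the
Downloads and Signatures sections above; the size-formatting rule in human() is an
assumption about the report's rounding that the data below happens to satisfy.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^(?:behavioral1/)?memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<base>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$"
)

DUMPS = [   # (artifact name, size as printed in the report; None where none is printed)
    ("memory/800-54-0x00000000103B0000-0x000000001040A000-memory.dmp", "360KB"),
    ("memory/800-55-0x00000000765F1000-0x00000000765F3000-memory.dmp", "8KB"),
    ("memory/800-56-0x00000000004F0000-0x00000000004F8000-memory.dmp", "32KB"),
    ("memory/800-57-0x00000000045F0000-0x0000000004628000-memory.dmp", "224KB"),
    ("memory/836-58-0x0000000000000000-mapping.dmp", None),
    ("memory/900-72-0x0000000000000000-mapping.dmp", None),
    ("memory/964-70-0x0000000000000000-mapping.dmp", None),
    ("memory/964-76-0x0000000000A20000-0x0000000000AB3000-memory.dmp", "588KB"),
    ("memory/964-75-0x00000000022D0000-0x00000000025D3000-memory.dmp", "3.0MB"),
    ("memory/964-74-0x0000000000080000-0x00000000000AA000-memory.dmp", "168KB"),
    ("memory/964-73-0x0000000000DC0000-0x0000000000EC4000-memory.dmp", "1.0MB"),
    ("memory/1212-69-0x0000000004B30000-0x0000000004CC3000-memory.dmp", "1.6MB"),
    ("memory/1212-77-0x0000000003DD0000-0x0000000003EDB000-memory.dmp", "1.0MB"),
    ("memory/1284-61-0x0000000000400000-0x000000000042A000-memory.dmp", "168KB"),
    ("memory/1284-68-0x00000000002C0000-0x00000000002D4000-memory.dmp", "80KB"),
    ("memory/1284-60-0x0000000000400000-0x000000000042A000-memory.dmp", "168KB"),
    ("memory/1284-67-0x0000000000970000-0x0000000000C73000-memory.dmp", "3.0MB"),
    ("memory/1284-66-0x0000000000400000-0x000000000042A000-memory.dmp", "168KB"),
    ("memory/1284-64-0x000000000041B620-mapping.dmp", None),
    ("memory/1284-63-0x0000000000400000-0x000000000042A000-memory.dmp", "168KB"),
]
YARA_HITS = [   # (artifact name, yara rule) from the Signatures section
    ("behavioral1/memory/800-56-0x00000000004F0000-0x00000000004F8000-memory.dmp", "coreentity"),
    ("behavioral1/memory/800-57-0x00000000045F0000-0x0000000004628000-memory.dmp", "rezer0"),
    ("behavioral1/memory/1284-63-0x0000000000400000-0x000000000042A000-memory.dmp", "formbook"),
    ("behavioral1/memory/1284-64-0x000000000041B620-mapping.dmp", "formbook"),
    ("behavioral1/memory/1284-66-0x0000000000400000-0x000000000042A000-memory.dmp", "formbook"),
    ("behavioral1/memory/964-74-0x0000000000080000-0x00000000000AA000-memory.dmp", "formbook"),
]

def parse_dump(name):
    """Split a Triage dump name into pid, sequence number, address range and kind."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a Triage dump name: {name}")
    end = m.group("end")
    return {"pid": int(m.group("pid")), "seq": int(m.group("seq")),
            "base": int(m.group("base"), 16),
            "end": int(end, 16) if end is not None else None, "kind": m.group("kind")}

def human(size):
    """Assumed report formatting: whole KB below 1 MiB, otherwise one-decimal MB."""
    return f"{size // 1024}KB" if size < 1 << 20 else f"{size / (1 << 20):.1f}MB"

def check_sizes(dumps=DUMPS):
    """Entries whose printed size disagrees with the range in their own name; [] if all agree."""
    bad = []
    for name, printed in dumps:
        d = parse_dump(name)
        if printed is not None and d["end"] is not None and human(d["end"] - d["base"]) != printed:
            bad.append((name, printed, human(d["end"] - d["base"])))
    return bad

def payload_regions(rule="formbook", hits=YARA_HITS):
    """Regions flagged by one rule, grouped by size and deduplicated per (pid, base).
    Equal-sized hits in different pids are the same payload after re-injection."""
    groups = defaultdict(list)
    for name, r in hits:
        d = parse_dump(name)
        if r == rule and d["end"] is not None and (d["pid"], d["base"]) not in groups[d["end"] - d["base"]]:
            groups[d["end"] - d["base"]].append((d["pid"], d["base"]))
    return dict(groups)

def entry_points(rule="formbook", hits=YARA_HITS):
    """Single-address mapping dumps lying inside a region flagged by the same rule,
    as (pid, address, offset into that region)."""
    regions = [parse_dump(n) for n, r in hits if r == rule]
    out = []
    for d in regions:
        if d["kind"] != "mapping":
            continue
        for r in regions:
            if r["kind"] == "memory" and r["pid"] == d["pid"] and r["base"] <= d["base"] < r["end"]:
                out.append((d["pid"], d["base"], d["base"] - r["base"]))
                break
    return out

if __name__ == "__main__":
    print("size mismatches:", check_sizes())
    for size, where in payload_regions().items():
        print(f"formbook region {size:#x} bytes in", ", ".join(f"pid {p} @ {b:#x}" for p, b in where))
    print("entry points:", [(p, hex(a), hex(o)) for p, a, o in entry_points()])
```

check_sizes() returning an empty list is the sanity check that the dump list was transcribed correctly; payload_regions() is where the analyst's question ("is the thing in mstsc.exe the same blob that was in RegSvcs.exe?") gets a size-based answer, which you would then confirm by diffing the two dumps.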