Analysis
max time kernel: 152s
max time network: 179s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-12-2022 14:16
Static task: static1
Behavioral task: behavioral1
Sample: shelamas3.1.exe
Resource: win7-20221111-en
General
Target: shelamas3.1.exe
Size: 511KB
MD5: 7994c54a4717446039c90d9f5e63d4ce
SHA1: 18f5bc70c635da9b95e47898f0313758e225a380
SHA256: 037d18a0489c63d5d9ba87f8ea9652c511df0787eb9d8fe361cfab7f93e03582
SHA512: 69dc8129beeb15632ea7ea8c63d95bd1a08c8fb3aaacf7344d3ec01bd9efd9f5e6f4dd9e540c159c83a25bcf0003caa57ed944351e6a20c769e124302a0ea5af
SSDEEP: 12288:nEUfI55vi6nBA+FrSbH/PJ8jevCPyyYmYj:npYnnBA+FG7/h8jeKPtYtj
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: sk19
C2 / decoy domains (a Formbook config embeds the real C2 among decoy domains; this report does not say which entry is live, so treat the list as indicators, not as confirmed C2 servers):
21diasdegratitud.com
kx1993.com
chasergt.com
837news.com
naturagent.co.uk
gatorinsurtech.com
iyaboolashilesblog.africa
jamtanganmurah.online
gguminsa.com
lilliesdrop.com
lenvera.com
link48.co.uk
azinos777.fun
lgcdct.cfd
bg-gobtc.com
livecarrer.uk
cbq4u.com
imalreadygone.com
wabeng.africa
jxmheiyouyuetot.tokyo
atrikvde.xyz
ceopxb.com
autovincert.com
18traversplace.com
internetmedianews.com
entersight.net
guzmanshandymanservicesllc.com
gqqwdz.com
emeraldpathjewelery.com
flowmoneycode.online
gaziantepmedicalpointanket.com
111lll.xyz
irkwood138.site
abovegross.com
shopabeee.co.uk
greenvalleyfoodusa.com
dd-canada.com
libertysminings.com
baronsaccommodation.co.uk
kareto.buzz
freeexercisecoalition.com
73129.vip
avanteventexperiences.com
comercialdiabens.fun
nondescript.uk
facal.dev
detox-71934.com
kovar.club
jetsparking.com
infocuspublicidad.com
xxhcom.com
indianvoltage.com
becrownedllc.com
3744palosverdes.com
gospelnative.africa
linkmastermind.com
cotgfp.com
lousweigman.com
cantoaffine.online
debbiepatrickdesigns.com
766626.com
webcubemedia.africa
autonomaat.com
hannahmarsh.co.uk
justbeand.com
Signatures

Formbook payload (3 IoCs)
  resource                                                                       yara_rule
  behavioral2/memory/2440-139-0x0000000000400000-0x000000000042F000-memory.dmp   formbook
  behavioral2/memory/2440-145-0x0000000000400000-0x000000000042F000-memory.dmp   formbook
  behavioral2/memory/3436-149-0x0000000000500000-0x000000000052F000-memory.dmp   formbook

Executes dropped EXE (2 IoCs)
  pid   process
  4420  okkofadc.exe
  2440  okkofadc.exe

Suspicious use of SetThreadContext (4 IoCs)
  description                           pid   process       target process
  PID 4420 set thread context of 2440   4420  okkofadc.exe  okkofadc.exe
  PID 2440 set thread context of 2724   2440  okkofadc.exe  Explorer.EXE
  PID 2440 set thread context of 2724   2440  okkofadc.exe  Explorer.EXE
  PID 3436 set thread context of 2724   3436  control.exe   Explorer.EXE
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox attaches its generic "likely ransomware behaviour" label to this signature; nothing else in this report supports that reading, and the extracted config identifies the sample as Formbook, an information stealer.
Suspicious behavior: EnumeratesProcesses (26 IoCs)
  pid   process       hits
  2440  okkofadc.exe  6
  3436  control.exe   20

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   process
  2724  Explorer.EXE

Suspicious behavior: MapViewOfSection (7 IoCs)
  pid   process       hits
  4420  okkofadc.exe  1
  2440  okkofadc.exe  4
  3436  control.exe   2

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  2440  okkofadc.exe
  Token: SeDebugPrivilege  3436  control.exe

Suspicious use of UnmapMainImage (1 IoC)
  pid   process
  2724  Explorer.EXE

Suspicious use of WriteProcessMemory (16 IoCs)
  description                        pid   process          target process  hits
  PID 4192 wrote to memory of 4420   4192  shelamas3.1.exe  okkofadc.exe    3
  PID 4420 wrote to memory of 2440   4420  okkofadc.exe     okkofadc.exe    4
  PID 2440 wrote to memory of 3436   2440  okkofadc.exe     control.exe     3
  PID 2724 wrote to memory of 4756   2724  Explorer.EXE     WWAHost.exe     3
  PID 3436 wrote to memory of 4472   3436  control.exe      cmd.exe         3
Processes

C:\Windows\Explorer.EXE  (PID 2724)
  C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\shelamas3.1.exe  (PID 4192)
    "C:\Users\Admin\AppData\Local\Temp\shelamas3.1.exe"
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\okkofadc.exe  (PID 4420)
      "C:\Users\Admin\AppData\Local\Temp\okkofadc.exe" C:\Users\Admin\AppData\Local\Temp\xhyjiy.m
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\okkofadc.exe  (PID 2440)
        "C:\Users\Admin\AppData\Local\Temp\okkofadc.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\control.exe  (PID 3436)
          "C:\Windows\SysWOW64\control.exe"
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\cmd.exe  (PID 4472)
            /c del "C:\Users\Admin\AppData\Local\Temp\okkofadc.exe"

  C:\Windows\SysWOW64\autochk.exe  (PID 3080)
    "C:\Windows\SysWOW64\autochk.exe"

  C:\Windows\SysWOW64\WWAHost.exe  (PID 4756)
    "C:\Windows\SysWOW64\WWAHost.exe"
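The chain recorded in the Signatures and Processes sections (shelamas3.1.exe writes into okkofadc.exe; okkofadc.exe starts a second copy of itself and sets its thread context; that copy and control.exe both set thread context in Explorer.EXE; control.exe finally runs cmd.exe /c del on the dropped binary) can be reconstructed mechanically from process-creation and API telemetry. The Python below is an added example, not part of this sandbox report or its tooling. The event records are constructed from the PIDs, image paths, command lines and memory-dump names on this page; the record layout (pid, image, parent pid; api, source pid, target pid) is an assumption about whatever telemetry you actually collect.

```python
import re

# Constructed from the report's process tree: pid -> (image path, parent pid).
PROCESSES = {
    2724: (r"C:\Windows\Explorer.EXE", None),
    4192: (r"C:\Users\Admin\AppData\Local\Temp\shelamas3.1.exe", 2724),
    4420: (r"C:\Users\Admin\AppData\Local\Temp\okkofadc.exe", 4192),
    2440: (r"C:\Users\Admin\AppData\Local\Temp\okkofadc.exe", 4420),
    3436: (r"C:\Windows\SysWOW64\control.exe", 2440),
    4472: (r"C:\Windows\SysWOW64\cmd.exe", 3436),
    4756: (r"C:\Windows\SysWOW64\WWAHost.exe", 2724),
}
# Constructed: the only command line in the tree that matters for self-deletion.
COMMAND_LINES = {4472: r'/c del "C:\Users\Admin\AppData\Local\Temp\okkofadc.exe"'}
# (api, source pid, target pid), constructed from the signature tables on the page.
API_EVENTS = [
    ("WriteProcessMemory", 4192, 4420),
    ("WriteProcessMemory", 4420, 2440),
    ("SetThreadContext", 4420, 2440),
    ("SetThreadContext", 2440, 2724),
    ("SetThreadContext", 2440, 2724),  # the report records this one twice
    ("WriteProcessMemory", 2440, 3436),
    ("SetThreadContext", 3436, 2724),
    ("WriteProcessMemory", 3436, 4472),
]
# The three yara hits under "Formbook payload", copied from the report.
MEMORY_HITS = [
    "behavioral2/memory/2440-139-0x0000000000400000-0x000000000042F000-memory.dmp",
    "behavioral2/memory/2440-145-0x0000000000400000-0x000000000042F000-memory.dmp",
    "behavioral2/memory/3436-149-0x0000000000500000-0x000000000052F000-memory.dmp",
]


def ancestors(procs, pid):
    """Yield parent, grandparent, ... of pid, nearest first."""
    parent = procs[pid][1]
    while parent is not None:
        yield parent
        parent = procs[parent][1]


def hollowing_candidates(procs, events):
    """SetThreadContext from a parent into its own child running the same image:
    the start-suspended, overwrite, resume pattern. Returns [(src, tgt)]."""
    found = []
    for api, src, tgt in events:
        if api != "SetThreadContext" or (src, tgt) in found:
            continue
        same_image = procs[src][0].lower() == procs[tgt][0].lower()
        if procs[tgt][1] == src and same_image:
            found.append((src, tgt))
    return found


def cross_process_injections(procs, events):
    """SetThreadContext into a process the source did not create (here Explorer.EXE)."""
    found = []
    for api, src, tgt in events:
        if api == "SetThreadContext" and procs[tgt][1] != src and (src, tgt) not in found:
            found.append((src, tgt))
    return found


_DEL_RE = re.compile(r'/c\s+del\s+"?([^"]+?)"?\s*$', re.IGNORECASE)


def self_delete(procs, cmdlines):
    """cmd.exe /c del <path> where <path> is the image of an ancestor process.
    Returns {cmd pid: nearest ancestor pid whose binary is being deleted}."""
    hits = {}
    for pid, cmdline in cmdlines.items():
        if not procs[pid][0].lower().endswith(r"\cmd.exe"):
            continue
        m = _DEL_RE.search(cmdline)
        if not m:
            continue
        target = m.group(1).strip().lower()
        for anc in ancestors(procs, pid):
            if procs[anc][0].lower() == target:
                hits[pid] = anc
                break
    return hits


_HIT_RE = re.compile(r"/memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def memory_regions(hits):
    """Parse the sandbox's memory-dump names into (pid, base, size) tuples."""
    regions = []
    for h in hits:
        m = _HIT_RE.search(h)
        if m:
            pid, start, end = m.groups()
            regions.append((int(pid), int(start, 16), int(end, 16) - int(start, 16)))
    return regions


if __name__ == "__main__":
    print("hollowing:", hollowing_candidates(PROCESSES, API_EVENTS))
    print("injection:", cross_process_injections(PROCESSES, API_EVENTS))
    print("self-delete:", self_delete(PROCESSES, COMMAND_LINES))
    print("regions:", [(p, hex(b), hex(s)) for p, b, s in memory_regions(MEMORY_HITS)])
```

Run as-is it flags 4420 -> 2440 as the self-hollowing step, 2440 -> 2724 and 3436 -> 2724 as injections into Explorer.EXE, and cmd.exe (4472) deleting the image of its ancestor 2440. The parsed yara regions are the same size (0x2F000 bytes) at different bases in okkofadc.exe and control.exe, which is consistent with one payload being mapped into both processes; the base address therefore is not a stable indicator, the region size and the yara match are.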
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 185KB
MD5: fb30577d40cca07b0f963ab502e29e67
SHA1: 648337acbbf654bde51db56bce0eeeb04b0d1ede
SHA256: 24cf1f1d4fe2420ac79df368d25760da7557e1a2b006f006effb2c93f90a70af
SHA512: 598a84eb62b7e191248ab6fbfa26903883ca84365b8112b4cb67de59c9e0c38a4a77a703d84763f9b97cfabe8c15f4f1c8d7417398b0cd08ef269f0225612134

Filesize: 267KB (listed three times in the report with identical hashes)
MD5: 863b7a8eb137b0fd9a36296c249936a5
SHA1: e42b00e887f8303e19dfd9e6484150f9fccc6873
SHA256: 0a8372ac64cf7348a7d146d500c6a05b888d7423959223aa8e4c3e3083694f15
SHA512: 4682494dd04873ec102adec9831cafb932cbffb31054bf14ee3af9e4992513b4e0598e72be5ff1f6a3f8e84b89194290ced3cf3f11cde8700992de714cec7888

Filesize: 5KB
MD5: 6944d66e289600d634edd3e655a5db7f
SHA1: f1b0afb77e54a2a00a9ed14d5f3aa4c2d9f4fb50
SHA256: 8be7f4956d97276582a10a532e191b4cdab77e768bccf7979acf7533e2811f50
SHA512: 5de4087a5f8e263325d0ba0c1336fcf20deeb0b607ec23ae9adfb540cea5ab3de5f8c5e6585f77c42ab88bc504019f95012d778fa4dca31646d77ddb13e458e5