Analysis
-
max time kernel
152s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20221111-en locale:en-us os:windows10-2004-x64 system -
submitted
22-11-2022 11:47
Static task
static1
Behavioral task
behavioral1
Sample
Swift.exe
Resource
win7-20220812-en
General
-
Target
Swift.exe
-
Size
221KB
-
MD5
0202c53a04751949b148ac5eab59030e
-
SHA1
32febcf0ec3e26a2852a677a1e0f80a520844ee4
-
SHA256
ad6df53019d5d8930fce4ad4a7e0d15a08d9771b3cff97b7c06bf3df364c17a4
-
SHA512
07ea4cb41cbd1860ee7a9ff87b949372735f62e4e3dab916b2cc0493e5f1748cf64534afe454c81c06982d9b2c7e6a7bedaa72132b381c3f24da746cfec1dab6
-
SSDEEP
6144:MEa0Nyh7Uk49DgIyU3wmtax8+3AdmVsrPW1QBho5p:XUUk49DgIyU3Bp4HVQs4o7
Malware Config
Extracted
formbook
4.1
b31b
deltafxtrading.com
alisonangl.com
cdfqs.com
easyentry.vip
dentalinfodomain.com
hiphoppianyc.com
pools-62911.com
supportteam26589.site
delldaypa.one
szanody.com
diaper-basket.art
ffscollab.com
freediverconnect.com
namesbrun.com
theprimone.top
lenzolab.com
cikmas.com
genyuei-no.space
hellofstyle.com
lamagall.com
hallmarktb.com
hifebou7.info
sex5a.finance
printrynner.com
powerrestorationllc.com
hirefiz.com
uninvitedempire.com
alpinemaintenance.online
ppcadshub.com
looking4.tours
dirtyhandsmedia.com
capishe.website
cachorrospitbull.com
mythic-authentication.online
nordingcave.online
gremep.online
tryufabetcasino.com
premiumciso.com
powerful70s.com
myminecraftrealm.com
bssurgery.com
steel-pcint.com
iokailyjewelry.com
barmanon5.pro
kcrsw.com
9393xx38.app
kochen-mit-induktion.com
indtradors.store
giaxevn.info
trungtambaohanhariston.com
fulili.com
crgabions.com
matomekoubou.com
duaidapduapjdp.site
invissiblefriends.com
cy3.space
idqoft.com
jamal53153.com
lemagnetix.com
anthroaction.com
uspcff.top
supplierdir.com
counterpoint.online
zarl.tech
cdlcapitolsolutions.com
Signatures
-
Formbook payload 3 IoCs
Processes:
resource | yara_rule
behavioral2/memory/1660-139-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral2/memory/1684-145-0x00000000008C0000-0x00000000008EF000-memory.dmp | formbook
behavioral2/memory/1684-148-0x00000000008C0000-0x00000000008EF000-memory.dmp | formbook
-
Executes dropped EXE 2 IoCs
Processes:
pid | process
3228 | idxgunu.exe
1660 | idxgunu.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
description | pid | process | target process
PID 3228 set thread context of 1660 | 3228 | idxgunu.exe | idxgunu.exe
PID 1660 set thread context of 764 | 1660 | idxgunu.exe | Explorer.EXE
PID 1684 set thread context of 764 | 1684 | WWAHost.exe | Explorer.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 60 IoCs
Processes:
pid | process
1660 | idxgunu.exe (4 entries)
1684 | WWAHost.exe (56 entries)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
764 | Explorer.EXE
-
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
pid | process
3228 | idxgunu.exe
1660 | idxgunu.exe (3 entries)
1684 | WWAHost.exe (2 entries)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1660 | idxgunu.exe
Token: SeDebugPrivilege | 1684 | WWAHost.exe
-
Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
pid | process
764 | Explorer.EXE (3 entries)
-
Suspicious use of SendNotifyMessage 3 IoCs
Processes:
pid | process
764 | Explorer.EXE (3 entries)
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
description | pid | process | target process
PID 1324 wrote to memory of 3228 | 1324 | Swift.exe | idxgunu.exe (3 entries)
PID 3228 wrote to memory of 1660 | 3228 | idxgunu.exe | idxgunu.exe (4 entries)
PID 764 wrote to memory of 1684 | 764 | Explorer.EXE | WWAHost.exe (3 entries)
PID 1684 wrote to memory of 3356 | 1684 | WWAHost.exe | cmd.exe (3 entries)
Processes
-
[1] C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\Swift.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Swift.exe"
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\idxgunu.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\idxgunu.exe" C:\Users\Admin\AppData\Local\Temp\jdgedcev.bx
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\idxgunu.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\idxgunu.exe" C:\Users\Admin\AppData\Local\Temp\jdgedcev.bx
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\WWAHost.exe
      command line: "C:\Windows\SysWOW64\WWAHost.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe
        command line: /c del "C:\Users\Admin\AppData\Local\Temp\idxgunu.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\aznhzp.mba
Filesize 185KB
MD5 b3581defa6b04b02ec74081ebe1cdf25
SHA1 f721fca7fb1c097f954db044ca05f39482f65c2d
SHA256 fdaba24d7be4cacecfc6068d585d8135138d35d4513047beabd35ecdc567c106
SHA512 f351cbb5818e4b9c171fe9ac9b4ee342f6a2d30e7e818a684c98668f3f356d2558d65ffcf97ab14da252dc830824ffeeb905c91962cc0e65d8236799e775fa4b
-
C:\Users\Admin\AppData\Local\Temp\idxgunu.exe
Filesize 7KB
MD5 8748279bd1a60b520e0f062016b094e8
SHA1 78c8a552dd69b232715981c3eac3c1c2ec224f38
SHA256 6875c3049ed37ad538dde61f99c49917bbbe21b74ba6896626ec62edf689d2fd
SHA512 7f0a74986e2af5649554670b97fb87b8768a286c9e43795ba0a309185d4f2ba8f4080dc741aa9bb6741a6a3b5575cda39b5c4760ca246be678087ba4d6c035f7
-
C:\Users\Admin\AppData\Local\Temp\jdgedcev.bx
Filesize 5KB
MD5 18e2b6cac2a0ea0a11fad297712721bc
SHA1 8c947c4d4a6e53f30eac64c7e830f325cee6775a
SHA256 1d8d7c32217eed7730b45b61ed0f98586b38f09c2b5ff8aa6292e1a40ff71e4d
SHA512 72d658d15e6b0a418cf41c3cafe050cd59e5036c91ce7c54bdcd7be3c9761a54d620688d60bd315fe4466b6051e329be9010e245628dfabb9c3cc89c43c2b7a8
-
memory/764-142-0x0000000002DF0000-0x0000000002ED6000-memory.dmp
Filesize 920KB
-
memory/764-151-0x00000000081A0000-0x00000000082A0000-memory.dmp
Filesize 1024KB
-
memory/764-150-0x00000000081A0000-0x00000000082A0000-memory.dmp
Filesize 1024KB
-
memory/1660-137-0x0000000000000000-mapping.dmp
-
memory/1660-141-0x00000000009A0000-0x00000000009B4000-memory.dmp
Filesize 80KB
-
memory/1660-140-0x00000000012C0000-0x000000000160A000-memory.dmp
Filesize 3.3MB
-
memory/1660-139-0x0000000000400000-0x000000000042F000-memory.dmp
Filesize 188KB
-
memory/1684-143-0x0000000000000000-mapping.dmp
-
memory/1684-145-0x00000000008C0000-0x00000000008EF000-memory.dmp
Filesize 188KB
-
memory/1684-144-0x00000000002F0000-0x00000000003CC000-memory.dmp
Filesize 880KB
-
memory/1684-147-0x00000000013A0000-0x00000000016EA000-memory.dmp
Filesize 3.3MB
-
memory/1684-148-0x00000000008C0000-0x00000000008EF000-memory.dmp
Filesize 188KB
-
memory/1684-149-0x00000000011E0000-0x0000000001273000-memory.dmp
Filesize 588KB
-
memory/3228-132-0x0000000000000000-mapping.dmp
-
memory/3356-146-0x0000000000000000-mapping.dmp