Analysis
- max time kernel: 188s
- max time network: 204s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09-12-2022 19:07
- Static task: static1
General
- Target: 7eb67be31871fe9316bbb2ba993b6dfd13cb9e7e04a2e1091b934746399e5293.exe
- Size: 530KB
- MD5: e17b0be6e0c42a0c39c5da63523af8d8
- SHA1: c374934cf78e71069fc628de57b3ea15fff4c36c
- SHA256: 7eb67be31871fe9316bbb2ba993b6dfd13cb9e7e04a2e1091b934746399e5293
- SHA512: 1ba4983c40c19726d49b8dc73bbf9da2de7f3c53733f4264c4d731d75ae1f3e08718ecd9cba3a99d24295af5115a9449aed498259ac5c3fecf0a331c87cc4089
- SSDEEP: 6144:ukwxeWkEM+08FjAOpwh0eEnt4KHz/aOfL40QfkhzJtnXXXdxspXEWYUPwH:IHM+bsOpwh0lnt4NgIMhz3nHXTsmoPwH
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- Campaign: wh23
- C2/decoy domains: 65 listed
Signatures
- Formbook payload (4 IoCs)
  Processes (resource, yara_rule):
  - behavioral1/memory/400-139-0x0000000000400000-0x000000000042F000-memory.dmp: formbook
  - behavioral1/memory/400-144-0x0000000000400000-0x000000000042F000-memory.dmp: formbook
  - behavioral1/memory/1288-147-0x0000000000F30000-0x0000000000F5F000-memory.dmp: formbook
  - behavioral1/memory/1288-149-0x0000000000F30000-0x0000000000F5F000-memory.dmp: formbook
- Blocklisted process makes network request (1 IoC)
  Processes (flow, pid, process):
  - flow 81, PID 1288, wscript.exe
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
  - PID 3660, myxwn.exe
  - PID 400, myxwn.exe
- Suspicious use of SetThreadContext (3 IoCs)
  Processes (description, pid, process, target process):
  - PID 3660 set thread context of 400: myxwn.exe -> myxwn.exe
  - PID 400 set thread context of 3020: myxwn.exe -> Explorer.EXE
  - PID 1288 set thread context of 3020: wscript.exe -> Explorer.EXE
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (52 IoCs)
  Processes (pid, process):
  - PID 400, myxwn.exe (4 occurrences)
  - PID 1288, wscript.exe (48 occurrences)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes (pid, process):
  - PID 3020, Explorer.EXE
- Suspicious behavior: MapViewOfSection (6 IoCs)
  Processes (pid, process):
  - PID 3660, myxwn.exe (1 occurrence)
  - PID 400, myxwn.exe (3 occurrences)
  - PID 1288, wscript.exe (2 occurrences)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege, PID 400, myxwn.exe
  - Token: SeDebugPrivilege, PID 1288, wscript.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes (pid, process):
  - PID 3020, Explorer.EXE (2 occurrences)
- Suspicious use of UnmapMainImage (1 IoC)
  Processes (pid, process):
  - PID 3020, Explorer.EXE
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes (description, pid, process, target process):
  - PID 4268 wrote to memory of 3660: 7eb67be31871fe9316bbb2ba993b6dfd13cb9e7e04a2e1091b934746399e5293.exe -> myxwn.exe (3 occurrences)
  - PID 3660 wrote to memory of 400: myxwn.exe -> myxwn.exe (4 occurrences)
  - PID 3020 wrote to memory of 1288: Explorer.EXE -> wscript.exe (3 occurrences)
  - PID 1288 wrote to memory of 3616: wscript.exe -> cmd.exe (3 occurrences)
Processes
- [1] C:\Windows\Explorer.EXE (PID 3020)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\7eb67be31871fe9316bbb2ba993b6dfd13cb9e7e04a2e1091b934746399e5293.exe (PID 4268)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7eb67be31871fe9316bbb2ba993b6dfd13cb9e7e04a2e1091b934746399e5293.exe"
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\myxwn.exe (PID 3660)
      Command line: "C:\Users\Admin\AppData\Local\Temp\myxwn.exe" C:\Users\Admin\AppData\Local\Temp\getlceffch.gqb
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Local\Temp\myxwn.exe (PID 400)
        Command line: "C:\Users\Admin\AppData\Local\Temp\myxwn.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\wscript.exe (PID 1288)
    Command line: "C:\Windows\SysWOW64\wscript.exe"
    - Blocklisted process makes network request
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\cmd.exe (PID 3616)
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\myxwn.exe"
Downloads
- C:\Users\Admin\AppData\Local\Temp\eilfol.tsc
  - Filesize: 185KB
  - MD5: 663d2953e8beddc4a08aca27a1145112
  - SHA1: 3293e912d9661b2736ca8d403250590eb2d5164d
  - SHA256: 2aa0a26b9a38b19c34c10e53834ec199fc87cbfea15e8babee582a3df331b9cb
  - SHA512: 30581e1321f0165abcfcc908e15877f080dad2bf7bbedb24fa8e8baee3176097d7f43c5e59076f095c3929438b4e5740e1871ab3716c338e765c4d3d011a630a
- C:\Users\Admin\AppData\Local\Temp\getlceffch.gqb
  - Filesize: 6KB
  - MD5: e6d82eb1bea9bca087062e488dfd575e
  - SHA1: 5ec22cec8805d965d6dac1719976bef32867b595
  - SHA256: ad495d0d0e35a6ab15c042e900e0dfc20197ef36153e15559e0fdaef4c541230
  - SHA512: 6ef986b00509140137d51f114ecdf7b92c1008c3fae513579634ed202f1fc4e34ba904db48cbf092cf8d12c0a5e84cc5b2a0d61e95c03f4006eca3f190f80fd2
- C:\Users\Admin\AppData\Local\Temp\myxwn.exe
  - Filesize: 276KB
  - MD5: 2afdd35f6df6b6cbf8f3500822625d70
  - SHA1: 2efd81cdd798b38908b63a7a8ae88806e5234a1d
  - SHA256: 393af45214ac518895d3178055bee95f70264bdc65ca7b97f4c564daf95943c8
  - SHA512: b49476cddd05b3b003bb326e0f02a78eea6021f5087c4c6cd55d306ccfb061fc8510ffa44b59a96e3cd0a7c91c037989a691561b0234f3672be08194a5825359
- memory/400-144-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
- memory/400-137-0x0000000000000000-mapping.dmp
- memory/400-139-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
- memory/400-140-0x00000000009E0000-0x0000000000D2A000-memory.dmp (Filesize: 3.3MB)
- memory/400-141-0x00000000009C0000-0x00000000009D4000-memory.dmp (Filesize: 80KB)
- memory/1288-147-0x0000000000F30000-0x0000000000F5F000-memory.dmp (Filesize: 188KB)
- memory/1288-143-0x0000000000000000-mapping.dmp
- memory/1288-145-0x0000000000060000-0x0000000000087000-memory.dmp (Filesize: 156KB)
- memory/1288-146-0x0000000002FB0000-0x00000000032FA000-memory.dmp (Filesize: 3.3MB)
- memory/1288-149-0x0000000000F30000-0x0000000000F5F000-memory.dmp (Filesize: 188KB)
- memory/1288-150-0x0000000002DF0000-0x0000000002E83000-memory.dmp (Filesize: 588KB)
- memory/3020-142-0x0000000002DF0000-0x0000000002F76000-memory.dmp (Filesize: 1.5MB)
- memory/3020-151-0x0000000003340000-0x00000000033E1000-memory.dmp (Filesize: 644KB)
- memory/3020-152-0x0000000003340000-0x00000000033E1000-memory.dmp (Filesize: 644KB)
- memory/3616-148-0x0000000000000000-mapping.dmp
- memory/3660-132-0x0000000000000000-mapping.dmp