Analysis
max time kernel: 151s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-12-2022 20:03
Static task: static1
Behavioral task: behavioral1
  Sample: e17b0be6e0c42a0c39c5da63523af8d8.exe
  Resource: win7-20221111-en
General
Target: e17b0be6e0c42a0c39c5da63523af8d8.exe
Size: 530KB
MD5: e17b0be6e0c42a0c39c5da63523af8d8
SHA1: c374934cf78e71069fc628de57b3ea15fff4c36c
SHA256: 7eb67be31871fe9316bbb2ba993b6dfd13cb9e7e04a2e1091b934746399e5293
SHA512: 1ba4983c40c19726d49b8dc73bbf9da2de7f3c53733f4264c4d731d75ae1f3e08718ecd9cba3a99d24295af5115a9449aed498259ac5c3fecf0a331c87cc4089
SSDEEP: 6144:ukwxeWkEM+08FjAOpwh0eEnt4KHz/aOfL40QfkhzJtnXXXdxspXEWYUPwH:IHM+bsOpwh0lnt4NgIMhz3nHXTsmoPwH
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: wh23
Decoy / C2 domains (65 entries as extracted from the sample; Formbook hides its live C2 among decoy domains, so treat the list as an indicator set rather than as 65 confirmed C2 servers):
ow9vyvfee.com
alvis.one
mutantgobz.claims
plynofon.com
southofkingst.store
nuvidamedspa.com
coffeeforyou56.com
opaletechevents.com
momobar.life
abcmousu.com
learnicd-11.com
tipokin.xyz
kahvezevki.com
suratdimond.com
oldartists.best
infoepic.info
mattresslabo.com
skarlmotors.com
cl9319x.xyz
med49app.net
vivarellistaging2.com
gwnv.link
ogurecsbatvoi-7.online
littlelionplaycafe.com
floridaindianrivergeoves.com
eyelashacademysurrey.com
elprobetre.store
sexfan.biz
westbay.casino
carmana.store
optitude.finance
neo-hub.us
meadowwoodanimalclinic.com
ok-experts.com
magnoliabymr.com
fenomini.com
miaowu.work
skipermind.com
winstim.com
14123ninemile.com
plegablescr.com
bloommagiccbdburaliste.com
focusing-garef.com
krumobilept.com
norbercik.online
qteko.com
growupmarketingservices.com
alem-holdings.com
entreinnovator3.com
mainlydivision.space
module.live
gtrewegehwewe5.asia
jd8wme.cyou
pingacx757.com
big-teamwork.com
lesyeuxdanslespoches.com
yutighjkdfgjkd.shop
yourstoolsample.com
musntgrumble.com
jurgenremmerie.com
ebade.xyz
johnollieconstruction.com
bioprofumeria.shop
sarithebrand.com
taiguszab.online
Signatures
Formbook payload (4 IoCs)
  resource / yara_rule
  behavioral2/memory/1600-139-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
  behavioral2/memory/1600-144-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
  behavioral2/memory/4340-146-0x0000000000B30000-0x0000000000B5F000-memory.dmp  formbook
  behavioral2/memory/4340-151-0x0000000000B30000-0x0000000000B5F000-memory.dmp  formbook
Executes dropped EXE (2 IoCs)
  pid / process
  2520  myxwn.exe
  1600  myxwn.exe
Suspicious use of SetThreadContext (3 IoCs)
  pid / process -> target process
  PID 2520 (myxwn.exe) set thread context of 1600 (myxwn.exe)
  PID 1600 (myxwn.exe) set thread context of 3048 (Explorer.EXE)
  PID 4340 (control.exe) set thread context of 3048 (Explorer.EXE)
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour; in this report the payload is identified as Formbook, an information stealer, so the drive enumeration is better read as host reconnaissance than as preparation for file encryption.
Suspicious behavior: EnumeratesProcesses (60 IoCs)
  pid / process (event counts)
  1600  myxwn.exe    4 events
  4340  control.exe  56 events
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid / process
  3048  Explorer.EXE
Suspicious behavior: MapViewOfSection (6 IoCs)
  pid / process (event counts)
  2520  myxwn.exe    1 event
  1600  myxwn.exe    3 events
  4340  control.exe  2 events
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description / pid / process
  Token: SeDebugPrivilege  1600  myxwn.exe
  Token: SeDebugPrivilege  4340  control.exe
Suspicious use of WriteProcessMemory (13 IoCs)
  pid / process -> target process (event counts)
  PID 4372 (e17b0be6e0c42a0c39c5da63523af8d8.exe) wrote to memory of 2520 (myxwn.exe)  3 events
  PID 2520 (myxwn.exe) wrote to memory of 1600 (myxwn.exe)  4 events
  PID 3048 (Explorer.EXE) wrote to memory of 4340 (control.exe)  3 events
  PID 4340 (control.exe) wrote to memory of 5056 (cmd.exe)  3 events
Processes
C:\Windows\Explorer.EXE  [PID 3048]
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\e17b0be6e0c42a0c39c5da63523af8d8.exe  [PID 4372]
    command line: "C:\Users\Admin\AppData\Local\Temp\e17b0be6e0c42a0c39c5da63523af8d8.exe"
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\myxwn.exe  [PID 2520]
      command line: "C:\Users\Admin\AppData\Local\Temp\myxwn.exe" C:\Users\Admin\AppData\Local\Temp\getlceffch.gqb
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\myxwn.exe  [PID 1600]
        command line: "C:\Users\Admin\AppData\Local\Temp\myxwn.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\control.exe  [PID 4340]
    command line: "C:\Windows\SysWOW64\control.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  [PID 5056]
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\myxwn.exe"
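The SetThreadContext and WriteProcessMemory signature rows and the process tree above describe a single injection chain: the sample writes the dropped myxwn.exe, that copy hollows a second copy of itself, the hollowed copy moves into Explorer.EXE, Explorer spawns control.exe to hold the payload, and control.exe launches cmd.exe to delete the dropper. The Python script below is an added example, not part of this report or of the sandbox that produced it. It parses rows in the report's flattened row format (the input is constructed here from the PIDs, image names and the cmd.exe command line shown above), reconstructs the chain, separates processes that were both written to and context-switched (hollowing) from targets that only had a thread context set, and extracts the self-delete target. The names Event, parse_rows, injection_chain and the hollowing heuristic are the script's own.

```python
"""Reconstruct a process-injection chain from Triage-style sandbox rows.

Added example, not part of the sandbox report or of the sandbox's own code.
The rows in REPORT_ROWS are constructed to mirror the report's flattened
SetThreadContext / WriteProcessMemory tables; everything else is this script's
own naming.
"""
import re
from collections import namedtuple

Event = namedtuple("Event", "kind src dst src_image dst_image")

# One row as the report flattens it:
#   PID <src> set thread context of <dst> <src> <src_image> <dst_image>
#   PID <src> wrote to memory of <dst> <src> <src_image> <dst_image>
ROW_RE = re.compile(
    r"PID (?P<src>\d+) (?P<verb>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_image>\S+) (?P<dst_image>\S+)"
)
VERB_TO_KIND = {"set thread context of": "SetThreadContext",
                "wrote to memory of": "WriteProcessMemory"}

# Constructed input: the report's 3 + 13 rows, one per line.
REPORT_ROWS = """\
PID 2520 set thread context of 1600 2520 myxwn.exe myxwn.exe
PID 1600 set thread context of 3048 1600 myxwn.exe Explorer.EXE
PID 4340 set thread context of 3048 4340 control.exe Explorer.EXE
PID 4372 wrote to memory of 2520 4372 e17b0be6e0c42a0c39c5da63523af8d8.exe myxwn.exe
PID 4372 wrote to memory of 2520 4372 e17b0be6e0c42a0c39c5da63523af8d8.exe myxwn.exe
PID 4372 wrote to memory of 2520 4372 e17b0be6e0c42a0c39c5da63523af8d8.exe myxwn.exe
PID 2520 wrote to memory of 1600 2520 myxwn.exe myxwn.exe
PID 2520 wrote to memory of 1600 2520 myxwn.exe myxwn.exe
PID 2520 wrote to memory of 1600 2520 myxwn.exe myxwn.exe
PID 2520 wrote to memory of 1600 2520 myxwn.exe myxwn.exe
PID 3048 wrote to memory of 4340 3048 Explorer.EXE control.exe
PID 3048 wrote to memory of 4340 3048 Explorer.EXE control.exe
PID 3048 wrote to memory of 4340 3048 Explorer.EXE control.exe
PID 4340 wrote to memory of 5056 4340 control.exe cmd.exe
PID 4340 wrote to memory of 5056 4340 control.exe cmd.exe
PID 4340 wrote to memory of 5056 4340 control.exe cmd.exe
"""


def parse_rows(text):
    """Parse flattened signature rows into Event tuples; unparseable rows are skipped."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            events.append(Event(VERB_TO_KIND[m["verb"]], int(m["src"]), int(m["dst"]),
                                m["src_image"], m["dst_image"]))
    return events


def edge_kinds(events):
    """Map each (src, dst) PID pair to the set of API kinds seen on that edge."""
    edges = {}
    for e in events:
        edges.setdefault((e.src, e.dst), set()).add(e.kind)
    return edges


def hollowing_candidates(events):
    """Return (hollowed, context_only).

    hollowed: PIDs that the same parent both wrote to and redirected a thread in,
    the classic process-hollowing pattern. context_only: PIDs that only had a
    thread context set, with no recorded WriteProcessMemory from that source;
    the payload likely arrived another way (e.g. a mapped section).
    """
    edges = edge_kinds(events)
    hollowed = sorted(dst for (src, dst), k in edges.items()
                      if {"WriteProcessMemory", "SetThreadContext"} <= k)
    context_only = sorted({dst for (src, dst), k in edges.items()
                           if k == {"SetThreadContext"}})
    return hollowed, context_only


def injection_chain(events, root):
    """Depth-first walk from the submitted sample's PID along injection edges.

    Successors are visited in order of first appearance; already-seen PIDs are
    skipped, so the back-edge control.exe -> Explorer.EXE does not loop.
    """
    succ = {}
    for e in events:
        succ.setdefault(e.src, [])
        if e.dst not in succ[e.src]:
            succ[e.src].append(e.dst)
    chain, stack, seen = [], [root], set()
    while stack:
        pid = stack.pop()
        if pid in seen:
            continue
        seen.add(pid)
        chain.append(pid)
        stack.extend(reversed(succ.get(pid, [])))
    return chain


SELF_DELETE_RE = re.compile(r'/c\s+del\s+"?(?P<path>[^"]+)"?', re.IGNORECASE)


def self_delete_target(cmdline):
    """Return the path removed by a `cmd /c del` command line, or None."""
    m = SELF_DELETE_RE.search(cmdline)
    return m["path"] if m else None


if __name__ == "__main__":
    evs = parse_rows(REPORT_ROWS)
    print("chain:", " -> ".join(map(str, injection_chain(evs, 4372))))
    print("hollowed / context-only:", hollowing_candidates(evs))
    print("self-delete:", self_delete_target(
        'C:\\Windows\\SysWOW64\\cmd.exe /c del "C:\\Users\\Admin\\AppData\\Local\\Temp\\myxwn.exe"'))
```

On the report's rows the chain comes out as 4372 -> 2520 -> 1600 -> 3048 -> 4340 -> 5056, PID 1600 is the hollowed process, and PID 3048 (Explorer.EXE) is context-set only. The latter lines up with the MapViewOfSection signature on PIDs 1600 and 4340: a payload delivered by mapping a section into Explorer does not show up as WriteProcessMemory, which is the likely reason the report has no write into 3048.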
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\eilfol.tsc
  Filesize: 185KB
  MD5: 663d2953e8beddc4a08aca27a1145112
  SHA1: 3293e912d9661b2736ca8d403250590eb2d5164d
  SHA256: 2aa0a26b9a38b19c34c10e53834ec199fc87cbfea15e8babee582a3df331b9cb
  SHA512: 30581e1321f0165abcfcc908e15877f080dad2bf7bbedb24fa8e8baee3176097d7f43c5e59076f095c3929438b4e5740e1871ab3716c338e765c4d3d011a630a
C:\Users\Admin\AppData\Local\Temp\getlceffch.gqb  (passed as the command-line argument to myxwn.exe, PID 2520)
  Filesize: 6KB
  MD5: e6d82eb1bea9bca087062e488dfd575e
  SHA1: 5ec22cec8805d965d6dac1719976bef32867b595
  SHA256: ad495d0d0e35a6ab15c042e900e0dfc20197ef36153e15559e0fdaef4c541230
  SHA512: 6ef986b00509140137d51f114ecdf7b92c1008c3fae513579634ed202f1fc4e34ba904db48cbf092cf8d12c0a5e84cc5b2a0d61e95c03f4006eca3f190f80fd2
C:\Users\Admin\AppData\Local\Temp\myxwn.exe  (recorded three times with identical hashes; listed once)
  Filesize: 276KB
  MD5: 2afdd35f6df6b6cbf8f3500822625d70
  SHA1: 2efd81cdd798b38908b63a7a8ae88806e5234a1d
  SHA256: 393af45214ac518895d3178055bee95f70264bdc65ca7b97f4c564daf95943c8
  SHA512: b49476cddd05b3b003bb326e0f02a78eea6021f5087c4c6cd55d306ccfb061fc8510ffa44b59a96e3cd0a7c91c037989a691561b0234f3672be08194a5825359
Memory dumps
memory/1600-137-0x0000000000000000-mapping.dmp
memory/1600-139-0x0000000000400000-0x000000000042F000-memory.dmp  188KB  (Formbook yara hit)
memory/1600-140-0x0000000000A90000-0x0000000000DDA000-memory.dmp  3.3MB
memory/1600-141-0x00000000009F0000-0x0000000000A04000-memory.dmp  80KB
memory/1600-144-0x0000000000400000-0x000000000042F000-memory.dmp  188KB  (Formbook yara hit)
memory/2520-132-0x0000000000000000-mapping.dmp
memory/3048-142-0x00000000075E0000-0x0000000007721000-memory.dmp  1.3MB
memory/3048-150-0x00000000024F0000-0x00000000025E0000-memory.dmp  960KB
memory/3048-152-0x00000000024F0000-0x00000000025E0000-memory.dmp  960KB
memory/4340-143-0x0000000000000000-mapping.dmp
memory/4340-145-0x0000000000780000-0x00000000007A7000-memory.dmp  156KB
memory/4340-146-0x0000000000B30000-0x0000000000B5F000-memory.dmp  188KB  (Formbook yara hit; same 0x2F000 size as the 0x400000 image region in PID 1600)
memory/4340-148-0x0000000002CB0000-0x0000000002FFA000-memory.dmp  3.3MB
memory/4340-149-0x0000000002A50000-0x0000000002AE3000-memory.dmp  588KB
memory/4340-151-0x0000000000B30000-0x0000000000B5F000-memory.dmp  188KB  (Formbook yara hit)
memory/5056-147-0x0000000000000000-mapping.dmp