Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-03-2023 12:29
Static task: static1
Behavioral task: behavioral1
Sample: 50fe8f68de11579bdf0d4703cc9e6a1f0f9817a5605b15977c229bf5c522338d.exe
Resource: win7-20230220-en
General
Target: 50fe8f68de11579bdf0d4703cc9e6a1f0f9817a5605b15977c229bf5c522338d.exe
Size: 349KB
MD5: ba645c8235d19c8407c81d62470eedf8
SHA1: 9b78b515d6869753e2bb3e46d1307deccef79e57
SHA256: 50fe8f68de11579bdf0d4703cc9e6a1f0f9817a5605b15977c229bf5c522338d
SHA512: 7efa198fd976f2660fc033f708739c003210ae88e50938abec6ce919e85246ca4a6d4f3db0e105b16094b08a68ad1234b5986cfed43c90b239369a46e95a65de
SSDEEP: 6144:jYa6a3R6bVzifniXpVKRNQfgwq+DMhfii10dqeH+QE:jY03RYV+Op8Ugwq+HiSg0PE
Malware Config
Extracted
formbook
4.1
ho62
Signatures

Formbook payload 4 IoCs
resource | yara_rule
behavioral2/memory/3760-141-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral2/memory/3760-149-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral2/memory/480-152-0x0000000000790000-0x00000000007BF000-memory.dmp | formbook
behavioral2/memory/480-154-0x0000000000790000-0x00000000007BF000-memory.dmp | formbook
Executes dropped EXE 2 IoCs
pid | process
2188 | evmxs.exe
3760 | evmxs.exe
Suspicious use of SetThreadContext 3 IoCs
description | pid | process | target process
PID 2188 set thread context of 3760 | 2188 | evmxs.exe | evmxs.exe
PID 3760 set thread context of 3148 | 3760 | evmxs.exe | Explorer.EXE
PID 480 set thread context of 3148 | 480 | wlanext.exe | Explorer.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses 60 IoCs
pid | process | repeated entries
3760 | evmxs.exe | 4
480 | wlanext.exe | 56
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | process
3148 | Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs
pid | process | repeated entries
2188 | evmxs.exe | 1
3760 | evmxs.exe | 3
480 | wlanext.exe | 2
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | process
Token: SeDebugPrivilege | 3760 | evmxs.exe
Token: SeDebugPrivilege | 480 | wlanext.exe
Suspicious use of WriteProcessMemory 13 IoCs
description | pid | process | target process | repeated entries
PID 2000 wrote to memory of 2188 | 2000 | 50fe8f68de11579bdf0d4703cc9e6a1f0f9817a5605b15977c229bf5c522338d.exe | evmxs.exe | 3
PID 2188 wrote to memory of 3760 | 2188 | evmxs.exe | evmxs.exe | 4
PID 3148 wrote to memory of 480 | 3148 | Explorer.EXE | wlanext.exe | 3
PID 480 wrote to memory of 3788 | 480 | wlanext.exe | cmd.exe | 3
Processes

C:\Windows\Explorer.EXE (PID 3148)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\50fe8f68de11579bdf0d4703cc9e6a1f0f9817a5605b15977c229bf5c522338d.exe (PID 2000)
    Command line: "C:\Users\Admin\AppData\Local\Temp\50fe8f68de11579bdf0d4703cc9e6a1f0f9817a5605b15977c229bf5c522338d.exe"
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\evmxs.exe (PID 2188)
      Command line: "C:\Users\Admin\AppData\Local\Temp\evmxs.exe" C:\Users\Admin\AppData\Local\Temp\qrteztqgww.lbc
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\evmxs.exe (PID 3760)
        Command line: "C:\Users\Admin\AppData\Local\Temp\evmxs.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\wlanext.exe (PID 480)
    Command line: "C:\Windows\SysWOW64\wlanext.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 3788)
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\evmxs.exe"
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\evmxs.exe
Filesize: 97KB
MD5: ea54c194d2a03380c618bcb23669b78d
SHA1: 2aa690e0d3091c736b5557c6462b75f68f06cd90
SHA256: bf5a00f352d12e5bbaba6a84d3e9a65157fec23dabfc0c67d05ad4d8344b74f1
SHA512: 11879c7c9b5a2f47c4cc07047bc1e6cef880238ebb65ffe59335f429f0a8bc2ce23cef97278147d32443cfd94b4c8a991661ec96eebdc9e83ba8712a4ea93305
C:\Users\Admin\AppData\Local\Temp\qrteztqgww.lbc
Filesize: 6KB
MD5: ff107dc03a00167424fec76cde7e8f78
SHA1: 481d9285d50accef703baa71f56ce21359839cac
SHA256: 9845f5fdaf0d4ccb3994540839f7eb9159d2ef1c93a01349f54974ebc214d591
SHA512: 46542520a849ba3ab34958f656498cd72505af13141f9b90f692ae24acc2e2670eb95a942f7d67c1c55878a110ed6a9cbbe50e1ddd31339228a46d651b112325

C:\Users\Admin\AppData\Local\Temp\rcngsrdjmk.x
Filesize: 205KB
MD5: 84da0b4d575e5b8f9fb6963ac4b5c1f8
SHA1: 99662624073ee572fd5ca216c57ee216497ceb85
SHA256: 82b34d99484accb13f617e6c4bce37a897f2713b3ad958e3518eb3ea04614af3
SHA512: 296f66e1a7d177d4fe38e10c42a5085f6579e2fa1752189c6bd54905506ca01f5bfbfc697dbe11f9aebc809547cb39cd824b891f535925483da2e76a8c174474

Memory dumps
memory/480-152-0x0000000000790000-0x00000000007BF000-memory.dmp | 188KB
memory/480-156-0x0000000000ED0000-0x0000000000F64000-memory.dmp | 592KB
memory/480-148-0x0000000000890000-0x00000000008A7000-memory.dmp | 92KB
memory/480-151-0x0000000000890000-0x00000000008A7000-memory.dmp | 92KB
memory/480-153-0x0000000001160000-0x00000000014AA000-memory.dmp | 3.3MB
memory/480-154-0x0000000000790000-0x00000000007BF000-memory.dmp | 188KB
memory/3148-160-0x0000000008140000-0x000000000825D000-memory.dmp | 1.1MB
memory/3148-147-0x00000000028E0000-0x00000000029AE000-memory.dmp | 824KB
memory/3148-158-0x0000000008140000-0x000000000825D000-memory.dmp | 1.1MB
memory/3148-157-0x0000000008140000-0x000000000825D000-memory.dmp | 1.1MB
memory/3760-149-0x0000000000400000-0x000000000042F000-memory.dmp | 188KB
memory/3760-141-0x0000000000400000-0x000000000042F000-memory.dmp | 188KB
memory/3760-145-0x0000000001930000-0x0000000001C7A000-memory.dmp | 3.3MB
memory/3760-146-0x00000000018E0000-0x00000000018F5000-memory.dmp | 84KB