Analysis
- max time kernel: 148s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20230831-en
- resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
- submitted: 07-09-2023 06:16

Static task: static1

Behavioral task: behavioral1
  Sample: PAIN-Forms.exe
  Resource: win7-20230831-en

Behavioral task: behavioral2
  Sample: PAIN-Forms.exe
  Resource: win10v2004-20230831-en
General
- Target: PAIN-Forms.exe
- Size: 112KB
- MD5: a9db678b7bad6d2bae54505759452dd9
- SHA1: b0ab52df85ec1595f0a2d1f4e4d09552ea27505a
- SHA256: 5c362423456076e89659ae8ad2069d05a12ec769d27623fea060c4c7715e27ea
- SHA512: 641c8a32a821b557cb7050d4ccfa1dfd5f02d4e6d5ce88f1ce305e9887d17c40368829c89a8e7f64880acd368288ed55a1b0b363b0b0f8da833eae2bf4cb807a
- SSDEEP: 1536:I7saA2chvktTeipnA5+PYpaqjxqYbKZCrXgMeYA5+PeOQT:I620vkt5pnAwlexvbKZwtAwET
Malware Config
Extracted
- Family: bitrat
- Version: 1.38
- C2: smgqnt3eixxksasu.xyz:1234
- communication_password: 30afda4853ef5b1bc36463ba95d84247
- tor_process: tor
Signatures
- Downloads MZ/PE file
- Executes dropped EXE (2 IoCs)
    pid   Process
    2564  wWIidCwf27qXkfMW.exe
    1756  wWIidCwf27qXkfMW.exe
- Loads dropped DLL (5 IoCs)
    pid   Process
    2636  PAIN-Forms.exe
    2636  PAIN-Forms.exe
    2636  PAIN-Forms.exe
    2636  PAIN-Forms.exe
    2564  wWIidCwf27qXkfMW.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
    - Set value (str): \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Run\PAIN-Forms = "C:\\Users\\Admin\\Documents\\PAIN-Forms.pif" (Process: reg.exe)
    - Set value (str): \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Run\wWIidCwf27qXkfMW = "C:\\Users\\Admin\\Documents\\wWIidCwf27qXkfMW.pif" (Process: reg.exe)
- Suspicious use of NtSetInformationThreadHideFromDebugger (6 IoCs)
    pid   Process
    2636  PAIN-Forms.exe
    2636  PAIN-Forms.exe
    2636  PAIN-Forms.exe
    2636  PAIN-Forms.exe
    2636  PAIN-Forms.exe
    1756  wWIidCwf27qXkfMW.exe
- Suspicious use of SetThreadContext (2 IoCs)
    - PID 1288 (PAIN-Forms.exe) set thread context of 2636 (procid_target 35)
    - PID 2564 (wWIidCwf27qXkfMW.exe) set thread context of 1756 (procid_target 44)
- Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (52 IoCs)
    pid   Process
    1288  PAIN-Forms.exe
    2564  wWIidCwf27qXkfMW.exe
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
    - Token: SeDebugPrivilege, PID 1288, PAIN-Forms.exe
    - Token: SeDebugPrivilege, PID 2636, PAIN-Forms.exe
    - Token: SeShutdownPrivilege, PID 2636, PAIN-Forms.exe
    - Token: SeDebugPrivilege, PID 2564, wWIidCwf27qXkfMW.exe
    - Token: SeDebugPrivilege, PID 1756, wWIidCwf27qXkfMW.exe
    - Token: SeShutdownPrivilege, PID 1756, wWIidCwf27qXkfMW.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
    pid   Process
    2636  PAIN-Forms.exe
    2636  PAIN-Forms.exe
- Suspicious use of WriteProcessMemory (52 IoCs)
    description                           pid   Process               procid_target
    PID 1288 wrote to memory of 2908      1288  PAIN-Forms.exe        28
    PID 2908 wrote to memory of 1480      2908  cmd.exe               30
    PID 1288 wrote to memory of 2480      1288  PAIN-Forms.exe        34
    PID 1288 wrote to memory of 2636      1288  PAIN-Forms.exe        35
    PID 2636 wrote to memory of 2564      2636  PAIN-Forms.exe        37
    PID 2564 wrote to memory of 1824      2564  wWIidCwf27qXkfMW.exe  40
    PID 1824 wrote to memory of 2196      1824  cmd.exe               41
    PID 2564 wrote to memory of 756       2564  wWIidCwf27qXkfMW.exe  42
    PID 2564 wrote to memory of 1756      2564  wWIidCwf27qXkfMW.exe  44
Processes
Image: C:\Users\Admin\AppData\Local\Temp\PAIN-Forms.exe
Command: "C:\Users\Admin\AppData\Local\Temp\PAIN-Forms.exe"
PID: 1288
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

    Image: C:\Windows\SysWOW64\cmd.exe
    Command: cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PAIN-Forms" /t REG_SZ /F /D "C:\Users\Admin\Documents\PAIN-Forms.pif"
    PID: 2908
    - Suspicious use of WriteProcessMemory

        Image: C:\Windows\SysWOW64\reg.exe
        Command: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PAIN-Forms" /t REG_SZ /F /D "C:\Users\Admin\Documents\PAIN-Forms.pif"
        PID: 1480
        - Adds Run key to start application

    Image: C:\Windows\SysWOW64\cmd.exe
    Command: cmd /c Copy "C:\Users\Admin\AppData\Local\Temp\PAIN-Forms.exe" "C:\Users\Admin\Documents\PAIN-Forms.pif"
    PID: 2480

    Image: C:\Users\Admin\AppData\Local\Temp\PAIN-Forms.exe
    Command: "C:\Users\Admin\AppData\Local\Temp\PAIN-Forms.exe"
    PID: 2636
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

        Image: C:\Users\Admin\AppData\Local\Temp\wWIidCwf27qXkfMW.exe
        Command: "C:\Users\Admin\AppData\Local\Temp\wWIidCwf27qXkfMW.exe"
        PID: 2564
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

            Image: C:\Windows\SysWOW64\cmd.exe
            Command: cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "wWIidCwf27qXkfMW" /t REG_SZ /F /D "C:\Users\Admin\Documents\wWIidCwf27qXkfMW.pif"
            PID: 1824
            - Suspicious use of WriteProcessMemory

                Image: C:\Windows\SysWOW64\reg.exe
                Command: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "wWIidCwf27qXkfMW" /t REG_SZ /F /D "C:\Users\Admin\Documents\wWIidCwf27qXkfMW.pif"
                PID: 2196
                - Adds Run key to start application

            Image: C:\Windows\SysWOW64\cmd.exe
            Command: cmd /c Copy "C:\Users\Admin\AppData\Local\Temp\wWIidCwf27qXkfMW.exe" "C:\Users\Admin\Documents\wWIidCwf27qXkfMW.pif"
            PID: 756

            Image: C:\Users\Admin\AppData\Local\Temp\wWIidCwf27qXkfMW.exe
            Command: "C:\Users\Admin\AppData\Local\Temp\wWIidCwf27qXkfMW.exe"
            PID: 1756
            - Executes dropped EXE
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JXO65VIN\PAIN-Forms[1].exe
  Filesize: 112KB
  MD5: a9db678b7bad6d2bae54505759452dd9
  SHA1: b0ab52df85ec1595f0a2d1f4e4d09552ea27505a
  SHA256: 5c362423456076e89659ae8ad2069d05a12ec769d27623fea060c4c7715e27ea
  SHA512: 641c8a32a821b557cb7050d4ccfa1dfd5f02d4e6d5ce88f1ce305e9887d17c40368829c89a8e7f64880acd368288ed55a1b0b363b0b0f8da833eae2bf4cb807a