Analysis
- max time kernel: 149s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20230831-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230831-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07-09-2023 06:16
Static task: static1
Behavioral task: behavioral1 (Sample: PAIN-Forms.exe, Resource: win7-20230831-en)
Behavioral task: behavioral2 (Sample: PAIN-Forms.exe, Resource: win10v2004-20230831-en)
General
- Target: PAIN-Forms.exe
- Size: 112KB
- MD5: a9db678b7bad6d2bae54505759452dd9
- SHA1: b0ab52df85ec1595f0a2d1f4e4d09552ea27505a
- SHA256: 5c362423456076e89659ae8ad2069d05a12ec769d27623fea060c4c7715e27ea
- SHA512: 641c8a32a821b557cb7050d4ccfa1dfd5f02d4e6d5ce88f1ce305e9887d17c40368829c89a8e7f64880acd368288ed55a1b0b363b0b0f8da833eae2bf4cb807a
- SSDEEP: 1536:I7saA2chvktTeipnA5+PYpaqjxqYbKZCrXgMeYA5+PeOQT:I620vkt5pnAwlexvbKZwtAwET
Malware Config
Extracted
- Family: bitrat
- Version: 1.38
- C2: smgqnt3eixxksasu.xyz:1234
- communication_password: 30afda4853ef5b1bc36463ba95d84247
- tor_process: tor
Signatures
- Downloads MZ/PE file

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\Control Panel\International\Geo\Nation | PAIN-Forms.exe

- Executes dropped EXE (3 IoCs)
  pid | Process
  2976 | zsQJUX9RMTSFoXme.exe
  4280 | zsQJUX9RMTSFoXme.exe
  3708 | zsQJUX9RMTSFoXme.exe

- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PAIN-Forms = "C:\\Users\\Admin\\Documents\\PAIN-Forms.pif" | reg.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zsQJUX9RMTSFoXme = "C:\\Users\\Admin\\Documents\\zsQJUX9RMTSFoXme.pif" | reg.exe

- Suspicious use of NtSetInformationThreadHideFromDebugger (6 IoCs)
  pid | Process | hits
  5088 | PAIN-Forms.exe | 5
  3708 | zsQJUX9RMTSFoXme.exe | 1

- Suspicious use of SetThreadContext (2 IoCs)
  description | pid | Process | procid_target
  PID 4212 set thread context of 5088 | 4212 | PAIN-Forms.exe | 92
  PID 2976 set thread context of 3708 | 2976 | zsQJUX9RMTSFoXme.exe | 104

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Suspicious behavior: EnumeratesProcesses (54 IoCs)
  pid | Process
  4212 | PAIN-Forms.exe (repeated hits)
  2976 | zsQJUX9RMTSFoXme.exe (repeated hits)

- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4212 | PAIN-Forms.exe
  Token: SeShutdownPrivilege | 5088 | PAIN-Forms.exe
  Token: SeDebugPrivilege | 2976 | zsQJUX9RMTSFoXme.exe
  Token: SeShutdownPrivilege | 3708 | zsQJUX9RMTSFoXme.exe

- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process | hits
  5088 | PAIN-Forms.exe | 2

- Suspicious use of WriteProcessMemory (46 IoCs)
  description | pid | Process | procid_target | hits
  PID 4212 wrote to memory of 4268 | 4212 | PAIN-Forms.exe | 87 | 3
  PID 4268 wrote to memory of 1188 | 4268 | cmd.exe | 89 | 3
  PID 4212 wrote to memory of 4476 | 4212 | PAIN-Forms.exe | 90 | 3
  PID 4212 wrote to memory of 5088 | 4212 | PAIN-Forms.exe | 92 | 11
  PID 5088 wrote to memory of 2976 | 5088 | PAIN-Forms.exe | 96 | 3
  PID 2976 wrote to memory of 560 | 2976 | zsQJUX9RMTSFoXme.exe | 98 | 3
  PID 560 wrote to memory of 440 | 560 | cmd.exe | 100 | 3
  PID 2976 wrote to memory of 2020 | 2976 | zsQJUX9RMTSFoXme.exe | 101 | 3
  PID 2976 wrote to memory of 4280 | 2976 | zsQJUX9RMTSFoXme.exe | 103 | 3
  PID 2976 wrote to memory of 3708 | 2976 | zsQJUX9RMTSFoXme.exe | 104 | 11
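The WriteProcessMemory and SetThreadContext rows above show the same shape twice: the running image (4212, later 2976) spawns a second copy of itself (5088, later 3708), writes into it eleven times, and then sets its thread context. That is the RunPE / process-hollowing pattern, and it is consistent with the anti-debug call (NtSetInformationThreadHideFromDebugger), SetWindowsHookEx and SeShutdownPrivilege appearing only in those children: the injected payload runs there, not in the dropper. The three-write pairs (for example cmd.exe 4268 into reg.exe 1188) accompany ordinary process creation in this telemetry and never receive SetThreadContext, so a rule must not fire on them. The following Python is an added example, not part of the sandbox report: it reconstructs this logic over constructed API-call records that mirror the report's PIDs and repeat counts. The ordering of each SetThreadContext call relative to the writes is an assumption, as the report lists the two APIs in separate tables.

```python
from collections import defaultdict

# Constructed records modelled on the report's process tree and its
# WriteProcessMemory / SetThreadContext IoC rows (PIDs are the report's).
PROCESSES = {  # pid -> (image name, parent pid)
    4212: ("PAIN-Forms.exe", None),
    4268: ("cmd.exe", 4212),
    1188: ("reg.exe", 4268),
    4476: ("cmd.exe", 4212),
    5088: ("PAIN-Forms.exe", 4212),
    2976: ("zsQJUX9RMTSFoXme.exe", 5088),
    560:  ("cmd.exe", 2976),
    440:  ("reg.exe", 560),
    2020: ("cmd.exe", 2976),
    4280: ("zsQJUX9RMTSFoXme.exe", 2976),
    3708: ("zsQJUX9RMTSFoXme.exe", 2976),
}

# (api, caller pid, target pid). Repeat counts follow the report's IoC table; the
# position of each SetThreadContext call relative to the writes is an assumption.
API_EVENTS = (
    [("WriteProcessMemory", 4212, 4268)] * 3
    + [("WriteProcessMemory", 4268, 1188)] * 3
    + [("WriteProcessMemory", 4212, 4476)] * 3
    + [("WriteProcessMemory", 4212, 5088)] * 11
    + [("SetThreadContext", 4212, 5088)]
    + [("WriteProcessMemory", 5088, 2976)] * 3
    + [("WriteProcessMemory", 2976, 560)] * 3
    + [("WriteProcessMemory", 560, 440)] * 3
    + [("WriteProcessMemory", 2976, 2020)] * 3
    + [("WriteProcessMemory", 2976, 4280)] * 3
    + [("WriteProcessMemory", 2976, 3708)] * 11
    + [("SetThreadContext", 2976, 3708)]
)


def find_hollowing(processes, events, min_writes=4):
    """Flag SetThreadContext on a caller's own child that the caller has already
    written into at least `min_writes` times. The threshold keeps the few writes
    that accompany a plain CreateProcess below the bar."""
    writes = defaultdict(int)
    alerts = []
    for api, caller, target in events:
        if caller == target:
            continue  # writes or context changes on self are not remote injection
        if api == "WriteProcessMemory":
            writes[(caller, target)] += 1
            continue
        if api != "SetThreadContext":
            continue
        t_image, t_parent = processes.get(target, ("<unknown>", None))
        c_image, _ = processes.get(caller, ("<unknown>", None))
        n = writes[(caller, target)]
        if t_parent == caller and n >= min_writes:
            alerts.append({
                "caller": caller,
                "target": target,
                "image": t_image,
                "writes_before_context": n,
                # same image in parent and child: the payload was mapped over a
                # suspended copy of the dropper itself (the RunPE / hollowing shape)
                "same_image": c_image.lower() == t_image.lower(),
            })
    return alerts


def writes_without_context(events):
    """(caller, target) pairs that saw WriteProcessMemory but never SetThreadContext.
    In this telemetry that is what every ordinary parent->child spawn looks like."""
    written = {(c, t) for api, c, t in events if api == "WriteProcessMemory" and c != t}
    contexted = {(c, t) for api, c, t in events if api == "SetThreadContext"}
    return written - contexted


if __name__ == "__main__":
    for a in find_hollowing(PROCESSES, API_EVENTS):
        print(f"hollowing: {a['caller']} -> {a['target']} ({a['image']}), "
              f"{a['writes_before_context']} writes, same image: {a['same_image']}")
    print("ordinary parent->child writers:", sorted(writes_without_context(API_EVENTS)))
```

Run against real telemetry the parent check matters more than the write count: a debugger or a legitimate injector (accessibility tools, some game overlays) also calls SetThreadContext, but rarely on a process it created a moment earlier with the same image name.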
Processes
C:\Users\Admin\AppData\Local\Temp\PAIN-Forms.exe
  "C:\Users\Admin\AppData\Local\Temp\PAIN-Forms.exe"  (PID 4212, depth 1)
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PAIN-Forms" /t REG_SZ /F /D "C:\Users\Admin\Documents\PAIN-Forms.pif"  (PID 4268, depth 2)
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PAIN-Forms" /t REG_SZ /F /D "C:\Users\Admin\Documents\PAIN-Forms.pif"  (PID 1188, depth 3)
      - Adds Run key to start application

  C:\Windows\SysWOW64\cmd.exe
    cmd /c Copy "C:\Users\Admin\AppData\Local\Temp\PAIN-Forms.exe" "C:\Users\Admin\Documents\PAIN-Forms.pif"  (PID 4476, depth 2)

  C:\Users\Admin\AppData\Local\Temp\PAIN-Forms.exe
    "C:\Users\Admin\AppData\Local\Temp\PAIN-Forms.exe"  (PID 5088, depth 2)
    - Checks computer location settings
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\zsQJUX9RMTSFoXme.exe
      "C:\Users\Admin\AppData\Local\Temp\zsQJUX9RMTSFoXme.exe"  (PID 2976, depth 3)
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "zsQJUX9RMTSFoXme" /t REG_SZ /F /D "C:\Users\Admin\Documents\zsQJUX9RMTSFoXme.pif"  (PID 560, depth 4)
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\reg.exe
          REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "zsQJUX9RMTSFoXme" /t REG_SZ /F /D "C:\Users\Admin\Documents\zsQJUX9RMTSFoXme.pif"  (PID 440, depth 5)
          - Adds Run key to start application

      C:\Windows\SysWOW64\cmd.exe
        cmd /c Copy "C:\Users\Admin\AppData\Local\Temp\zsQJUX9RMTSFoXme.exe" "C:\Users\Admin\Documents\zsQJUX9RMTSFoXme.pif"  (PID 2020, depth 4)

      C:\Users\Admin\AppData\Local\Temp\zsQJUX9RMTSFoXme.exe
        "C:\Users\Admin\AppData\Local\Temp\zsQJUX9RMTSFoXme.exe"  (PID 4280, depth 4)
        - Executes dropped EXE

      C:\Users\Admin\AppData\Local\Temp\zsQJUX9RMTSFoXme.exe
        "C:\Users\Admin\AppData\Local\Temp\zsQJUX9RMTSFoXme.exe"  (PID 3708, depth 4)
        - Executes dropped EXE
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious use of AdjustPrivilegeToken
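The persistence in the tree above is a two-step pair that both the dropper and the dropped copy repeat: `cmd /c Copy` stages the running binary into the user's Documents folder under a .pif name, then `reg.exe` writes an HKCU Run value pointing at that copy. Windows executes a .pif whose contents are a PE exactly like an .exe, so the rename only defeats naive extension filters. The .pif extension and the copy-then-register sequence are the durable signals; a Run value in a user-profile path alone is far too common to alert on. The Python below is an added example, not part of the sandbox report: it scores Run-key writes seen in process-creation command lines (Sysmon Event ID 1 style) and ties each one back to the copy that staged its target. The records are constructed to mirror the report, plus one made-up benign Run entry as a control; only the reg.exe rows are included, since the `cmd /c REG ADD` wrappers would match the same pattern and double-count.

```python
import ntpath
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed process-creation records (pid, parent pid, image, command line).
# The first four paraphrase the report's process tree; the last is a made-up
# benign Run entry that must not fire.
EVENTS = [
    (1188, 4268, r"C:\Windows\SysWOW64\reg.exe",
     r'REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PAIN-Forms" /t REG_SZ /F /D "C:\Users\Admin\Documents\PAIN-Forms.pif"'),
    (4476, 4212, r"C:\Windows\SysWOW64\cmd.exe",
     r'cmd /c Copy "C:\Users\Admin\AppData\Local\Temp\PAIN-Forms.exe" "C:\Users\Admin\Documents\PAIN-Forms.pif"'),
    (440, 560, r"C:\Windows\SysWOW64\reg.exe",
     r'REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "zsQJUX9RMTSFoXme" /t REG_SZ /F /D "C:\Users\Admin\Documents\zsQJUX9RMTSFoXme.pif"'),
    (2020, 2976, r"C:\Windows\SysWOW64\cmd.exe",
     r'cmd /c Copy "C:\Users\Admin\AppData\Local\Temp\zsQJUX9RMTSFoXme.exe" "C:\Users\Admin\Documents\zsQJUX9RMTSFoXme.pif"'),
    (9001, 9000, r"C:\Windows\System32\reg.exe",  # constructed benign control
     r'REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "VendorTool" /t REG_SZ /D "C:\Program Files\Vendor\tool.exe"'),
]

REG_ADD_RE = re.compile(r'(?i)\breg(?:\.exe)?"?\s+add\s+(?:"(?P<qkey>[^"]+)"|(?P<ukey>\S+))(?P<rest>.*)$')
ARG_RE = re.compile(r'(?i)/(?P<flag>[vd])\s+(?:"(?P<q>[^"]*)"|(?P<u>\S+))')
RUN_KEY_RE = re.compile(r'(?i)\\CurrentVersion\\Run(?:Once)?$')
COPY_RE = re.compile(r'(?i)\bcopy\s+"?(?P<src>[^"]+?)"?\s+"?(?P<dst>[^"]+?)"?\s*$')
USER_PATH_RE = re.compile(r'(?i)^[a-z]:\\users\\')
# Extensions under which Windows still runs PE content even though they are not .exe
DISGUISE_EXTS = {".pif", ".scr", ".com"}


@dataclass
class Alert:
    pid: int
    value_name: str
    target: str
    staged_from: Optional[str]
    reasons: List[str] = field(default_factory=list)


def parse_reg_add(cmdline):
    """Return (key, {flag: value}) for a `reg add` command line, or None."""
    m = REG_ADD_RE.search(cmdline)
    if not m:
        return None
    key = m.group("qkey") or m.group("ukey")
    args = {}
    for a in ARG_RE.finditer(m.group("rest")):
        args[a.group("flag").lower()] = a.group("q") if a.group("q") is not None else a.group("u")
    return key, args


def analyze(events):
    # Pass 1: remember every cmd.exe copy so a Run target can be tied to its source.
    copies = {}
    for _pid, _ppid, image, cmdline in events:
        m = COPY_RE.search(cmdline)
        if m and image.lower().endswith("cmd.exe"):
            copies[m.group("dst").lower()] = m.group("src")
    # Pass 2: score every write under a Run / RunOnce key.
    alerts = []
    for pid, _ppid, _image, cmdline in events:
        parsed = parse_reg_add(cmdline)
        if not parsed:
            continue
        key, args = parsed
        if not RUN_KEY_RE.search(key):
            continue
        target = args.get("d", "")
        ext = ntpath.splitext(target)[1].lower()
        reasons = []
        if ext in DISGUISE_EXTS:
            reasons.append(f"target uses {ext}: a PE renamed away from .exe still runs at logon")
        if USER_PATH_RE.match(target):
            reasons.append("target sits in a user-writable profile directory")
        if "/f" in cmdline.lower().split():
            reasons.append("/F forces overwrite of an existing value")
        staged_from = copies.get(target.lower())
        if staged_from:
            reasons.append(f"target was staged by copying {staged_from}")
        # Alert on the strong signals only; a user-profile .exe alone is too common.
        if ext in DISGUISE_EXTS or staged_from:
            alerts.append(Alert(pid, args.get("v", "(Default)"), target, staged_from, reasons))
    return alerts


if __name__ == "__main__":
    for a in analyze(EVENTS):
        print(f"PID {a.pid}: Run\\{a.value_name} -> {a.target}")
        for r in a.reasons:
            print("   -", r)
```

The copy lookup keys on the lower-cased destination path, so it also catches the variant where the Run value is written before the file is copied. Command lines with unquoted paths containing spaces will not parse with these regexes; in a production rule, prefer the structured fields a sensor already splits out.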
Network
MITRE ATT&CK Enterprise v15
Downloads
Five dropped files were recorded; all five carry the same size and hashes as the submitted sample, i.e. they are copies of PAIN-Forms.exe itself:
- Filesize: 112KB
- MD5: a9db678b7bad6d2bae54505759452dd9
- SHA1: b0ab52df85ec1595f0a2d1f4e4d09552ea27505a
- SHA256: 5c362423456076e89659ae8ad2069d05a12ec769d27623fea060c4c7715e27ea
- SHA512: 641c8a32a821b557cb7050d4ccfa1dfd5f02d4e6d5ce88f1ce305e9887d17c40368829c89a8e7f64880acd368288ed55a1b0b363b0b0f8da833eae2bf4cb807a