Analysis

max time kernel: 150s
max time network: 140s
platform: windows7_x64
resource: win7-20231020-en
resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
submitted: 23/10/2023, 10:32

Static task: static1
Behavioral task: behavioral1
Sample: ახალი შესყიდვის შეკვეთა pdf.exe
Resource: win7-20231020-en
General

Target: ახალი შესყიდვის შეკვეთა pdf.exe
Size: 658KB
MD5: f891581195d4a3eb2b70d8dd5b7e2fa7
SHA1: ce7058980b99c9c53ef77361e27848a2c31901cf
SHA256: ec631a873ad900f187bc34ba3d92c950ac3d20949147104414e03096a703cc64
SHA512: f9791f466a1434ac754117e9bf46a22c6b2dd541fcd8bacce331184fa12886114915978f2c8a8eb3ca18a0a1273a334b975af01c9be0e7f1632c4d08ed6c7f7d
SSDEEP: 12288:3MgFWMjgR/mZRM+ByVw9yFgbuFZMlfJJT4nhLqOxLSRPQ12WAGTeoWIGmpqNN:jjgkZR5YbOwZMtLchWOxLSRPQDHTDxu/
Malware Config

Extracted
Family: formbook
Version: 4.1
Campaign: g11y
Signatures

Formbook payload (4 IoCs)
resource | yara_rule
behavioral1/memory/2652-22-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral1/memory/2652-28-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral1/memory/2524-36-0x00000000000A0000-0x00000000000CF000-memory.dmp | formbook
behavioral1/memory/2524-38-0x00000000000A0000-0x00000000000CF000-memory.dmp | formbook

Suspicious use of SetThreadContext (3 IoCs)
description | pid | Process | procid_target
PID 2196 set thread context of 2652 | 2196 | ახალი შესყიდვის შეკვეთა pdf.exe | 34
PID 2652 set thread context of 1260 | 2652 | RegSvcs.exe | 6
PID 2524 set thread context of 1260 | 2524 | colorcpl.exe | 6

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2740 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (26 IoCs; identical rows collapsed, count shown)
pid | Process | count
2196 | ახალი შესყიდვის შეკვეთა pdf.exe | 2
2652 | RegSvcs.exe | 2
2748 | powershell.exe | 1
2524 | colorcpl.exe | 21

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
1260 | Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs; identical rows collapsed, count shown)
pid | Process | count
2652 | RegSvcs.exe | 3
2524 | colorcpl.exe | 2

Suspicious use of AdjustPrivilegeToken (4 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2196 | ახალი შესყიდვის შეკვეთა pdf.exe
Token: SeDebugPrivilege | 2652 | RegSvcs.exe
Token: SeDebugPrivilege | 2748 | powershell.exe
Token: SeDebugPrivilege | 2524 | colorcpl.exe

Suspicious use of WriteProcessMemory (26 IoCs; identical rows collapsed, count shown)
description | pid | Process | procid_target | count
PID 2196 wrote to memory of 2748 | 2196 | ახალი შესყიდვის შეკვეთა pdf.exe | 30 | 4
PID 2196 wrote to memory of 2740 | 2196 | ახალი შესყიდვის შეკვეთა pdf.exe | 32 | 4
PID 2196 wrote to memory of 2652 | 2196 | ახალი შესყიდვის შეკვეთა pdf.exe | 34 | 10
PID 1260 wrote to memory of 2524 | 1260 | Explorer.EXE | 35 | 4
PID 2524 wrote to memory of 3024 | 2524 | colorcpl.exe | 36 | 4
Processes

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1260
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\ახალი შესყიდვის შეკვეთა pdf.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ახალი შესყიდვის შეკვეთა pdf.exe"
    PID: 2196
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\idScXbUauEgmY.exe"
      PID: 2748
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\idScXbUauEgmY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3256.tmp"
      PID: 2740
      - Creates scheduled task(s)

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      PID: 2652
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\colorcpl.exe
    Command line: "C:\Windows\SysWOW64\colorcpl.exe"
    PID: 2524
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      PID: 3024
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: caa4e40e83f73f2850c1b7c00ab4945d
SHA1: 5c488229c34363568e52975606b4457c20d70dae
SHA256: 53544c962ee5e26a3bdb2fd8a59c1025e7330dabf43b2a7cc94516340aba8f28
SHA512: 4ecf1390054246ba493b93e4a063046934e1baa250b17c838fe9dd13443d07ecec875b0ded8b47915898d496ef0473b477eac439db3d2ada14dc01a2c8c88c3e