Analysis
- max time kernel: 150s
- max time network: 162s
- platform: windows10-2004_x64
- resource: win10v2004-20231020-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23/10/2023, 10:32
- Static task: static1
- Behavioral task: behavioral1
- Sample: ახალი შესყიდვის შეკვეთა pdf.exe
- Resource: win7-20231020-en
General
- Target: ახალი შესყიდვის შეკვეთა pdf.exe
- Size: 658KB
- MD5: f891581195d4a3eb2b70d8dd5b7e2fa7
- SHA1: ce7058980b99c9c53ef77361e27848a2c31901cf
- SHA256: ec631a873ad900f187bc34ba3d92c950ac3d20949147104414e03096a703cc64
- SHA512: f9791f466a1434ac754117e9bf46a22c6b2dd541fcd8bacce331184fa12886114915978f2c8a8eb3ca18a0a1273a334b975af01c9be0e7f1632c4d08ed6c7f7d
- SSDEEP: 12288:3MgFWMjgR/mZRM+ByVw9yFgbuFZMlfJJT4nhLqOxLSRPQ12WAGTeoWIGmpqNN:jjgkZR5YbOwZMtLchWOxLSRPQDHTDxu/
Malware Config
Extracted:
- Family: formbook
- Version: 4.1
- Campaign: g11y
- Domains: 65 extracted
Signatures
- Formbook payload (4 IoCs)
  resource / yara_rule:
  - behavioral2/memory/2388-23-0x0000000000400000-0x000000000042F000-memory.dmp: formbook
  - behavioral2/memory/2388-41-0x0000000000400000-0x000000000042F000-memory.dmp: formbook
  - behavioral2/memory/2112-70-0x0000000000A90000-0x0000000000ABF000-memory.dmp: formbook
  - behavioral2/memory/2112-81-0x0000000000A90000-0x0000000000ABF000-memory.dmp: formbook
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  - Key value queried: \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation (process: ახალი შესყიდვის შეკვეთა pdf.exe)
- Suspicious use of SetThreadContext (3 IoCs)
  - PID 4532 set thread context of 2388 (pid 4532, ახალი შესყიდვის შეკვეთა pdf.exe, procid_target 97)
  - PID 2388 set thread context of 3228 (pid 2388, RegSvcs.exe, procid_target 61)
  - PID 2112 set thread context of 3228 (pid 2112, svchost.exe, procid_target 61)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  - pid 2924, schtasks.exe
- Suspicious behavior: EnumeratesProcesses (50 IoCs)
  - pid 4532, ახალი შესყიდვის შეკვეთა pdf.exe (2 entries)
  - pid 4452, powershell.exe (2 entries)
  - pid 2388, RegSvcs.exe (4 entries)
  - pid 2112, svchost.exe (remaining 42 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  - pid 3228, Explorer.EXE
- Suspicious behavior: MapViewOfSection (5 IoCs)
  - pid 2388, RegSvcs.exe (3 entries)
  - pid 2112, svchost.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  - Token: SeDebugPrivilege, pid 4532, ახალი შესყიდვის შეკვეთა pdf.exe
  - Token: SeDebugPrivilege, pid 4452, powershell.exe
  - Token: SeDebugPrivilege, pid 2388, RegSvcs.exe
  - Token: SeDebugPrivilege, pid 2112, svchost.exe
  - Token: SeShutdownPrivilege, pid 3228, Explorer.EXE
  - Token: SeCreatePagefilePrivilege, pid 3228, Explorer.EXE
- Suspicious use of UnmapMainImage (1 IoC)
  - pid 3228, Explorer.EXE
- Suspicious use of WriteProcessMemory (18 IoCs)
  - PID 4532 wrote to memory of 4452 (pid 4532, ახალი შესყიდვის შეკვეთა pdf.exe, procid_target 93), 3 entries
  - PID 4532 wrote to memory of 2924 (pid 4532, ახალი შესყიდვის შეკვეთა pdf.exe, procid_target 95), 3 entries
  - PID 4532 wrote to memory of 2388 (pid 4532, ახალი შესყიდვის შეკვეთა pdf.exe, procid_target 97), 6 entries
  - PID 3228 wrote to memory of 2112 (pid 3228, Explorer.EXE, procid_target 98), 3 entries
  - PID 2112 wrote to memory of 1732 (pid 2112, svchost.exe, procid_target 100), 3 entries
Processes
- C:\Windows\Explorer.EXE (PID 3228)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\ახალი შესყიდვის შეკვეთა pdf.exe (PID 4532)
    command line: "C:\Users\Admin\AppData\Local\Temp\ახალი შესყიდვის შეკვეთა pdf.exe"
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4452)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\idScXbUauEgmY.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\schtasks.exe (PID 2924)
      command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\idScXbUauEgmY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp174C.tmp"
      - Creates scheduled task(s)
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 2388)
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\svchost.exe (PID 2112)
    command line: "C:\Windows\SysWOW64\svchost.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 1732)
      command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Network
MITRE ATT&CK Enterprise v15
Downloads
- File 1
  - Filesize: 60B
  - MD5: d17fe0a3f47be24a6453e9ef58c94641
  - SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  - SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  - SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- File 2
  - Filesize: 1KB
  - MD5: 7f803b32133a013d5421934e61d039fe
  - SHA1: 8390d1a901df668a9fee0c732302c7e44f048d77
  - SHA256: 6fe3888d112736409b1ef124405c7b8461b63305680ef415bcc9b902f3e084b7
  - SHA512: 33ad560a69da6edb01e378e5cd1448ccd6303774d7b3edd53d09f89be586837e32815492ad0aa40d50f733d9c92126409fb48f2feb11ae2d08eef4cff7b34ced