Overview
overview
10Static
static
8Order.exe
windows7-x64
5Order.exe
windows10-2004-x64
5төлем...DF.exe
windows7-x64
10төлем...DF.exe
windows10-2004-x64
1087597.exe
windows7-x64
1087597.exe
windows10-2004-x64
1029146c1ccd...70.exe
windows7-x64
729146c1ccd...70.exe
windows10-2004-x64
72cc3b42957...8e.exe
windows7-x64
102cc3b42957...8e.exe
windows10-2004-x64
10RICHIESTA ...TA.exe
windows7-x64
10RICHIESTA ...TA.exe
windows10-2004-x64
1039c1e12e0a...25c.js
windows7-x64
339c1e12e0a...25c.js
windows10-2004-x64
33f46e10e5f...3b.exe
windows7-x64
103f46e10e5f...3b.exe
windows10-2004-x64
1053074094ad...95dbec
debian-12-mipsel
10632cfc71bd...b1.doc
windows7-x64
10632cfc71bd...b1.doc
windows10-2004-x64
10685dce7a17...03.exe
windows7-x64
10685dce7a17...03.exe
windows10-2004-x64
106c4aab4c3b...e2.exe
windows7-x64
106c4aab4c3b...e2.exe
windows10-2004-x64
1073a52a4c60...c0.exe
windows7-x64
373a52a4c60...c0.exe
windows10-2004-x64
3Inv_7623980.exe
windows7-x64
10Inv_7623980.exe
windows10-2004-x64
108954739d96...a8.ps1
windows7-x64
38954739d96...a8.ps1
windows10-2004-x64
8USD $.exe
windows7-x64
10USD $.exe
windows10-2004-x64
1091d079d937...b9.exe
windows7-x64
Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
23-12-2024 12:40
Behavioral task
behavioral1
Sample
Order.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
Order.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
төлем туралы есеп#454326_PDF.exe
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
төлем туралы есеп#454326_PDF.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
87597.exe
Resource
win7-20241010-en
Behavioral task
behavioral6
Sample
87597.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
29146c1ccdf280c8ac9d0c861f8bd222d2d93777c8a822da4d72c64fc3f78670.exe
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
29146c1ccdf280c8ac9d0c861f8bd222d2d93777c8a822da4d72c64fc3f78670.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
2cc3b4295747aeeb5a54b923fdbc9be766ee156c8914f5c07663f7cb1055068e.exe
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
2cc3b4295747aeeb5a54b923fdbc9be766ee156c8914f5c07663f7cb1055068e.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
RICHIESTA DI OFFERTA.exe
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
RICHIESTA DI OFFERTA.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
39c1e12e0ada85fa835b623a4698345bf95372bea57a7d3a5070ea1d5d5d825c.js
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
39c1e12e0ada85fa835b623a4698345bf95372bea57a7d3a5070ea1d5d5d825c.js
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
3f46e10e5fe376b995e2947d1be21955aa8341f39d80cca737109fcf2cf2bf3b.exe
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
3f46e10e5fe376b995e2947d1be21955aa8341f39d80cca737109fcf2cf2bf3b.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral17
Sample
53074094addc55786936f3d67d7fe36554a7c4f4f96c06252ae768707295dbec
Resource
debian12-mipsel-20240221-en
Behavioral task
behavioral18
Sample
632cfc71bd4734fdd98e48166a52fbc4a48d43640f3375fd882dd374479bffb1.doc
Resource
win7-20240903-en
Behavioral task
behavioral19
Sample
632cfc71bd4734fdd98e48166a52fbc4a48d43640f3375fd882dd374479bffb1.doc
Resource
win10v2004-20241007-en
Behavioral task
behavioral20
Sample
685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03.exe
Resource
win7-20241010-en
Behavioral task
behavioral21
Sample
685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral22
Sample
6c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2.exe
Resource
win7-20240729-en
Behavioral task
behavioral23
Sample
6c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral24
Sample
73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe
Resource
win7-20240903-en
Behavioral task
behavioral25
Sample
73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral26
Sample
Inv_7623980.exe
Resource
win7-20240903-en
Behavioral task
behavioral27
Sample
Inv_7623980.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral28
Sample
8954739d960eecd84aa64e657aed72d40567764023ba14e048778d0ebf24cba8.ps1
Resource
win7-20240903-en
Behavioral task
behavioral29
Sample
8954739d960eecd84aa64e657aed72d40567764023ba14e048778d0ebf24cba8.ps1
Resource
win10v2004-20241007-en
Behavioral task
behavioral30
Sample
USD $.exe
Resource
win7-20241010-en
Behavioral task
behavioral31
Sample
USD $.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral32
Sample
91d079d9371fa53227e4bb2207ba4d3aa4733feee607773b696779c5e87846b9.exe
Resource
win7-20240903-en
General
-
Target
төлем туралы есеп#454326_PDF.exe
-
Size
899KB
-
MD5
8ffb5b1aba6759d623f20a9744de4dd0
-
SHA1
969a580a9e874f8e5a38d7fb4db664be1aa35ce5
-
SHA256
8674688f673421c41dd39734f690c3b1b0aa8aceb5adeb057cf8b21d8f2e41a6
-
SHA512
3713871db07036eca5846ca681432e63dbf1951a47186c1f8458a3395da57b53ab796f5b44025bb277cb6f281fecf401d090bc8618fa72b9ea20fce8991a538c
-
SSDEEP
12288:PNVCqo8zTyvUIZbVlBPI2VBPpZ9SgkVJNoH6tm8EblyuVYvv/zzbVgnQe:0vDBlBPIOBPHsl7Q6tm7blmv/nbO
Malware Config
Extracted
formbook
4.1
vd9n
theunwrappedcollective.com
seckj-ic.com
tyresandover.com
thetrophyworld.com
fonggrconstruction.com
hopiproject.com
sktitle.com
charlotteobscurer.com
qjuhe.com
girlzglitter.com
createmylawn.com
hempcbgpill.com
zzdfdzkj.com
shreehariessential.com
226sm.com
getcupscall.com
neuralviolin.com
sanskaar.life
xn--fhqrm54yyukopc.com
togetherx4fantasy5star.today
buyonlinesaree.com
percyshandman.site
hatchethangout.com
rugpat.com
zen-gizmo.com
vipmomali.com
lacerasavall.cat
aqueouso.com
mkolgems.com
sevenhundredseventysix.fund
fotografhannaneret.com
mitravy.com
bmtrans.net
linterpreting.com
izquay.com
sawaturkey.com
marche-maman.com
eemygf.com
animenovel.com
travelssimply.com
montecitobutterfly.com
volebahis.com
daniela.red
ramseyedk12.com
leyterealestate.info
patriotstrong.net
vkgcrew.com
nadhiradeebaazkiya.online
hotelcarre.com
myfabulouscollection.com
stellantis-luxury-rent.com
hn2020.xyz
emilyscopes.com
lotosouq.com
lovecord.date
stconstant.online
volkite-culverin.net
allwaysautism.com
sheisnatashasimone.com
sepantaceram.com
ishopgrady.com
lifestorycard.com
sexybbwavailable.website
domainbaycapital.com
constructioncleanup.pro
Signatures
-
Formbook family
-
Formbook payload 3 IoCs
resource yara_rule behavioral3/memory/1880-17-0x0000000000400000-0x000000000042E000-memory.dmp formbook behavioral3/memory/1880-21-0x0000000000400000-0x000000000042E000-memory.dmp formbook behavioral3/memory/1880-25-0x0000000000400000-0x000000000042E000-memory.dmp formbook -
Suspicious use of SetThreadContext 4 IoCs
description pid Process procid_target PID 1580 set thread context of 1880 1580 төлем туралы есеп#454326_PDF.exe 32 PID 1880 set thread context of 1152 1880 RegSvcs.exe 20 PID 1880 set thread context of 1152 1880 RegSvcs.exe 20 PID 2576 set thread context of 1152 2576 wininit.exe 20 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language төлем туралы есеп#454326_PDF.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wininit.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2176 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 21 IoCs
pid Process 1580 төлем туралы есеп#454326_PDF.exe 1880 RegSvcs.exe 1880 RegSvcs.exe 1880 RegSvcs.exe 2576 wininit.exe 2576 wininit.exe 2576 wininit.exe 2576 wininit.exe 2576 wininit.exe 2576 wininit.exe 2576 wininit.exe 2576 wininit.exe 2576 wininit.exe 2576 wininit.exe 2576 wininit.exe 2576 wininit.exe 2576 wininit.exe 2576 wininit.exe 2576 wininit.exe 2576 wininit.exe 2576 wininit.exe -
Suspicious behavior: MapViewOfSection 6 IoCs
pid Process 1880 RegSvcs.exe 1880 RegSvcs.exe 1880 RegSvcs.exe 1880 RegSvcs.exe 2576 wininit.exe 2576 wininit.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 1580 төлем туралы есеп#454326_PDF.exe Token: SeDebugPrivilege 1880 RegSvcs.exe Token: SeDebugPrivilege 2576 wininit.exe -
Suspicious use of WriteProcessMemory 22 IoCs
description pid Process procid_target PID 1580 wrote to memory of 2176 1580 төлем туралы есеп#454326_PDF.exe 30 PID 1580 wrote to memory of 2176 1580 төлем туралы есеп#454326_PDF.exe 30 PID 1580 wrote to memory of 2176 1580 төлем туралы есеп#454326_PDF.exe 30 PID 1580 wrote to memory of 2176 1580 төлем туралы есеп#454326_PDF.exe 30 PID 1580 wrote to memory of 1880 1580 төлем туралы есеп#454326_PDF.exe 32 PID 1580 wrote to memory of 1880 1580 төлем туралы есеп#454326_PDF.exe 32 PID 1580 wrote to memory of 1880 1580 төлем туралы есеп#454326_PDF.exe 32 PID 1580 wrote to memory of 1880 1580 төлем туралы есеп#454326_PDF.exe 32 PID 1580 wrote to memory of 1880 1580 төлем туралы есеп#454326_PDF.exe 32 PID 1580 wrote to memory of 1880 1580 төлем туралы есеп#454326_PDF.exe 32 PID 1580 wrote to memory of 1880 1580 төлем туралы есеп#454326_PDF.exe 32 PID 1580 wrote to memory of 1880 1580 төлем туралы есеп#454326_PDF.exe 32 PID 1580 wrote to memory of 1880 1580 төлем туралы есеп#454326_PDF.exe 32 PID 1580 wrote to memory of 1880 1580 төлем туралы есеп#454326_PDF.exe 32 PID 1152 wrote to memory of 2576 1152 Explorer.EXE 33 PID 1152 wrote to memory of 2576 1152 Explorer.EXE 33 PID 1152 wrote to memory of 2576 1152 Explorer.EXE 33 PID 1152 wrote to memory of 2576 1152 Explorer.EXE 33 PID 2576 wrote to memory of 2348 2576 wininit.exe 34 PID 2576 wrote to memory of 2348 2576 wininit.exe 34 PID 2576 wrote to memory of 2348 2576 wininit.exe 34 PID 2576 wrote to memory of 2348 2576 wininit.exe 34
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of WriteProcessMemory
PID:1152 -
C:\Users\Admin\AppData\Local\Temp\төлем туралы есеп#454326_PDF.exe"C:\Users\Admin\AppData\Local\Temp\төлем туралы есеп#454326_PDF.exe"2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1580 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tUlSEv" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD98D.tmp"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2176
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1880
-
-
-
C:\Windows\SysWOW64\wininit.exe"C:\Windows\SysWOW64\wininit.exe"2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Windows\SysWOW64\cmd.exe/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"3⤵
- System Location Discovery: System Language Discovery
PID:2348
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD59ba6b00c08a88f2f37216063b91ca0ab
SHA1275e65deee211a1aa48ee4c04c7baeecfd8122fe
SHA25627fefe95d6d138a91dfcce76b9c80a774bc81cfd5c0c9e332adac7a6df1e71ca
SHA512dcefc7b26a91f5ba46bb15702e49eda68a70f81ec806ec5db8aad9a21c6aa1f4ace611828171f8e35be9b7d2e0eee6b049b04e25239aea4416da3b7137aa8cfa