Analysis
- max time kernel: 147s
- max time network: 142s
- platform: windows10-2004_x64
- resource: win10v2004-20250314-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26/03/2025, 13:10
- Static task: static1
- Behavioral task: behavioral1
- Sample: yeni sifariş pdf.exe
- Resource: win7-20240903-en
General
- Target: yeni sifariş pdf.exe
- Size: 610KB
- MD5: 614d0911a4db90a2ad750b5ec42640fb
- SHA1: d33e0045ad249e4c85452ceac63c3d2bdb1d4df3
- SHA256: 5ade11c9dbb4f221d73784653c243c629ff804c6a4af5d5c8aad88d64e48a864
- SHA512: 31dcfd2d93faada4fa359f2c196a3fb7b598fb6c5d33b76595cb33146498978c8a79d73654a126c84315f1b0ba2782238d2ce2d87e0fccdb79e1770035aaadcd
- SSDEEP: 12288:qYVDa977OqHNNJMvpLP6V/DayvziAQVUg7/mo:qiaRN8LKDLbiAti
Malware Config
- Extracted: formbook 4.1 kk18
Signatures

- Formbook family

- Formbook payload (3 IoCs)

  resource | yara_rule
  behavioral2/memory/2248-13-0x0000000000400000-0x000000000042E000-memory.dmp | formbook
  behavioral2/memory/2248-18-0x0000000000400000-0x000000000042E000-memory.dmp | formbook
  behavioral2/memory/1372-24-0x0000000000C90000-0x0000000000CBE000-memory.dmp | formbook

- Suspicious use of SetThreadContext (3 IoCs)

  description | pid | Process | procid_target
  PID 4828 set thread context of 2248 | 4828 | yeni sifariş pdf.exe | 100
  PID 2248 set thread context of 3416 | 2248 | AddInProcess32.exe | 56
  PID 1372 set thread context of 3416 | 1372 | WWAHost.exe | 56
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WWAHost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | yeni sifariş pdf.exe
- Suspicious behavior: EnumeratesProcesses (41 IoCs)

  pid | Process | occurrences
  4828 | yeni sifariş pdf.exe | 5
  2248 | AddInProcess32.exe | 4
  1372 | WWAHost.exe | 32

- Suspicious behavior: MapViewOfSection (5 IoCs)

  pid | Process | occurrences
  2248 | AddInProcess32.exe | 3
  1372 | WWAHost.exe | 2

- Suspicious use of AdjustPrivilegeToken (3 IoCs)

  description | pid | Process
  Token: SeDebugPrivilege | 4828 | yeni sifariş pdf.exe
  Token: SeDebugPrivilege | 2248 | AddInProcess32.exe
  Token: SeDebugPrivilege | 1372 | WWAHost.exe

- Suspicious use of UnmapMainImage (1 IoC)

  pid | Process
  3416 | Explorer.EXE

- Suspicious use of WriteProcessMemory (18 IoCs)

  description | pid | Process | procid_target | occurrences
  PID 4828 wrote to memory of 3500 | 4828 | yeni sifariş pdf.exe | 99 | 6
  PID 4828 wrote to memory of 2248 | 4828 | yeni sifariş pdf.exe | 100 | 6
  PID 3416 wrote to memory of 1372 | 3416 | Explorer.EXE | 109 | 3
  PID 1372 wrote to memory of 4668 | 1372 | WWAHost.exe | 110 | 3
Processes

- C:\Windows\Explorer.EXE (PID 3416), command line: C:\Windows\Explorer.EXE
  Signatures: Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\yeni sifariş pdf.exe (PID 4828), command line: "C:\Users\Admin\AppData\Local\Temp\yeni sifariş pdf.exe"
    Signatures: Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe (PID 3500), command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe (PID 2248), command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      Signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WWAHost.exe (PID 1372), command line: "C:\Windows\SysWOW64\WWAHost.exe"
    Signatures: Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 4668), command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      Signatures: System Location Discovery: System Language Discovery