Analysis Overview
SHA256
5c2a86ed29bd6dd599bd6be9aaaa55a130479f5bbce253ab18bc70c3efcdedec
Threat Level: Known bad
The file 13112024_0006_12112024_számla kiegyenlítése fizetéshez 2024. november 12 xlsx.z was found to be: Known bad.
Malicious Activity Summary
Formbook
Formbook family
Formbook payload
AutoIT Executable
Suspicious use of SetThreadContext
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Program crash
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 00:06
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 00:06
Reported
2024-11-13 00:11
Platform
win7-20240903-en
Max time kernel
300s
Max time network
121s
Command Line
Signatures
Formbook
Formbook family
Formbook payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2648 set thread context of 2744 | N/A | C:\Users\Admin\AppData\Local\Temp\számla kiegyenlítése fizetéshez 2024. november 12.xlsx.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 2744 set thread context of 1216 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\Explorer.EXE |
| PID 2780 set thread context of 1216 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\Explorer.EXE |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\számla kiegyenlítése fizetéshez 2024. november 12.xlsx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\számla kiegyenlítése fizetéshez 2024. november 12.xlsx.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\számla kiegyenlítése fizetéshez 2024. november 12.xlsx.exe
"C:\Users\Admin\AppData\Local\Temp\számla kiegyenlítése fizetéshez 2024. november 12.xlsx.exe"
C:\Windows\SysWOW64\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\számla kiegyenlítése fizetéshez 2024. november 12.xlsx.exe"
C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\SysWOW64\svchost.exe"
Network
Files
memory/2648-11-0x0000000002490000-0x0000000002590000-memory.dmp
memory/2744-12-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2744-13-0x0000000000770000-0x0000000000A73000-memory.dmp
memory/2744-15-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2744-16-0x0000000000110000-0x0000000000124000-memory.dmp
memory/1216-18-0x0000000004FD0000-0x0000000005119000-memory.dmp
memory/1216-17-0x0000000003F50000-0x0000000004150000-memory.dmp
memory/2780-19-0x0000000000F20000-0x0000000000F28000-memory.dmp
memory/2780-21-0x0000000000F20000-0x0000000000F28000-memory.dmp
memory/2780-22-0x00000000000C0000-0x00000000000EF000-memory.dmp
memory/1216-23-0x0000000004FD0000-0x0000000005119000-memory.dmp
memory/1216-25-0x0000000003F50000-0x0000000004150000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 00:06
Reported
2024-11-13 00:11
Platform
win10v2004-20241007-en
Max time kernel
298s
Max time network
299s
Command Line
Signatures
Formbook
Formbook family
Formbook payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2192 set thread context of 2208 | N/A | C:\Users\Admin\AppData\Local\Temp\számla kiegyenlítése fizetéshez 2024. november 12.xlsx.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 2208 set thread context of 3524 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\Explorer.EXE |
| PID 2208 set thread context of 3524 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\Explorer.EXE |
| PID 1620 set thread context of 3524 | N/A | C:\Windows\SysWOW64\msiexec.exe | C:\Windows\Explorer.EXE |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\számla kiegyenlítése fizetéshez 2024. november 12.xlsx.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\számla kiegyenlítése fizetéshez 2024. november 12.xlsx.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\számla kiegyenlítése fizetéshez 2024. november 12.xlsx.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\számla kiegyenlítése fizetéshez 2024. november 12.xlsx.exe
"C:\Users\Admin\AppData\Local\Temp\számla kiegyenlítése fizetéshez 2024. november 12.xlsx.exe"
C:\Windows\SysWOW64\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\számla kiegyenlítése fizetéshez 2024. november 12.xlsx.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2192 -ip 2192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 744
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\SysWOW64\svchost.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.linko1win.icu | udp |
| US | 8.8.8.8:53 | www.asik-eye-surgery-63293.bond | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.uy-now-pay-later-74776.bond | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.unluoren.top | udp |
| US | 8.8.8.8:53 | www.2creativedesign.online | udp |
| US | 8.8.8.8:53 | www.itaxia.dev | udp |
| US | 8.8.8.8:53 | www.el-radu-easy4y.one | udp |
| US | 8.8.8.8:53 | www.enobscotlobster.online | udp |
| US | 8.8.8.8:53 | www.ovonordisk.online | udp |
| US | 8.8.8.8:53 | www.raquewear.shop | udp |
| US | 8.8.8.8:53 | www.tendmtedcpsa.site | udp |
| US | 8.8.8.8:53 | www.udulbet88.net | udp |
| US | 8.8.8.8:53 | www.ugeniolopez.art | udp |
Files
memory/2192-11-0x0000000004090000-0x0000000004290000-memory.dmp
memory/2208-12-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2208-13-0x0000000001200000-0x000000000154A000-memory.dmp
memory/2208-15-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2208-16-0x0000000000970000-0x0000000000984000-memory.dmp
memory/3524-17-0x00000000084B0000-0x00000000085A4000-memory.dmp
memory/3524-21-0x000000000AEB0000-0x000000000AF76000-memory.dmp
memory/2208-20-0x0000000002EC0000-0x0000000002ED4000-memory.dmp
memory/2208-19-0x0000000000400000-0x000000000042F000-memory.dmp
memory/3524-22-0x00000000084B0000-0x00000000085A4000-memory.dmp
memory/1620-27-0x0000000000690000-0x00000000006A2000-memory.dmp
memory/1620-25-0x0000000000690000-0x00000000006A2000-memory.dmp
memory/1620-28-0x0000000000C70000-0x0000000000C9F000-memory.dmp
memory/1620-23-0x0000000000690000-0x00000000006A2000-memory.dmp
memory/1620-29-0x0000000002AC0000-0x0000000002E0A000-memory.dmp
memory/3524-30-0x000000000AEB0000-0x000000000AF76000-memory.dmp
memory/1620-31-0x0000000000C70000-0x0000000000C9F000-memory.dmp
memory/1620-32-0x00000000029B0000-0x0000000002A43000-memory.dmp
memory/3524-34-0x00000000097B0000-0x00000000098A0000-memory.dmp
memory/3524-36-0x00000000097B0000-0x00000000098A0000-memory.dmp
memory/3524-37-0x00000000097B0000-0x00000000098A0000-memory.dmp