Analysis Overview
SHA256
dddfb9fd01740055a5dbf0ac2be671b0cc7ea825fc4d6fb40dca5abac45a0e28
Threat Level: Known bad
The file 13112024_0009_12112024_decontare facturi pentru plata 12 noiembrie 2024 xlsx.z was found to be: Known bad.
Malicious Activity Summary
Formbook
Formbook family
Formbook payload
Suspicious use of SetThreadContext
AutoIT Executable
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 00:09
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 00:09
Reported
2024-11-13 00:14
Platform
win10v2004-20241007-en
Max time kernel
299s
Max time network
300s
Command Line
Signatures
Formbook
Formbook family
Formbook payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 468 set thread context of 2332 | N/A | C:\Users\Admin\AppData\Local\Temp\decontare facturi pentru plata 12 noiembrie 2024.xlsx.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 2332 set thread context of 3560 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\Explorer.EXE |
| PID 2380 set thread context of 3560 | N/A | C:\Windows\SysWOW64\cmmon32.exe | C:\Windows\Explorer.EXE |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\decontare facturi pentru plata 12 noiembrie 2024.xlsx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmmon32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\decontare facturi pentru plata 12 noiembrie 2024.xlsx.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmmon32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmmon32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\cmmon32.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\decontare facturi pentru plata 12 noiembrie 2024.xlsx.exe
"C:\Users\Admin\AppData\Local\Temp\decontare facturi pentru plata 12 noiembrie 2024.xlsx.exe"
C:\Windows\SysWOW64\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\decontare facturi pentru plata 12 noiembrie 2024.xlsx.exe"
C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\SysWOW64\svchost.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.futurum.xyz | udp |
| US | 162.159.134.42:80 | www.futurum.xyz | tcp |
| US | 8.8.8.8:53 | 42.134.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.riteon.online | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.animevyhgsft29817.click | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.1130.vip | udp |
| US | 67.21.93.230:80 | www.1130.vip | tcp |
| US | 8.8.8.8:53 | 230.93.21.67.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.otoyama.shop | udp |
| US | 8.8.8.8:53 | www.tandkite.fun | udp |
| US | 8.8.8.8:53 | www.akrzus.pro | udp |
| US | 8.8.8.8:53 | www.cweb.cyou | udp |
| US | 8.8.8.8:53 | www.ualitystore.shop | udp |
| US | 8.8.8.8:53 | www.tendmtedcpsa.site | udp |
| US | 8.8.8.8:53 | www.p-inbox4.click | udp |
| US | 8.8.8.8:53 | www.dlpli.xyz | udp |
| US | 8.8.8.8:53 | www.ires-86307.bond | udp |
Files
memory/468-11-0x00000000041C0000-0x00000000043C0000-memory.dmp
memory/2332-12-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2332-13-0x0000000001900000-0x0000000001C4A000-memory.dmp
memory/2332-16-0x0000000001880000-0x0000000001894000-memory.dmp
memory/2332-15-0x0000000000400000-0x000000000042F000-memory.dmp
memory/3560-17-0x00000000090F0000-0x0000000009257000-memory.dmp
memory/2380-19-0x0000000000550000-0x000000000055C000-memory.dmp
memory/2380-18-0x0000000000550000-0x000000000055C000-memory.dmp
memory/2380-20-0x0000000000180000-0x00000000001AF000-memory.dmp
memory/3560-21-0x00000000090F0000-0x0000000009257000-memory.dmp
memory/3560-25-0x000000000AFD0000-0x000000000B09D000-memory.dmp
memory/3560-26-0x000000000AFD0000-0x000000000B09D000-memory.dmp
memory/3560-28-0x000000000AFD0000-0x000000000B09D000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 00:09
Reported
2024-11-13 00:14
Platform
win7-20240903-en
Max time kernel
300s
Max time network
121s
Command Line
Signatures
Formbook
Formbook family
Formbook payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2420 set thread context of 2220 | N/A | C:\Users\Admin\AppData\Local\Temp\decontare facturi pentru plata 12 noiembrie 2024.xlsx.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 2220 set thread context of 1212 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\Explorer.EXE |
| PID 2540 set thread context of 1212 | N/A | C:\Windows\SysWOW64\control.exe | C:\Windows\Explorer.EXE |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\control.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\decontare facturi pentru plata 12 noiembrie 2024.xlsx.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\decontare facturi pentru plata 12 noiembrie 2024.xlsx.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\control.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\control.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\control.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\decontare facturi pentru plata 12 noiembrie 2024.xlsx.exe
"C:\Users\Admin\AppData\Local\Temp\decontare facturi pentru plata 12 noiembrie 2024.xlsx.exe"
C:\Windows\SysWOW64\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\decontare facturi pentru plata 12 noiembrie 2024.xlsx.exe"
C:\Windows\SysWOW64\control.exe
"C:\Windows\SysWOW64\control.exe"
C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\SysWOW64\svchost.exe"
Network
Files
memory/2420-11-0x00000000002C0000-0x00000000003C0000-memory.dmp
memory/2220-12-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2220-13-0x0000000000910000-0x0000000000C13000-memory.dmp
memory/2220-16-0x0000000000180000-0x0000000000194000-memory.dmp
memory/2220-15-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1212-17-0x0000000004E20000-0x0000000004F1B000-memory.dmp
memory/2540-18-0x00000000000E0000-0x00000000000FF000-memory.dmp
memory/2540-20-0x00000000000E0000-0x00000000000FF000-memory.dmp
memory/2540-21-0x0000000000080000-0x00000000000AF000-memory.dmp
memory/1212-22-0x0000000004E20000-0x0000000004F1B000-memory.dmp