Malware Analysis Report

2024-12-06 03:04

Sample ID 241121-yvb7da1jdp
Target 13af3ad92eb86c2c95c816ac526b97c78e0aaed46535c61bf363d768bb2cb0c9
SHA256 13af3ad92eb86c2c95c816ac526b97c78e0aaed46535c61bf363d768bb2cb0c9
Tags
discovery redline sectoprat chinchong evasion execution infostealer persistence rat trojan guloader downloader formbook m0r9 spyware stealer xloader nd04 loader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK
  Enterprise Matrix V15

Analysis: static1
  Detonation Overview; Signatures

Analysis: behavioral17, behavioral18, behavioral19, behavioral5, behavioral10, behavioral13, behavioral15, behavioral16, behavioral22, behavioral3, behavioral7, behavioral11, behavioral12, behavioral20, behavioral21, behavioral24, behavioral1, behavioral2, behavioral4, behavioral6, behavioral8, behavioral9, behavioral14, behavioral23 (in that order), each with:
  Detonation Overview; Command Line; Signatures; Processes; Network; Files

Analysis Overview

score
10/10

SHA256

13af3ad92eb86c2c95c816ac526b97c78e0aaed46535c61bf363d768bb2cb0c9

Threat Level: Known bad

The file 13af3ad92eb86c2c95c816ac526b97c78e0aaed46535c61bf363d768bb2cb0c9 was found to be: Known bad.

Malicious Activity Summary

discovery redline sectoprat chinchong evasion execution infostealer persistence rat trojan guloader downloader formbook m0r9 spyware stealer xloader nd04 loader

SectopRAT payload

Guloader family

RedLine payload

Formbook family

SectopRAT

RedLine

Xloader family

Guloader, Cloudeye

Sectoprat family

Xloader

Redline family

Windows security bypass

Formbook

Xloader payload

Formbook payload

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Loads dropped DLL

Checks computer location settings

Windows security modification

Deletes itself

Executes dropped EXE

Adds Run key to start application

Checks installed software on the system

Suspicious use of SetThreadContext

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Program crash

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Office loads VBA resources, possible macro or embedded object present

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Enumerates system info in registry

Uses Volume Shadow Copy service COM API

Suspicious use of SendNotifyMessage

Suspicious behavior: AddClipboardFormatListener

Launches Equation Editor

Uses Volume Shadow Copy WMI provider

Gathers network information

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-21 20:05

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-11-21 20:05

Reported

2024-11-21 20:08

Platform

win7-20240708-en

Max time kernel

117s

Max time network

120s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\IoC\Pagamento.xlsx

Signatures

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Launches Equation Editor

exploit
Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\IoC\Pagamento.xlsx

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Network

Country | Destination | Domain | Proto
NL | 2.58.149.219:80 | N/A | tcp

Files

memory/2644-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2644-1-0x000000007234D000-0x0000000072358000-memory.dmp

memory/2644-2-0x000000007234D000-0x0000000072358000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-11-21 20:05

Reported

2024-11-21 20:08

Platform

win10v2004-20241007-en

Max time kernel

133s

Max time network

142s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\IoC\Pagamento.xlsx"

Signatures

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\IoC\Pagamento.xlsx"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | roaming.officeapps.live.com | udp
GB | 52.109.28.47:443 | roaming.officeapps.live.com | tcp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.32.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 47.28.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.181.100.95.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 25.73.42.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp

Files

memory/3928-0-0x00007FF9B9930000-0x00007FF9B9940000-memory.dmp

memory/3928-2-0x00007FF9F98B0000-0x00007FF9F9AA5000-memory.dmp

memory/3928-1-0x00007FF9F994D000-0x00007FF9F994E000-memory.dmp

memory/3928-6-0x00007FF9B9930000-0x00007FF9B9940000-memory.dmp

memory/3928-7-0x00007FF9F98B0000-0x00007FF9F9AA5000-memory.dmp

memory/3928-5-0x00007FF9F98B0000-0x00007FF9F9AA5000-memory.dmp

memory/3928-4-0x00007FF9B9930000-0x00007FF9B9940000-memory.dmp

memory/3928-9-0x00007FF9F98B0000-0x00007FF9F9AA5000-memory.dmp

memory/3928-8-0x00007FF9B9930000-0x00007FF9B9940000-memory.dmp

memory/3928-13-0x00007FF9F98B0000-0x00007FF9F9AA5000-memory.dmp

memory/3928-14-0x00007FF9F98B0000-0x00007FF9F9AA5000-memory.dmp

memory/3928-15-0x00007FF9B77F0000-0x00007FF9B7800000-memory.dmp

memory/3928-16-0x00007FF9F98B0000-0x00007FF9F9AA5000-memory.dmp

memory/3928-17-0x00007FF9F98B0000-0x00007FF9F9AA5000-memory.dmp

memory/3928-12-0x00007FF9F98B0000-0x00007FF9F9AA5000-memory.dmp

memory/3928-18-0x00007FF9B77F0000-0x00007FF9B7800000-memory.dmp

memory/3928-11-0x00007FF9F98B0000-0x00007FF9F9AA5000-memory.dmp

memory/3928-10-0x00007FF9F98B0000-0x00007FF9F9AA5000-memory.dmp

memory/3928-3-0x00007FF9B9930000-0x00007FF9B9940000-memory.dmp

memory/3928-33-0x00007FF9F98B0000-0x00007FF9F9AA5000-memory.dmp

memory/3928-34-0x00007FF9F994D000-0x00007FF9F994E000-memory.dmp

memory/3928-35-0x00007FF9F98B0000-0x00007FF9F9AA5000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

MD5 a39831091135c657d097c119aa332f43
SHA1 b7cb7be6524d14fd4d5555029eafabeedccfc079
SHA256 f58469668f577cdda100db90689baf6c9014b332978cd3d377b25f0619a1a070
SHA512 9987030f60d73ddc82f202ec954787bd9648edef93883e9f8e42f83f1a5b1a93ba163f783f9971c1b8d817f27b052787b5d17e44ab5a42562b6737a78122f28d

Analysis: behavioral19

Detonation Overview

Submitted

2024-11-21 20:05

Reported

2024-11-21 20:08

Platform

win7-20240903-en

Max time kernel

120s

Max time network

124s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\IoC\SHIPPING DOCUMENTS.rtf"

Signatures

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | N/A
N/A | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor

exploit
Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\IoC\SHIPPING DOCUMENTS.rtf"

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

Country | Destination | Domain | Proto
NL | 2.58.149.41:80 | N/A | tcp
NL | 2.58.149.41:80 | N/A | tcp

Files

memory/1812-0-0x000000002F7F1000-0x000000002F7F2000-memory.dmp

memory/1812-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/1812-2-0x00000000716BD000-0x00000000716C8000-memory.dmp

memory/1812-4-0x00000000716BD000-0x00000000716C8000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-21 20:05

Reported

2024-11-21 20:08

Platform

win7-20241010-en

Max time kernel

13s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\qfmjhb.exe"

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\qfmjhb.exe

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\qfmjhb.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2348 wrote to memory of 1704 | N/A | C:\Users\Admin\AppData\Local\Temp\qfmjhb.exe | C:\Windows\SysWOW64\WerFault.exe
PID 2348 wrote to memory of 1704 | N/A | C:\Users\Admin\AppData\Local\Temp\qfmjhb.exe | C:\Windows\SysWOW64\WerFault.exe
PID 2348 wrote to memory of 1704 | N/A | C:\Users\Admin\AppData\Local\Temp\qfmjhb.exe | C:\Windows\SysWOW64\WerFault.exe
PID 2348 wrote to memory of 1704 | N/A | C:\Users\Admin\AppData\Local\Temp\qfmjhb.exe | C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\qfmjhb.exe

"C:\Users\Admin\AppData\Local\Temp\qfmjhb.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2348 -s 232

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-11-21 20:05

Reported

2024-11-21 20:08

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\gocbcx.exe"

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\gocbcx.exe

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\gocbcx.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\gocbcx.exe

"C:\Users\Admin\AppData\Local\Temp\gocbcx.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1404 -ip 1404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1404 -s 432

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 69.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 220.181.100.95.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-11-21 20:05

Reported

2024-11-21 20:08

Platform

win7-20240729-en

Max time kernel

61s

Max time network

26s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\IoC\PO.xlsx

Signatures

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Launches Equation Editor

exploit
Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\IoC\PO.xlsx

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Network

Country | Destination | Domain | Proto
NL | 2.58.149.219:80 | N/A | tcp

Files

memory/1824-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/1824-1-0x0000000073D7D000-0x0000000073D88000-memory.dmp

memory/1824-2-0x0000000073D7D000-0x0000000073D88000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2024-11-21 20:05

Reported

2024-11-21 20:08

Platform

win7-20241010-en

Max time kernel

122s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PO_2022-04-33981.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\PO_2022-04-33981.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PO_2022-04-33981.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PO_2022-04-33981.exe

"C:\Users\Admin\AppData\Local\Temp\PO_2022-04-33981.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1840 -s 624

Network

N/A

Files

memory/1840-0-0x000000007445E000-0x000000007445F000-memory.dmp

memory/1840-1-0x00000000010D0000-0x00000000011BE000-memory.dmp

memory/1840-2-0x0000000074450000-0x0000000074B3E000-memory.dmp

memory/1840-3-0x0000000074450000-0x0000000074B3E000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-11-21 20:05

Reported

2024-11-21 20:08

Platform

win10v2004-20241007-en

Max time kernel

134s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PO_2022-04-33981.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Sectoprat family

sectoprat

Windows security bypass

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Users\Admin\AppData\Local\Temp\PO_2022-04-33981.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files\Common Files\System\WFOxUyWbXoPQU\svchost.exe = "0" | C:\Users\Admin\AppData\Local\Temp\PO_2022-04-33981.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\PO_2022-04-33981.exe = "0" | C:\Users\Admin\AppData\Local\Temp\PO_2022-04-33981.exe | N/A

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\PO_2022-04-33981.exe | N/A

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\PO_2022-04-33981.exe = "0" | C:\Users\Admin\AppData\Local\Temp\PO_2022-04-33981.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Users\Admin\AppData\Local\Temp\PO_2022-04-33981.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions | C:\Users\Admin\AppData\Local\Temp\PO_2022-04-33981.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files\Common Files\System\WFOxUyWbXoPQU\svchost.exe = "0" | C:\Users\Admin\AppData\Local\Temp\PO_2022-04-33981.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tQzKc5fBQfkJE = "C:\\Program Files\\Common Files\\System\\WFOxUyWbXoPQU\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\PO_2022-04-33981.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tQzKc5fBQfkJE = "C:\\Program Files\\Common Files\\System\\WFOxUyWbXoPQU\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\PO_2022-04-33981.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 528 set thread context of 32 | N/A | C:\Users\Admin\AppData\Local\Temp\PO_2022-04-33981.exe | C:\Users\Admin\AppData\Local\Temp\PO_2022-04-33981.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Common Files\System\WFOxUyWbXoPQU\svchost.exe | C:\Users\Admin\AppData\Local\Temp\PO_2022-04-33981.exe | N/A
File opened for modification | C:\Program Files\Common Files\System\WFOxUyWbXoPQU | C:\Users\Admin\AppData\Local\Temp\PO_2022-04-33981.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\PO_2022-04-33981.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\PO_2022-04-33981.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PO_2022-04-33981.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PO_2022-04-33981.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 528 wrote to memory of 4876 | N/A | C:\Users\Admin\AppData\Local\Temp\PO_2022-04-33981.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 528 wrote to memory of 4876 | N/A | C:\Users\Admin\AppData\Local\Temp\PO_2022-04-33981.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 528 wrote to memory of 4876 | N/A | C:\Users\Admin\AppData\Local\Temp\PO_2022-04-33981.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 528 wrote to memory of 2348 | N/A | C:\Users\Admin\AppData\Local\Temp\PO_2022-04-33981.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 528 wrote to memory of 2348 | N/A | C:\Users\Admin\AppData\Local\Temp\PO_2022-04-33981.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 528 wrote to memory of 2348 | N/A | C:\Users\Admin\AppData\Local\Temp\PO_2022-04-33981.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 528 wrote to memory of 4924 | N/A | C:\Users\Admin\AppData\Local\Temp\PO_2022-04-33981.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 528 wrote to memory of 4924 | N/A | C:\Users\Admin\AppData\Local\Temp\PO_2022-04-33981.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 528 wrote to memory of 4924 | N/A | C:\Users\Admin\AppData\Local\Temp\PO_2022-04-33981.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 528 wrote to memory of 32 | N/A | C:\Users\Admin\AppData\Local\Temp\PO_2022-04-33981.exe | C:\Users\Admin\AppData\Local\Temp\PO_2022-04-33981.exe
PID 528 wrote to memory of 32 | N/A | C:\Users\Admin\AppData\Local\Temp\PO_2022-04-33981.exe | C:\Users\Admin\AppData\Local\Temp\PO_2022-04-33981.exe
PID 528 wrote to memory of 32 | N/A | C:\Users\Admin\AppData\Local\Temp\PO_2022-04-33981.exe | C:\Users\Admin\AppData\Local\Temp\PO_2022-04-33981.exe
PID 528 wrote to memory of 32 | N/A | C:\Users\Admin\AppData\Local\Temp\PO_2022-04-33981.exe | C:\Users\Admin\AppData\Local\Temp\PO_2022-04-33981.exe
PID 528 wrote to memory of 32 | N/A | C:\Users\Admin\AppData\Local\Temp\PO_2022-04-33981.exe | C:\Users\Admin\AppData\Local\Temp\PO_2022-04-33981.exe
PID 528 wrote to memory of 32 | N/A | C:\Users\Admin\AppData\Local\Temp\PO_2022-04-33981.exe | C:\Users\Admin\AppData\Local\Temp\PO_2022-04-33981.exe
PID 528 wrote to memory of 32 | N/A | C:\Users\Admin\AppData\Local\Temp\PO_2022-04-33981.exe | C:\Users\Admin\AppData\Local\Temp\PO_2022-04-33981.exe
PID 528 wrote to memory of 32 | N/A | C:\Users\Admin\AppData\Local\Temp\PO_2022-04-33981.exe | C:\Users\Admin\AppData\Local\Temp\PO_2022-04-33981.exe

Processes

C:\Users\Admin\AppData\Local\Temp\PO_2022-04-33981.exe

"C:\Users\Admin\AppData\Local\Temp\PO_2022-04-33981.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\WFOxUyWbXoPQU\svchost.exe" -Force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\WFOxUyWbXoPQU\svchost.exe" -Force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PO_2022-04-33981.exe" -Force

C:\Users\Admin\AppData\Local\Temp\PO_2022-04-33981.exe

"C:\Users\Admin\AppData\Local\Temp\PO_2022-04-33981.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 69.209.201.84.in-addr.arpa | udp
US | 23.94.54.224:6325 | N/A | tcp
US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 23.94.54.224:6325 | N/A | tcp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.209.201.84.in-addr.arpa | udp
US | 23.94.54.224:6325 | N/A | tcp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 23.94.54.224:6325 | N/A | tcp
US | 23.94.54.224:6325 | N/A | tcp
US | 23.94.54.224:6325 | N/A | tcp

Files

memory/528-0-0x000000007537E000-0x000000007537F000-memory.dmp

memory/528-1-0x0000000000C50000-0x0000000000D3E000-memory.dmp

memory/528-2-0x0000000005BB0000-0x0000000006154000-memory.dmp

memory/528-3-0x0000000005600000-0x000000000569C000-memory.dmp

memory/528-4-0x00000000056A0000-0x0000000005732000-memory.dmp

memory/528-5-0x00000000055A0000-0x00000000055AA000-memory.dmp

memory/528-6-0x0000000075370000-0x0000000075B20000-memory.dmp

memory/528-7-0x00000000058E0000-0x0000000005986000-memory.dmp

memory/528-8-0x0000000075370000-0x0000000075B20000-memory.dmp

memory/528-9-0x00000000055C0000-0x00000000055D6000-memory.dmp

memory/4876-12-0x0000000075370000-0x0000000075B20000-memory.dmp

memory/2348-11-0x0000000002AE0000-0x0000000002B16000-memory.dmp

memory/2348-14-0x0000000075370000-0x0000000075B20000-memory.dmp

memory/32-15-0x0000000000400000-0x000000000041E000-memory.dmp

memory/4876-13-0x0000000005410000-0x0000000005A38000-memory.dmp

memory/2348-16-0x0000000075370000-0x0000000075B20000-memory.dmp

memory/4876-17-0x0000000005140000-0x0000000005162000-memory.dmp

memory/4876-29-0x0000000075370000-0x0000000075B20000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ecyymgxq.4cb.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4876-19-0x0000000005340000-0x00000000053A6000-memory.dmp

memory/4876-18-0x00000000051E0000-0x0000000005246000-memory.dmp

memory/4876-30-0x0000000005B40000-0x0000000005E94000-memory.dmp

memory/4924-31-0x0000000075370000-0x0000000075B20000-memory.dmp

memory/4876-42-0x0000000075370000-0x0000000075B20000-memory.dmp

memory/32-44-0x0000000004F60000-0x0000000004F9C000-memory.dmp

memory/2348-45-0x0000000075370000-0x0000000075B20000-memory.dmp

memory/32-43-0x0000000004F00000-0x0000000004F12000-memory.dmp

memory/32-32-0x00000000054A0000-0x0000000005AB8000-memory.dmp

memory/4924-46-0x0000000075370000-0x0000000075B20000-memory.dmp

memory/4924-57-0x0000000075370000-0x0000000075B20000-memory.dmp

memory/32-56-0x0000000004FA0000-0x0000000004FEC000-memory.dmp

memory/4876-58-0x0000000005FC0000-0x0000000005FDE000-memory.dmp

memory/32-59-0x0000000005200000-0x000000000530A000-memory.dmp

memory/2348-72-0x0000000006A60000-0x0000000006A7E000-memory.dmp

memory/2348-61-0x00000000705B0000-0x00000000705FC000-memory.dmp

memory/2348-78-0x0000000007680000-0x0000000007723000-memory.dmp

memory/2348-60-0x0000000007430000-0x0000000007462000-memory.dmp

memory/4876-71-0x00000000705B0000-0x00000000705FC000-memory.dmp

memory/528-84-0x0000000075370000-0x0000000075B20000-memory.dmp

memory/4876-86-0x0000000007300000-0x000000000731A000-memory.dmp

memory/4876-85-0x0000000007950000-0x0000000007FCA000-memory.dmp

memory/4924-87-0x00000000705B0000-0x00000000705FC000-memory.dmp

memory/4876-97-0x0000000007370000-0x000000000737A000-memory.dmp

memory/4876-98-0x0000000007580000-0x0000000007616000-memory.dmp

memory/4876-99-0x0000000007500000-0x0000000007511000-memory.dmp

memory/2348-100-0x00000000079E0000-0x00000000079EE000-memory.dmp

memory/4876-101-0x0000000007540000-0x0000000007554000-memory.dmp

memory/4876-103-0x0000000007620000-0x0000000007628000-memory.dmp

memory/4876-102-0x0000000007640000-0x000000000765A000-memory.dmp

memory/2348-109-0x0000000075370000-0x0000000075B20000-memory.dmp

memory/4876-110-0x0000000075370000-0x0000000075B20000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cc6b342dca61fc5f489886c676e9e76c
SHA1 f47d72a55c4997ca65fee94cde4e82da56de44ea
SHA256 d765bd4439ad84cb547fde618ab3476811b04600c8085e55dfc57c8ae63f61e0
SHA512 2094c48ba4c004c6fcfee0b2165f7f06acc5bd21eeac6798066d896f2a339e83604d2f419875728fdc8fbef8b8dc57280aa3df9c414c709c21fce0701642dba3

memory/4924-113-0x0000000075370000-0x0000000075B20000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6d9a79cf73dd51c0d3f3e728ed815f28
SHA1 0dbac3d010e3800a35c5db1611328bfe1c8c0baa
SHA256 51430b1ccfe18e6ae37caac93692333273e87bfcaf1d653b22884f16bb7f864f
SHA512 f6873dacde40cec469aac496a6d568b9d46078ab5167691979c9744fdf790758dfe3c2c4020a552f5bbd6abe0b50c18b065a9354697240882100e23ff4c4f0a8

Analysis: behavioral22

Detonation Overview

Submitted

2024-11-21 20:05

Reported

2024-11-21 20:08

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SMK_29082022.exe"

Signatures

Guloader family

guloader

Guloader,Cloudeye

downloader guloader

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SMK_29082022.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\SMK_29082022.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SMK_29082022.exe

"C:\Users\Admin\AppData\Local\Temp\SMK_29082022.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 198.181.100.95.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 223.181.100.95.in-addr.arpa udp
US 8.8.8.8:53 70.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsq88F8.tmp\System.dll

MD5 cff85c549d536f651d4fb8387f1976f2
SHA1 d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
SHA256 8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
SHA512 531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

memory/3004-14-0x0000000004A00000-0x0000000004B00000-memory.dmp

memory/3004-15-0x0000000004A00000-0x0000000004B00000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-21 20:05

Reported

2024-11-21 20:08

Platform

win7-20240903-en

Max time kernel

146s

Max time network

137s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Formbook family

formbook

Formbook payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\qfmjhb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\qfmjhb.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 772 set thread context of 2544 N/A C:\Users\Admin\AppData\Local\Temp\qfmjhb.exe C:\Users\Admin\AppData\Local\Temp\qfmjhb.exe
PID 2544 set thread context of 1200 N/A C:\Users\Admin\AppData\Local\Temp\qfmjhb.exe C:\Windows\Explorer.EXE
PID 2264 set thread context of 1200 N/A C:\Windows\SysWOW64\chkdsk.exe C:\Windows\Explorer.EXE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Factura_855.pdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\qfmjhb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\chkdsk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\SysWOW64\chkdsk.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\qfmjhb.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\chkdsk.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3044 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\Factura_855.pdf.exe C:\Users\Admin\AppData\Local\Temp\qfmjhb.exe
PID 3044 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\Factura_855.pdf.exe C:\Users\Admin\AppData\Local\Temp\qfmjhb.exe
PID 3044 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\Factura_855.pdf.exe C:\Users\Admin\AppData\Local\Temp\qfmjhb.exe
PID 3044 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\Factura_855.pdf.exe C:\Users\Admin\AppData\Local\Temp\qfmjhb.exe
PID 772 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\qfmjhb.exe C:\Users\Admin\AppData\Local\Temp\qfmjhb.exe
PID 772 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\qfmjhb.exe C:\Users\Admin\AppData\Local\Temp\qfmjhb.exe
PID 772 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\qfmjhb.exe C:\Users\Admin\AppData\Local\Temp\qfmjhb.exe
PID 772 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\qfmjhb.exe C:\Users\Admin\AppData\Local\Temp\qfmjhb.exe
PID 772 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\qfmjhb.exe C:\Users\Admin\AppData\Local\Temp\qfmjhb.exe
PID 772 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\qfmjhb.exe C:\Users\Admin\AppData\Local\Temp\qfmjhb.exe
PID 772 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\qfmjhb.exe C:\Users\Admin\AppData\Local\Temp\qfmjhb.exe
PID 1200 wrote to memory of 2264 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\chkdsk.exe
PID 1200 wrote to memory of 2264 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\chkdsk.exe
PID 1200 wrote to memory of 2264 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\chkdsk.exe
PID 1200 wrote to memory of 2264 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\chkdsk.exe
PID 2264 wrote to memory of 2860 N/A C:\Windows\SysWOW64\chkdsk.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2860 N/A C:\Windows\SysWOW64\chkdsk.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2860 N/A C:\Windows\SysWOW64\chkdsk.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2860 N/A C:\Windows\SysWOW64\chkdsk.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\Factura_855.pdf.exe

"C:\Users\Admin\AppData\Local\Temp\Factura_855.pdf.exe"

C:\Users\Admin\AppData\Local\Temp\qfmjhb.exe

C:\Users\Admin\AppData\Local\Temp\qfmjhb.exe C:\Users\Admin\AppData\Local\Temp\yqmxitinks

C:\Users\Admin\AppData\Local\Temp\qfmjhb.exe

C:\Users\Admin\AppData\Local\Temp\qfmjhb.exe C:\Users\Admin\AppData\Local\Temp\yqmxitinks

C:\Windows\SysWOW64\chkdsk.exe

"C:\Windows\SysWOW64\chkdsk.exe"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Users\Admin\AppData\Local\Temp\qfmjhb.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.voyagewithscottmonty.com udp
US 8.8.8.8:53 www.drillernewsupdate.com udp
US 3.33.130.190:80 www.drillernewsupdate.com tcp
US 8.8.8.8:53 www.marysaysmeh.com udp
US 192.0.78.25:80 www.marysaysmeh.com tcp
US 8.8.8.8:53 www.suculentaycactaceo3d.com udp
US 8.8.8.8:53 www.digitalprojects.site udp
US 8.8.8.8:53 www.croninstarlight.com udp

Files

\Users\Admin\AppData\Local\Temp\qfmjhb.exe

MD5 d93c0902c13f3f17012c2778fd24b009
SHA1 7ad3d53210ce587d2195545115c9086457a14623
SHA256 0487ed5d2a046ee552e410b5c9b3cf27eb0c3b369fecff3132c58e57eb1c0ad8
SHA512 4cb2d5beb7ed5532819bd96c92000c9e12f145d37cdd2ad4dec3f67ce74107c4a00fb850700015168ef6c2620277c237de3a2c279a99150ed46a3d0b5905fc3a

C:\Users\Admin\AppData\Local\Temp\yqmxitinks

MD5 7c7487f9e5f0a2b42c974896825d06e5
SHA1 d29382ebaae67bf9de891ad00adb795963ef8967
SHA256 dd31e7b319d3acfe238866035e0dfe514fc55efe7343e1e13421dd32d20b8f80
SHA512 913039ce08f36b0664657bcf70b77238656810e96154f890f42daeff7b60cc304751a457b98cf2adacbe701eee27e358487a7be6c4d723c7e39d51bc43fdae9f

memory/772-12-0x00000000002E0000-0x00000000002E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ncbe92xxyz7k26e4s88j

MD5 d55278f3c9ddd6df247d043d0f4d334e
SHA1 2aa2b417aa8897935f5cc77ab8a7617ef8d75861
SHA256 d9f4d5de73452115d9acdccda02398bc5c5a2b4b99d6dc5d8feea4584856cf53
SHA512 1bf4175795d93a4d0c6dc7a7acefb15204558087d9f918ddb3de2caaf2d67fd63785bee2f7a6f3aafa025f7ccafeb4043403dc18728633fd1abab27b6820e732

memory/2544-15-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2544-18-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1200-19-0x0000000005050000-0x0000000005114000-memory.dmp

memory/2264-22-0x0000000000280000-0x0000000000287000-memory.dmp

memory/2264-23-0x0000000000280000-0x0000000000287000-memory.dmp

memory/2264-24-0x0000000000110000-0x000000000013F000-memory.dmp

memory/1200-25-0x0000000005050000-0x0000000005114000-memory.dmp

memory/1200-30-0x0000000006890000-0x00000000069FF000-memory.dmp

memory/1200-31-0x0000000006890000-0x00000000069FF000-memory.dmp

memory/1200-33-0x0000000006890000-0x00000000069FF000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-11-21 20:05

Reported

2024-11-21 20:08

Platform

win7-20240903-en

Max time kernel

147s

Max time network

125s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Formbook family

formbook

Formbook payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\gocbcx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gocbcx.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2084 set thread context of 2536 N/A C:\Users\Admin\AppData\Local\Temp\gocbcx.exe C:\Users\Admin\AppData\Local\Temp\gocbcx.exe
PID 2536 set thread context of 1148 N/A C:\Users\Admin\AppData\Local\Temp\gocbcx.exe C:\Windows\Explorer.EXE
PID 2536 set thread context of 1148 N/A C:\Users\Admin\AppData\Local\Temp\gocbcx.exe C:\Windows\Explorer.EXE
PID 2296 set thread context of 1148 N/A C:\Windows\SysWOW64\help.exe C:\Windows\Explorer.EXE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Fattura_855.pdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\gocbcx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\help.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\gocbcx.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\help.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2348 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\Fattura_855.pdf.exe C:\Users\Admin\AppData\Local\Temp\gocbcx.exe
PID 2348 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\Fattura_855.pdf.exe C:\Users\Admin\AppData\Local\Temp\gocbcx.exe
PID 2348 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\Fattura_855.pdf.exe C:\Users\Admin\AppData\Local\Temp\gocbcx.exe
PID 2348 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\Fattura_855.pdf.exe C:\Users\Admin\AppData\Local\Temp\gocbcx.exe
PID 2084 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\gocbcx.exe C:\Users\Admin\AppData\Local\Temp\gocbcx.exe
PID 2084 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\gocbcx.exe C:\Users\Admin\AppData\Local\Temp\gocbcx.exe
PID 2084 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\gocbcx.exe C:\Users\Admin\AppData\Local\Temp\gocbcx.exe
PID 2084 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\gocbcx.exe C:\Users\Admin\AppData\Local\Temp\gocbcx.exe
PID 2084 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\gocbcx.exe C:\Users\Admin\AppData\Local\Temp\gocbcx.exe
PID 2084 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\gocbcx.exe C:\Users\Admin\AppData\Local\Temp\gocbcx.exe
PID 2084 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\gocbcx.exe C:\Users\Admin\AppData\Local\Temp\gocbcx.exe
PID 1148 wrote to memory of 2296 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\help.exe
PID 1148 wrote to memory of 2296 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\help.exe
PID 1148 wrote to memory of 2296 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\help.exe
PID 1148 wrote to memory of 2296 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\help.exe
PID 2296 wrote to memory of 2980 N/A C:\Windows\SysWOW64\help.exe C:\Windows\SysWOW64\cmd.exe
PID 2296 wrote to memory of 2980 N/A C:\Windows\SysWOW64\help.exe C:\Windows\SysWOW64\cmd.exe
PID 2296 wrote to memory of 2980 N/A C:\Windows\SysWOW64\help.exe C:\Windows\SysWOW64\cmd.exe
PID 2296 wrote to memory of 2980 N/A C:\Windows\SysWOW64\help.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\Fattura_855.pdf.exe

"C:\Users\Admin\AppData\Local\Temp\Fattura_855.pdf.exe"

C:\Users\Admin\AppData\Local\Temp\gocbcx.exe

C:\Users\Admin\AppData\Local\Temp\gocbcx.exe C:\Users\Admin\AppData\Local\Temp\rnukeqm

C:\Users\Admin\AppData\Local\Temp\gocbcx.exe

C:\Users\Admin\AppData\Local\Temp\gocbcx.exe C:\Users\Admin\AppData\Local\Temp\rnukeqm

C:\Windows\SysWOW64\autochk.exe

"C:\Windows\SysWOW64\autochk.exe"

C:\Windows\SysWOW64\help.exe

"C:\Windows\SysWOW64\help.exe"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Users\Admin\AppData\Local\Temp\gocbcx.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\gocbcx.exe

MD5 6c310e309e2ddfe8ae53e95c525c9e52
SHA1 694861bf8fbddafc5673853c8f7c910a2b60a1b7
SHA256 ffef20b2c9b8d9cdd4f471718ef688a8bd4834b6481978574b877ab14a91228d
SHA512 8030a4b7d8d225699d4c9d71cf015dbb90895266e9006c5fee1ba9ce56ac871f1f9477ee4ccf6c62109ef23f0321d9590a3b286156d5b57e30bbe2f9d302a931

C:\Users\Admin\AppData\Local\Temp\ncssrlmzyd

MD5 02475297a79138c050381b19f13cbb88
SHA1 efeb9032605484fdea6478b224afe59af46f29a3
SHA256 a3439fba9220dbfe1fb05f3dfa24aab3e7f72071ff1f16bae20fd58c227e4b7a
SHA512 35e9e844e33c1ac1ad3ce9e035ba2ff6302e84941bcd300011c758fa6eb917292a2db480a3d1592e6a275b84621708b08109579599781c2fd28fdba8f7e25d55

memory/2084-11-0x0000000000220000-0x0000000000222000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rnukeqm

MD5 8d73805cc88e7c5fb975ea51d44509c0
SHA1 7b3615aeb8d8a6a049dd59d2c6883c2d60c689b8
SHA256 83bd692b6115ceeb84745dac471dc333377ce29178894d0493e0d2a6acd975b4
SHA512 e50598247e565bb3d509189c107f288ee07d163913d38a2e9ebf2f5bdaed969c49c027c96e0afab8a00cefc2c4cf4e712d99b853a2b3af36694ff1784b75dff3

memory/2536-15-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2536-18-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1148-19-0x0000000004470000-0x0000000004571000-memory.dmp

memory/2536-21-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1148-22-0x0000000004470000-0x0000000004571000-memory.dmp

memory/1148-23-0x00000000051A0000-0x000000000527E000-memory.dmp

memory/2296-27-0x0000000000BA0000-0x0000000000BA6000-memory.dmp

memory/2296-26-0x0000000000BA0000-0x0000000000BA6000-memory.dmp

memory/2296-28-0x0000000000080000-0x00000000000AF000-memory.dmp

memory/1148-29-0x00000000051A0000-0x000000000527E000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-11-21 20:05

Reported

2024-11-21 20:08

Platform

win7-20240903-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\IoC\MIL0000640730.xlsm

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\IoC\MIL0000640730.xlsm

Network

N/A

Files

memory/2812-6-0x00000000005D0000-0x00000000006D0000-memory.dmp

memory/2812-5-0x00000000005D0000-0x00000000006D0000-memory.dmp

memory/2812-3-0x00000000005D0000-0x00000000006D0000-memory.dmp

memory/2812-4-0x00000000005D0000-0x00000000006D0000-memory.dmp

memory/2812-2-0x00000000005D0000-0x00000000006D0000-memory.dmp

memory/2812-1-0x0000000072B1D000-0x0000000072B28000-memory.dmp

memory/2812-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2812-7-0x0000000072B1D000-0x0000000072B28000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-11-21 20:05

Reported

2024-11-21 20:08

Platform

win10v2004-20241007-en

Max time kernel

133s

Max time network

149s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\IoC\MIL0000640730.xlsm"

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\IoC\MIL0000640730.xlsm"

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
FR 52.109.68.129:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 129.68.109.52.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 68.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 11.73.50.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 106.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 198.181.100.95.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

memory/3756-0-0x00007FF8B9F10000-0x00007FF8B9F20000-memory.dmp

memory/3756-4-0x00007FF8B9F10000-0x00007FF8B9F20000-memory.dmp

memory/3756-3-0x00007FF8B9F10000-0x00007FF8B9F20000-memory.dmp

memory/3756-2-0x00007FF8B9F10000-0x00007FF8B9F20000-memory.dmp

memory/3756-1-0x00007FF8F9F2D000-0x00007FF8F9F2E000-memory.dmp

memory/3756-9-0x00007FF8F9E90000-0x00007FF8FA085000-memory.dmp

memory/3756-10-0x00007FF8F9E90000-0x00007FF8FA085000-memory.dmp

memory/3756-13-0x00007FF8F9E90000-0x00007FF8FA085000-memory.dmp

memory/3756-12-0x00007FF8F9E90000-0x00007FF8FA085000-memory.dmp

memory/3756-14-0x00007FF8B7790000-0x00007FF8B77A0000-memory.dmp

memory/3756-11-0x00007FF8F9E90000-0x00007FF8FA085000-memory.dmp

memory/3756-8-0x00007FF8F9E90000-0x00007FF8FA085000-memory.dmp

memory/3756-17-0x00007FF8F9E90000-0x00007FF8FA085000-memory.dmp

memory/3756-16-0x00007FF8F9E90000-0x00007FF8FA085000-memory.dmp

memory/3756-15-0x00007FF8F9E90000-0x00007FF8FA085000-memory.dmp

memory/3756-7-0x00007FF8F9E90000-0x00007FF8FA085000-memory.dmp

memory/3756-6-0x00007FF8F9E90000-0x00007FF8FA085000-memory.dmp

memory/3756-5-0x00007FF8B9F10000-0x00007FF8B9F20000-memory.dmp

memory/3756-18-0x00007FF8B7790000-0x00007FF8B77A0000-memory.dmp

memory/3756-35-0x00007FF8F9F2D000-0x00007FF8F9F2E000-memory.dmp

memory/3756-36-0x00007FF8F9E90000-0x00007FF8FA085000-memory.dmp

memory/3756-37-0x00007FF8F9E90000-0x00007FF8FA085000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

MD5 41d1444465fe561dc24ac016a3b47dd6
SHA1 5402ca2e645d8f4fe3da306e691bf66bd73184b3
SHA256 d64df0c418e394e4f9ff1dd9fa3ed3408151f0ab40fb397c09193926062f7e53
SHA512 bd7f7143638227998c91b3120ab73a2e3d31c27d95392f5e5fa3519f6595915b8844619d19f7f441e9152a409e55921d828a88c4c9514c6c568142050725403a

Analysis: behavioral20

Detonation Overview

Submitted

2024-11-21 20:05

Reported

2024-11-21 20:08

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

154s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\IoC\SHIPPING DOCUMENTS.rtf" /o ""

Signatures

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\IoC\SHIPPING DOCUMENTS.rtf" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 roaming.officeapps.live.com udp
GB 52.109.28.47:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 47.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 71.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 200.201.50.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
IT 173.222.105.64:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
US 8.8.8.8:53 64.105.222.173.in-addr.arpa udp
IT 23.41.187.26:443 binaries.templates.cdn.office.net tcp
IT 23.41.187.26:443 binaries.templates.cdn.office.net tcp
IT 23.41.187.26:443 binaries.templates.cdn.office.net tcp
IT 23.41.187.26:443 binaries.templates.cdn.office.net tcp
IT 23.41.187.26:443 binaries.templates.cdn.office.net tcp
IT 23.41.187.26:443 binaries.templates.cdn.office.net tcp
IT 23.41.187.26:443 binaries.templates.cdn.office.net tcp
IT 23.41.187.26:443 binaries.templates.cdn.office.net tcp
IT 23.41.187.26:443 binaries.templates.cdn.office.net tcp
IT 23.41.187.26:443 binaries.templates.cdn.office.net tcp
IT 23.41.187.26:443 binaries.templates.cdn.office.net tcp
IT 23.41.187.26:443 binaries.templates.cdn.office.net tcp
IT 23.41.187.26:443 binaries.templates.cdn.office.net tcp
IT 23.41.187.26:443 binaries.templates.cdn.office.net tcp
IT 23.41.187.26:443 binaries.templates.cdn.office.net tcp
IT 23.41.187.26:443 binaries.templates.cdn.office.net tcp
IT 23.41.187.26:443 binaries.templates.cdn.office.net tcp
IT 23.41.187.26:443 binaries.templates.cdn.office.net tcp
IT 23.41.187.26:443 binaries.templates.cdn.office.net tcp
IT 23.41.187.26:443 binaries.templates.cdn.office.net tcp
IT 23.41.187.26:443 binaries.templates.cdn.office.net tcp
IT 23.41.187.26:443 binaries.templates.cdn.office.net tcp
IT 23.41.187.26:443 binaries.templates.cdn.office.net tcp
IT 23.41.187.26:443 binaries.templates.cdn.office.net tcp
IT 23.41.187.26:443 binaries.templates.cdn.office.net tcp
IT 23.41.187.26:443 binaries.templates.cdn.office.net tcp
IT 23.41.187.26:443 binaries.templates.cdn.office.net tcp
IT 23.41.187.26:443 binaries.templates.cdn.office.net tcp
IT 23.41.187.26:443 binaries.templates.cdn.office.net tcp
IT 23.41.187.26:443 binaries.templates.cdn.office.net tcp
IT 23.41.187.26:443 binaries.templates.cdn.office.net tcp
IT 23.41.187.26:443 binaries.templates.cdn.office.net tcp
IT 23.41.187.26:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 26.187.41.23.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

memory/3040-0-0x00007FFBF6A10000-0x00007FFBF6A20000-memory.dmp

memory/3040-4-0x00007FFBF6A10000-0x00007FFBF6A20000-memory.dmp

memory/3040-3-0x00007FFC36A2D000-0x00007FFC36A2E000-memory.dmp

memory/3040-2-0x00007FFBF6A10000-0x00007FFBF6A20000-memory.dmp

memory/3040-8-0x00007FFC36990000-0x00007FFC36B85000-memory.dmp

memory/3040-9-0x00007FFC36990000-0x00007FFC36B85000-memory.dmp

memory/3040-7-0x00007FFC36990000-0x00007FFC36B85000-memory.dmp

memory/3040-6-0x00007FFC36990000-0x00007FFC36B85000-memory.dmp

memory/3040-5-0x00007FFBF6A10000-0x00007FFBF6A20000-memory.dmp

memory/3040-11-0x00007FFC36990000-0x00007FFC36B85000-memory.dmp

memory/3040-13-0x00007FFC36990000-0x00007FFC36B85000-memory.dmp

memory/3040-16-0x00007FFC36990000-0x00007FFC36B85000-memory.dmp

memory/3040-20-0x00007FFC36990000-0x00007FFC36B85000-memory.dmp

memory/3040-19-0x00007FFC36990000-0x00007FFC36B85000-memory.dmp

memory/3040-18-0x00007FFBF40B0000-0x00007FFBF40C0000-memory.dmp

memory/3040-17-0x00007FFC36990000-0x00007FFC36B85000-memory.dmp

memory/3040-15-0x00007FFC36990000-0x00007FFC36B85000-memory.dmp

memory/3040-14-0x00007FFC36990000-0x00007FFC36B85000-memory.dmp

memory/3040-12-0x00007FFC36990000-0x00007FFC36B85000-memory.dmp

memory/3040-10-0x00007FFBF40B0000-0x00007FFBF40C0000-memory.dmp

memory/3040-1-0x00007FFBF6A10000-0x00007FFBF6A20000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/3040-40-0x00007FFC36990000-0x00007FFC36B85000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 42b3c41d8eaa4d2c40c089d84f49e6b3
SHA1 18e6d2fdc213f0227c56824d6877abc3554baedb
SHA256 7eaeacb88d510fdfb526367d458ed2c85e2b3f389320febcf8844a72dc15e584
SHA512 7aef237ffb089d1594c1f08a575d50fb30dd5858883c99e88744ddbd3b975fab053b97783866e217f4a6f828d531de3aa2b2a97199e63d21015c92f26cf6f530

C:\Users\Admin\AppData\Local\Temp\TCDCC48.tmp\sist02.xsl

MD5 f883b260a8d67082ea895c14bf56dd56
SHA1 7954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256 ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512 d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Analysis: behavioral21

Detonation Overview

Submitted

2024-11-21 20:05

Reported

2024-11-21 20:08

Platform

win7-20240903-en

Max time kernel

121s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SMK_29082022.exe"

Signatures

Guloader family

guloader

Guloader,Cloudeye

downloader guloader

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SMK_29082022.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\SMK_29082022.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SMK_29082022.exe

"C:\Users\Admin\AppData\Local\Temp\SMK_29082022.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nsoE246.tmp\System.dll

MD5 cff85c549d536f651d4fb8387f1976f2
SHA1 d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
SHA256 8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
SHA512 531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Analysis: behavioral24

Detonation Overview

Submitted

2024-11-21 20:05

Reported

2024-11-21 20:08

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2604 wrote to memory of 4272 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4272 -ip 4272

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4272 -s 612

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-21 20:05

Reported

2024-11-21 20:08

Platform

win7-20240903-en

Max time kernel

149s

Max time network

127s

Command Line

C:\Windows\Explorer.EXE

Signatures

Xloader

loader xloader

Xloader family

xloader

Xloader payload

rat

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2060 set thread context of 2524 N/A C:\Users\Admin\AppData\Local\Temp\19979.exe C:\Users\Admin\AppData\Local\Temp\19979.exe
PID 2524 set thread context of 1208 N/A C:\Users\Admin\AppData\Local\Temp\19979.exe C:\Windows\Explorer.EXE
PID 2900 set thread context of 1208 N/A C:\Windows\SysWOW64\colorcpl.exe C:\Windows\Explorer.EXE

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\19979.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\colorcpl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\19979.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\colorcpl.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2060 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\19979.exe C:\Users\Admin\AppData\Local\Temp\19979.exe
PID 1208 wrote to memory of 2900 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\colorcpl.exe
PID 2900 wrote to memory of 2572 N/A C:\Windows\SysWOW64\colorcpl.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\19979.exe

"C:\Users\Admin\AppData\Local\Temp\19979.exe"

C:\Users\Admin\AppData\Local\Temp\19979.exe

"C:\Users\Admin\AppData\Local\Temp\19979.exe"

C:\Windows\SysWOW64\colorcpl.exe

"C:\Windows\SysWOW64\colorcpl.exe"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Users\Admin\AppData\Local\Temp\19979.exe"

Network

N/A

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-21 20:05

Reported

2024-11-21 20:08

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

C:\Windows\Explorer.EXE

Signatures

Xloader

loader xloader

Xloader family

xloader

Xloader payload

rat

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4204 set thread context of 2360 N/A C:\Users\Admin\AppData\Local\Temp\19979.exe C:\Users\Admin\AppData\Local\Temp\19979.exe
PID 2360 set thread context of 3444 N/A C:\Users\Admin\AppData\Local\Temp\19979.exe C:\Windows\Explorer.EXE
PID 5080 set thread context of 3444 N/A C:\Windows\SysWOW64\ipconfig.exe C:\Windows\Explorer.EXE

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\19979.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ipconfig.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\19979.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\19979.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\ipconfig.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\19979.exe

"C:\Users\Admin\AppData\Local\Temp\19979.exe"

C:\Users\Admin\AppData\Local\Temp\19979.exe

"C:\Users\Admin\AppData\Local\Temp\19979.exe"

C:\Windows\SysWOW64\ipconfig.exe

"C:\Windows\SysWOW64\ipconfig.exe"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Users\Admin\AppData\Local\Temp\19979.exe"

Network

Country Destination Domain Proto

Files

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-21 20:05

Reported

2024-11-21 20:08

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Factura_855.pdf.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\qfmjhb.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\qfmjhb.exe

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Factura_855.pdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\qfmjhb.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Factura_855.pdf.exe

"C:\Users\Admin\AppData\Local\Temp\Factura_855.pdf.exe"

C:\Users\Admin\AppData\Local\Temp\qfmjhb.exe

C:\Users\Admin\AppData\Local\Temp\qfmjhb.exe C:\Users\Admin\AppData\Local\Temp\yqmxitinks

C:\Users\Admin\AppData\Local\Temp\qfmjhb.exe

C:\Users\Admin\AppData\Local\Temp\qfmjhb.exe C:\Users\Admin\AppData\Local\Temp\yqmxitinks

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 808 -ip 808

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 808 -s 584

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\qfmjhb.exe

MD5 d93c0902c13f3f17012c2778fd24b009
SHA1 7ad3d53210ce587d2195545115c9086457a14623
SHA256 0487ed5d2a046ee552e410b5c9b3cf27eb0c3b369fecff3132c58e57eb1c0ad8
SHA512 4cb2d5beb7ed5532819bd96c92000c9e12f145d37cdd2ad4dec3f67ce74107c4a00fb850700015168ef6c2620277c237de3a2c279a99150ed46a3d0b5905fc3a

C:\Users\Admin\AppData\Local\Temp\yqmxitinks

MD5 7c7487f9e5f0a2b42c974896825d06e5
SHA1 d29382ebaae67bf9de891ad00adb795963ef8967
SHA256 dd31e7b319d3acfe238866035e0dfe514fc55efe7343e1e13421dd32d20b8f80
SHA512 913039ce08f36b0664657bcf70b77238656810e96154f890f42daeff7b60cc304751a457b98cf2adacbe701eee27e358487a7be6c4d723c7e39d51bc43fdae9f

C:\Users\Admin\AppData\Local\Temp\ncbe92xxyz7k26e4s88j

MD5 d55278f3c9ddd6df247d043d0f4d334e
SHA1 2aa2b417aa8897935f5cc77ab8a7617ef8d75861
SHA256 d9f4d5de73452115d9acdccda02398bc5c5a2b4b99d6dc5d8feea4584856cf53
SHA512 1bf4175795d93a4d0c6dc7a7acefb15204558087d9f918ddb3de2caaf2d67fd63785bee2f7a6f3aafa025f7ccafeb4043403dc18728633fd1abab27b6820e732

memory/808-8-0x0000000002020000-0x0000000002022000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-11-21 20:05

Reported

2024-11-21 20:08

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\qfmjhb.exe"

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\qfmjhb.exe

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\qfmjhb.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\qfmjhb.exe

"C:\Users\Admin\AppData\Local\Temp\qfmjhb.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4412 -ip 4412

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 540

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-11-21 20:05

Reported

2024-11-21 20:08

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Fattura_855.pdf.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\gocbcx.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\gocbcx.exe

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\gocbcx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Fattura_855.pdf.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Fattura_855.pdf.exe

"C:\Users\Admin\AppData\Local\Temp\Fattura_855.pdf.exe"

C:\Users\Admin\AppData\Local\Temp\gocbcx.exe

C:\Users\Admin\AppData\Local\Temp\gocbcx.exe C:\Users\Admin\AppData\Local\Temp\rnukeqm

C:\Users\Admin\AppData\Local\Temp\gocbcx.exe

C:\Users\Admin\AppData\Local\Temp\gocbcx.exe C:\Users\Admin\AppData\Local\Temp\rnukeqm

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1352 -ip 1352

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 492

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\gocbcx.exe

MD5 6c310e309e2ddfe8ae53e95c525c9e52
SHA1 694861bf8fbddafc5673853c8f7c910a2b60a1b7
SHA256 ffef20b2c9b8d9cdd4f471718ef688a8bd4834b6481978574b877ab14a91228d
SHA512 8030a4b7d8d225699d4c9d71cf015dbb90895266e9006c5fee1ba9ce56ac871f1f9477ee4ccf6c62109ef23f0321d9590a3b286156d5b57e30bbe2f9d302a931

C:\Users\Admin\AppData\Local\Temp\ncssrlmzyd

MD5 02475297a79138c050381b19f13cbb88
SHA1 efeb9032605484fdea6478b224afe59af46f29a3
SHA256 a3439fba9220dbfe1fb05f3dfa24aab3e7f72071ff1f16bae20fd58c227e4b7a
SHA512 35e9e844e33c1ac1ad3ce9e035ba2ff6302e84941bcd300011c758fa6eb917292a2db480a3d1592e6a275b84621708b08109579599781c2fd28fdba8f7e25d55

C:\Users\Admin\AppData\Local\Temp\rnukeqm

MD5 8d73805cc88e7c5fb975ea51d44509c0
SHA1 7b3615aeb8d8a6a049dd59d2c6883c2d60c689b8
SHA256 83bd692b6115ceeb84745dac471dc333377ce29178894d0493e0d2a6acd975b4
SHA512 e50598247e565bb3d509189c107f288ee07d163913d38a2e9ebf2f5bdaed969c49c027c96e0afab8a00cefc2c4cf4e712d99b853a2b3af36694ff1784b75dff3

memory/1352-8-0x00000000005C0000-0x00000000005C2000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-11-21 20:05

Reported

2024-11-21 20:08

Platform

win7-20240903-en

Max time kernel

121s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\gocbcx.exe"

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\gocbcx.exe

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\gocbcx.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1928 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\gocbcx.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\gocbcx.exe

"C:\Users\Admin\AppData\Local\Temp\gocbcx.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 136

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-11-21 20:05

Reported

2024-11-21 20:08

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\IoC\PO.xlsx"

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\IoC\PO.xlsx"

Network

Country Destination Domain Proto

Files

Analysis: behavioral23

Detonation Overview

Submitted

2024-11-21 20:05

Reported

2024-11-21 20:08

Platform

win7-20240903-en

Max time kernel

119s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2172 -s 220

Network

N/A

Files

N/A