Malware Analysis Report

2025-08-05 09:05

Sample ID: 241230-v6yb7s1ndm
Target: JaffaCakes118_1ebcadef0f2790a5c28cc8d6100007eb6a82a0cf7fc582e7595fa9a3407d3049
SHA256: 1ebcadef0f2790a5c28cc8d6100007eb6a82a0cf7fc582e7595fa9a3407d3049
Tags: discovery formbook dxe rat spyware stealer trojan agenttesla keylogger persistence collection credential_access
Score: 10/10


Analysis Overview

Score: 10/10
SHA256: 1ebcadef0f2790a5c28cc8d6100007eb6a82a0cf7fc582e7595fa9a3407d3049

Threat Level: Known bad

The file JaffaCakes118_1ebcadef0f2790a5c28cc8d6100007eb6a82a0cf7fc582e7595fa9a3407d3049 was found to be: Known bad.

Malicious Activity Summary

discovery formbook dxe rat spyware stealer trojan agenttesla keylogger persistence collection credential_access

Agenttesla family

AgentTesla

Formbook

Formbook family

AgentTesla payload

Formbook payload

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Loads dropped DLL

Deletes itself

Reads user/profile data of web browsers

Reads WinSCP keys stored on the system

Unsecured Credentials: Credentials In Files

Adds Run key to start application

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Unsigned PE

System Location Discovery: System Language Discovery

NSIS installer

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

outlook_office_path

Suspicious use of AdjustPrivilegeToken

outlook_win_path

Suspicious behavior: MapViewOfSection

Gathers network information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-12-30 17:36

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-12-30 17:36
Reported: 2024-12-30 17:39
Platform: win10v2004-20241007-en
Max time kernel: 148s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BANK RECEIPT.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BANK RECEIPT.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\BANK RECEIPT.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\BANK RECEIPT.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\BANK RECEIPT.exe

"C:\Users\Admin\AppData\Local\Temp\BANK RECEIPT.exe"

C:\Users\Admin\AppData\Local\Temp\BANK RECEIPT.exe

"C:\Users\Admin\AppData\Local\Temp\BANK RECEIPT.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3248 -ip 3248

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3248 -s 988

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 181.129.81.91.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 133.130.81.91.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsp6C39.tmp\2g6ght2plrugud.dll

MD5 64ade443342d3aa3790c2846abf93959
SHA1 d6668f6881d40dc3dc3d1f627f2721e1d333e698
SHA256 ea1deb95fa6614524006ee3260957aef27ebd563f609dde680cace5f2ea09e45
SHA512 2fdce6c768ded710d6d011be5317b184a09e10058145bdff545e83df63f5e0f46db4f679161174397b37d0fb2f43abe7275405845742e4a73bc6ef995edf4845

memory/3248-7-0x0000000002440000-0x0000000002442000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted: 2024-12-30 17:36
Reported: 2024-12-30 17:39
Platform: win10v2004-20241007-en
Max time kernel: 147s
Max time network: 142s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Formbook family

formbook

Formbook payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1712 set thread context of 4008 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4008 set thread context of 3452 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\Explorer.EXE
PID 1664 set thread context of 3452 N/A C:\Windows\SysWOW64\wscript.exe C:\Windows\Explorer.EXE

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wscript.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\2g6ght2plrugud.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\2g6ght2plrugud.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\2g6ght2plrugud.dll,#1

C:\Windows\SysWOW64\wscript.exe

"C:\Windows\SysWOW64\wscript.exe"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Windows\SysWOW64\rundll32.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 www.enpointe.online udp
US 8.8.8.8:53 www.artinmemory.com udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 www.desyrnan.com udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 www.privat-livecam.net udp
US 8.8.8.8:53 www.philreid4cc.com udp
US 8.8.8.8:53 www.lacompagniadelfardello.com udp
DE 64.226.125.59:80 www.lacompagniadelfardello.com tcp
US 8.8.8.8:53 59.125.226.64.in-addr.arpa udp

Files

memory/1712-0-0x0000000001410000-0x0000000001412000-memory.dmp

memory/4008-1-0x0000000000270000-0x000000000029E000-memory.dmp

memory/4008-4-0x00000000024D0000-0x000000000281A000-memory.dmp

memory/4008-5-0x0000000000270000-0x000000000029E000-memory.dmp

memory/4008-6-0x00000000003E0000-0x00000000003F4000-memory.dmp

memory/3452-7-0x0000000002B60000-0x0000000002C39000-memory.dmp

memory/1664-9-0x00000000005D0000-0x00000000005F7000-memory.dmp

memory/1664-8-0x00000000005D0000-0x00000000005F7000-memory.dmp

memory/3452-10-0x0000000002B60000-0x0000000002C39000-memory.dmp

memory/3452-14-0x0000000003050000-0x000000000316F000-memory.dmp

memory/3452-15-0x0000000003050000-0x000000000316F000-memory.dmp

memory/3452-17-0x0000000003050000-0x000000000316F000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted: 2024-12-30 17:36
Reported: 2024-12-30 17:39
Platform: win7-20241010-en
Max time kernel: 147s
Max time network: 125s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Formbook family

formbook

Formbook payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PO.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2128 set thread context of 2152 N/A C:\Users\Admin\AppData\Local\Temp\PO.exe C:\Users\Admin\AppData\Local\Temp\PO.exe
PID 2152 set thread context of 1240 N/A C:\Users\Admin\AppData\Local\Temp\PO.exe C:\Windows\Explorer.EXE
PID 2152 set thread context of 1240 N/A C:\Users\Admin\AppData\Local\Temp\PO.exe C:\Windows\Explorer.EXE
PID 3048 set thread context of 1240 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\Explorer.EXE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\PO.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\PO.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PO.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\PO.exe

"C:\Users\Admin\AppData\Local\Temp\PO.exe"

C:\Users\Admin\AppData\Local\Temp\PO.exe

"C:\Users\Admin\AppData\Local\Temp\PO.exe"

C:\Windows\SysWOW64\autoconv.exe

"C:\Windows\SysWOW64\autoconv.exe"

C:\Windows\SysWOW64\svchost.exe

"C:\Windows\SysWOW64\svchost.exe"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Users\Admin\AppData\Local\Temp\PO.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\nst79D3.tmp\k5ig8v1xqqd111h.dll

MD5 fe9e8afe6e228256eaf3065c403d87bb
SHA1 1d46976328242b9e4f37d994bc1f169ee1f4c112
SHA256 e2b161127954eb1373158a95ef083d1b00198fef933e9ad5a1496d82d9006b8b
SHA512 573399e2885f89f05e27de783ef286c79dab04ca4e942f62ccbbb40d61fc7ab80baa97b13948b719dcae785d5daa19e4aa23adb4922e9737e0ecbfc2a09ba4a5

memory/2128-8-0x0000000000300000-0x0000000000302000-memory.dmp

memory/2152-9-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2152-11-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1240-12-0x0000000000010000-0x0000000000020000-memory.dmp

memory/1240-13-0x0000000006AF0000-0x0000000006C57000-memory.dmp

memory/2152-15-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1240-16-0x0000000006980000-0x0000000006A5B000-memory.dmp

memory/1240-17-0x0000000006AF0000-0x0000000006C57000-memory.dmp

memory/3048-22-0x0000000000760000-0x0000000000768000-memory.dmp

memory/3048-21-0x0000000000760000-0x0000000000768000-memory.dmp

memory/1240-23-0x0000000006980000-0x0000000006A5B000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted: 2024-12-30 17:36
Reported: 2024-12-30 17:39
Platform: win10v2004-20241007-en
Max time kernel: 149s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PO.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PO.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\PO.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\PO.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4016 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\PO.exe C:\Users\Admin\AppData\Local\Temp\PO.exe
PID 4016 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\PO.exe C:\Users\Admin\AppData\Local\Temp\PO.exe
PID 4016 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\PO.exe C:\Users\Admin\AppData\Local\Temp\PO.exe

Processes

C:\Users\Admin\AppData\Local\Temp\PO.exe

"C:\Users\Admin\AppData\Local\Temp\PO.exe"

C:\Users\Admin\AppData\Local\Temp\PO.exe

"C:\Users\Admin\AppData\Local\Temp\PO.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4016 -ip 4016

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4016 -s 988

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 21.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 235.17.178.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsb8937.tmp\k5ig8v1xqqd111h.dll

MD5 fe9e8afe6e228256eaf3065c403d87bb
SHA1 1d46976328242b9e4f37d994bc1f169ee1f4c112
SHA256 e2b161127954eb1373158a95ef083d1b00198fef933e9ad5a1496d82d9006b8b
SHA512 573399e2885f89f05e27de783ef286c79dab04ca4e942f62ccbbb40d61fc7ab80baa97b13948b719dcae785d5daa19e4aa23adb4922e9737e0ecbfc2a09ba4a5

memory/4016-7-0x0000000002330000-0x0000000002332000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted: 2024-12-30 17:36
Reported: 2024-12-30 17:39
Platform: win10v2004-20241007-en
Max time kernel: 147s
Max time network: 150s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Formbook family

formbook

Formbook payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3708 set thread context of 4356 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4356 set thread context of 3416 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\Explorer.EXE
PID 2892 set thread context of 3416 N/A C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\Explorer.EXE

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\NETSTAT.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\k5ig8v1xqqd111h.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\k5ig8v1xqqd111h.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\k5ig8v1xqqd111h.dll,#1

C:\Windows\SysWOW64\NETSTAT.EXE

"C:\Windows\SysWOW64\NETSTAT.EXE"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Windows\SysWOW64\rundll32.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 85.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 www.union-green.com udp
US 8.8.8.8:53 86.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 www.cosmicmtn.com udp
US 15.197.172.60:80 www.cosmicmtn.com tcp
US 8.8.8.8:53 60.172.197.15.in-addr.arpa udp
US 8.8.8.8:53 www.relocatingrealtor.com udp
US 34.149.87.45:80 www.relocatingrealtor.com tcp
US 8.8.8.8:53 45.87.149.34.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 www.spiritsoundart.net udp
CA 23.227.38.74:80 www.spiritsoundart.net tcp
US 8.8.8.8:53 74.38.227.23.in-addr.arpa udp
US 8.8.8.8:53 www.rokitreach.com udp
US 15.197.148.33:80 www.rokitreach.com tcp
US 8.8.8.8:53 33.148.197.15.in-addr.arpa udp

Files

memory/3708-0-0x0000000002CF0000-0x0000000002CF2000-memory.dmp

memory/4356-1-0x0000000000400000-0x000000000042E000-memory.dmp

memory/4356-2-0x0000000002CF0000-0x000000000303A000-memory.dmp

memory/4356-5-0x0000000002BB0000-0x0000000002BC4000-memory.dmp

memory/4356-4-0x0000000000400000-0x000000000042E000-memory.dmp

memory/3416-6-0x0000000008E70000-0x0000000008FFD000-memory.dmp

memory/2892-7-0x0000000000560000-0x000000000056B000-memory.dmp

memory/2892-8-0x0000000000560000-0x000000000056B000-memory.dmp

memory/3416-9-0x0000000008E70000-0x0000000008FFD000-memory.dmp

memory/3416-13-0x00000000091E0000-0x000000000936F000-memory.dmp

memory/3416-14-0x00000000091E0000-0x000000000936F000-memory.dmp

memory/3416-16-0x00000000091E0000-0x000000000936F000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted: 2024-12-30 17:36
Reported: 2024-12-30 17:39
Platform: win7-20240903-en
Max time kernel: 119s
Max time network: 127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\wfonpw4.dll,#1

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Agenttesla family

agenttesla

AgentTesla payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\riaagitukgs = "C:\\Users\\Admin\\AppData\\Roaming\\ptdrpxuyhk\\siusbbxdxbkm.exe" C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1276 set thread context of 1272 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2408 wrote to memory of 1276 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2408 wrote to memory of 1276 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2408 wrote to memory of 1276 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2408 wrote to memory of 1276 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2408 wrote to memory of 1276 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2408 wrote to memory of 1276 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2408 wrote to memory of 1276 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1276 wrote to memory of 1272 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1276 wrote to memory of 1272 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1276 wrote to memory of 1272 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1276 wrote to memory of 1272 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1276 wrote to memory of 1272 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1276 wrote to memory of 1272 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1276 wrote to memory of 1272 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1276 wrote to memory of 1272 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1272 wrote to memory of 1912 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
PID 1272 wrote to memory of 1912 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
PID 1272 wrote to memory of 1912 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
PID 1272 wrote to memory of 1912 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\wfonpw4.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\wfonpw4.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\wfonpw4.dll,#1

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

dw20.exe -x -s 552

Network

N/A

Files

memory/1276-0-0x00000000001A0000-0x00000000001A3000-memory.dmp

memory/1272-2-0x0000000000400000-0x000000000044B000-memory.dmp

memory/1272-6-0x0000000000400000-0x000000000044B000-memory.dmp

memory/1272-4-0x0000000000400000-0x000000000044B000-memory.dmp

memory/1272-7-0x0000000074A51000-0x0000000074A52000-memory.dmp

memory/1272-8-0x0000000074A50000-0x0000000074FFB000-memory.dmp

memory/1272-9-0x0000000074A50000-0x0000000074FFB000-memory.dmp

memory/1272-10-0x0000000074A50000-0x0000000074FFB000-memory.dmp

memory/1272-11-0x0000000074A50000-0x0000000074FFB000-memory.dmp

memory/1272-12-0x0000000074A50000-0x0000000074FFB000-memory.dmp

memory/1912-13-0x0000000000580000-0x0000000000581000-memory.dmp

memory/1272-14-0x0000000074A50000-0x0000000074FFB000-memory.dmp

memory/1272-15-0x0000000074A50000-0x0000000074FFB000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted: 2024-12-30 17:36
Reported: 2024-12-30 17:39
Platform: win10v2004-20241007-en
Max time kernel: 98s
Max time network: 147s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\wfonpw4.dll,#1

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Agenttesla family

agenttesla

AgentTesla payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\rundll32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\riaagitukgs = "C:\\Users\\Admin\\AppData\\Roaming\\ptdrpxuyhk\\siusbbxdxbkm.exe" C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3412 set thread context of 4680 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3572 wrote to memory of 3412 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3572 wrote to memory of 3412 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3572 wrote to memory of 3412 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3412 wrote to memory of 4680 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3412 wrote to memory of 4680 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3412 wrote to memory of 4680 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3412 wrote to memory of 4680 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\rundll32.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\rundll32.exe | N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\wfonpw4.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\wfonpw4.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\wfonpw4.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3412 -ip 3412

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3412 -s 756

Network


Files


Analysis: behavioral1

Detonation Overview

Submitted

2024-12-30 17:36

Reported

2024-12-30 17:39

Platform

win7-20241023-en

Max time kernel

146s

Max time network

123s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Formbook family

formbook

Formbook payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BANK RECEIPT.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2952 set thread context of 2792 | N/A | C:\Users\Admin\AppData\Local\Temp\BANK RECEIPT.exe | C:\Users\Admin\AppData\Local\Temp\BANK RECEIPT.exe
PID 2792 set thread context of 1052 | N/A | C:\Users\Admin\AppData\Local\Temp\BANK RECEIPT.exe | C:\Windows\Explorer.EXE
PID 2820 set thread context of 1052 | N/A | C:\Windows\SysWOW64\control.exe | C:\Windows\Explorer.EXE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\BANK RECEIPT.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\control.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BANK RECEIPT.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\control.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2952 wrote to memory of 2792 | N/A | C:\Users\Admin\AppData\Local\Temp\BANK RECEIPT.exe | C:\Users\Admin\AppData\Local\Temp\BANK RECEIPT.exe
PID 2952 wrote to memory of 2792 | N/A | C:\Users\Admin\AppData\Local\Temp\BANK RECEIPT.exe | C:\Users\Admin\AppData\Local\Temp\BANK RECEIPT.exe
PID 2952 wrote to memory of 2792 | N/A | C:\Users\Admin\AppData\Local\Temp\BANK RECEIPT.exe | C:\Users\Admin\AppData\Local\Temp\BANK RECEIPT.exe
PID 2952 wrote to memory of 2792 | N/A | C:\Users\Admin\AppData\Local\Temp\BANK RECEIPT.exe | C:\Users\Admin\AppData\Local\Temp\BANK RECEIPT.exe
PID 2952 wrote to memory of 2792 | N/A | C:\Users\Admin\AppData\Local\Temp\BANK RECEIPT.exe | C:\Users\Admin\AppData\Local\Temp\BANK RECEIPT.exe
PID 1052 wrote to memory of 2820 | N/A | C:\Windows\Explorer.EXE | C:\Windows\SysWOW64\control.exe
PID 1052 wrote to memory of 2820 | N/A | C:\Windows\Explorer.EXE | C:\Windows\SysWOW64\control.exe
PID 1052 wrote to memory of 2820 | N/A | C:\Windows\Explorer.EXE | C:\Windows\SysWOW64\control.exe
PID 1052 wrote to memory of 2820 | N/A | C:\Windows\Explorer.EXE | C:\Windows\SysWOW64\control.exe
PID 2820 wrote to memory of 2824 | N/A | C:\Windows\SysWOW64\control.exe | C:\Windows\SysWOW64\cmd.exe
PID 2820 wrote to memory of 2824 | N/A | C:\Windows\SysWOW64\control.exe | C:\Windows\SysWOW64\cmd.exe
PID 2820 wrote to memory of 2824 | N/A | C:\Windows\SysWOW64\control.exe | C:\Windows\SysWOW64\cmd.exe
PID 2820 wrote to memory of 2824 | N/A | C:\Windows\SysWOW64\control.exe | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\BANK RECEIPT.exe

"C:\Users\Admin\AppData\Local\Temp\BANK RECEIPT.exe"

C:\Users\Admin\AppData\Local\Temp\BANK RECEIPT.exe

"C:\Users\Admin\AppData\Local\Temp\BANK RECEIPT.exe"

C:\Windows\SysWOW64\control.exe

"C:\Windows\SysWOW64\control.exe"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Users\Admin\AppData\Local\Temp\BANK RECEIPT.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nsd6DF1.tmp\2g6ght2plrugud.dll

MD5 64ade443342d3aa3790c2846abf93959
SHA1 d6668f6881d40dc3dc3d1f627f2721e1d333e698
SHA256 ea1deb95fa6614524006ee3260957aef27ebd563f609dde680cace5f2ea09e45
SHA512 2fdce6c768ded710d6d011be5317b184a09e10058145bdff545e83df63f5e0f46db4f679161174397b37d0fb2f43abe7275405845742e4a73bc6ef995edf4845


Analysis: behavioral3

Detonation Overview

Submitted

2024-12-30 17:36

Reported

2024-12-30 17:39

Platform

win7-20240903-en

Max time kernel

148s

Max time network

125s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Formbook family

formbook

Formbook payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2364 set thread context of 1748 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1748 set thread context of 1180 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\Explorer.EXE
PID 1748 set thread context of 1180 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\Explorer.EXE
PID 1872 set thread context of 1180 | N/A | C:\Windows\SysWOW64\netsh.exe | C:\Windows\Explorer.EXE

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\netsh.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2508 wrote to memory of 2364 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2508 wrote to memory of 2364 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2508 wrote to memory of 2364 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2508 wrote to memory of 2364 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2508 wrote to memory of 2364 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2508 wrote to memory of 2364 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2508 wrote to memory of 2364 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2364 wrote to memory of 1748 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2364 wrote to memory of 1748 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2364 wrote to memory of 1748 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2364 wrote to memory of 1748 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2364 wrote to memory of 1748 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2364 wrote to memory of 1748 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2364 wrote to memory of 1748 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2364 wrote to memory of 1748 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1180 wrote to memory of 1872 | N/A | C:\Windows\Explorer.EXE | C:\Windows\SysWOW64\netsh.exe
PID 1180 wrote to memory of 1872 | N/A | C:\Windows\Explorer.EXE | C:\Windows\SysWOW64\netsh.exe
PID 1180 wrote to memory of 1872 | N/A | C:\Windows\Explorer.EXE | C:\Windows\SysWOW64\netsh.exe
PID 1180 wrote to memory of 1872 | N/A | C:\Windows\Explorer.EXE | C:\Windows\SysWOW64\netsh.exe
PID 1872 wrote to memory of 2284 | N/A | C:\Windows\SysWOW64\netsh.exe | C:\Windows\SysWOW64\cmd.exe
PID 1872 wrote to memory of 2284 | N/A | C:\Windows\SysWOW64\netsh.exe | C:\Windows\SysWOW64\cmd.exe
PID 1872 wrote to memory of 2284 | N/A | C:\Windows\SysWOW64\netsh.exe | C:\Windows\SysWOW64\cmd.exe
PID 1872 wrote to memory of 2284 | N/A | C:\Windows\SysWOW64\netsh.exe | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\2g6ght2plrugud.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\2g6ght2plrugud.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\2g6ght2plrugud.dll,#1

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\SysWOW64\netsh.exe"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Windows\SysWOW64\rundll32.exe"

Network

N/A

Files


Analysis: behavioral7

Detonation Overview

Submitted

2024-12-30 17:36

Reported

2024-12-30 17:39

Platform

win7-20240903-en

Max time kernel

145s

Max time network

118s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Formbook family

formbook

Formbook payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3044 set thread context of 2640 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2640 set thread context of 1224 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\Explorer.EXE
PID 2056 set thread context of 1224 | N/A | C:\Windows\SysWOW64\colorcpl.exe | C:\Windows\Explorer.EXE

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\colorcpl.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\colorcpl.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\colorcpl.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\colorcpl.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2364 wrote to memory of 3044 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2364 wrote to memory of 3044 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2364 wrote to memory of 3044 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2364 wrote to memory of 3044 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2364 wrote to memory of 3044 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2364 wrote to memory of 3044 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2364 wrote to memory of 3044 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3044 wrote to memory of 2640 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3044 wrote to memory of 2640 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3044 wrote to memory of 2640 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3044 wrote to memory of 2640 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3044 wrote to memory of 2640 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3044 wrote to memory of 2640 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3044 wrote to memory of 2640 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3044 wrote to memory of 2640 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1224 wrote to memory of 2056 | N/A | C:\Windows\Explorer.EXE | C:\Windows\SysWOW64\colorcpl.exe
PID 1224 wrote to memory of 2056 | N/A | C:\Windows\Explorer.EXE | C:\Windows\SysWOW64\colorcpl.exe
PID 1224 wrote to memory of 2056 | N/A | C:\Windows\Explorer.EXE | C:\Windows\SysWOW64\colorcpl.exe
PID 1224 wrote to memory of 2056 | N/A | C:\Windows\Explorer.EXE | C:\Windows\SysWOW64\colorcpl.exe
PID 2056 wrote to memory of 2900 | N/A | C:\Windows\SysWOW64\colorcpl.exe | C:\Windows\SysWOW64\cmd.exe
PID 2056 wrote to memory of 2900 | N/A | C:\Windows\SysWOW64\colorcpl.exe | C:\Windows\SysWOW64\cmd.exe
PID 2056 wrote to memory of 2900 | N/A | C:\Windows\SysWOW64\colorcpl.exe | C:\Windows\SysWOW64\cmd.exe
PID 2056 wrote to memory of 2900 | N/A | C:\Windows\SysWOW64\colorcpl.exe | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\k5ig8v1xqqd111h.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\k5ig8v1xqqd111h.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\k5ig8v1xqqd111h.dll,#1

C:\Windows\SysWOW64\colorcpl.exe

"C:\Windows\SysWOW64\colorcpl.exe"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Windows\SysWOW64\rundll32.exe"

Network

N/A

Files


Analysis: behavioral9

Detonation Overview

Submitted

2024-12-30 17:36

Reported

2024-12-30 17:39

Platform

win7-20240729-en

Max time kernel

120s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Agenttesla family

agenttesla

AgentTesla payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\riaagitukgs = "C:\\Users\\Admin\\AppData\\Roaming\\ptdrpxuyhk\\siusbbxdxbkm.exe" | C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2264 set thread context of 2772 | N/A | C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe | C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe

"C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe"

C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe

"C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

dw20.exe -x -s 508

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nso1CC6.tmp\wfonpw4.dll

MD5 2352a10c7c964ab3ab072f17a78cb77f
SHA1 a41c5d247420909bb3a3565dd552990258904f02
SHA256 271f00c08e8dbf27f0b36e27df2aa07be3e4492940118ae3e43758a812d7e370
SHA512 14634bebdd077a674b02bb9548588868ca56145e497fea67be211bd2887bec65b02c75f7edafdbff0d976ff9a424f8acc1ba0ab4244a1b86ebeb640ceb8c41d4


Analysis: behavioral10

Detonation Overview

Submitted

2024-12-30 17:36

Reported

2024-12-30 17:39

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe"

Signatures

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\riaagitukgs = "C:\\Users\\Admin\\AppData\\Roaming\\ptdrpxuyhk\\siusbbxdxbkm.exe" | C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe

"C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe"

C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe

"C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3012 -ip 3012

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 996

Network


Files

C:\Users\Admin\AppData\Local\Temp\nsd8D7D.tmp\wfonpw4.dll

MD5 2352a10c7c964ab3ab072f17a78cb77f
SHA1 a41c5d247420909bb3a3565dd552990258904f02
SHA256 271f00c08e8dbf27f0b36e27df2aa07be3e4492940118ae3e43758a812d7e370
SHA512 14634bebdd077a674b02bb9548588868ca56145e497fea67be211bd2887bec65b02c75f7edafdbff0d976ff9a424f8acc1ba0ab4244a1b86ebeb640ceb8c41d4
