Analysis Overview
SHA256: 1ebcadef0f2790a5c28cc8d6100007eb6a82a0cf7fc582e7595fa9a3407d3049
Threat Level: Known bad
The file JaffaCakes118_1ebcadef0f2790a5c28cc8d6100007eb6a82a0cf7fc582e7595fa9a3407d3049 was found to be: Known bad.
Malicious Activity Summary
Agenttesla family
AgentTesla
Formbook
Formbook family
AgentTesla payload
Formbook payload
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Loads dropped DLL
Deletes itself
Reads user/profile data of web browsers
Reads WinSCP keys stored on the system
Unsecured Credentials: Credentials In Files
Adds Run key to start application
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
Unsigned PE
System Location Discovery: System Language Discovery
NSIS installer
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
outlook_office_path
Suspicious use of AdjustPrivilegeToken
outlook_win_path
Suspicious behavior: MapViewOfSection
Gathers network information
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-12-30 17:36
Signatures
Unsigned PE
NSIS installer
Analysis: behavioral2
Detonation Overview
Submitted: 2024-12-30 17:36
Reported: 2024-12-30 17:39
Platform: win10v2004-20241007-en
Max time kernel: 148s
Max time network: 150s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BANK RECEIPT.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\BANK RECEIPT.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\BANK RECEIPT.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3248 wrote to memory of 940 | N/A | C:\Users\Admin\AppData\Local\Temp\BANK RECEIPT.exe | C:\Users\Admin\AppData\Local\Temp\BANK RECEIPT.exe |
| PID 3248 wrote to memory of 940 | N/A | C:\Users\Admin\AppData\Local\Temp\BANK RECEIPT.exe | C:\Users\Admin\AppData\Local\Temp\BANK RECEIPT.exe |
| PID 3248 wrote to memory of 940 | N/A | C:\Users\Admin\AppData\Local\Temp\BANK RECEIPT.exe | C:\Users\Admin\AppData\Local\Temp\BANK RECEIPT.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\BANK RECEIPT.exe
"C:\Users\Admin\AppData\Local\Temp\BANK RECEIPT.exe"
C:\Users\Admin\AppData\Local\Temp\BANK RECEIPT.exe
"C:\Users\Admin\AppData\Local\Temp\BANK RECEIPT.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3248 -ip 3248
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3248 -s 988
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 181.129.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.130.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsp6C39.tmp\2g6ght2plrugud.dll
| MD5 | 64ade443342d3aa3790c2846abf93959 |
| SHA1 | d6668f6881d40dc3dc3d1f627f2721e1d333e698 |
| SHA256 | ea1deb95fa6614524006ee3260957aef27ebd563f609dde680cace5f2ea09e45 |
| SHA512 | 2fdce6c768ded710d6d011be5317b184a09e10058145bdff545e83df63f5e0f46db4f679161174397b37d0fb2f43abe7275405845742e4a73bc6ef995edf4845 |
memory/3248-7-0x0000000002440000-0x0000000002442000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted: 2024-12-30 17:36
Reported: 2024-12-30 17:39
Platform: win10v2004-20241007-en
Max time kernel: 147s
Max time network: 142s
Command Line
Signatures
Formbook
Formbook family
Formbook payload
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1712 set thread context of 4008 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4008 set thread context of 3452 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\Explorer.EXE |
| PID 1664 set thread context of 3452 | N/A | C:\Windows\SysWOW64\wscript.exe | C:\Windows\Explorer.EXE |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\2g6ght2plrugud.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\2g6ght2plrugud.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\2g6ght2plrugud.dll,#1
C:\Windows\SysWOW64\wscript.exe
"C:\Windows\SysWOW64\wscript.exe"
C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\SysWOW64\rundll32.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.enpointe.online | udp |
| US | 8.8.8.8:53 | www.artinmemory.com | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.desyrnan.com | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.privat-livecam.net | udp |
| US | 8.8.8.8:53 | www.philreid4cc.com | udp |
| US | 8.8.8.8:53 | www.lacompagniadelfardello.com | udp |
| DE | 64.226.125.59:80 | www.lacompagniadelfardello.com | tcp |
| US | 8.8.8.8:53 | 59.125.226.64.in-addr.arpa | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted: 2024-12-30 17:36
Reported: 2024-12-30 17:39
Platform: win7-20241010-en
Max time kernel: 147s
Max time network: 125s
Command Line
Signatures
Formbook
Formbook family
Formbook payload
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2128 set thread context of 2152 | N/A | C:\Users\Admin\AppData\Local\Temp\PO.exe | C:\Users\Admin\AppData\Local\Temp\PO.exe |
| PID 2152 set thread context of 1240 | N/A | C:\Users\Admin\AppData\Local\Temp\PO.exe | C:\Windows\Explorer.EXE |
| PID 2152 set thread context of 1240 | N/A | C:\Users\Admin\AppData\Local\Temp\PO.exe | C:\Windows\Explorer.EXE |
| PID 3048 set thread context of 1240 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\Explorer.EXE |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\PO.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\PO.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PO.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\PO.exe
"C:\Users\Admin\AppData\Local\Temp\PO.exe"
C:\Users\Admin\AppData\Local\Temp\PO.exe
"C:\Users\Admin\AppData\Local\Temp\PO.exe"
C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\PO.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\nst79D3.tmp\k5ig8v1xqqd111h.dll
| MD5 | fe9e8afe6e228256eaf3065c403d87bb |
| SHA1 | 1d46976328242b9e4f37d994bc1f169ee1f4c112 |
| SHA256 | e2b161127954eb1373158a95ef083d1b00198fef933e9ad5a1496d82d9006b8b |
| SHA512 | 573399e2885f89f05e27de783ef286c79dab04ca4e942f62ccbbb40d61fc7ab80baa97b13948b719dcae785d5daa19e4aa23adb4922e9737e0ecbfc2a09ba4a5 |
Analysis: behavioral6
Detonation Overview
Submitted: 2024-12-30 17:36
Reported: 2024-12-30 17:39
Platform: win10v2004-20241007-en
Max time kernel: 149s
Max time network: 151s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\PO.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\PO.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4016 wrote to memory of 1856 | N/A | C:\Users\Admin\AppData\Local\Temp\PO.exe | C:\Users\Admin\AppData\Local\Temp\PO.exe |
| PID 4016 wrote to memory of 1856 | N/A | C:\Users\Admin\AppData\Local\Temp\PO.exe | C:\Users\Admin\AppData\Local\Temp\PO.exe |
| PID 4016 wrote to memory of 1856 | N/A | C:\Users\Admin\AppData\Local\Temp\PO.exe | C:\Users\Admin\AppData\Local\Temp\PO.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\PO.exe
"C:\Users\Admin\AppData\Local\Temp\PO.exe"
C:\Users\Admin\AppData\Local\Temp\PO.exe
"C:\Users\Admin\AppData\Local\Temp\PO.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4016 -ip 4016
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4016 -s 988
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 235.17.178.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsb8937.tmp\k5ig8v1xqqd111h.dll
| MD5 | fe9e8afe6e228256eaf3065c403d87bb |
| SHA1 | 1d46976328242b9e4f37d994bc1f169ee1f4c112 |
| SHA256 | e2b161127954eb1373158a95ef083d1b00198fef933e9ad5a1496d82d9006b8b |
| SHA512 | 573399e2885f89f05e27de783ef286c79dab04ca4e942f62ccbbb40d61fc7ab80baa97b13948b719dcae785d5daa19e4aa23adb4922e9737e0ecbfc2a09ba4a5 |
memory/4016-7-0x0000000002330000-0x0000000002332000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted: 2024-12-30 17:36
Reported: 2024-12-30 17:39
Platform: win10v2004-20241007-en
Max time kernel: 147s
Max time network: 150s
Command Line
Signatures
Formbook
Formbook family
Formbook payload
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3708 set thread context of 4356 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4356 set thread context of 3416 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\Explorer.EXE |
| PID 2892 set thread context of 3416 | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | C:\Windows\Explorer.EXE |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\k5ig8v1xqqd111h.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\k5ig8v1xqqd111h.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\k5ig8v1xqqd111h.dll,#1
C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\SysWOW64\rundll32.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.union-green.com | udp |
| US | 8.8.8.8:53 | 86.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.cosmicmtn.com | udp |
| US | 15.197.172.60:80 | www.cosmicmtn.com | tcp |
| US | 8.8.8.8:53 | 60.172.197.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.relocatingrealtor.com | udp |
| US | 34.149.87.45:80 | www.relocatingrealtor.com | tcp |
| US | 8.8.8.8:53 | 45.87.149.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.spiritsoundart.net | udp |
| CA | 23.227.38.74:80 | www.spiritsoundart.net | tcp |
| US | 8.8.8.8:53 | 74.38.227.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.rokitreach.com | udp |
| US | 15.197.148.33:80 | www.rokitreach.com | tcp |
| US | 8.8.8.8:53 | 33.148.197.15.in-addr.arpa | udp |
Files
Analysis: behavioral11
Detonation Overview
Submitted: 2024-12-30 17:36
Reported: 2024-12-30 17:39
Platform: win7-20240903-en
Max time kernel: 119s
Max time network: 127s
Command Line
Signatures
AgentTesla
Agenttesla family
AgentTesla payload
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\riaagitukgs = "C:\\Users\\Admin\\AppData\\Roaming\\ptdrpxuyhk\\siusbbxdxbkm.exe" | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1276 set thread context of 1272 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\wfonpw4.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\wfonpw4.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\wfonpw4.dll,#1
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 552
Network
Files
Analysis: behavioral12
Detonation Overview
Submitted: 2024-12-30 17:36
Reported: 2024-12-30 17:39
Platform: win10v2004-20241007-en
Max time kernel: 98s
Max time network: 147s
Command Line
Signatures
AgentTesla
Agenttesla family
AgentTesla payload
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\rundll32.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\riaagitukgs = "C:\\Users\\Admin\\AppData\\Roaming\\ptdrpxuyhk\\siusbbxdxbkm.exe" | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3412 set thread context of 4680 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3572 wrote to memory of 3412 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3572 wrote to memory of 3412 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3572 wrote to memory of 3412 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3412 wrote to memory of 4680 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3412 wrote to memory of 4680 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3412 wrote to memory of 4680 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3412 wrote to memory of 4680 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\rundll32.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\rundll32.exe | N/A |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\wfonpw4.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\wfonpw4.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\wfonpw4.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3412 -ip 3412
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3412 -s 756
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted: 2024-12-30 17:36
Reported: 2024-12-30 17:39
Platform: win7-20241023-en
Max time kernel: 146s
Max time network: 123s
Command Line
Signatures
Formbook
Formbook family
Formbook payload
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BANK RECEIPT.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2952 set thread context of 2792 | N/A | C:\Users\Admin\AppData\Local\Temp\BANK RECEIPT.exe | C:\Users\Admin\AppData\Local\Temp\BANK RECEIPT.exe |
| PID 2792 set thread context of 1052 | N/A | C:\Users\Admin\AppData\Local\Temp\BANK RECEIPT.exe | C:\Windows\Explorer.EXE |
| PID 2820 set thread context of 1052 | N/A | C:\Windows\SysWOW64\control.exe | C:\Windows\Explorer.EXE |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\BANK RECEIPT.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\control.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BANK RECEIPT.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BANK RECEIPT.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BANK RECEIPT.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BANK RECEIPT.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\control.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\control.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BANK RECEIPT.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\control.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\BANK RECEIPT.exe
"C:\Users\Admin\AppData\Local\Temp\BANK RECEIPT.exe"
C:\Users\Admin\AppData\Local\Temp\BANK RECEIPT.exe
"C:\Users\Admin\AppData\Local\Temp\BANK RECEIPT.exe"
C:\Windows\SysWOW64\control.exe
"C:\Windows\SysWOW64\control.exe"
C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\BANK RECEIPT.exe"
Network
Files
\Users\Admin\AppData\Local\Temp\nsd6DF1.tmp\2g6ght2plrugud.dll
| MD5 | 64ade443342d3aa3790c2846abf93959 |
| SHA1 | d6668f6881d40dc3dc3d1f627f2721e1d333e698 |
| SHA256 | ea1deb95fa6614524006ee3260957aef27ebd563f609dde680cace5f2ea09e45 |
| SHA512 | 2fdce6c768ded710d6d011be5317b184a09e10058145bdff545e83df63f5e0f46db4f679161174397b37d0fb2f43abe7275405845742e4a73bc6ef995edf4845 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-12-30 17:36
Reported
2024-12-30 17:39
Platform
win7-20240903-en
Max time kernel
148s
Max time network
125s
Command Line
Signatures
Formbook
Formbook family
Formbook payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2364 set thread context of 1748 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1748 set thread context of 1180 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\Explorer.EXE |
| PID 1748 set thread context of 1180 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\Explorer.EXE |
| PID 1872 set thread context of 1180 | N/A | C:\Windows\SysWOW64\netsh.exe | C:\Windows\Explorer.EXE |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\2g6ght2plrugud.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\2g6ght2plrugud.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\2g6ght2plrugud.dll,#1
C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe"
C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\SysWOW64\rundll32.exe"
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-12-30 17:36
Reported
2024-12-30 17:39
Platform
win7-20240903-en
Max time kernel
145s
Max time network
118s
Command Line
Signatures
Formbook
Formbook family
Formbook payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3044 set thread context of 2640 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2640 set thread context of 1224 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\Explorer.EXE |
| PID 2056 set thread context of 1224 | N/A | C:\Windows\SysWOW64\colorcpl.exe | C:\Windows\Explorer.EXE |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\colorcpl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\colorcpl.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\colorcpl.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\k5ig8v1xqqd111h.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\k5ig8v1xqqd111h.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\k5ig8v1xqqd111h.dll,#1
C:\Windows\SysWOW64\colorcpl.exe
"C:\Windows\SysWOW64\colorcpl.exe"
C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\SysWOW64\rundll32.exe"
Network
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-12-30 17:36
Reported
2024-12-30 17:39
Platform
win7-20240729-en
Max time kernel
120s
Max time network
126s
Command Line
Signatures
AgentTesla
Agenttesla family
AgentTesla payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\riaagitukgs = "C:\\Users\\Admin\\AppData\\Roaming\\ptdrpxuyhk\\siusbbxdxbkm.exe" | C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2264 set thread context of 2772 | N/A | C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe | C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe
"C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe"
C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe
"C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 508
Network
Files
\Users\Admin\AppData\Local\Temp\nso1CC6.tmp\wfonpw4.dll
| MD5 | 2352a10c7c964ab3ab072f17a78cb77f |
| SHA1 | a41c5d247420909bb3a3565dd552990258904f02 |
| SHA256 | 271f00c08e8dbf27f0b36e27df2aa07be3e4492940118ae3e43758a812d7e370 |
| SHA512 | 14634bebdd077a674b02bb9548588868ca56145e497fea67be211bd2887bec65b02c75f7edafdbff0d976ff9a424f8acc1ba0ab4244a1b86ebeb640ceb8c41d4 |
Analysis: behavioral10
Detonation Overview
Submitted
2024-12-30 17:36
Reported
2024-12-30 17:39
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
145s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\riaagitukgs = "C:\\Users\\Admin\\AppData\\Roaming\\ptdrpxuyhk\\siusbbxdxbkm.exe" | C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3012 wrote to memory of 1376 | N/A | C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe | C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe |
| PID 3012 wrote to memory of 1376 | N/A | C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe | C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe |
| PID 3012 wrote to memory of 1376 | N/A | C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe | C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe
"C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe"
C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe
"C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3012 -ip 3012
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 996
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.130.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsd8D7D.tmp\wfonpw4.dll
| MD5 | 2352a10c7c964ab3ab072f17a78cb77f |
| SHA1 | a41c5d247420909bb3a3565dd552990258904f02 |
| SHA256 | 271f00c08e8dbf27f0b36e27df2aa07be3e4492940118ae3e43758a812d7e370 |
| SHA512 | 14634bebdd077a674b02bb9548588868ca56145e497fea67be211bd2887bec65b02c75f7edafdbff0d976ff9a424f8acc1ba0ab4244a1b86ebeb640ceb8c41d4 |
memory/3012-7-0x0000000002400000-0x0000000002403000-memory.dmp