ecc323c737ea71e81873751995b2c6c5d0bc8845db73466d0d1cdc518c57041b

General

Target

Comprobante de pago (OCT).xls
Size

122KB
MD5

643cc6f7df3ef634150217b269afbd8a
SHA1

b66df95d3bb7f48f4d429638ba68219f74f7b079
SHA256

ecc323c737ea71e81873751995b2c6c5d0bc8845db73466d0d1cdc518c57041b
SHA512

92ac4407b3eb7f8f42d6976f84b354a499463e8b643979b6bee541bac99abaf5e523141c514b25830d95ee3cebce0c636c41bae02a8e10d27728f849e28b0946

Score

8^/10

collection spyware stealer

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

uuee.exeuuee.exeuuee.exeuuee.exe

pid process

2064 uuee.exe
1152 uuee.exe
1408 uuee.exe
1600 uuee.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2064	uuee.exe
1152	uuee.exe
1408	uuee.exe
1600	uuee.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

uuee.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	uuee.exe
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	uuee.exe
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	uuee.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1880 EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
1880	EXCEL.EXE
1880	EXCEL.EXE
1880	EXCEL.EXE
1880	EXCEL.EXE
1880	EXCEL.EXE
1880	EXCEL.EXE
1880	EXCEL.EXE
1880	EXCEL.EXE
1880	EXCEL.EXE
1880	EXCEL.EXE
1880	EXCEL.EXE
1880	EXCEL.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

EXCEL.EXE

description	pid	process	target process
PID 1880 wrote to memory of 2064	1880	EXCEL.EXE	uuee.exe
PID 1880 wrote to memory of 2064	1880	EXCEL.EXE	uuee.exe
PID 1880 wrote to memory of 2064	1880	EXCEL.EXE	uuee.exe

outlook_office_path 1 IoCs

Processes:

uuee.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	uuee.exe

outlook_win_path 1 IoCs

Processes:

uuee.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	uuee.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Comprobante de pago (OCT).xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1880

C:\Users\Admin\AppData\Roaming\uuee.exe
"C:\Users\Admin\AppData\Roaming\uuee.exe"
2⤵
- Executes dropped EXE
PID:2064

C:\Users\Admin\AppData\Roaming\uuee.exe
"C:\Users\Admin\AppData\Roaming\uuee.exe"
3⤵
- Executes dropped EXE
PID:1152

C:\Users\Admin\AppData\Roaming\uuee.exe
"C:\Users\Admin\AppData\Roaming\uuee.exe"
3⤵
- Executes dropped EXE
PID:1408

C:\Users\Admin\AppData\Roaming\uuee.exe
"C:\Users\Admin\AppData\Roaming\uuee.exe"
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:1600

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\uuee.exe
MD5
3819e26c2e49013529b158b838a96237

SHA1
fcec94d58e18eedc81db5baf750f71d4f0c51b56

SHA256
6214b2d691b37c19a84c54cb540469b934da3586172604cd5ea139b3f05685d9

SHA512
a1e17201f02e10a873d2ad37a97e1753474e318b550482dc3f7ea09b4266bc1f9eb45dbeee44247b92ed1c95b1d405b311a5f9f665b12c0fd352ccd4dad16b29

Download Submit
C:\Users\Admin\AppData\Roaming\uuee.exe
MD5
3819e26c2e49013529b158b838a96237

SHA1
fcec94d58e18eedc81db5baf750f71d4f0c51b56

SHA256
6214b2d691b37c19a84c54cb540469b934da3586172604cd5ea139b3f05685d9

SHA512
a1e17201f02e10a873d2ad37a97e1753474e318b550482dc3f7ea09b4266bc1f9eb45dbeee44247b92ed1c95b1d405b311a5f9f665b12c0fd352ccd4dad16b29

Download Submit
C:\Users\Admin\AppData\Roaming\uuee.exe
MD5
3819e26c2e49013529b158b838a96237

SHA1
fcec94d58e18eedc81db5baf750f71d4f0c51b56

SHA256
6214b2d691b37c19a84c54cb540469b934da3586172604cd5ea139b3f05685d9

SHA512
a1e17201f02e10a873d2ad37a97e1753474e318b550482dc3f7ea09b4266bc1f9eb45dbeee44247b92ed1c95b1d405b311a5f9f665b12c0fd352ccd4dad16b29

Download Submit
C:\Users\Admin\AppData\Roaming\uuee.exe
MD5
3819e26c2e49013529b158b838a96237

SHA1
fcec94d58e18eedc81db5baf750f71d4f0c51b56

SHA256
6214b2d691b37c19a84c54cb540469b934da3586172604cd5ea139b3f05685d9

SHA512
a1e17201f02e10a873d2ad37a97e1753474e318b550482dc3f7ea09b4266bc1f9eb45dbeee44247b92ed1c95b1d405b311a5f9f665b12c0fd352ccd4dad16b29

Download Submit
memory/1880-118-0x00007FF86EA30000-0x00007FF86EA40000-memory.dmp

Filesize
64KB

Download
memory/1880-120-0x00000277544D0000-0x00000277544D2000-memory.dmp

Filesize
8KB

Download
memory/1880-121-0x00007FF86EA30000-0x00007FF86EA40000-memory.dmp

Filesize
64KB

Download
memory/1880-122-0x00000277544D0000-0x00000277544D2000-memory.dmp

Filesize
8KB

Download
memory/1880-119-0x00000277544D0000-0x00000277544D2000-memory.dmp

Filesize
8KB

Download
memory/1880-115-0x00007FF86EA30000-0x00007FF86EA40000-memory.dmp

Filesize
64KB

Download
memory/1880-117-0x00007FF86EA30000-0x00007FF86EA40000-memory.dmp

Filesize
64KB

Download
memory/1880-116-0x00007FF86EA30000-0x00007FF86EA40000-memory.dmp

Filesize
64KB

Download
memory/2064-271-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads