0a7523a33dbf8a15afdcef5a7efbaf4a2ed53706c8b0daad1ad8c69962180566

Analysis

max time kernel
139s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
31/10/2023, 06:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Orden de Compra##.xla.xls
Size

101KB
MD5

1024a690a0cdbf2505121b0d14b70125
SHA1

a048b94a8ae9251b61e3348438ff0f3f2c89b33a
SHA256

0a7523a33dbf8a15afdcef5a7efbaf4a2ed53706c8b0daad1ad8c69962180566
SHA512

7ec14256710b048c69bbd0ccb80a5ea9333ad5fe6e106509dcd62885fb15cae3217102633d0006325d7aadd2ba1b974d24e6599ee74f804b9c6805c51e3d1a5a
SSDEEP

1536:lpQDZbuylO9AKt9+CASVnmLIMPXHI8d+xpgFlIoOcbF6KUHJHuJPMIdTd:8Vyy1Kt0GdmBP3I8MgnIPwFtWHIP

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3712	EXCEL.EXE
3320	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeAuditPrivilege	3320	WINWORD.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3712	EXCEL.EXE
3712	EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3712	EXCEL.EXE
3712	EXCEL.EXE
3712	EXCEL.EXE
3712	EXCEL.EXE
3712	EXCEL.EXE
3712	EXCEL.EXE
3712	EXCEL.EXE
3712	EXCEL.EXE
3320	WINWORD.EXE
3320	WINWORD.EXE
3320	WINWORD.EXE
3320	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3320 wrote to memory of 2340	3320	WINWORD.EXE	99
PID 3320 wrote to memory of 2340	3320	WINWORD.EXE	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Orden de Compra##.xla.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3712

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3320
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\598D13CB-8093-4100-BC2E-9B84EE7951A5

Filesize
156KB

MD5
41a0ced25408d951f0dc61622d85319c

SHA1
edb9e85d994c561885c3e49effe31141fd499e58

SHA256
ea8e759a8668566fd5a6f4037c0e055f793bb290968e16aba20b8df77ebf070e

SHA512
60d2f80d6bbb4cd0a51c16d8d5cde8b814e2203b17de827a8a468597246dc30c2e529d7e548fb49dc117d8bcb2174816a0d1af649e25af5d2608d478923223fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
217b87b772320d8d599433294a0b65f1

SHA1
7b5534dd10154647065259cee06182848ae851e4

SHA256
e2554dd0273ea70e6b114b827ba7fdd166d0518825712d6c886594436db556ba

SHA512
27a16f05f2d2aa93ac7c9bd50adcf3954fa65e4c0b3776ce97a0d585dcf959773c60f28f59534e156f19f5cf9d2bac22e212bc96b15a53cd13265c15ad61553a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
e8d541692666118fa361489dd8b883a0

SHA1
341fffde46b67486590acf2d82046d665875ed71

SHA256
47a0b30723d69674e43cec5401f412f08beb5e696e6d043b3b9d36750502be18

SHA512
6b138331c8678745f4101b269661d58e563f22d37e453580ea9ebbeff99fbdf9ca450e0cf83bc60f806159a17136922001da47b746810188dd8040be31a093b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FG4P7PGK\HTMLbrowserHistoryCleanerhta[1].doc

Filesize
25KB

MD5
a5e653641362ac4e0fae2c211a6fd38d

SHA1
cf8925381f865c63092bc5a059816f1f0c453ab4

SHA256
7089650e6c0f2dcead55e58ff0c229d4a9eba2d611c69b78b9d80986e0017ce0

SHA512
815558d48edccafe7b45d144a9d970604621931bfc11f7fe0b8ab05266053e245eb43f2cf5b64ca76aec16fcaed7c5742f3d800258b1aa069268f0ec914aab06

Download Submit
memory/3320-123-0x00007FFEEAF70000-0x00007FFEEB165000-memory.dmp

Filesize
2.0MB

Download
memory/3320-47-0x00007FFEEAF70000-0x00007FFEEB165000-memory.dmp

Filesize
2.0MB

Download
memory/3320-59-0x00007FFEEAF70000-0x00007FFEEB165000-memory.dmp

Filesize
2.0MB

Download
memory/3320-58-0x00007FFEEAF70000-0x00007FFEEB165000-memory.dmp

Filesize
2.0MB

Download
memory/3320-57-0x00007FFEEAF70000-0x00007FFEEB165000-memory.dmp

Filesize
2.0MB

Download
memory/3320-55-0x00007FFEEAF70000-0x00007FFEEB165000-memory.dmp

Filesize
2.0MB

Download
memory/3320-61-0x00007FFEEAF70000-0x00007FFEEB165000-memory.dmp

Filesize
2.0MB

Download
memory/3320-126-0x00007FFEEAF70000-0x00007FFEEB165000-memory.dmp

Filesize
2.0MB

Download
memory/3320-37-0x00007FFEEAF70000-0x00007FFEEB165000-memory.dmp

Filesize
2.0MB

Download
memory/3320-48-0x00007FFEEAF70000-0x00007FFEEB165000-memory.dmp

Filesize
2.0MB

Download
memory/3320-124-0x00007FFEEAF70000-0x00007FFEEB165000-memory.dmp

Filesize
2.0MB

Download
memory/3320-45-0x00007FFEEAF70000-0x00007FFEEB165000-memory.dmp

Filesize
2.0MB

Download
memory/3320-43-0x00007FFEEAF70000-0x00007FFEEB165000-memory.dmp

Filesize
2.0MB

Download
memory/3320-42-0x00007FFEEAF70000-0x00007FFEEB165000-memory.dmp

Filesize
2.0MB

Download
memory/3320-40-0x00007FFEEAF70000-0x00007FFEEB165000-memory.dmp

Filesize
2.0MB

Download
memory/3712-13-0x00007FFEEAF70000-0x00007FFEEB165000-memory.dmp

Filesize
2.0MB

Download
memory/3712-11-0x00007FFEEAF70000-0x00007FFEEB165000-memory.dmp

Filesize
2.0MB

Download
memory/3712-27-0x00007FFEEAF70000-0x00007FFEEB165000-memory.dmp

Filesize
2.0MB

Download
memory/3712-29-0x00007FFEEAF70000-0x00007FFEEB165000-memory.dmp

Filesize
2.0MB

Download
memory/3712-28-0x00007FFEEAF70000-0x00007FFEEB165000-memory.dmp

Filesize
2.0MB

Download
memory/3712-30-0x00007FFEEAF70000-0x00007FFEEB165000-memory.dmp

Filesize
2.0MB

Download
memory/3712-31-0x00007FFEEAF70000-0x00007FFEEB165000-memory.dmp

Filesize
2.0MB

Download
memory/3712-32-0x00007FFEEAF70000-0x00007FFEEB165000-memory.dmp

Filesize
2.0MB

Download
memory/3712-33-0x00007FFEEAF70000-0x00007FFEEB165000-memory.dmp

Filesize
2.0MB

Download
memory/3712-22-0x00007FFEA86C0000-0x00007FFEA86D0000-memory.dmp

Filesize
64KB

Download
memory/3712-18-0x00007FFEEAF70000-0x00007FFEEB165000-memory.dmp

Filesize
2.0MB

Download
memory/3712-17-0x00007FFEEAF70000-0x00007FFEEB165000-memory.dmp

Filesize
2.0MB

Download
memory/3712-16-0x00007FFEEAF70000-0x00007FFEEB165000-memory.dmp

Filesize
2.0MB

Download
memory/3712-15-0x00007FFEA86C0000-0x00007FFEA86D0000-memory.dmp

Filesize
64KB

Download
memory/3712-14-0x00007FFEEAF70000-0x00007FFEEB165000-memory.dmp

Filesize
2.0MB

Download
memory/3712-0-0x00007FFEAAFF0000-0x00007FFEAB000000-memory.dmp

Filesize
64KB

Download
memory/3712-12-0x00007FFEEAF70000-0x00007FFEEB165000-memory.dmp

Filesize
2.0MB

Download
memory/3712-26-0x00007FFEEAF70000-0x00007FFEEB165000-memory.dmp

Filesize
2.0MB

Download
memory/3712-10-0x00007FFEEAF70000-0x00007FFEEB165000-memory.dmp

Filesize
2.0MB

Download
memory/3712-8-0x00007FFEAAFF0000-0x00007FFEAB000000-memory.dmp

Filesize
64KB

Download
memory/3712-9-0x00007FFEEAF70000-0x00007FFEEB165000-memory.dmp

Filesize
2.0MB

Download
memory/3712-7-0x00007FFEEAF70000-0x00007FFEEB165000-memory.dmp

Filesize
2.0MB

Download
memory/3712-6-0x00007FFEAAFF0000-0x00007FFEAB000000-memory.dmp

Filesize
64KB

Download
memory/3712-5-0x00007FFEEAF70000-0x00007FFEEB165000-memory.dmp

Filesize
2.0MB

Download
memory/3712-3-0x00007FFEEAF70000-0x00007FFEEB165000-memory.dmp

Filesize
2.0MB

Download
memory/3712-110-0x00007FFEAAFF0000-0x00007FFEAB000000-memory.dmp

Filesize
64KB

Download
memory/3712-111-0x00007FFEAAFF0000-0x00007FFEAB000000-memory.dmp

Filesize
64KB

Download
memory/3712-113-0x00007FFEAAFF0000-0x00007FFEAB000000-memory.dmp

Filesize
64KB

Download
memory/3712-114-0x00007FFEEAF70000-0x00007FFEEB165000-memory.dmp

Filesize
2.0MB

Download
memory/3712-112-0x00007FFEAAFF0000-0x00007FFEAB000000-memory.dmp

Filesize
64KB

Download
memory/3712-115-0x00007FFEEAF70000-0x00007FFEEB165000-memory.dmp

Filesize
2.0MB

Download
memory/3712-116-0x00007FFEEAF70000-0x00007FFEEB165000-memory.dmp

Filesize
2.0MB

Download
memory/3712-4-0x00007FFEAAFF0000-0x00007FFEAB000000-memory.dmp

Filesize
64KB

Download
memory/3712-2-0x00007FFEAAFF0000-0x00007FFEAB000000-memory.dmp

Filesize
64KB

Download
memory/3712-1-0x00007FFEEAF70000-0x00007FFEEB165000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads