Analysis
- Max time kernel: 143s
- Max time network: 148s
- Platform: windows10-2004_x64
- Resource: win10v2004-20231127-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 02-12-2023 16:35
- Static task: static1
- Behavioral task behavioral1: sample Orden T7405.xla.xls, resource win7-20231025-en
- Behavioral task behavioral2: sample Orden T7405.xla.xls, resource win10v2004-20231127-en (the run this report covers)
General
- Target: Orden T7405.xla.xls
- Size: 391KB
- MD5: c198b379975c143eefceef1d79a20e17
- SHA1: 779ec72a2e929c5ba0f1b6db8922453c76177e38
- SHA256: 14b2a0a27bc9c98e606495cf2d612db931d125983262b780e30d6f48e4d59b50
- SHA512: 20224151e72415d17e47507a417fb8898d9b5e70a6749ce7e5fbe72e3f6b5cea6caee0eb1125ad327c8028fea7cf8722306171c376c53ca4bdd23f6fbab14ef8
- SSDEEP: 6144:Fn1m9kdbzPpeZl8b++UXKefrBCPP9UeybHvwsJxHMMj2GGuNla20kUVLR/:FOevhS5KSoPmeyTIsJxHlbCV
Malware Config
Signatures
- Checks processor information in registry (2 TTPs, 6 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: EXCEL.EXE, WINWORD.EXE
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
- Enumerates system info in registry (2 TTPs, 6 IoCs)
  Processes: WINWORD.EXE, EXCEL.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
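As an added illustration of the two registry signatures above (this is editor-supplied example code, not part of the sandbox report or its signature engine): a small Python detector run over constructed events that mirror the IoC rows, plus one benign control row. The event schema (image, action, registry path), the rule names, the Office image list and the extra value names beyond ~MHz, ProcessorNameString, SystemFamily and SystemSKU are assumptions for the example. The point it makes is the practitioner's caveat: a single read of ~MHz is something Office and many installers do on a clean host, so the rule only flags a process once it touches both the CPU-identity and the BIOS-identity key families, which is the combination the two signatures together describe.

```python
import re
from collections import defaultdict

# Constructed events mirroring the IoC rows of the two signatures above, plus
# one benign control row at the end. The (image, action, path) schema is an
# assumption for this example, not the sandbox's native event format.
EVENTS = [
    ("EXCEL.EXE",   "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz"),
    ("EXCEL.EXE",   "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"),
    ("WINWORD.EXE", "Key opened",        r"\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0"),
    ("WINWORD.EXE", "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz"),
    ("WINWORD.EXE", "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"),
    ("EXCEL.EXE",   "Key opened",        r"\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0"),
    ("WINWORD.EXE", "Key opened",        r"\REGISTRY\MACHINE\Hardware\Description\System\BIOS"),
    ("WINWORD.EXE", "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily"),
    ("WINWORD.EXE", "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU"),
    ("EXCEL.EXE",   "Key opened",        r"\REGISTRY\MACHINE\Hardware\Description\System\BIOS"),
    ("EXCEL.EXE",   "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily"),
    ("EXCEL.EXE",   "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU"),
    # Benign control: an ordinary Office settings read that must not match.
    ("EXCEL.EXE",   "Key value queried", r"\REGISTRY\USER\S-1-5-21-1\Software\Microsoft\Office\16.0\Excel\Options\DefaultFormat"),
]

# The two key families the signatures describe: CPU identity and BIOS/SMBIOS
# identity. Matching is case-insensitive because the report mixes
# HARDWARE\DESCRIPTION and Hardware\Description for the same key. Value names
# not present in the report are assumed additional fingerprint targets.
RULES = {
    "cpu_fingerprint": re.compile(
        r"^\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\\d+"
        r"(?:\\(?:~MHz|ProcessorNameString|VendorIdentifier|Identifier))?$", re.I),
    "bios_fingerprint": re.compile(
        r"^\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS"
        r"(?:\\(?:SystemFamily|SystemSKU|SystemManufacturer|SystemProductName|BIOSVendor|BIOSVersion))?$", re.I),
}

# Scope to Office images: the same reads from an installer or a hardware
# utility are expected behaviour and would only add noise.
OFFICE_IMAGES = {"EXCEL.EXE", "WINWORD.EXE", "POWERPNT.EXE", "MSACCESS.EXE", "OUTLOOK.EXE"}


def classify(event):
    """Return the name of the rule an event matches, or None."""
    image, _action, path = event
    if image.upper() not in OFFICE_IMAGES:
        return None
    for name, rx in RULES.items():
        if rx.match(path):
            return name
    return None


def score(events):
    """Count rule hits per process image: {image: {rule: count}}."""
    hits = defaultdict(lambda: defaultdict(int))
    for ev in events:
        rule = classify(ev)
        if rule:
            hits[ev[0]][rule] += 1
    return {image: dict(rules) for image, rules in hits.items()}


def flagged_images(events, min_rules=2):
    """Flag a process only when it reads from at least min_rules key families.
    One ~MHz read is too common to act on; CPU plus BIOS identity together is
    the combination the report's two signatures describe."""
    return {image for image, rules in score(events).items() if len(rules) >= min_rules}


if __name__ == "__main__":
    for image, rules in sorted(score(EVENTS).items()):
        print(image, rules)
    print("flagged:", sorted(flagged_images(EVENTS)))
```

Run against the constructed rows it reports three CPU and three BIOS hits for each of EXCEL.EXE and WINWORD.EXE, matching the 6 + 6 IoCs above, flags both, and ignores the control row. Lowering min_rules to 1 reproduces the sandbox's per-signature behaviour, at the cost of firing on every clean Office start.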
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes: EXCEL.EXE, WINWORD.EXE
  pid | process
  1160 | EXCEL.EXE
  1032 | WINWORD.EXE
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: WINWORD.EXE
  description | pid | process
  Token: SeAuditPrivilege | 1032 | WINWORD.EXE
- Suspicious use of SetWindowsHookEx (12 IoCs)
  Processes: EXCEL.EXE, WINWORD.EXE
  pid | process | hits
  1160 | EXCEL.EXE | 8
  1032 | WINWORD.EXE | 4
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: WINWORD.EXE
  description | pid | process | target process
  PID 1032 wrote to memory of 4764 | 1032 | WINWORD.EXE | splwow64.exe
  PID 1032 wrote to memory of 4764 | 1032 | WINWORD.EXE | splwow64.exe
  Caveat: the clipboard-listener and SetWindowsHookEx hits are standard Office UI behaviour and fire on clean documents as well. splwow64.exe is the Windows print-driver thunking host that 32-bit applications spawn when they touch the print subsystem, and the writes into it from WINWORD.EXE are part of that mechanism (note the PrintWorkflowUserSvc svchost in the process list), so this WriteProcessMemory hit is weak evidence of injection on its own.
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
- Uses Volume Shadow Copy WMI provider
  The Volume Shadow Copy service is used to manage backups/snapshots.
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 1160)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Orden T7405.xla.xls"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 1032)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\splwow64.exe (PID 4764, child of PID 1032)
    Command line: C:\Windows\splwow64.exe 12288
- C:\Windows\system32\svchost.exe (PID 3576)
  Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

Note on the tree: -Embedding is the switch COM passes when it starts Word as an out-of-process server, so this WINWORD.EXE instance was activated through OLE during the Excel session (an embedded Word object in the workbook) rather than launched by EXCEL.EXE directly, which is why it sits at the top level of the tree instead of under PID 1160.
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\7F626B7D-A2A0-4360-BF5E-819805F1240E
  Filesize: 157KB
  MD5: fabfa1673c0f5f3b43a764f21977299a
  SHA1: 7f937895772c9dbb1966a5ac4c571230243373e0
  SHA256: f86b022b24b0189dccfa34d3f79961c4ca0e98eca51ad34770eb108aab43c407
  SHA512: 1c9f9323cdba600964195aeee790b11e9e67219f3ec7d5131b6517990e41c0a648e0825dc7b808550c3c448f0cda169a7b66a550338b663ec9f9999cd67fd3b1
- C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
  Filesize: 2KB
  MD5: b9ebfdf19cc65573e2e7cba96cb44b7a
  SHA1: fcc860c94178ffe49e8fa31c98a797db56ea380e
  SHA256: a09dabbefb794fb7881f308228c774bde14e5d0a1c256943bcda0277c5f90610
  SHA512: 807985b19e6f86ddc2f6a4a0d79869994a71f2c61a0c2e3b0c80b01761aceb9f5bd13b03b0f7bedc9eca6ca4fd8e9d1725aaf339bf1752cafb5463c15c4c5866
- C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\f3df91c436730d7a37c58d5f25d9bf4a56fa3a34.tbres
  Filesize: 4KB
  MD5: 59178e6c00b6840933fd12c474c382de
  SHA1: ff13d90c2e5b2ad2de8be3e79960e8868a7e00bc
  SHA256: 0191dcd8fb06614d5130fb4af7026bec8b7d62a46ed616468bc760da0a23d56d
  SHA512: 64aee8aafa63f4a6999679ea16986abff7064e800408d409d12042ea581faad0c9b9e537d9f6b27368ddff9751fd817db0d58da418e9ac2236a82ed43aa1a73a
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\Z29MWU1J\Microsoftdeletedentirehistoryfromthepcalsocookiecachetoo[1].doc
  Filesize: 58KB
  MD5: 6ee6e6e58e88fbb222f7b1c8e37973d7
  SHA1: fad289b5872a39a24d151ba59102c8d7c2e73e35
  SHA256: f7925b0edcb383f181bbb45b29acaad0b837f0ea742a755e47aed688bcd170cf
  SHA512: 439dd171e5fcb4d30928b2fa19f17f709ca5056ae097a03decd7b9df6da5726eaf3b93499958660cecf75eef0d25d575216e5b6009f3ff68756c949ff272abc8

Note on the dropped files: the officeclient.microsoft.com WebServiceCache entry and the two TokenBroker .tbres files are routine Office client-configuration and account-token cache writes and carry no signal by themselves. The INetCache\IE entry is different: it is a 58KB .doc written into the WinINet cache during the run (the [1] suffix is WinINet's cache naming), so it is the artifact to pull by its SHA256 for follow-up analysis of what the embedded Word object loaded.