3eb49f3cd7bdc676ac5b8f46c9ff956717275b7dd7ab90fbea3e3fe3fbaae576

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2023 14:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Orden de compra.xls
Size

391KB
MD5

84129445f6446d089445dbe993224dcd
SHA1

7e8ccd59f7484ca6e2701404ff8c77182cba2dce
SHA256

3eb49f3cd7bdc676ac5b8f46c9ff956717275b7dd7ab90fbea3e3fe3fbaae576
SHA512

47ebc4e589bc797896727857c91d6e6f6c3ee99b5e41cae7f4336e1fe643f6da3d436bc5edba234af31e419b82d337e03904b293b36fa3a245b1bd3cf6caadce
SSDEEP

6144:YDn1m9kdbaG3mU+ZKy4ij4a3DjKcUX1edr1aqizRBfqGudZFAW6ffPPXC53EE:YDOeuiqKjij4a3DjM1ehMvmFC3Xq3EE

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

2896 EXCEL.EXE
2456 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WINWORD.EXE

description pid process

Token: SeAuditPrivilege 2456 WINWORD.EXE

description	pid	process
Token: SeAuditPrivilege	2456	WINWORD.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid	process
2896	EXCEL.EXE
2896	EXCEL.EXE
2896	EXCEL.EXE
2896	EXCEL.EXE
2896	EXCEL.EXE
2896	EXCEL.EXE
2896	EXCEL.EXE
2896	EXCEL.EXE
2456	WINWORD.EXE
2456	WINWORD.EXE
2456	WINWORD.EXE
2456	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 2456 wrote to memory of 664	2456	WINWORD.EXE	splwow64.exe
PID 2456 wrote to memory of 664	2456	WINWORD.EXE	splwow64.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Orden de compra.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2896

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2456

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\CA77C4EB-DDAA-40D8-BFEF-DBF780DA0C58

Filesize
157KB

MD5
2b8e98034942358f57900f904c93daea

SHA1
623b8a427ba491165eb97bf7a8c96557c059b435

SHA256
41f6549947b7e2b381ebf389426b9f6e600043bff2bf116a210a54645bcc013e

SHA512
864d27ac90322308dd4366856463afb8ca2cc10ab41125e9a23b9bd8ef3a9861a7a977c76d4d363fc751a6d693de5b95fb2248673fae86e5c7df1d14fa7c95a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
4e56943a85de0dcf7786a2cf87ed5592

SHA1
12fd0664cf2330991cba21656d3a1407dd53dab7

SHA256
08c6d4d67a53d25d5cfed1a2df0387fa08f7952c7f50e6aad1dc07107c7123ec

SHA512
bb1a722b60caa4b2c00bcd0d5b01f83b882143240aa1be4c59adf9e484e392fd131ae7882a85e3fd63c1e908006266d0b244e1cf8076cd1d14bfae9ac9d2723b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
e8bad03e7fe61df2688eaf1457cffd5a

SHA1
bec9f38048e6dd6937df7e3d90e1fae71122a5e7

SHA256
1a39cd898bd93e7596f9ba358a33a282a02e8c92d8d3be521ff8e0a2d613923b

SHA512
f6c79fa97e88a310a80caf0a21be4e6bf6b6b84c4e2b3404cb2258c0c271e13827dbdb683af86e0eff72e85e2d687db3aed2aec2c9dec1de255e77401367e891

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
e8bad03e7fe61df2688eaf1457cffd5a

SHA1
bec9f38048e6dd6937df7e3d90e1fae71122a5e7

SHA256
1a39cd898bd93e7596f9ba358a33a282a02e8c92d8d3be521ff8e0a2d613923b

SHA512
f6c79fa97e88a310a80caf0a21be4e6bf6b6b84c4e2b3404cb2258c0c271e13827dbdb683af86e0eff72e85e2d687db3aed2aec2c9dec1de255e77401367e891

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\JRPRPPGG\microsoftdetecthistorycachecookieentirethingsfromthepcfordelete[1].doc

Filesize
66KB

MD5
3257e76f6fd7ccf389feb54fd83653a3

SHA1
0f567d839141d2e9b0ed8c7be435ca8eb50c3727

SHA256
5d14534b002980d390f30c6b970b17a3b4b6855c817b5703cd9a87291448144d

SHA512
226c6eae6d86b07d1bfbaf482c52267b63f423c5fb8474dd3b60978b116ffd90d5f6d5b38291a01afeee1d392c71d79103efd58d8d2e1870dd9c3cdd94d4664c

Download Submit
memory/2456-28-0x00007FFCE8550000-0x00007FFCE8745000-memory.dmp

Filesize
2.0MB

Download
memory/2456-27-0x00007FFCE8550000-0x00007FFCE8745000-memory.dmp

Filesize
2.0MB

Download
memory/2456-34-0x00007FFCE8550000-0x00007FFCE8745000-memory.dmp

Filesize
2.0MB

Download
memory/2456-113-0x00007FFCE8550000-0x00007FFCE8745000-memory.dmp

Filesize
2.0MB

Download
memory/2456-112-0x00007FFCE8550000-0x00007FFCE8745000-memory.dmp

Filesize
2.0MB

Download
memory/2456-111-0x00007FFCE8550000-0x00007FFCE8745000-memory.dmp

Filesize
2.0MB

Download
memory/2456-109-0x00007FFCA85D0000-0x00007FFCA85E0000-memory.dmp

Filesize
64KB

Download
memory/2456-110-0x00007FFCA85D0000-0x00007FFCA85E0000-memory.dmp

Filesize
64KB

Download
memory/2456-108-0x00007FFCA85D0000-0x00007FFCA85E0000-memory.dmp

Filesize
64KB

Download
memory/2456-107-0x00007FFCA85D0000-0x00007FFCA85E0000-memory.dmp

Filesize
64KB

Download
memory/2456-69-0x00007FFCE8550000-0x00007FFCE8745000-memory.dmp

Filesize
2.0MB

Download
memory/2456-68-0x00007FFCE8550000-0x00007FFCE8745000-memory.dmp

Filesize
2.0MB

Download
memory/2456-39-0x00007FFCE8550000-0x00007FFCE8745000-memory.dmp

Filesize
2.0MB

Download
memory/2456-38-0x00007FFCE8550000-0x00007FFCE8745000-memory.dmp

Filesize
2.0MB

Download
memory/2456-37-0x00007FFCE8550000-0x00007FFCE8745000-memory.dmp

Filesize
2.0MB

Download
memory/2456-36-0x00007FFCE8550000-0x00007FFCE8745000-memory.dmp

Filesize
2.0MB

Download
memory/2456-32-0x00007FFCE8550000-0x00007FFCE8745000-memory.dmp

Filesize
2.0MB

Download
memory/2456-30-0x00007FFCE8550000-0x00007FFCE8745000-memory.dmp

Filesize
2.0MB

Download
memory/2896-122-0x00007FFCE8550000-0x00007FFCE8745000-memory.dmp

Filesize
2.0MB

Download
memory/2896-3-0x00007FFCA85D0000-0x00007FFCA85E0000-memory.dmp

Filesize
64KB

Download
memory/2896-0-0x00007FFCA85D0000-0x00007FFCA85E0000-memory.dmp

Filesize
64KB

Download
memory/2896-23-0x00007FFCE8550000-0x00007FFCE8745000-memory.dmp

Filesize
2.0MB

Download
memory/2896-21-0x00007FFCE8550000-0x00007FFCE8745000-memory.dmp

Filesize
2.0MB

Download
memory/2896-7-0x00007FFCA85D0000-0x00007FFCA85E0000-memory.dmp

Filesize
64KB

Download
memory/2896-22-0x00007FFCE8550000-0x00007FFCE8745000-memory.dmp

Filesize
2.0MB

Download
memory/2896-20-0x00007FFCE8550000-0x00007FFCE8745000-memory.dmp

Filesize
2.0MB

Download
memory/2896-19-0x00007FFCE8550000-0x00007FFCE8745000-memory.dmp

Filesize
2.0MB

Download
memory/2896-18-0x00007FFCE8550000-0x00007FFCE8745000-memory.dmp

Filesize
2.0MB

Download
memory/2896-6-0x00007FFCA85D0000-0x00007FFCA85E0000-memory.dmp

Filesize
64KB

Download
memory/2896-4-0x00007FFCE8550000-0x00007FFCE8745000-memory.dmp

Filesize
2.0MB

Download
memory/2896-1-0x00007FFCA85D0000-0x00007FFCA85E0000-memory.dmp

Filesize
64KB

Download
memory/2896-15-0x00007FFCE8550000-0x00007FFCE8745000-memory.dmp

Filesize
2.0MB

Download
memory/2896-2-0x00007FFCE8550000-0x00007FFCE8745000-memory.dmp

Filesize
2.0MB

Download
memory/2896-66-0x00007FFCE8550000-0x00007FFCE8745000-memory.dmp

Filesize
2.0MB

Download
memory/2896-67-0x00007FFCE8550000-0x00007FFCE8745000-memory.dmp

Filesize
2.0MB

Download
memory/2896-17-0x00007FFCE8550000-0x00007FFCE8745000-memory.dmp

Filesize
2.0MB

Download
memory/2896-16-0x00007FFCE8550000-0x00007FFCE8745000-memory.dmp

Filesize
2.0MB

Download
memory/2896-14-0x00007FFCA63C0000-0x00007FFCA63D0000-memory.dmp

Filesize
64KB

Download
memory/2896-13-0x00007FFCE8550000-0x00007FFCE8745000-memory.dmp

Filesize
2.0MB

Download
memory/2896-12-0x00007FFCA63C0000-0x00007FFCA63D0000-memory.dmp

Filesize
64KB

Download
memory/2896-11-0x00007FFCE8550000-0x00007FFCE8745000-memory.dmp

Filesize
2.0MB

Download
memory/2896-10-0x00007FFCE8550000-0x00007FFCE8745000-memory.dmp

Filesize
2.0MB

Download
memory/2896-9-0x00007FFCE8550000-0x00007FFCE8745000-memory.dmp

Filesize
2.0MB

Download
memory/2896-5-0x00007FFCE8550000-0x00007FFCE8745000-memory.dmp

Filesize
2.0MB

Download
memory/2896-8-0x00007FFCE8550000-0x00007FFCE8745000-memory.dmp

Filesize
2.0MB

Download
memory/2896-121-0x00007FFCE8550000-0x00007FFCE8745000-memory.dmp

Filesize
2.0MB

Download