Analysis
- max time kernel: 142s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20231127-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-12-2023 14:17
Static task: static1
Behavioral task: behavioral1
- Sample: Orden de compra.xls
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: Orden de compra.xls
- Resource: win10v2004-20231127-en
General
- Target: Orden de compra.xls
- Size: 391KB
- MD5: 84129445f6446d089445dbe993224dcd
- SHA1: 7e8ccd59f7484ca6e2701404ff8c77182cba2dce
- SHA256: 3eb49f3cd7bdc676ac5b8f46c9ff956717275b7dd7ab90fbea3e3fe3fbaae576
- SHA512: 47ebc4e589bc797896727857c91d6e6f6c3ee99b5e41cae7f4336e1fe643f6da3d436bc5edba234af31e419b82d337e03904b293b36fa3a245b1bd3cf6caadce
- SSDEEP: 6144:YDn1m9kdbaG3mU+ZKy4ij4a3DjKcUX1edr1aqizRBfqGudZFAW6ffPPXC53EE:YDOeuiqKjij4a3DjM1ehMvmFC3Xq3EE
Malware Config
Signatures
- Checks processor information in registry (2 TTPs, 6 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: EXCEL.EXE, WINWORD.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
- Enumerates system info in registry (2 TTPs, 6 IoCs)
  Processes: EXCEL.EXE, WINWORD.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes: EXCEL.EXE, WINWORD.EXE
  pid | process
  2896 | EXCEL.EXE
  2456 | WINWORD.EXE
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: WINWORD.EXE
  description | pid | process
  Token: SeAuditPrivilege | 2456 | WINWORD.EXE
- Suspicious use of SetWindowsHookEx (12 IoCs)
  Processes: EXCEL.EXE, WINWORD.EXE
  pid | process
  2896 | EXCEL.EXE (8 occurrences)
  2456 | WINWORD.EXE (4 occurrences)
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: WINWORD.EXE
  description | pid | process | target process
  PID 2456 wrote to memory of 664 | 2456 | WINWORD.EXE | splwow64.exe
  PID 2456 wrote to memory of 664 | 2456 | WINWORD.EXE | splwow64.exe
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
- Uses Volume Shadow Copy WMI provider
  The Volume Shadow Copy service is used to manage backups/snapshots.
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Orden de compra.xls"
  PID: 2896
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
  PID: 2456
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\splwow64.exe (child of WINWORD.EXE)
    Command line: C:\Windows\splwow64.exe 12288
    PID: 664
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
  PID: 4792
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\CA77C4EB-DDAA-40D8-BFEF-DBF780DA0C58
  Filesize: 157KB
  MD5: 2b8e98034942358f57900f904c93daea
  SHA1: 623b8a427ba491165eb97bf7a8c96557c059b435
  SHA256: 41f6549947b7e2b381ebf389426b9f6e600043bff2bf116a210a54645bcc013e
  SHA512: 864d27ac90322308dd4366856463afb8ca2cc10ab41125e9a23b9bd8ef3a9861a7a977c76d4d363fc751a6d693de5b95fb2248673fae86e5c7df1d14fa7c95a3
- C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
  Filesize: 2KB
  MD5: 4e56943a85de0dcf7786a2cf87ed5592
  SHA1: 12fd0664cf2330991cba21656d3a1407dd53dab7
  SHA256: 08c6d4d67a53d25d5cfed1a2df0387fa08f7952c7f50e6aad1dc07107c7123ec
  SHA512: bb1a722b60caa4b2c00bcd0d5b01f83b882143240aa1be4c59adf9e484e392fd131ae7882a85e3fd63c1e908006266d0b244e1cf8076cd1d14bfae9ac9d2723b
- C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
  Filesize: 2KB
  MD5: e8bad03e7fe61df2688eaf1457cffd5a
  SHA1: bec9f38048e6dd6937df7e3d90e1fae71122a5e7
  SHA256: 1a39cd898bd93e7596f9ba358a33a282a02e8c92d8d3be521ff8e0a2d613923b
  SHA512: f6c79fa97e88a310a80caf0a21be4e6bf6b6b84c4e2b3404cb2258c0c271e13827dbdb683af86e0eff72e85e2d687db3aed2aec2c9dec1de255e77401367e891
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\JRPRPPGG\microsoftdetecthistorycachecookieentirethingsfromthepcfordelete[1].doc
  Filesize: 66KB
  MD5: 3257e76f6fd7ccf389feb54fd83653a3
  SHA1: 0f567d839141d2e9b0ed8c7be435ca8eb50c3727
  SHA256: 5d14534b002980d390f30c6b970b17a3b4b6855c817b5703cd9a87291448144d
  SHA512: 226c6eae6d86b07d1bfbaf482c52267b63f423c5fb8474dd3b60978b116ffd90d5f6d5b38291a01afeee1d392c71d79103efd58d8d2e1870dd9c3cdd94d4664c