ac07988ba9649741c59d16698f8c33295b3ff7943eeccbafe6f988e3e3c10908

Analysis

max time kernel
1s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231130-en
resource tags

arch:x64arch:x86image:win10v2004-20231130-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2023 16:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

orden de compra.xls
Size

391KB
MD5

060f999d180fb2c37059815ebd76e38e
SHA1

605c01289d5b683a3d5b5eb17ebef72bfc388f91
SHA256

ac07988ba9649741c59d16698f8c33295b3ff7943eeccbafe6f988e3e3c10908
SHA512

a4449aa855a6426106516bf11499902f402ed4589fa7f11e628fec9efbcd6b8a6fcabdfb02d2fe3bf20a41889c734538e77194a011112b4dc06ae94e6b9c066e
SSDEEP

6144:Vn1m9kdbXgb8y3ZetJs0hdMJUXTdU5u/LbquQFBql4yUhNttSMS6EgU0rh:VOesblwtqSdLTdoaNQO6hQX+h

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2992	EXCEL.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2992	EXCEL.EXE
2992	EXCEL.EXE
2992	EXCEL.EXE
2992	EXCEL.EXE
2992	EXCEL.EXE
2992	EXCEL.EXE
2992	EXCEL.EXE
2992	EXCEL.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\orden de compra.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2992

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
PID:5096
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:3280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Filesize
471B

MD5
f4753a8b6608192bc45622d050f66ac7

SHA1
77dd778225700e5f8af168f320a8398a1ac2f3f1

SHA256
d55f92fe3e4fb2adff9eba7cc9a86f835069648a5b08452e4b772241631fd318

SHA512
8248ca77161b3cde32e203dd2927f31929b20bb998a52856c359c964472cf1e6728a7e26e634fbefe1a3762f1e295b44d4fa5bd5384e3d67557ebc323062e70d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Filesize
412B

MD5
82c508caeb6f9f0d6023e2b6276d76cf

SHA1
4bcb199cd1640b0744c4fd279f2b75b005321ab0

SHA256
cb13f3828355e03a71b64e0608af8c7e8129dcaa0d9063e2c6cddc001874e3bc

SHA512
3ba4bf3cda5a45ec0072a5426aa9ecc6ea599f0b8641e2ab7f2605faec2f486e4c290a6b991930bc8e58279f9f451c69d4d6f955aff8310fcb291346fc627836

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\E3246B7F-541A-4A4A-ABCB-3D1194CAB765

Filesize
158KB

MD5
b0df96ab3292153695d153531015847f

SHA1
f7ac497aa1e7817fd2628c8527026a5aabc1a55c

SHA256
3b590da58bae7a37ba09a456f7f8f8911322d250eabe6a9bebf207b619183228

SHA512
da424bd59e908c08b087bfd8e4520f800bd3bf957402a92c13ac8a955b3357a45ff5d4f8ad563932eba11070fd33c63d45750abd7ade56747647b4029366a520

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
88c8dcc6e463b4f5b5d0f06e7e34c4c5

SHA1
efc08370b3cf84abcb6bcfdf50a75f2f182d7bad

SHA256
cae6755522baf1f1cd103ac19070933458ee6756428d91f584941648b022dc5f

SHA512
a9b2733eb2c770c44cae97d9329c952fc8c4824d6587720bf827ec9f80de2acc5f400aad78af61ba001763346f3f8d7c7aeacb3cc6a9be14fa7814c3c1ca57a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
1eee4586ea55678475ed844a6ef707be

SHA1
8b18be2d72395d8a763f77f3ffba4860f4292e4f

SHA256
c0aca9f4a536faacf2be2b21dc4e27432fde2f73d53c730ca9a4505fe5334993

SHA512
6a61a4dca03a6231ea3ed9ee1824b196999b6fa7ea510af4ffe2a66ab8498a980efeabef9effa96ec6c2ee843f1b0cf5bbf49d2448897e3b676672454b4f7431

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\R3HM9TG4\microsoftunderstandwhyneedtodeleteentirehistorycachecookieverything[1].doc

Filesize
59KB

MD5
ed5d8e3f7b96288d349f167b737b0e32

SHA1
d855f8bac1e28f42abe38db048e8839615db1be4

SHA256
f118d7b310e09917603c15c5e6199f0bc04848ff9b3042b04fc8a94720a55d44

SHA512
4b7a378ef8c805342b993129911f020b8a81eaada910329cedab1755177098a46d7c0bdea84451c8fb5801e5a998a8786a0ef57576edca169f55373ff0960037

Download Submit
memory/2992-11-0x00007FFB85C70000-0x00007FFB85C80000-memory.dmp

Filesize
64KB

Download
memory/2992-2-0x00007FFB87CD0000-0x00007FFB87CE0000-memory.dmp

Filesize
64KB

Download
memory/2992-7-0x00007FFBC7C50000-0x00007FFBC7E45000-memory.dmp

Filesize
2.0MB

Download
memory/2992-10-0x00007FFBC7C50000-0x00007FFBC7E45000-memory.dmp

Filesize
2.0MB

Download
memory/2992-12-0x00007FFBC7C50000-0x00007FFBC7E45000-memory.dmp

Filesize
2.0MB

Download
memory/2992-0-0x00007FFB87CD0000-0x00007FFB87CE0000-memory.dmp

Filesize
64KB

Download
memory/2992-6-0x00007FFB87CD0000-0x00007FFB87CE0000-memory.dmp

Filesize
64KB

Download
memory/2992-14-0x00007FFBC7C50000-0x00007FFBC7E45000-memory.dmp

Filesize
2.0MB

Download
memory/2992-15-0x00007FFBC7C50000-0x00007FFBC7E45000-memory.dmp

Filesize
2.0MB

Download
memory/2992-13-0x00007FFBC7C50000-0x00007FFBC7E45000-memory.dmp

Filesize
2.0MB

Download
memory/2992-16-0x00007FFBC7C50000-0x00007FFBC7E45000-memory.dmp

Filesize
2.0MB

Download
memory/2992-17-0x00007FFB85C70000-0x00007FFB85C80000-memory.dmp

Filesize
64KB

Download
memory/2992-19-0x00007FFBC7C50000-0x00007FFBC7E45000-memory.dmp

Filesize
2.0MB

Download
memory/2992-20-0x00007FFBC7C50000-0x00007FFBC7E45000-memory.dmp

Filesize
2.0MB

Download
memory/2992-18-0x00007FFBC7C50000-0x00007FFBC7E45000-memory.dmp

Filesize
2.0MB

Download
memory/2992-116-0x00007FFBC7C50000-0x00007FFBC7E45000-memory.dmp

Filesize
2.0MB

Download
memory/2992-65-0x00007FFBC7C50000-0x00007FFBC7E45000-memory.dmp

Filesize
2.0MB

Download
memory/2992-1-0x00007FFB87CD0000-0x00007FFB87CE0000-memory.dmp

Filesize
64KB

Download
memory/2992-3-0x00007FFBC7C50000-0x00007FFBC7E45000-memory.dmp

Filesize
2.0MB

Download
memory/2992-9-0x00007FFBC7C50000-0x00007FFBC7E45000-memory.dmp

Filesize
2.0MB

Download
memory/2992-5-0x00007FFBC7C50000-0x00007FFBC7E45000-memory.dmp

Filesize
2.0MB

Download
memory/2992-4-0x00007FFB87CD0000-0x00007FFB87CE0000-memory.dmp

Filesize
64KB

Download
memory/2992-8-0x00007FFBC7C50000-0x00007FFBC7E45000-memory.dmp

Filesize
2.0MB

Download
memory/5096-32-0x00007FFBC7C50000-0x00007FFBC7E45000-memory.dmp

Filesize
2.0MB

Download
memory/5096-36-0x00007FFBC7C50000-0x00007FFBC7E45000-memory.dmp

Filesize
2.0MB

Download
memory/5096-39-0x00007FFBC7C50000-0x00007FFBC7E45000-memory.dmp

Filesize
2.0MB

Download
memory/5096-41-0x00007FFBC7C50000-0x00007FFBC7E45000-memory.dmp

Filesize
2.0MB

Download
memory/5096-42-0x00007FFBC7C50000-0x00007FFBC7E45000-memory.dmp

Filesize
2.0MB

Download
memory/5096-37-0x00007FFBC7C50000-0x00007FFBC7E45000-memory.dmp

Filesize
2.0MB

Download
memory/5096-43-0x00007FFBC7C50000-0x00007FFBC7E45000-memory.dmp

Filesize
2.0MB

Download
memory/5096-34-0x00007FFBC7C50000-0x00007FFBC7E45000-memory.dmp

Filesize
2.0MB

Download
memory/5096-40-0x00007FFBC7C50000-0x00007FFBC7E45000-memory.dmp

Filesize
2.0MB

Download
memory/5096-66-0x00007FFBC7C50000-0x00007FFBC7E45000-memory.dmp

Filesize
2.0MB

Download
memory/5096-108-0x00007FFBC7C50000-0x00007FFBC7E45000-memory.dmp

Filesize
2.0MB

Download
memory/5096-107-0x00007FFB87CD0000-0x00007FFB87CE0000-memory.dmp

Filesize
64KB

Download
memory/5096-106-0x00007FFB87CD0000-0x00007FFB87CE0000-memory.dmp

Filesize
64KB

Download
memory/5096-105-0x00007FFB87CD0000-0x00007FFB87CE0000-memory.dmp

Filesize
64KB

Download
memory/5096-104-0x00007FFB87CD0000-0x00007FFB87CE0000-memory.dmp

Filesize
64KB

Download
memory/5096-30-0x00007FFBC7C50000-0x00007FFBC7E45000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads