Analysis
  max time kernel:  142s
  max time network: 148s
  platform:         windows10-2004_x64
  resource:         win10v2004-20231130-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20231130-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        07-12-2023 16:30
Static task: static1
Behavioral task: behavioral1
  Sample:   Nueva Orden.xls
  Resource: win7-20231025-en
Behavioral task: behavioral2
  Sample:   Nueva Orden.xls
  Resource: win10v2004-20231130-en
General
  Target: Nueva Orden.xls
  Size:   391KB
  MD5:    20d7b7e70ea53065f8f5cbf5f2abde62
  SHA1:   1574428c29f993ba3efa4dca4d7e493cd15bf605
  SHA256: 3936c2bfa7b6ad5e67b8abd8228c633f77302f5f6883162ac8a0f5ae72a24702
  SHA512: 021e165fbb621b8da8d3d2a2b9dea95910c37803dd865f0cb600a837fa1400249d393f7cf1fb2e97872e1eb1c54e157138206ce07c340c9dd375767da55bf41e
  SSDEEP: 12288:UOergqKjij4a3DjM1+UT3A/6IGsIHOgEnVu:UOeDEezjs+UUSnHwn
Malware Config
Signatures
Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: EXCEL.EXE, WINWORD.EXE
  description       | ioc                                                                                  | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
  Key opened        | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                     | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
  Key opened        | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                     | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                | EXCEL.EXE

Enumerates system info in registry (2 TTPs, 6 IoCs)
Processes: EXCEL.EXE, WINWORD.EXE
  description       | ioc                                                       | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU    | EXCEL.EXE
  Key opened        | \REGISTRY\MACHINE\Hardware\Description\System\BIOS              | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU    | WINWORD.EXE
  Key opened        | \REGISTRY\MACHINE\Hardware\Description\System\BIOS              | EXCEL.EXE
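The two registry signatures above ("Checks processor information in registry" and "Enumerates system info in registry"), re-implemented as a detection over registry-access records. This is an added example, not the sandbox's own rule code: the records are constructed from the IoC rows in this report, the event shape is an assumption, the value names beyond ProcessorNameString/~MHz and SystemFamily/SystemSKU are extra fingerprint locations added here, and the two trailing control events are constructed so that the patterns are shown not to match ordinary Office registry reads.

```python
"""Re-implementation of the two registry signatures above (added example).

Not the sandbox's own rule code. Event records are constructed from the IoC
rows in the report; the event shape and the extra value names are assumptions.
"""
import re
from collections import defaultdict
from typing import NamedTuple


class RegEvent(NamedTuple):
    op: str        # "Key opened" or "Key value queried"
    path: str      # native (\REGISTRY\MACHINE\...) path, as the report prints it
    process: str
    pid: int


# Native-format key paths commonly read to fingerprint a VM/sandbox. Matching is
# case-insensitive because the same key appears both as "HARDWARE\DESCRIPTION"
# and as "Hardware\Description" in the report. Assumption: value names other
# than ProcessorNameString/~MHz and SystemFamily/SystemSKU were added here.
SIGNATURES = {
    "Checks processor information in registry": re.compile(
        r"^\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\SYSTEM\\CENTRALPROCESSOR\\\d+"
        r"(\\(PROCESSORNAMESTRING|~MHZ|IDENTIFIER|VENDORIDENTIFIER))?$",
        re.IGNORECASE,
    ),
    "Enumerates system info in registry": re.compile(
        r"^\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\SYSTEM\\BIOS"
        r"(\\(SYSTEMFAMILY|SYSTEMSKU|SYSTEMMANUFACTURER|SYSTEMPRODUCTNAME|BIOSVENDOR|BIOSVERSION))?$",
        re.IGNORECASE,
    ),
}


def match_signatures(events):
    """Return {signature name: [events that hit it]}, keeping input order."""
    hits = defaultdict(list)
    for ev in events:
        for name, pattern in SIGNATURES.items():
            if pattern.match(ev.path):
                hits[name].append(ev)
    return dict(hits)


def summarize(events):
    """Collapse hits into the report's shape: IoC count and processes per signature."""
    return {
        name: {"iocs": len(evs), "processes": sorted({e.process for e in evs})}
        for name, evs in match_signatures(events).items()
    }


CPU = r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0"
BIOS = r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS"

# Constructed from the report's twelve IoC rows, plus two ordinary Office reads
# (constructed controls) that must NOT trigger either signature.
SAMPLE_EVENTS = [
    RegEvent("Key value queried", CPU + r"\ProcessorNameString", "EXCEL.EXE", 1400),
    RegEvent("Key opened", r"\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0", "WINWORD.EXE", 4936),
    RegEvent("Key value queried", CPU + r"\~MHz", "WINWORD.EXE", 4936),
    RegEvent("Key value queried", CPU + r"\ProcessorNameString", "WINWORD.EXE", 4936),
    RegEvent("Key opened", r"\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0", "EXCEL.EXE", 1400),
    RegEvent("Key value queried", CPU + r"\~MHz", "EXCEL.EXE", 1400),
    RegEvent("Key value queried", BIOS + r"\SystemFamily", "EXCEL.EXE", 1400),
    RegEvent("Key value queried", BIOS + r"\SystemSKU", "EXCEL.EXE", 1400),
    RegEvent("Key opened", r"\REGISTRY\MACHINE\Hardware\Description\System\BIOS", "WINWORD.EXE", 4936),
    RegEvent("Key value queried", BIOS + r"\SystemFamily", "WINWORD.EXE", 4936),
    RegEvent("Key value queried", BIOS + r"\SystemSKU", "WINWORD.EXE", 4936),
    RegEvent("Key opened", r"\REGISTRY\MACHINE\Hardware\Description\System\BIOS", "EXCEL.EXE", 1400),
    RegEvent("Key opened", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Office\16.0\Common", "EXCEL.EXE", 1400),
    RegEvent("Key opened", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion", "WINWORD.EXE", 4936),
]

if __name__ == "__main__":
    for name, info in summarize(SAMPLE_EVENTS).items():
        print(f"{name}: {info['iocs']} IoCs from {', '.join(info['processes'])}")
```

Run on the constructed records this reproduces the report's counts (6 IoCs each, from EXCEL.EXE and WINWORD.EXE) and ignores the two control events. Note that both processes here are the Office binaries themselves, so a hit tells you which host process performed the read, not what code inside it asked for it; treat these signatures as context to correlate with the process tree and dropped files, not as a verdict on their own.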
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes: EXCEL.EXE, WINWORD.EXE
  pid  | process
  1400 | EXCEL.EXE
  4936 | WINWORD.EXE

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: WINWORD.EXE
  description             | pid  | process
  Token: SeAuditPrivilege | 4936 | WINWORD.EXE

Suspicious use of SetWindowsHookEx (12 IoCs)
Processes: EXCEL.EXE, WINWORD.EXE
  pid  | process     | hits
  1400 | EXCEL.EXE   | 8
  4936 | WINWORD.EXE | 4

Suspicious use of WriteProcessMemory (2 IoCs)
Processes: WINWORD.EXE
  description                    | pid  | process     | target process
  PID 4936 wrote to memory of 4016 | 4936 | WINWORD.EXE | splwow64.exe
  PID 4936 wrote to memory of 4016 | 4936 | WINWORD.EXE | splwow64.exe
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE  (PID 1400, depth 1)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Nueva Orden.xls"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE  (PID 4936, depth 1)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
  (-Embedding is the switch COM passes when it activates Word as an OLE server, i.e. Word was started for an embedded object, not by the user)
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\splwow64.exe  (PID 4016, depth 2, child of WINWORD.EXE)
    Command line: C:\Windows\splwow64.exe 12288

C:\Windows\system32\svchost.exe  (PID 8, depth 1)
  Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187
  Filesize: 471B
  MD5:    f4753a8b6608192bc45622d050f66ac7
  SHA1:   77dd778225700e5f8af168f320a8398a1ac2f3f1
  SHA256: d55f92fe3e4fb2adff9eba7cc9a86f835069648a5b08452e4b772241631fd318
  SHA512: 8248ca77161b3cde32e203dd2927f31929b20bb998a52856c359c964472cf1e6728a7e26e634fbefe1a3762f1e295b44d4fa5bd5384e3d67557ebc323062e70d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187
  Filesize: 412B
  MD5:    4f87785ade03edf38f99b8a073db9676
  SHA1:   2a181ad56edc23b7601e836223c8d577b6085e5f
  SHA256: 297c5f354527eaebf030116e227499c4754eb34ca9107717b24f34d4734c0266
  SHA512: eb67ae4d8236ee7d9a0ffa07067030e97893b27f0754a900d80bf39b98a5c8a92346e335bafd3ea1236eab54ef08841cf1b8db1f0f8e4f9a53b3e6bd380568db

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\6DC7B3D5-1C6B-4DD2-A7EE-D6843FD47A52
  Filesize: 158KB
  MD5:    81da5f41e778e98399148d25654f271c
  SHA1:   6e9beae7634636253905fe32b2a5e96e24fefa25
  SHA256: 99c5ae6881a3106653cafbcab8715b71108496e2e033bdfcfa6634809bd63593
  SHA512: a1e09a7019e925874bf9875ed295de9142317db28ad2f083ce39c87fae414a18b0366609709c2cb42922e1d9d9fac0606d2f68e4ee5f542ce918274fbe2eeb55

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
  Filesize: 2KB
  MD5:    440403270a9e470178dca121f0eae84a
  SHA1:   b0bcb513f5ae9cc91aa462cee5e2c7906b678b49
  SHA256: 56226e283a785477dceb24898536ffacd864453c61a514f968a9c9a2b529e0df
  SHA512: 666755ff1436bf7bc3c24e54a0d22f76afc0d5845b2f96115a2553cc1261cd2664f70d86a29d36e9cb0dcd51d3d2423e2c5fe9a59e70d976284dd2d24ad49133

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
  Filesize: 2KB
  MD5:    9c150b3c93e9d06325411577a8832f15
  SHA1:   8ac8e6f3458576c1e7203081fa4a9ffd2eac7a4f
  SHA256: 12d50175e990a7e17924a60063f1c19ede17d0aca6dab2f1df90bdd3faafce13
  SHA512: 371753e74030e5757bbde424296eec49b80e087eeca09e489db216ae2fae373e73d359184ceebf7ab8c6e5d649f4682635d47a14d77c9b9a8a549ebe76e1749c

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\MJXP699G\newmicrosoftunderstandhowimportanttodeletehistorycookiecacheeverythingfromthepc[1].doc
  Filesize: 53KB
  MD5:    460857b142873aecf2a7fb03c03ad16c
  SHA1:   7dea4f943df7b874475531318592f3a7cee39119
  SHA256: ec4035e087e6bfb7e4ed8de073512ff89c251a322b228ccf60dd96ff43c7f63a
  SHA512: a4b4df83a88c7af7e25f5d94efb24c077112659fb91bd9eb53994eb55f506871d33c4efefc62b39b2abab42fd8074c30196d9761de028e968f5b8d992f235889