3936c2bfa7b6ad5e67b8abd8228c633f77302f5f6883162ac8a0f5ae72a24702

Analysis

max time kernel
142s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231130-en
resource tags

arch:x64arch:x86image:win10v2004-20231130-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2023 16:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nueva Orden.xls
Size

391KB
MD5

20d7b7e70ea53065f8f5cbf5f2abde62
SHA1

1574428c29f993ba3efa4dca4d7e493cd15bf605
SHA256

3936c2bfa7b6ad5e67b8abd8228c633f77302f5f6883162ac8a0f5ae72a24702
SHA512

021e165fbb621b8da8d3d2a2b9dea95910c37803dd865f0cb600a837fa1400249d393f7cf1fb2e97872e1eb1c54e157138206ce07c340c9dd375767da55bf41e
SSDEEP

12288:UOergqKjij4a3DjM1+UT3A/6IGsIHOgEnVu:UOeDEezjs+UUSnHwn

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

1400 EXCEL.EXE
4936 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WINWORD.EXE

description pid process

Token: SeAuditPrivilege 4936 WINWORD.EXE

description	pid	process
Token: SeAuditPrivilege	4936	WINWORD.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid	process
1400	EXCEL.EXE
1400	EXCEL.EXE
1400	EXCEL.EXE
1400	EXCEL.EXE
1400	EXCEL.EXE
1400	EXCEL.EXE
1400	EXCEL.EXE
1400	EXCEL.EXE
4936	WINWORD.EXE
4936	WINWORD.EXE
4936	WINWORD.EXE
4936	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 4936 wrote to memory of 4016	4936	WINWORD.EXE	splwow64.exe
PID 4936 wrote to memory of 4016	4936	WINWORD.EXE	splwow64.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Nueva Orden.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1400

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4936

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:4016

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:8

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Filesize
471B

MD5
f4753a8b6608192bc45622d050f66ac7

SHA1
77dd778225700e5f8af168f320a8398a1ac2f3f1

SHA256
d55f92fe3e4fb2adff9eba7cc9a86f835069648a5b08452e4b772241631fd318

SHA512
8248ca77161b3cde32e203dd2927f31929b20bb998a52856c359c964472cf1e6728a7e26e634fbefe1a3762f1e295b44d4fa5bd5384e3d67557ebc323062e70d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Filesize
412B

MD5
4f87785ade03edf38f99b8a073db9676

SHA1
2a181ad56edc23b7601e836223c8d577b6085e5f

SHA256
297c5f354527eaebf030116e227499c4754eb34ca9107717b24f34d4734c0266

SHA512
eb67ae4d8236ee7d9a0ffa07067030e97893b27f0754a900d80bf39b98a5c8a92346e335bafd3ea1236eab54ef08841cf1b8db1f0f8e4f9a53b3e6bd380568db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\6DC7B3D5-1C6B-4DD2-A7EE-D6843FD47A52

Filesize
158KB

MD5
81da5f41e778e98399148d25654f271c

SHA1
6e9beae7634636253905fe32b2a5e96e24fefa25

SHA256
99c5ae6881a3106653cafbcab8715b71108496e2e033bdfcfa6634809bd63593

SHA512
a1e09a7019e925874bf9875ed295de9142317db28ad2f083ce39c87fae414a18b0366609709c2cb42922e1d9d9fac0606d2f68e4ee5f542ce918274fbe2eeb55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
440403270a9e470178dca121f0eae84a

SHA1
b0bcb513f5ae9cc91aa462cee5e2c7906b678b49

SHA256
56226e283a785477dceb24898536ffacd864453c61a514f968a9c9a2b529e0df

SHA512
666755ff1436bf7bc3c24e54a0d22f76afc0d5845b2f96115a2553cc1261cd2664f70d86a29d36e9cb0dcd51d3d2423e2c5fe9a59e70d976284dd2d24ad49133

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
9c150b3c93e9d06325411577a8832f15

SHA1
8ac8e6f3458576c1e7203081fa4a9ffd2eac7a4f

SHA256
12d50175e990a7e17924a60063f1c19ede17d0aca6dab2f1df90bdd3faafce13

SHA512
371753e74030e5757bbde424296eec49b80e087eeca09e489db216ae2fae373e73d359184ceebf7ab8c6e5d649f4682635d47a14d77c9b9a8a549ebe76e1749c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\MJXP699G\newmicrosoftunderstandhowimportanttodeletehistorycookiecacheeverythingfromthepc[1].doc

Filesize
53KB

MD5
460857b142873aecf2a7fb03c03ad16c

SHA1
7dea4f943df7b874475531318592f3a7cee39119

SHA256
ec4035e087e6bfb7e4ed8de073512ff89c251a322b228ccf60dd96ff43c7f63a

SHA512
a4b4df83a88c7af7e25f5d94efb24c077112659fb91bd9eb53994eb55f506871d33c4efefc62b39b2abab42fd8074c30196d9761de028e968f5b8d992f235889

Download Submit
memory/1400-20-0x00007FFAAADF0000-0x00007FFAAAFE5000-memory.dmp

Filesize
2.0MB

Download
memory/1400-8-0x00007FFAAADF0000-0x00007FFAAAFE5000-memory.dmp

Filesize
2.0MB

Download
memory/1400-10-0x00007FFAAADF0000-0x00007FFAAAFE5000-memory.dmp

Filesize
2.0MB

Download
memory/1400-13-0x00007FFAAADF0000-0x00007FFAAAFE5000-memory.dmp

Filesize
2.0MB

Download
memory/1400-17-0x00007FFAAADF0000-0x00007FFAAAFE5000-memory.dmp

Filesize
2.0MB

Download
memory/1400-18-0x00007FFAAADF0000-0x00007FFAAAFE5000-memory.dmp

Filesize
2.0MB

Download
memory/1400-19-0x00007FFAAADF0000-0x00007FFAAAFE5000-memory.dmp

Filesize
2.0MB

Download
memory/1400-0-0x00007FFA6AE70000-0x00007FFA6AE80000-memory.dmp

Filesize
64KB

Download
memory/1400-16-0x00007FFA68720000-0x00007FFA68730000-memory.dmp

Filesize
64KB

Download
memory/1400-15-0x00007FFAAADF0000-0x00007FFAAAFE5000-memory.dmp

Filesize
2.0MB

Download
memory/1400-14-0x00007FFAAADF0000-0x00007FFAAAFE5000-memory.dmp

Filesize
2.0MB

Download
memory/1400-12-0x00007FFA68720000-0x00007FFA68730000-memory.dmp

Filesize
64KB

Download
memory/1400-11-0x00007FFAAADF0000-0x00007FFAAAFE5000-memory.dmp

Filesize
2.0MB

Download
memory/1400-7-0x00007FFA6AE70000-0x00007FFA6AE80000-memory.dmp

Filesize
64KB

Download
memory/1400-1-0x00007FFA6AE70000-0x00007FFA6AE80000-memory.dmp

Filesize
64KB

Download
memory/1400-125-0x00007FFAAADF0000-0x00007FFAAAFE5000-memory.dmp

Filesize
2.0MB

Download
memory/1400-73-0x00007FFAAADF0000-0x00007FFAAAFE5000-memory.dmp

Filesize
2.0MB

Download
memory/1400-72-0x00007FFAAADF0000-0x00007FFAAAFE5000-memory.dmp

Filesize
2.0MB

Download
memory/1400-3-0x00007FFAAADF0000-0x00007FFAAAFE5000-memory.dmp

Filesize
2.0MB

Download
memory/1400-4-0x00007FFAAADF0000-0x00007FFAAAFE5000-memory.dmp

Filesize
2.0MB

Download
memory/1400-2-0x00007FFA6AE70000-0x00007FFA6AE80000-memory.dmp

Filesize
64KB

Download
memory/1400-6-0x00007FFAAADF0000-0x00007FFAAAFE5000-memory.dmp

Filesize
2.0MB

Download
memory/1400-5-0x00007FFA6AE70000-0x00007FFA6AE80000-memory.dmp

Filesize
64KB

Download
memory/1400-9-0x00007FFAAADF0000-0x00007FFAAAFE5000-memory.dmp

Filesize
2.0MB

Download
memory/4936-46-0x00007FFAAADF0000-0x00007FFAAAFE5000-memory.dmp

Filesize
2.0MB

Download
memory/4936-38-0x00007FFAAADF0000-0x00007FFAAAFE5000-memory.dmp

Filesize
2.0MB

Download
memory/4936-50-0x00007FFAAADF0000-0x00007FFAAAFE5000-memory.dmp

Filesize
2.0MB

Download
memory/4936-47-0x00007FFAAADF0000-0x00007FFAAAFE5000-memory.dmp

Filesize
2.0MB

Download
memory/4936-48-0x00007FFAAADF0000-0x00007FFAAAFE5000-memory.dmp

Filesize
2.0MB

Download
memory/4936-45-0x00007FFAAADF0000-0x00007FFAAAFE5000-memory.dmp

Filesize
2.0MB

Download
memory/4936-43-0x00007FFAAADF0000-0x00007FFAAAFE5000-memory.dmp

Filesize
2.0MB

Download
memory/4936-40-0x00007FFAAADF0000-0x00007FFAAAFE5000-memory.dmp

Filesize
2.0MB

Download
memory/4936-44-0x00007FFAAADF0000-0x00007FFAAAFE5000-memory.dmp

Filesize
2.0MB

Download
memory/4936-42-0x00007FFAAADF0000-0x00007FFAAAFE5000-memory.dmp

Filesize
2.0MB

Download
memory/4936-39-0x00007FFAAADF0000-0x00007FFAAAFE5000-memory.dmp

Filesize
2.0MB

Download
memory/4936-51-0x00007FFAAADF0000-0x00007FFAAAFE5000-memory.dmp

Filesize
2.0MB

Download
memory/4936-36-0x00007FFAAADF0000-0x00007FFAAAFE5000-memory.dmp

Filesize
2.0MB

Download
memory/4936-34-0x00007FFAAADF0000-0x00007FFAAAFE5000-memory.dmp

Filesize
2.0MB

Download
memory/4936-29-0x00007FFAAADF0000-0x00007FFAAAFE5000-memory.dmp

Filesize
2.0MB

Download
memory/4936-32-0x00007FFAAADF0000-0x00007FFAAAFE5000-memory.dmp

Filesize
2.0MB

Download
memory/4936-74-0x00007FFAAADF0000-0x00007FFAAAFE5000-memory.dmp

Filesize
2.0MB

Download
memory/4936-112-0x00007FFA6AE70000-0x00007FFA6AE80000-memory.dmp

Filesize
64KB

Download
memory/4936-113-0x00007FFA6AE70000-0x00007FFA6AE80000-memory.dmp

Filesize
64KB

Download
memory/4936-114-0x00007FFA6AE70000-0x00007FFA6AE80000-memory.dmp

Filesize
64KB

Download
memory/4936-115-0x00007FFA6AE70000-0x00007FFA6AE80000-memory.dmp

Filesize
64KB

Download
memory/4936-117-0x00007FFAAADF0000-0x00007FFAAAFE5000-memory.dmp

Filesize
2.0MB

Download
memory/4936-116-0x00007FFAAADF0000-0x00007FFAAAFE5000-memory.dmp

Filesize
2.0MB

Download
memory/4936-30-0x00007FFAAADF0000-0x00007FFAAAFE5000-memory.dmp

Filesize
2.0MB

Download