bd1d2e0fc5a13b960fc305b05497e9c0d6e31137ed831a0d7523cea5cdaa50d3

Analysis

max time kernel
102s
max time network
116s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
23/02/2024, 11:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

solicitud de cotizaci�n909#.xls
Size

374KB
MD5

fa3267601e7ae603efa62bae7e8e5ab5
SHA1

5d16d6cf76984e6f228aa737ade7a0194e19dcb1
SHA256

bd1d2e0fc5a13b960fc305b05497e9c0d6e31137ed831a0d7523cea5cdaa50d3
SHA512

8f3f9c2453f3a8e2c94d2a4cf7cf5619c9ecdb669c4543a7ebdc5b88ccc5e84819ce31608ce4bef29369cbb3dfb94a995c36dba4a48fea47c0cef8bf543adfb6
SSDEEP

6144:PC5zvCp4sJgtouzdDHBMixiMK6G+ZFrTgT1WWnJaFBxe+PREJqE2QxxGl74:PC5bCfgtomdjpozwjT2kWcPc+PEqEj

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3648	EXCEL.EXE
4232	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeAuditPrivilege	4232	WINWORD.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3648	EXCEL.EXE
3648	EXCEL.EXE
3648	EXCEL.EXE
3648	EXCEL.EXE
3648	EXCEL.EXE
3648	EXCEL.EXE
3648	EXCEL.EXE
3648	EXCEL.EXE
4232	WINWORD.EXE
4232	WINWORD.EXE
4232	WINWORD.EXE
4232	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4232 wrote to memory of 4676	4232	WINWORD.EXE	96
PID 4232 wrote to memory of 4676	4232	WINWORD.EXE	96

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\solicitud de cotizaci�n909#.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3648

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4232
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:4676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
c759c2be632ad5d62f455ccaba0cafe2

SHA1
7379c7b105e8d3c30fe2cd156302be43033d1c80

SHA256
26a3fb2cbb7fc57f40f35769d8b074f523806a5d11d196d692090f2c7d9dbff9

SHA512
cc258302d4f7589530c2bb3640fbbbe9e19bbc4cf7b059dee02128d3db663503143dba632802a3953a270657d20da5928c80a41bb73da6098a8f309796af5922

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
85eae61dc837906c49c6cc99115553f3

SHA1
39da539bb48e0bfd7593c88b961de3579d216f7e

SHA256
6f6beaa34042a42e6c278bb5129bde8872c5d090a033583c3469607fe4117624

SHA512
10b7c64e1921c0dc659deaac6f57142bbc356bf5e8ad82a1de599333dd5baa59a0b507eb8b4d2c465cdfb2189db1a2182471eae349f22cc0e444343bbb479cc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\AYZZE35H\afterhergafteroldfuckupbysomeonetointernationalloverfailuretounderstandhowfasterthenbeforetoundrser[1].doc

Filesize
67KB

MD5
c4701f6b6cb718b6eb6a7e17ad33824b

SHA1
a5e8f793dc6cff3243395b231bec53fe74812bb7

SHA256
dd12871d16f6295e4d41da4b96a12e0c4e9b63a9faf9627520ef04070bce7c92

SHA512
ed7b205584e374b24331959409fb35c4875ac6334d3e2931e4984d203f1c00ed69fb8103796e4b19b75fa13cd9bb7ea53dce341872ecbddda56ec84c7f30e3a7

Download Submit
memory/3648-11-0x00007FFD7E260000-0x00007FFD7E270000-memory.dmp

Filesize
64KB

Download
memory/3648-1-0x00007FFD80950000-0x00007FFD80960000-memory.dmp

Filesize
64KB

Download
memory/3648-4-0x00007FFDC08D0000-0x00007FFDC0AC5000-memory.dmp

Filesize
2.0MB

Download
memory/3648-6-0x00007FFDC08D0000-0x00007FFDC0AC5000-memory.dmp

Filesize
2.0MB

Download
memory/3648-7-0x00007FFD80950000-0x00007FFD80960000-memory.dmp

Filesize
64KB

Download
memory/3648-9-0x00007FFDC08D0000-0x00007FFDC0AC5000-memory.dmp

Filesize
2.0MB

Download
memory/3648-8-0x00007FFDC08D0000-0x00007FFDC0AC5000-memory.dmp

Filesize
2.0MB

Download
memory/3648-10-0x00007FFDC08D0000-0x00007FFDC0AC5000-memory.dmp

Filesize
2.0MB

Download
memory/3648-12-0x00007FFDC08D0000-0x00007FFDC0AC5000-memory.dmp

Filesize
2.0MB

Download
memory/3648-0-0x00007FFD80950000-0x00007FFD80960000-memory.dmp

Filesize
64KB

Download
memory/3648-13-0x00007FFDC08D0000-0x00007FFDC0AC5000-memory.dmp

Filesize
2.0MB

Download
memory/3648-14-0x00007FFDC08D0000-0x00007FFDC0AC5000-memory.dmp

Filesize
2.0MB

Download
memory/3648-110-0x00007FFD80950000-0x00007FFD80960000-memory.dmp

Filesize
64KB

Download
memory/3648-16-0x00007FFDC08D0000-0x00007FFDC0AC5000-memory.dmp

Filesize
2.0MB

Download
memory/3648-17-0x00007FFDC08D0000-0x00007FFDC0AC5000-memory.dmp

Filesize
2.0MB

Download
memory/3648-18-0x00007FFDC08D0000-0x00007FFDC0AC5000-memory.dmp

Filesize
2.0MB

Download
memory/3648-19-0x00007FFDC08D0000-0x00007FFDC0AC5000-memory.dmp

Filesize
2.0MB

Download
memory/3648-20-0x00007FFDC08D0000-0x00007FFDC0AC5000-memory.dmp

Filesize
2.0MB

Download
memory/3648-21-0x00007FFDC08D0000-0x00007FFDC0AC5000-memory.dmp

Filesize
2.0MB

Download
memory/3648-22-0x00007FFDC08D0000-0x00007FFDC0AC5000-memory.dmp

Filesize
2.0MB

Download
memory/3648-23-0x00007FFDC08D0000-0x00007FFDC0AC5000-memory.dmp

Filesize
2.0MB

Download
memory/3648-111-0x00007FFD80950000-0x00007FFD80960000-memory.dmp

Filesize
64KB

Download
memory/3648-5-0x00007FFD80950000-0x00007FFD80960000-memory.dmp

Filesize
64KB

Download
memory/3648-15-0x00007FFD7E260000-0x00007FFD7E270000-memory.dmp

Filesize
64KB

Download
memory/3648-113-0x00007FFDC08D0000-0x00007FFDC0AC5000-memory.dmp

Filesize
2.0MB

Download
memory/3648-112-0x00007FFDC08D0000-0x00007FFDC0AC5000-memory.dmp

Filesize
2.0MB

Download
memory/3648-109-0x00007FFD80950000-0x00007FFD80960000-memory.dmp

Filesize
64KB

Download
memory/3648-108-0x00007FFD80950000-0x00007FFD80960000-memory.dmp

Filesize
64KB

Download
memory/3648-65-0x00007FFDC08D0000-0x00007FFDC0AC5000-memory.dmp

Filesize
2.0MB

Download
memory/3648-64-0x00007FFDC08D0000-0x00007FFDC0AC5000-memory.dmp

Filesize
2.0MB

Download
memory/3648-2-0x00007FFD80950000-0x00007FFD80960000-memory.dmp

Filesize
64KB

Download
memory/3648-3-0x00007FFDC08D0000-0x00007FFDC0AC5000-memory.dmp

Filesize
2.0MB

Download
memory/4232-39-0x00007FFDC08D0000-0x00007FFDC0AC5000-memory.dmp

Filesize
2.0MB

Download
memory/4232-45-0x00007FFDC08D0000-0x00007FFDC0AC5000-memory.dmp

Filesize
2.0MB

Download
memory/4232-32-0x00007FFDC08D0000-0x00007FFDC0AC5000-memory.dmp

Filesize
2.0MB

Download
memory/4232-44-0x00007FFDC08D0000-0x00007FFDC0AC5000-memory.dmp

Filesize
2.0MB

Download
memory/4232-42-0x00007FFDC08D0000-0x00007FFDC0AC5000-memory.dmp

Filesize
2.0MB

Download
memory/4232-46-0x00007FFDC08D0000-0x00007FFDC0AC5000-memory.dmp

Filesize
2.0MB

Download
memory/4232-36-0x00007FFDC08D0000-0x00007FFDC0AC5000-memory.dmp

Filesize
2.0MB

Download
memory/4232-66-0x00007FFDC08D0000-0x00007FFDC0AC5000-memory.dmp

Filesize
2.0MB

Download
memory/4232-41-0x00007FFDC08D0000-0x00007FFDC0AC5000-memory.dmp

Filesize
2.0MB

Download
memory/4232-38-0x00007FFDC08D0000-0x00007FFDC0AC5000-memory.dmp

Filesize
2.0MB

Download
memory/4232-40-0x00007FFDC08D0000-0x00007FFDC0AC5000-memory.dmp

Filesize
2.0MB

Download
memory/4232-30-0x00007FFDC08D0000-0x00007FFDC0AC5000-memory.dmp

Filesize
2.0MB

Download
memory/4232-34-0x00007FFDC08D0000-0x00007FFDC0AC5000-memory.dmp

Filesize
2.0MB

Download
memory/4232-121-0x00007FFDC08D0000-0x00007FFDC0AC5000-memory.dmp

Filesize
2.0MB

Download
memory/4232-122-0x00007FFDC08D0000-0x00007FFDC0AC5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads