Analysis

Max time kernel: 59s
Max time network: 26s
Platform: windows11-21h2_x64
Resource: win11-20240221-en
Resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
Submitted: 29-02-2024 22:30
Behavioral task: behavioral1
Sample: informe bancario y motivo del pago rechazado.xls
Resource: win11-20240221-en
General

Target: informe bancario y motivo del pago rechazado.xls (Spanish: "bank report and reason for the rejected payment")
Size: 30KB
MD5: 40e068be98ea0b6ca31af370328840b6
SHA1: 11e7096e6268536aa7e80e6f87c0c7815b067566
SHA256: d7ae9c118c01c6751d64e011c70f601a73cb566df9ab3d43d25e69e30a5d8e4a
SHA512: d7f114e8a91535e98a2ff1c492879ccb9b4979e9cfcfaab612cc80bb88c80f55f15bbc0dfc080175f509dd282c43712b60990dd1eed9cac84d0c4e5283f5a8a9
SSDEEP: 768:grYJUWXzyicoPdTeSGoqfSE8yCFDKPcM6c:grYhX2NATeSlzJqcM
Malware Config
(none shown)

Signatures
Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE, EXCEL.EXE

  description         ioc                                                                                     process
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString    WINWORD.EXE
  Key opened          \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                        EXCEL.EXE
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                   EXCEL.EXE
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString    EXCEL.EXE
  Key opened          \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                        WINWORD.EXE
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                   WINWORD.EXE

Note that the readers here are EXCEL.EXE and WINWORD.EXE themselves, not a process spawned by the document; on its own this signature does not show the document's content probing the sandbox.
Enumerates system info in registry (2 TTPs, 6 IoCs)
Processes: EXCEL.EXE, WINWORD.EXE

  description         ioc                                                          process
  Key opened          \REGISTRY\MACHINE\Hardware\Description\System\BIOS           EXCEL.EXE
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily   EXCEL.EXE
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU      EXCEL.EXE
  Key opened          \REGISTRY\MACHINE\Hardware\Description\System\BIOS           WINWORD.EXE
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily   WINWORD.EXE
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU      WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes: EXCEL.EXE, WINWORD.EXE

  pid    process
  2684   EXCEL.EXE
  4624   WINWORD.EXE
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: WINWORD.EXE

  description               pid    process
  Token: SeAuditPrivilege   4624   WINWORD.EXE
Suspicious use of SetWindowsHookEx (13 IoCs)
Processes: EXCEL.EXE, WINWORD.EXE

  pid    process       occurrences
  2684   EXCEL.EXE     9
  4624   WINWORD.EXE   4
Suspicious use of WriteProcessMemory (2 IoCs)
Processes: WINWORD.EXE

  description                          pid    process       target process
  PID 4624 wrote to memory of 2652     4624   WINWORD.EXE   splwow64.exe
  PID 4624 wrote to memory of 2652     4624   WINWORD.EXE   splwow64.exe

Both writes target the splwow64.exe child that WINWORD.EXE starts (see Processes below). A parent writing into a process it has just created is consistent with ordinary process start-up rather than code injection.
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.

No IoC rows are listed for these three signatures.
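To make the two registry signatures above easier to compare, here is an added Python example (not part of the sandbox report) that takes the IoC rows transcribed from those tables, folds registry-path case, classifies each key as CPU or BIOS fingerprinting, and reports per process which values were actually read and whether any reader other than the Office binaries appears. The CPU/BIOS grouping, the expected-reader set and the function names are this example's own assumptions.

```python
from collections import defaultdict

# IoC rows transcribed from the two registry signatures above:
# (description, registry key, process)
REGISTRY_IOCS = [
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString", "WINWORD.EXE"),
    ("Key opened",        r"\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0", "EXCEL.EXE"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz", "EXCEL.EXE"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString", "EXCEL.EXE"),
    ("Key opened",        r"\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0", "WINWORD.EXE"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz", "WINWORD.EXE"),
    ("Key opened",        r"\REGISTRY\MACHINE\Hardware\Description\System\BIOS", "EXCEL.EXE"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily", "EXCEL.EXE"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU", "EXCEL.EXE"),
    ("Key opened",        r"\REGISTRY\MACHINE\Hardware\Description\System\BIOS", "WINWORD.EXE"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily", "WINWORD.EXE"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU", "WINWORD.EXE"),
]

HIVE_PREFIX = "\\registry\\machine\\hardware\\description"

# Assumption of this example: which HARDWARE\DESCRIPTION subtrees count as
# CPU versus firmware fingerprinting (matched against the lower-cased path
# after HIVE_PREFIX has been removed).
FINGERPRINT_SUBTREES = {
    "cpu":  "\\system\\centralprocessor\\",
    "bios": "\\system\\bios",
}

# The processes the report attributes these reads to. Anything else reading
# the same keys would be worth a closer look.
EXPECTED_READERS = {"EXCEL.EXE", "WINWORD.EXE"}


def normalize_key(key):
    """Registry paths are case-insensitive, and the report mixes
    HARDWARE\\DESCRIPTION with Hardware\\Description. Lower-case the path
    and drop the hive prefix so both spellings compare equal."""
    k = key.lower()
    return k[len(HIVE_PREFIX):] if k.startswith(HIVE_PREFIX) else k


def classify(key):
    """Return 'cpu', 'bios', or None for a registry path."""
    k = normalize_key(key)
    for label, needle in FINGERPRINT_SUBTREES.items():
        if needle in k:
            return label
    return None


def summarize(iocs):
    """Per process: the fingerprint classes touched and the value names that
    were actually read ("Key value queried"), ignoring bare key opens."""
    classes = defaultdict(set)
    values = defaultdict(set)
    for description, key, process in iocs:
        label = classify(key)
        if label is None:
            continue
        classes[process].add(label)
        if description == "Key value queried":
            values[process].add(normalize_key(key).rsplit("\\", 1)[-1])
    return {p: {"classes": sorted(classes[p]), "values": sorted(values[p])}
            for p in classes}


def unexpected_readers(summary, expected=EXPECTED_READERS):
    """Processes in the summary that are not the Office binaries themselves."""
    return sorted(p for p in summary if p not in expected)


if __name__ == "__main__":
    report = summarize(REGISTRY_IOCS)
    for process, info in report.items():
        print(process, info["classes"], info["values"])
    print("unexpected readers:", unexpected_readers(report))
```

Run against this report, both Office processes come out with an identical profile (ProcessorNameString, ~MHz, SystemFamily, SystemSKU) and no reader outside the expected set, which is the first thing to check before treating the "sandbox detection" signature as evidence about the document rather than about Office.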
Processes

EXCEL.EXE (PID 2684)
  "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\informe bancario y motivo del pago rechazado.xls"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx

WINWORD.EXE (PID 4624)
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  splwow64.exe (PID 2652), child of WINWORD.EXE (PID 4624)
    C:\Windows\splwow64.exe 12288

svchost.exe (PID 4608)
  C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

WINWORD.EXE was started with -Embedding, the switch Windows passes when a COM server is activated by another process rather than by a user opening a file; with the workbook as the only user-opened document, this is consistent with an embedded or linked Word object in the .xls. The only child of an Office process in the tree is splwow64.exe, the 32-bit print-driver proxy; no script host, shell or other interpreter is spawned.
Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
  Filesize: 471B
  MD5: cf65545a3e810342fd532d786185789f
  SHA1: 3c8fefdc80bf006df7181c5405bd27a9e5412be4
  SHA256: 7b8e810108ba872f8a75a05e407b087e33e58f19d509b84914235d066cc7b54a
  SHA512: 45a2bd25b2e1db7c54388b6389b8d6b43c66c0a7b500b0603babd528f82e7057490bb48a56230228125086025a325fe836f74e66143d0fb9ff8a43557d603d21

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
  Filesize: 412B
  MD5: acfb29915c3d9d068db6f8f2472a6d22
  SHA1: 4cd457d0be338aeab7c3bf40cd9c2307c87f61b7
  SHA256: 1354c043d9f2ed2b007217de4809b1f4798954e2241fc5c933365bb2e295eb34
  SHA512: 493ab23d0c1a9f9c04908698532e5a37388fca40c159569d9749a8f9834de0e21cccf18b0600d80e21765f560bfa04152a970e248679f336c27b6139b1b82df3

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\551E68F1-301D-4C14-939B-96A0F9955DFD
  Filesize: 160KB
  MD5: 10b2bebc43078948fc088c0b03324f79
  SHA1: 9fa4cf675fb2c9509c6b4da6458f5ba65aff12a5
  SHA256: 56375b41f1b77f0c110066b570c0b04bf4aedd961cb1df9638d4b8b6b5a22fb1
  SHA512: 722e4de7dc5824022a7673a7685af7de2428327e09514a7ba026823c694a7f17782e0bf31c91137f5a55f852c2ff68d051cbfd916692a97c138859be31507fbd

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GOG26WIK\mrngunlockurpurelovetounderstandhowimportanitsitogetreadyforlovetogetgreatlovertogetgreatlover[1].doc
  Filesize: 69KB
  MD5: 90454adfffe4a15a04a97ad173fd2ca3
  SHA1: 91b00307970f914356907c4e9655e68efa6515fb
  SHA256: 82e52b61e68ba6d8644476c6b23061b528053aa8a8d1f9fd85979a77f02e7edd
  SHA512: 28dde52c89e79c52ce5a03a582aa537126e2e57d26622f977356eac9533a14e37e4943b845ae68e2393267e66a3a3ce81873ecabe4ee6994974997a15b87d6e8

The CryptnetUrlCache pair is CryptoAPI's cache of certificate and revocation data fetched during signature validation, and the WebServiceCache entry is Office's own cache for officeclient.microsoft.com; both are routine Office background activity. The .doc is the artifact worth pulling: its location under INetCache\IE (the WinINet URL cache, with the "[1]" suffix that cache assigns to fetched files) means it was written by a URL retrieval rather than extracted from the .xls itself. No network entries are reproduced on this page, so the origin URL is not recorded here; the 69KB .doc should be analyzed as a second-stage document in its own right.