Malware Analysis Report

2024-10-24 17:08

Sample ID: 240229-2fa8baeg69
Target: informe bancario y motivo del pago rechazado.xla
SHA256: d7ae9c118c01c6751d64e011c70f601a73cb566df9ab3d43d25e69e30a5d8e4a
Tags: macro xlm
Score: 8/10

Analysis Overview

Threat Level: Likely malicious

The file informe bancario y motivo del pago rechazado.xla was found to be: Likely malicious.

Malicious Activity Summary

macro xlm

Suspicious Office macro

Enumerates system info in registry

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

Uses Volume Shadow Copy service COM API

Checks processor information in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy WMI provider

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-29 22:30

Signatures

Suspicious Office macro

macro xlm
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-29 22:30

Reported

2024-02-29 22:32

Platform

win11-20240221-en

Max time kernel

59s

Max time network

26s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\informe bancario y motivo del pago rechazado.xls"

Signatures

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeAuditPrivilege | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4624 wrote to memory of 2652 | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | C:\Windows\splwow64.exe
PID 4624 wrote to memory of 2652 | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | C:\Windows\splwow64.exe

Uses Task Scheduler COM API (persistence)

Uses Volume Shadow Copy WMI provider (ransomware)

Uses Volume Shadow Copy service COM API (ransomware)

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\informe bancario y motivo del pago rechazado.xls"

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 46.28.109.52.in-addr.arpa | udp
US | 104.21.69.44:80 | shtu.be | tcp
US | 104.21.69.44:443 | shtu.be | tcp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 192.3.95.216:80 | 192.3.95.216 | tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\551E68F1-301D-4C14-939B-96A0F9955DFD

MD5 10b2bebc43078948fc088c0b03324f79
SHA1 9fa4cf675fb2c9509c6b4da6458f5ba65aff12a5
SHA256 56375b41f1b77f0c110066b570c0b04bf4aedd961cb1df9638d4b8b6b5a22fb1
SHA512 722e4de7dc5824022a7673a7685af7de2428327e09514a7ba026823c694a7f17782e0bf31c91137f5a55f852c2ff68d051cbfd916692a97c138859be31507fbd

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GOG26WIK\mrngunlockurpurelovetounderstandhowimportanitsitogetreadyforlovetogetgreatlovertogetgreatlover[1].doc

MD5 90454adfffe4a15a04a97ad173fd2ca3
SHA1 91b00307970f914356907c4e9655e68efa6515fb
SHA256 82e52b61e68ba6d8644476c6b23061b528053aa8a8d1f9fd85979a77f02e7edd
SHA512 28dde52c89e79c52ce5a03a582aa537126e2e57d26622f977356eac9533a14e37e4943b845ae68e2393267e66a3a3ce81873ecabe4ee6994974997a15b87d6e8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

MD5 cf65545a3e810342fd532d786185789f
SHA1 3c8fefdc80bf006df7181c5405bd27a9e5412be4
SHA256 7b8e810108ba872f8a75a05e407b087e33e58f19d509b84914235d066cc7b54a
SHA512 45a2bd25b2e1db7c54388b6389b8d6b43c66c0a7b500b0603babd528f82e7057490bb48a56230228125086025a325fe836f74e66143d0fb9ff8a43557d603d21

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

MD5 acfb29915c3d9d068db6f8f2472a6d22
SHA1 4cd457d0be338aeab7c3bf40cd9c2307c87f61b7
SHA256 1354c043d9f2ed2b007217de4809b1f4798954e2241fc5c933365bb2e295eb34
SHA512 493ab23d0c1a9f9c04908698532e5a37388fca40c159569d9749a8f9834de0e21cccf18b0600d80e21765f560bfa04152a970e248679f336c27b6139b1b82df3