Analysis
-
max time kernel
148s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
29-02-2024 22:35
Behavioral task
behavioral1
Sample
informe bancario y motivo del pago rechazado.xls
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
informe bancario y motivo del pago rechazado.xls
Resource
win10v2004-20240226-en
General
-
Target
informe bancario y motivo del pago rechazado.xls
-
Size
30KB
-
MD5
40e068be98ea0b6ca31af370328840b6
-
SHA1
11e7096e6268536aa7e80e6f87c0c7815b067566
-
SHA256
d7ae9c118c01c6751d64e011c70f601a73cb566df9ab3d43d25e69e30a5d8e4a
-
SHA512
d7f114e8a91535e98a2ff1c492879ccb9b4979e9cfcfaab612cc80bb88c80f55f15bbc0dfc080175f509dd282c43712b60990dd1eed9cac84d0c4e5283f5a8a9
-
SSDEEP
768:grYJUWXzyicoPdTeSGoqfSE8yCFDKPcM6c:grYhX2NATeSlzJqcM
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEEXCEL.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE -
Enumerates system info in registry 2 TTPs 6 IoCs
Processes:
EXCEL.EXEWINWORD.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
EXCEL.EXEWINWORD.EXEpid process 4288 EXCEL.EXE 1424 WINWORD.EXE -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
WINWORD.EXEdescription pid process Token: SeAuditPrivilege 1424 WINWORD.EXE -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
EXCEL.EXEpid process 4288 EXCEL.EXE 4288 EXCEL.EXE -
Suspicious use of SetWindowsHookEx 12 IoCs
Processes:
EXCEL.EXEWINWORD.EXEpid process 4288 EXCEL.EXE 4288 EXCEL.EXE 4288 EXCEL.EXE 4288 EXCEL.EXE 4288 EXCEL.EXE 4288 EXCEL.EXE 4288 EXCEL.EXE 4288 EXCEL.EXE 1424 WINWORD.EXE 1424 WINWORD.EXE 1424 WINWORD.EXE 1424 WINWORD.EXE -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
WINWORD.EXEdescription pid process target process PID 1424 wrote to memory of 4620 1424 WINWORD.EXE splwow64.exe PID 1424 wrote to memory of 4620 1424 WINWORD.EXE splwow64.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\informe bancario y motivo del pago rechazado.xls"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4288
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1424 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:4620
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵PID:4636
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:968
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\E1E03BAD-9713-444F-BB97-53EB33F03E9A
Filesize160KB
MD5bfd7b5bd841a32557bfe56e81d89be09
SHA18ab2e5e9d52d073a680078158e3efd781c505a5c
SHA256f65e653aae6938c9b435fd0be23015e03eabddef1cba67d90d4f31cd1a6ec075
SHA512274e30854e1e26aa58c1bfe53f0bf6da3dc53218b99712f48a8738f6015261a474658dfedec7f4076c9f49bafd8ca1d9ddb2458919407daeb0bffe92c50847e2
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
Filesize2KB
MD53f23443bcd5ceb19acbaf39496d1cbc1
SHA1d8c3dd56357b7ef7305fabe9f89a223200c965da
SHA256d357e15ecebf0375b5155310b77c604eebd1ebff73b34a66d0900ac702013614
SHA512e55e479bde584db46bbe5e93ca2b35651677dce7af5b5f1a0ba0ee19ee0b8e60101b721a0d5a37e3aa44ea21207af6e32e265e23c5e6c7cd234fd758dc64fc09
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
Filesize2KB
MD5511d11f27624c71b8c6bcf2acc06df31
SHA16dbf2aba5e0c23757615d8e2361f6b522830ad9d
SHA2566519cd07674b28b4101ef880d4d113f458c3572af610a86afc0908840e9a3014
SHA5127684cb185dccc6a6762ad5cd9f127270dc543fc30989a951090cca937e42539f9604ba077ec7c07094f5f370e505343f70a9b1f9f58a3b99da9fc6b18f4e9b78
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KPYHB2C1\mrngunlockurpurelovetounderstandhowimportanitsitogetreadyforlovetogetgreatlovertogetgreatlover[1].doc
Filesize69KB
MD590454adfffe4a15a04a97ad173fd2ca3
SHA191b00307970f914356907c4e9655e68efa6515fb
SHA25682e52b61e68ba6d8644476c6b23061b528053aa8a8d1f9fd85979a77f02e7edd
SHA51228dde52c89e79c52ce5a03a582aa537126e2e57d26622f977356eac9533a14e37e4943b845ae68e2393267e66a3a3ce81873ecabe4ee6994974997a15b87d6e8