Analysis
max time kernel: 102s
max time network: 126s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-02-2024 10:40
Behavioral task behavioral1
Sample: Documentos de envío DHL_987654236475869776875465423422343232345341134.xls
Resource: win7-20240221-en
Behavioral task behavioral2
Sample: Documentos de envío DHL_987654236475869776875465423422343232345341134.xls
Resource: win10v2004-20240226-en
General
Target: Documentos de envío DHL_987654236475869776875465423422343232345341134.xls (Spanish filename, "DHL shipping documents")
Size: 30KB
MD5: 40e068be98ea0b6ca31af370328840b6
SHA1: 11e7096e6268536aa7e80e6f87c0c7815b067566
SHA256: d7ae9c118c01c6751d64e011c70f601a73cb566df9ab3d43d25e69e30a5d8e4a
SHA512: d7f114e8a91535e98a2ff1c492879ccb9b4979e9cfcfaab612cc80bb88c80f55f15bbc0dfc080175f509dd282c43712b60990dd1eed9cac84d0c4e5283f5a8a9
SSDEEP: 768:grYJUWXzyicoPdTeSGoqfSE8yCFDKPcM6c:grYhX2NATeSlzJqcM
Malware Config
Signatures
-
Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments. Both Office processes also trigger this signature on many benign documents, so on its own it is a weak indicator.
Processes: EXCEL.EXE, WINWORD.EXE
description       | ioc                                                                                  | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Key opened        | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                     | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened        | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                     | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                | EXCEL.EXE
Enumerates system info in registry (2 TTPs, 6 IoCs)
Processes: EXCEL.EXE, WINWORD.EXE
description       | ioc                                                          | process
Key opened        | \REGISTRY\MACHINE\Hardware\Description\System\BIOS             | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU    | EXCEL.EXE
Key opened        | \REGISTRY\MACHINE\Hardware\Description\System\BIOS             | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU    | WINWORD.EXE
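The two registry signatures above can be turned into a small triage script. The following is an added example written for this page, not part of the sandbox report or its tooling: it parses rows in the report's own "<operation> <registry path> <process>" layout (the twelve rows are re-typed here as constructed input), groups them by process and by category, and flags any process that read both CPU and BIOS description values, the combination the report records for EXCEL.EXE and WINWORD.EXE. The category prefixes, function names and the case-insensitive match are the example's own choices.

```python
"""Triage helper: group a sandbox report's registry IoCs by process and by
fingerprinting category, and flag processes that read both CPU and BIOS data.

Example code written for this page; it is not part of the sandbox's tooling.
"""
import re
from collections import defaultdict

# Constructed input: the twelve rows of the report's two registry signatures,
# re-typed in the report's own "<operation> <registry path> <process>" layout.
SAMPLE_ROWS = r"""
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE
"""

ROW_RE = re.compile(
    r"^(?P<op>Key value queried|Key opened)\s+(?P<path>\\\S+)\s+(?P<proc>\S+)$"
)

# Key prefixes taken from the report's two signatures. Compared case-insensitively
# because the report itself mixes HARDWARE\DESCRIPTION and Hardware\Description.
CATEGORY_PREFIXES = {
    "processor": r"\registry\machine\hardware\description\system\centralprocessor",
    "bios": r"\registry\machine\hardware\description\system\bios",
}


def parse_rows(text):
    """Turn report-style rows into dicts with op / path / proc keys."""
    rows = []
    for line in text.strip().splitlines():
        match = ROW_RE.match(line.strip())
        if match is None:
            raise ValueError(f"unrecognised row: {line!r}")
        rows.append(match.groupdict())
    return rows


def classify(path):
    """Return the fingerprinting category a registry path falls under, or None."""
    lowered = path.lower()
    for category, prefix in CATEGORY_PREFIXES.items():
        if lowered.startswith(prefix):
            return category
    return None


def summarize(rows):
    """Map process -> category -> set of value names read.

    A bare "Key opened" creates the category bucket without adding a value name,
    so a process that only opened the key is not counted as having read data.
    """
    summary = defaultdict(lambda: defaultdict(set))
    for row in rows:
        category = classify(row["path"])
        if category is None:
            continue
        bucket = summary[row["proc"]][category]
        if row["op"] == "Key value queried":
            bucket.add(row["path"].rsplit("\\", 1)[1])
    return summary


def fingerprinting_processes(summary):
    """Processes that read at least one CPU value and at least one BIOS value,
    the combination the report flags in both Office processes."""
    return sorted(
        proc
        for proc, cats in summary.items()
        if cats.get("processor") and cats.get("bios")
    )


if __name__ == "__main__":
    parsed = parse_rows(SAMPLE_ROWS)
    per_process = summarize(parsed)
    for proc, cats in per_process.items():
        for category, values in cats.items():
            print(f"{proc:<12} {category:<9} {sorted(values)}")
    print("both CPU and BIOS read by:", fingerprinting_processes(per_process))
```

To run it over a real export, replace SAMPLE_ROWS with the rows of the two signatures from another report in the same layout; a "Key opened" hit alone does not promote a process into the flagged list, which keeps the check from firing on processes that merely enumerated the key.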
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes: EXCEL.EXE, WINWORD.EXE
pid  | process
1664 | EXCEL.EXE
3516 | WINWORD.EXE
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: WINWORD.EXE
description             | pid  | process
Token: SeAuditPrivilege | 3516 | WINWORD.EXE
Suspicious use of SetWindowsHookEx (12 IoCs)
Processes: EXCEL.EXE, WINWORD.EXE
pid  | process     | entries
1664 | EXCEL.EXE   | 8
3516 | WINWORD.EXE | 4
Suspicious use of WriteProcessMemory (2 IoCs)
Processes: WINWORD.EXE
description                     | pid  | process     | target process
PID 3516 wrote to memory of 456 | 3516 | WINWORD.EXE | splwow64.exe
(the same entry is listed twice in the report)
splwow64.exe is the Windows print driver host for 32-bit applications; Office processes routinely write to it, so this hit is not by itself evidence of injection.
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
The report attributes these three signatures to no specific process.
Processes
Process tree (indentation shows the parent/child nesting given in the report):
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Documentos de envío DHL_987654236475869776875465423422343232345341134.xls"   PID 1664
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding   PID 3516
  (the -Embedding switch means Word was COM-activated as an embedded object server, not launched directly by the user)
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    C:\Windows\splwow64.exe 12288   PID 456
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc   PID 1472
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\C12FAD09-E706-4D09-A885-FAC48D753448
Filesize: 160KB
MD5: 5939a2305e54c886bb9fb2ea8c067fa5
SHA1: 4d4e34b2c4030114766e765995c1890894fecfae
SHA256: 94c962644608f7b0ff2740d8da072a8d70d23aaeb60b7891d700fd0ed0e49750
SHA512: 686a491fd33b63522f1c83c9c5bd53d7cec45cb878008edf8765422152eb3d3e23dd56a42bee12497427153cf45247716f965a52248bb3312b671f98907aacac

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
Filesize: 2KB
MD5: 4ed85476715af1ddaf3098ee50f584c7
SHA1: 0fec1d985dae6ed93c7c5e6230f66d06d5b19169
SHA256: 682fde8ce0a078e12e67fd31b4bb10eecf94bdfe37e2867431fc6dbcb03ed781
SHA512: 0ef28c1256ce0b384e79d44f8e09f6be3c379a3298ea8be1c5864de9f381bb9fb9eb8e718fc6cc233823347151b517619dec2fac1be3dcdf44ab4922b78a0fbe

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
Filesize: 2KB
MD5: cc91e1a600efa5fb637281c9149fc83b
SHA1: f4684be8860c2839d0a5057fdbcefed14181b58b
SHA256: e2f44439a43cf7193cdd14810bf60b5bb5de608d7c96e7aa96d129529d08cc56
SHA512: 6c7c2f415181aa0909602dec382b4955843262f59bd17881db5900d9c4614cf18fcb1be6311789589c1e8f32ae69d3a922ca90cf607e10631eae5060128921fc

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1YRVVION\mrngunlockurpurelovetounderstandhowimportanitsitogetreadyforlovetogetgreatlovertogetgreatlover[1].doc
Filesize: 69KB
MD5: 90454adfffe4a15a04a97ad173fd2ca3
SHA1: 91b00307970f914356907c4e9655e68efa6515fb
SHA256: 82e52b61e68ba6d8644476c6b23061b528053aa8a8d1f9fd85979a77f02e7edd
SHA512: 28dde52c89e79c52ce5a03a582aa537126e2e57d26622f977356eac9533a14e37e4943b845ae68e2393267e66a3a3ce81873ecabe4ee6994974997a15b87d6e8