Analysis
-
max time kernel
142s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
29-02-2024 20:00
Behavioral task
behavioral1
Sample
informe bancario y motivo del pago rechazado.xls
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
informe bancario y motivo del pago rechazado.xls
Resource
win10v2004-20240226-en
General
-
Target
informe bancario y motivo del pago rechazado.xls
-
Size
30KB
-
MD5
40e068be98ea0b6ca31af370328840b6
-
SHA1
11e7096e6268536aa7e80e6f87c0c7815b067566
-
SHA256
d7ae9c118c01c6751d64e011c70f601a73cb566df9ab3d43d25e69e30a5d8e4a
-
SHA512
d7f114e8a91535e98a2ff1c492879ccb9b4979e9cfcfaab612cc80bb88c80f55f15bbc0dfc080175f509dd282c43712b60990dd1eed9cac84d0c4e5283f5a8a9
-
SSDEEP
768:grYJUWXzyicoPdTeSGoqfSE8yCFDKPcM6c:grYhX2NATeSlzJqcM
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
EXCEL.EXEWINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 6 IoCs
Processes:
EXCEL.EXEWINWORD.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
EXCEL.EXEWINWORD.EXEpid process 2448 EXCEL.EXE 4588 WINWORD.EXE -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
WINWORD.EXEdescription pid process Token: SeAuditPrivilege 4588 WINWORD.EXE -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
EXCEL.EXEpid process 2448 EXCEL.EXE 2448 EXCEL.EXE -
Suspicious use of SetWindowsHookEx 12 IoCs
Processes:
EXCEL.EXEWINWORD.EXEpid process 2448 EXCEL.EXE 2448 EXCEL.EXE 2448 EXCEL.EXE 2448 EXCEL.EXE 2448 EXCEL.EXE 2448 EXCEL.EXE 2448 EXCEL.EXE 2448 EXCEL.EXE 4588 WINWORD.EXE 4588 WINWORD.EXE 4588 WINWORD.EXE 4588 WINWORD.EXE -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
WINWORD.EXEdescription pid process target process PID 4588 wrote to memory of 4888 4588 WINWORD.EXE splwow64.exe PID 4588 wrote to memory of 4888 4588 WINWORD.EXE splwow64.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\informe bancario y motivo del pago rechazado.xls"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2448
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4588 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:4888
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵PID:1600
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1348 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:81⤵PID:1460
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\1B2935FD-DFD1-4F34-A4AC-4E50F8015D73
Filesize160KB
MD5c2783ca77ae3be9bdbdeb990b7e478f1
SHA164c1543904724e751f982d66cdf9ecb0cd7b5a98
SHA2561a16626fdc6ef90e8ef751620cadc197ec29c4d2558fa0a513428411317b3934
SHA5129ed36642978807d714c2ff7713e3b11bfb3fa124b2e8f950018f90362ec69144db98cff3e7cd758992b291af69190e2055887506b61194c938d1251899f85024
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
Filesize2KB
MD51528d1e78fde87b0f12334acc58617d7
SHA12fdc21fd7677b096c0656f10d784f3d1f9324b6f
SHA256ba53883c9bc671943de9e4b6d57e39a1e8b0ed48fd5a12588c133d19d3d0754e
SHA5128fea2c54bba1da522a8d49a221e077046c9fda0e015322cb3189f6b9c37cc851e0b9f4c351158e3beafabfa9888e3b4f1f239ecd5462ffe207072891bedcb7a5
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
Filesize2KB
MD51d5fc97e4efb363f513a73497ca300f2
SHA1512f4195c889729d59dab3e8a7e970b751f366ba
SHA256f73a53cfb817bf4dab89995ce09d4c58b91416bbb718afd9e08d91cccae203da
SHA5124836b6ef91ede37a7f430df359ff11e1e3c9c5dc67638d48853997c3a4d56e84a2349c1e3a5402c699ec0013001ff60bc062b91df8caf822350ef0f0fa2cdbea
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8ZO46T3J\mrngunlockurpurelovetounderstandhowimportanitsitogetreadyforlovetogetgreatlovertogetgreatlover[1].doc
Filesize69KB
MD590454adfffe4a15a04a97ad173fd2ca3
SHA191b00307970f914356907c4e9655e68efa6515fb
SHA25682e52b61e68ba6d8644476c6b23061b528053aa8a8d1f9fd85979a77f02e7edd
SHA51228dde52c89e79c52ce5a03a582aa537126e2e57d26622f977356eac9533a14e37e4943b845ae68e2393267e66a3a3ce81873ecabe4ee6994974997a15b87d6e8