Analysis
-
max time kernel
148s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
29-02-2024 20:00
Behavioral task
behavioral1
Sample
informe bancario y motivo del pago rechazado.xls
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
informe bancario y motivo del pago rechazado.xls
Resource
win10v2004-20240226-en
General
-
Target
informe bancario y motivo del pago rechazado.xls
-
Size
30KB
-
MD5
40e068be98ea0b6ca31af370328840b6
-
SHA1
11e7096e6268536aa7e80e6f87c0c7815b067566
-
SHA256
d7ae9c118c01c6751d64e011c70f601a73cb566df9ab3d43d25e69e30a5d8e4a
-
SHA512
d7f114e8a91535e98a2ff1c492879ccb9b4979e9cfcfaab612cc80bb88c80f55f15bbc0dfc080175f509dd282c43712b60990dd1eed9cac84d0c4e5283f5a8a9
-
SSDEEP
768:grYJUWXzyicoPdTeSGoqfSE8yCFDKPcM6c:grYhX2NATeSlzJqcM
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEEXCEL.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE -
Enumerates system info in registry 2 TTPs 6 IoCs
Processes:
EXCEL.EXEWINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
EXCEL.EXEWINWORD.EXEpid process 4532 EXCEL.EXE 2968 WINWORD.EXE -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
WINWORD.EXEdescription pid process Token: SeAuditPrivilege 2968 WINWORD.EXE -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
EXCEL.EXEpid process 4532 EXCEL.EXE 4532 EXCEL.EXE -
Suspicious use of SetWindowsHookEx 12 IoCs
Processes:
EXCEL.EXEWINWORD.EXEpid process 4532 EXCEL.EXE 4532 EXCEL.EXE 4532 EXCEL.EXE 4532 EXCEL.EXE 4532 EXCEL.EXE 4532 EXCEL.EXE 4532 EXCEL.EXE 4532 EXCEL.EXE 2968 WINWORD.EXE 2968 WINWORD.EXE 2968 WINWORD.EXE 2968 WINWORD.EXE -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
WINWORD.EXEdescription pid process target process PID 2968 wrote to memory of 2840 2968 WINWORD.EXE splwow64.exe PID 2968 wrote to memory of 2840 2968 WINWORD.EXE splwow64.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\informe bancario y motivo del pago rechazado.xls"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4532
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:2840
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵PID:3860
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\F9FED3B7-5152-4EC3-95E0-5C013EEAD39E
Filesize160KB
MD5b76b4ffcf9cd12d4a02a80a8465513cb
SHA1a71f4abc67ccb1f919bfc0ab8f365ae576845f10
SHA256b36bacd0a4ece2e3c78ccafac594ea7b93549d2528a492b0cbb1eaf73895eb3b
SHA512ad79df9c394815e08884c601a21875807944f569d703194137e754471c3f1c52e7b520d77e1e4b371fceacbca13767b7ef778b7555963d2d1874c208300f00f9
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
Filesize2KB
MD5c5036e16e7ca2ad5b2144308aa8d12f2
SHA1369b3202f1e671638732bf8285a608d3a6ef494b
SHA256259a7335cda9db8ebe97ebf35ac4b0f84c2352f64844298bcb319ecfbbf2b5fe
SHA512b20795b20abd16ed90a35dba4f00f67675ac422ab36c9f817213ed89ffbf9f060be468b7663cf7d262f529a32e7fb5c2e52e7265dfae5a336a28018f6f5faedd
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
Filesize2KB
MD529fdc93f96fe906bb6dedd239350add9
SHA1ce6fec987c54ff0b9b1380a129758b8369c73710
SHA256ed0899d8f2271306149d8541553e11cac2a828afa6057b11fff32f41eca43ca8
SHA5129b1aebb09823621b0f57aec3dfcb02f030035844754df77a99c1410d6b476bf752b86d49b3a26fa232650c669e26f917fc8ef607a1a77a466f12b9a7484f9234
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\20RAD7Y0\mrngunlockurpurelovetounderstandhowimportanitsitogetreadyforlovetogetgreatlovertogetgreatlover[1].doc
Filesize69KB
MD590454adfffe4a15a04a97ad173fd2ca3
SHA191b00307970f914356907c4e9655e68efa6515fb
SHA25682e52b61e68ba6d8644476c6b23061b528053aa8a8d1f9fd85979a77f02e7edd
SHA51228dde52c89e79c52ce5a03a582aa537126e2e57d26622f977356eac9533a14e37e4943b845ae68e2393267e66a3a3ce81873ecabe4ee6994974997a15b87d6e8