71533a30ee9f92a67081b457464ec85564d0b6b1bf38004091305ca3ee70ab75

Analysis

max time kernel
76s
max time network
113s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
06/06/2024, 15:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Orden de compra.xls
Size

398KB
MD5

feadbeab04cafce5ef327b3c712019b7
SHA1

fb0ad6fb394d7098b176fcf72f4bf392010ec2d9
SHA256

71533a30ee9f92a67081b457464ec85564d0b6b1bf38004091305ca3ee70ab75
SHA512

cacd9712b56ee21d16c19e9e09f4c8108bc14ab561f215060a2210cb7dcaf80e6fbb418bb0658ac755521bea868a9d0d7f74a5a51e8da2dec8ea793b5f02ba45
SSDEEP

12288:9qFzu4LjCgPGp3m5JmKGcBE/7xjjijt4lOhiN/Xne:azu4LjvCI4VzF2jlhyve

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
596	EXCEL.EXE
560	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeAuditPrivilege	560	WINWORD.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
596	EXCEL.EXE
596	EXCEL.EXE
596	EXCEL.EXE
596	EXCEL.EXE
596	EXCEL.EXE
596	EXCEL.EXE
596	EXCEL.EXE
596	EXCEL.EXE
560	WINWORD.EXE
560	WINWORD.EXE
560	WINWORD.EXE
560	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 560 wrote to memory of 1560	560	WINWORD.EXE	78
PID 560 wrote to memory of 1560	560	WINWORD.EXE	78

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Orden de compra.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:596

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:560
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
bd8ab302c2a4f71ae273d638a185fc5e

SHA1
518f300d427a642ad45dacec31e75bb6570439fe

SHA256
bc8d69eef1cf73c1b2900dfa80bb9aae47c428bfbad4f901fef599717be5f98b

SHA512
5645af08e5dbf5933455cb4ea38924db39dc3a4ea9be768bbe3076eba2075ccaf1223b395efa150d5496cc615ba708bbfac31ccfbe5c07be6f2fad03cb01a986

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
55bca5e2037bc781ea8a1e2149d864b8

SHA1
009402eb20075002965e6b5e8930183dc7355ee4

SHA256
ca372187b9746721f0c9bc088c138c0c31bc384d379c610173813c992c1533d4

SHA512
bcd215a716e48963123eb87f6a84421f0590b45d57c4c809dced4b1c9e77b5171be5350439ff60434cb3bd5fe71de5ffb6654bbae3585ed8ca1e963360ce58e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
06439552ef0cd0d4d78a7b41e11171ee

SHA1
b878063a10fc79efbfda5b311567879113d1ec3c

SHA256
47ea5d9c98da0c1f73e292c0b8efb7e4aee8d0d51f471356bfd9205d676f2604

SHA512
b48f866389ce3b58d61fdb2784a34e73ae5247f707ba52dbe4eda173c37583783f70e0186734246ddf7310acc725b9bdbb2661401841d4eaf947aa3188c4e437

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\7B41EEB1-DC22-427D-A890-290891A3B327

Filesize
161KB

MD5
bebd8dba29dffe629811acf66258c6b8

SHA1
ba6c79397178847e7124939b6c5bdaf0a0090d7a

SHA256
8eb2ee91fb00efe1ff46aab1f7e2cfe022f110abd2b62a71914407839903cd3f

SHA512
7f8382c63d20c5dd40e8ac79d30ef693eeccd87a9eb0b1846fdd1d6f0139a76a53517c8d5acbdc9b9972ae9096f09e627a201cd80acd48f50d0d349a1bccecee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
21KB

MD5
b338569fa7cffb6bb2d7ce663d8fc590

SHA1
4d5f4eb243fd6f373b42b80b9d8c9be65c8052da

SHA256
b85f0b3c527267d5d40c77779660fa76c1ef113f32dc70ba58b4368b2413785b

SHA512
90facac916258c95a35ec5ce3d50db1cb3b3b085235b697281341ab9e0ed07f96bc6783d9ff01062eac1cfc1e874f7736c331ba6d038cd7b2e9168f66c44593b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\74a0ad00a184813f0b8867eb2f8dfef7227a18a4.tbres

Filesize
2KB

MD5
f0bc257d86d50edb0f7ca2d8427060c1

SHA1
646f2a1dc8e6ad4e4404b4a240fa82948dadc8f2

SHA256
74e0936300dd27abe1e621d25c92d4a8d91fe537669e9c8b4e162bc713e06267

SHA512
de3fd7001158b7631c5f1914799eb1625cfa03138ed057c5e5e2f26ad94ba2c540a5b1311da70b8395d7c4dc066d89dbd0b07cbef18cddee1302f60622dade71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\7GTPFJEK\lionnsisthekingmakerofthejungletounderstandhowlongthetruthgoingtobehideiamtransferingentirepowertolion__heistrulyakingofthejungle[1].doc

Filesize
43KB

MD5
20d369963aa62c1085bc7282c111c410

SHA1
4520e4bae9d15af480c4347abbee95b255fcdd6b

SHA256
dd31b9a658a0172da4b5a76b5529e5b0c96dd6949cca7fee2f44c4e3039fccef

SHA512
79bd60bd35f06e955797658ec3cf3d78c74ec25e7fb19120e1e88b019d1041028671e0a2c1038157ed64d1d58253ec316450c2208d0a8801bd32ad11670e5e73

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDE64C.tmp\iso690.xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
229B

MD5
833e7b970627444f7e9861d1b73f0554

SHA1
9c757b1bfc2b688443924835e33599dc46fd9d3a

SHA256
833be5e9de7c2411285f2dd89940d68a6c840099db0bcfe466ae1cda364192a7

SHA512
6a1908290bcadd6528819e9d8a41ef209ed5a9063a31baa3f878a912dd900df91eee90d1fb097462c1d0c8f63607e5eecb048beaf18ce1e9cc412b17f6b44457

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
f73422bc0b3d6498570561c6d279ee9a

SHA1
2fef06bfb16201d692a32eec2581b6080f83e7fd

SHA256
202ecdee508d09c8c5fe104663d9d8b842a90f7ea0d5d5fc0bf3a6737a26fd39

SHA512
c2b88b227d1dd40ab2bd556e0bafb29d86a56f49bca8761b0728f1c306967a0c64ab3201c2fa53097cb9a658170e68735b660759cea94ed14aa8a8e83eac16b4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
5KB

MD5
bd90f0e5d3afe9d96524ee581eedf6be

SHA1
d7adc8374731163a893c325dea2e4b900ff2ba7d

SHA256
4ddd9fe3239a21be29207d9f8fa1d641158907c3611f03221a5d1de83c44b697

SHA512
87920a98a41a9598be4304b4a42e0f4eb358ae1cd73a9f736d83f2f2a3741a8beffb55b72eebcdacd345fb83d7186b372ab1f6a91033c015dd15f82934a7939f

Download Submit
memory/596-12-0x00007FFA60F20000-0x00007FFA60F30000-memory.dmp

Filesize
64KB

Download
memory/596-14-0x00007FFAA39E0000-0x00007FFAA3BBB000-memory.dmp

Filesize
1.9MB

Download
memory/596-15-0x00007FFAA39E0000-0x00007FFAA3BBB000-memory.dmp

Filesize
1.9MB

Download
memory/596-17-0x00007FFA60F20000-0x00007FFA60F30000-memory.dmp

Filesize
64KB

Download
memory/596-19-0x00007FFAA39E0000-0x00007FFAA3BBB000-memory.dmp

Filesize
1.9MB

Download
memory/596-21-0x00007FFAA39E0000-0x00007FFAA3BBB000-memory.dmp

Filesize
1.9MB

Download
memory/596-20-0x00007FFAA39E0000-0x00007FFAA3BBB000-memory.dmp

Filesize
1.9MB

Download
memory/596-28-0x00007FFAA39E0000-0x00007FFAA3BBB000-memory.dmp

Filesize
1.9MB

Download
memory/596-27-0x00007FFAA39E0000-0x00007FFAA3BBB000-memory.dmp

Filesize
1.9MB

Download
memory/596-26-0x00007FFAA39E0000-0x00007FFAA3BBB000-memory.dmp

Filesize
1.9MB

Download
memory/596-25-0x00007FFAA39E0000-0x00007FFAA3BBB000-memory.dmp

Filesize
1.9MB

Download
memory/596-24-0x00007FFAA39E0000-0x00007FFAA3BBB000-memory.dmp

Filesize
1.9MB

Download
memory/596-23-0x00007FFAA39E0000-0x00007FFAA3BBB000-memory.dmp

Filesize
1.9MB

Download
memory/596-22-0x00007FFAA39E0000-0x00007FFAA3BBB000-memory.dmp

Filesize
1.9MB

Download
memory/596-18-0x00007FFAA39E0000-0x00007FFAA3BBB000-memory.dmp

Filesize
1.9MB

Download
memory/596-16-0x00007FFAA39E0000-0x00007FFAA3BBB000-memory.dmp

Filesize
1.9MB

Download
memory/596-13-0x00007FFAA39E0000-0x00007FFAA3BBB000-memory.dmp

Filesize
1.9MB

Download
memory/596-0-0x00007FFA63A70000-0x00007FFA63A80000-memory.dmp

Filesize
64KB

Download
memory/596-11-0x00007FFAA39E0000-0x00007FFAA3BBB000-memory.dmp

Filesize
1.9MB

Download
memory/596-10-0x00007FFAA39E0000-0x00007FFAA3BBB000-memory.dmp

Filesize
1.9MB

Download
memory/596-2-0x00007FFAA3A85000-0x00007FFAA3A86000-memory.dmp

Filesize
4KB

Download
memory/596-3-0x00007FFA63A70000-0x00007FFA63A80000-memory.dmp

Filesize
64KB

Download
memory/596-4-0x00007FFA63A70000-0x00007FFA63A80000-memory.dmp

Filesize
64KB

Download
memory/596-8-0x00007FFAA39E0000-0x00007FFAA3BBB000-memory.dmp

Filesize
1.9MB

Download
memory/596-296-0x00007FFAA39E0000-0x00007FFAA3BBB000-memory.dmp

Filesize
1.9MB

Download
memory/596-300-0x00007FFAA39E0000-0x00007FFAA3BBB000-memory.dmp

Filesize
1.9MB

Download
memory/596-9-0x00007FFAA39E0000-0x00007FFAA3BBB000-memory.dmp

Filesize
1.9MB

Download
memory/596-7-0x00007FFAA39E0000-0x00007FFAA3BBB000-memory.dmp

Filesize
1.9MB

Download
memory/596-312-0x00007FFAA39E0000-0x00007FFAA3BBB000-memory.dmp

Filesize
1.9MB

Download
memory/596-1-0x00007FFA63A70000-0x00007FFA63A80000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads