71533a30ee9f92a67081b457464ec85564d0b6b1bf38004091305ca3ee70ab75

Analysis

max time kernel
99s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
06/06/2024, 15:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Orden de compra.xls
Size

398KB
MD5

feadbeab04cafce5ef327b3c712019b7
SHA1

fb0ad6fb394d7098b176fcf72f4bf392010ec2d9
SHA256

71533a30ee9f92a67081b457464ec85564d0b6b1bf38004091305ca3ee70ab75
SHA512

cacd9712b56ee21d16c19e9e09f4c8108bc14ab561f215060a2210cb7dcaf80e6fbb418bb0658ac755521bea868a9d0d7f74a5a51e8da2dec8ea793b5f02ba45
SSDEEP

12288:9qFzu4LjCgPGp3m5JmKGcBE/7xjjijt4lOhiN/Xne:azu4LjvCI4VzF2jlhyve

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2052	EXCEL.EXE
1512	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeAuditPrivilege	1512	WINWORD.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2052	EXCEL.EXE
2052	EXCEL.EXE
2052	EXCEL.EXE
2052	EXCEL.EXE
2052	EXCEL.EXE
2052	EXCEL.EXE
2052	EXCEL.EXE
2052	EXCEL.EXE
1512	WINWORD.EXE
1512	WINWORD.EXE
1512	WINWORD.EXE
1512	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 2880	1512	WINWORD.EXE	96
PID 1512 wrote to memory of 2880	1512	WINWORD.EXE	96

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Orden de compra.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2052

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2880

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
bd8ab302c2a4f71ae273d638a185fc5e

SHA1
518f300d427a642ad45dacec31e75bb6570439fe

SHA256
bc8d69eef1cf73c1b2900dfa80bb9aae47c428bfbad4f901fef599717be5f98b

SHA512
5645af08e5dbf5933455cb4ea38924db39dc3a4ea9be768bbe3076eba2075ccaf1223b395efa150d5496cc615ba708bbfac31ccfbe5c07be6f2fad03cb01a986

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
471B

MD5
be0f80225826889a820e84d22d8b3438

SHA1
7dfdd3ad6d5149b1e6a0f1aec907b947a1248087

SHA256
13b3a9d744988146e7c4d4cd27c4b2cce75495fc39cb90d8df16ff80438ce1e1

SHA512
6124217bb9f9e793da57f74ad7f852d2552b0f6ae1448a710b4356db2359798540f4b25506300307c48be3b1f2ad3b65bc8776072a028ed6aeb5cbea22785975

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
552511df3047f2d36ecf466fecbe2b6c

SHA1
bbbd5138655eff4e9d8a1f35ab6246b99012079a

SHA256
4de1bc3ffb514a084015233d1de813fb206fcb723a26154ef0f21aa266441beb

SHA512
6d0099b31df926da58baf1d7182076c33df5f6bf4db0c4c6b9ead433d85d028ca1e813e827783d514700e358b341e7e17230d3aec8dee30cfa225aa87a981566

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
eeda7d31b4c7020ab5d7abf812525e9c

SHA1
816acb7b8816e198fe8b343b693211dc34c5f9b5

SHA256
c7d716a6d6e64957cfb983d132d8d93b4ae6bb498878be46c1ff611594ae6822

SHA512
34a919dad94d24e6dea21fa0c39a2849395ef0de25b6bd794f0d792a39a76c1f7862002af0c95f112752c6d6bd0d1bdc660f8333c174defe22f6618d4ab07586

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
412B

MD5
35c472b65ff4590642fd65f65c7c4b65

SHA1
d29037e7d964443e2650ecd397706da78406ba3c

SHA256
b8579b5139ac17ae6a7dee39d12e8bfa2032c18acf46e3f09b40ba2d35486411

SHA512
6d3bec9ca6bde0bbb0266631b27341a5e7fc281915e6b3d3ed6d87a56eb2d93d584a513d3f9a5fa6ee1c5d86f72d35622cb1c93ca205d2e75bd7e54db9be7b81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\C1571069-0DD8-42AD-B1E9-3129F51B674A

Filesize
161KB

MD5
73a6b5164ff14d182baee8936496f948

SHA1
7d3561f1953931726077856ce6fd0fca4bbb0050

SHA256
48b62f1b49505e56b7a4f3934b956990fcabfe6f17e6ee9f1e73e961798b88ac

SHA512
471f49103ff35778c123b07a3d3016042816f04e1d05d6588b7bfb31394dacf8a193a7ecd0ab5e0733010611177f3e9ceb1aa679db6ecfabdbb71d7ea3e66d0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
21KB

MD5
619088292bcc04b31f05e8e63999b6dd

SHA1
06c52d0980022bf179bc892d07aa398a0834f907

SHA256
88553e4da32bbd9291e4cb41e9dc49f363a514343c1c6ea021fcf54dc70e8c45

SHA512
4a0b209d4c89c65a2e6b73f2d3bd4ee1b96dab1d7f54b95b2b5398826b231c124013f4cd52d61918e52b3df74d4dab217794892765a2386cb3cd7e3888d4d610

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
89db0bf01dd0896c9a9de8809cec2b1e

SHA1
497c1e2eda3a2eae3d135d705ca45f3c42f746b9

SHA256
b1c630a82d883abdd9f0ec8f86584aa5fb68114051842ed027d666b3107a6ec8

SHA512
87e8c949abc46f65c8af8a5a193f486b0c7173ca93bc62d7cfb8b289c339e5d38451da4f3339944f56a7e1f9c84477e56da1673982c79eedf1ac22245a9d606e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
0ea4bc84492508f7d145331819021b7f

SHA1
25d147f34436b20aaf4134c166680146a5978561

SHA256
ce9cd5c26204a8f6fc49628b19f8257120999ed9141ac893c5d551a9f7c94583

SHA512
2c3db5a22fd7d4cfd35963eda54869d7e611d28bc1e462a1613abcb038dae12e25474388415a73c0d6ce22f027917d2a583d63b0ed1c89c54cea3ac3c30ff729

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\K7TNQP8W\lionnsisthekingmakerofthejungletounderstandhowlongthetruthgoingtobehideiamtransferingentirepowertolion__heistrulyakingofthejungle[1].doc

Filesize
43KB

MD5
20d369963aa62c1085bc7282c111c410

SHA1
4520e4bae9d15af480c4347abbee95b255fcdd6b

SHA256
dd31b9a658a0172da4b5a76b5529e5b0c96dd6949cca7fee2f44c4e3039fccef

SHA512
79bd60bd35f06e955797658ec3cf3d78c74ec25e7fb19120e1e88b019d1041028671e0a2c1038157ed64d1d58253ec316450c2208d0a8801bd32ad11670e5e73

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDCDD3.tmp\gb.xsl

Filesize
262KB

MD5
51d32ee5bc7ab811041f799652d26e04

SHA1
412193006aa3ef19e0a57e16acf86b830993024a

SHA256
6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

SHA512
5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
229B

MD5
833e7b970627444f7e9861d1b73f0554

SHA1
9c757b1bfc2b688443924835e33599dc46fd9d3a

SHA256
833be5e9de7c2411285f2dd89940d68a6c840099db0bcfe466ae1cda364192a7

SHA512
6a1908290bcadd6528819e9d8a41ef209ed5a9063a31baa3f878a912dd900df91eee90d1fb097462c1d0c8f63607e5eecb048beaf18ce1e9cc412b17f6b44457

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
61aa8a18de906245d8c7b92a228de774

SHA1
2e22d451de93276a9bc4f4c4591a997f4ab00ebd

SHA256
1f30d0f865044fc415ba2faf1f5da081cae1024364d5c71ecabfc578bf968f48

SHA512
5cdcc4a5964dd86afbdd7e561b131f91ceaf2550d832718c5842aee9505731b1e0112df5212283b2f248799f33f0015865182c4ce4d1f53fc70d09175c2f26ee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
5KB

MD5
e8a45cb42698ea18d63b6f696daa201b

SHA1
e668decac94527eb4cd6e9478dc9f8c8eefdad24

SHA256
064a844739d56808bf86b8258abf66460512713ea31b5f9adaee4dcf86d6b1e4

SHA512
ca2ea61970bd517c2d3ca147b14b05f747716a34f8ca76a278d463d1683de5e57e4b2f8922684184b8f34b8c7c9b30b2bc7dca81f57d0c7578809e06e52265bc

Download Submit
memory/1512-50-0x00007FFE69150000-0x00007FFE69345000-memory.dmp

Filesize
2.0MB

Download
memory/1512-51-0x00007FFE69150000-0x00007FFE69345000-memory.dmp

Filesize
2.0MB

Download
memory/1512-633-0x00007FFE69150000-0x00007FFE69345000-memory.dmp

Filesize
2.0MB

Download
memory/1512-630-0x00007FFE291D0000-0x00007FFE291E0000-memory.dmp

Filesize
64KB

Download
memory/1512-631-0x00007FFE291D0000-0x00007FFE291E0000-memory.dmp

Filesize
64KB

Download
memory/1512-632-0x00007FFE291D0000-0x00007FFE291E0000-memory.dmp

Filesize
64KB

Download
memory/1512-629-0x00007FFE291D0000-0x00007FFE291E0000-memory.dmp

Filesize
64KB

Download
memory/1512-583-0x00007FFE69150000-0x00007FFE69345000-memory.dmp

Filesize
2.0MB

Download
memory/1512-52-0x00007FFE69150000-0x00007FFE69345000-memory.dmp

Filesize
2.0MB

Download
memory/1512-48-0x00007FFE69150000-0x00007FFE69345000-memory.dmp

Filesize
2.0MB

Download
memory/1512-49-0x00007FFE69150000-0x00007FFE69345000-memory.dmp

Filesize
2.0MB

Download
memory/2052-11-0x00007FFE69150000-0x00007FFE69345000-memory.dmp

Filesize
2.0MB

Download
memory/2052-8-0x00007FFE69150000-0x00007FFE69345000-memory.dmp

Filesize
2.0MB

Download
memory/2052-20-0x00007FFE69150000-0x00007FFE69345000-memory.dmp

Filesize
2.0MB

Download
memory/2052-10-0x00007FFE26870000-0x00007FFE26880000-memory.dmp

Filesize
64KB

Download
memory/2052-14-0x00007FFE69150000-0x00007FFE69345000-memory.dmp

Filesize
2.0MB

Download
memory/2052-16-0x00007FFE26870000-0x00007FFE26880000-memory.dmp

Filesize
64KB

Download
memory/2052-17-0x00007FFE69150000-0x00007FFE69345000-memory.dmp

Filesize
2.0MB

Download
memory/2052-15-0x00007FFE69150000-0x00007FFE69345000-memory.dmp

Filesize
2.0MB

Download
memory/2052-5-0x00007FFE291D0000-0x00007FFE291E0000-memory.dmp

Filesize
64KB

Download
memory/2052-12-0x00007FFE69150000-0x00007FFE69345000-memory.dmp

Filesize
2.0MB

Download
memory/2052-13-0x00007FFE69150000-0x00007FFE69345000-memory.dmp

Filesize
2.0MB

Download
memory/2052-7-0x00007FFE69150000-0x00007FFE69345000-memory.dmp

Filesize
2.0MB

Download
memory/2052-9-0x00007FFE69150000-0x00007FFE69345000-memory.dmp

Filesize
2.0MB

Download
memory/2052-0-0x00007FFE291D0000-0x00007FFE291E0000-memory.dmp

Filesize
64KB

Download
memory/2052-6-0x00007FFE69150000-0x00007FFE69345000-memory.dmp

Filesize
2.0MB

Download
memory/2052-642-0x00007FFE69150000-0x00007FFE69345000-memory.dmp

Filesize
2.0MB

Download
memory/2052-2-0x00007FFE291D0000-0x00007FFE291E0000-memory.dmp

Filesize
64KB

Download
memory/2052-1-0x00007FFE291D0000-0x00007FFE291E0000-memory.dmp

Filesize
64KB

Download
memory/2052-3-0x00007FFE291D0000-0x00007FFE291E0000-memory.dmp

Filesize
64KB

Download
memory/2052-582-0x00007FFE69150000-0x00007FFE69345000-memory.dmp

Filesize
2.0MB

Download
memory/2052-21-0x00007FFE69150000-0x00007FFE69345000-memory.dmp

Filesize
2.0MB

Download
memory/2052-22-0x00007FFE69150000-0x00007FFE69345000-memory.dmp

Filesize
2.0MB

Download
memory/2052-23-0x00007FFE69150000-0x00007FFE69345000-memory.dmp

Filesize
2.0MB

Download
memory/2052-19-0x00007FFE69150000-0x00007FFE69345000-memory.dmp

Filesize
2.0MB

Download
memory/2052-18-0x00007FFE69150000-0x00007FFE69345000-memory.dmp

Filesize
2.0MB

Download
memory/2052-4-0x00007FFE691ED000-0x00007FFE691EE000-memory.dmp

Filesize
4KB

Download
memory/2880-90-0x00007FFE41A30000-0x00007FFE41B09000-memory.dmp

Filesize
868KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads