49042e86af4503a917b8408c4faab2759688065a429015a2c90430fa7371291f

Analysis

max time kernel
244s
max time network
280s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
03/07/2024, 23:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Dropped Malware/Comprobante de pago_978989689.xls
Size

170KB
MD5

d0055b08c9a93f662b3a234a984ceb2f
SHA1

8c6df2ae8820912744ce8b717604399bbde46a66
SHA256

7203e2e674817c3cc2080d810a2e09323100163a1bd8f8d4ffbf5b9b1729b9c1
SHA512

d01d458aeac1c9d027b05af24e51984004d3800d658af7e77798e8352059db2c22377775c7cadf94940b8c4622f501181c40006193d7bf96f97dceb041d1b88d
SSDEEP

3072:y8tq3KR9pLmLX6MOXG0A6OM1Qr6tjtmTgY3A1bPjbw2wB5bFJvqNX:y6NCLX6b2ctjtmT5uE2wB5vv4

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2888	EXCEL.EXE
1664	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeAuditPrivilege	1664	WINWORD.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2888	EXCEL.EXE
2888	EXCEL.EXE
2888	EXCEL.EXE
2888	EXCEL.EXE
2888	EXCEL.EXE
2888	EXCEL.EXE
2888	EXCEL.EXE
2888	EXCEL.EXE
1664	WINWORD.EXE
1664	WINWORD.EXE
1664	WINWORD.EXE
1664	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 5100	1664	WINWORD.EXE	79
PID 1664 wrote to memory of 5100	1664	WINWORD.EXE	79

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Dropped Malware\Comprobante de pago_978989689.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2888

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:5100

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
848aac0cb4e72e82edc44095735ce8ee

SHA1
461e0897b86390f46de0a5dc29d6a41a4d8e9f73

SHA256
4a8a08914890cf55e09ea295540e3a13a7ef791fe21d4612b200c3d8ef0fdf59

SHA512
c3219a01d23fdb270df47c78d5ece4197822af4fb1a244644edd7133f5b55f85909a392d9e73880b22907009da27a9f06439ee0610e48c78a5b664b5d36a5138

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
471B

MD5
04879e8dfcf79c5cc5ed73c335436218

SHA1
e84947196eae7740d3443f3da14999a1728dc388

SHA256
6acb978484b40cec1fccf32637df7fa84b6be25d3381da6c0d85a56103cea713

SHA512
4c972effb33bd0f597d5469308de6f3acb1e7ddab7efae2a353578814463c44b86fc2251e5474195450fd5b500eb183a72a2b01ca6dc219230dd99a14b484d24

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
f0eed1be35d611395912262babdc157f

SHA1
8e72f37403cf55a9828d4441262c978dbcb35f21

SHA256
5468288890d249ef2f1163897dd817b0fe78aa48569e69e27b1315fce7a6339f

SHA512
98c7cd5730a62fe810d200a23f0d7b47fb1c538304174baeae0c2d8856bfab926d698779234451b48b459fb9e3f1ffdbe7947f7b2897236039b4dcddee72438a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
efbeb9cd5afd1ba5a11c64c64a49e960

SHA1
882c48c768841f6ba4a22a00d56a52f3d7bcb5d2

SHA256
5ce9d9f79641a063e622d92be9ffb9c98ce337d1f8a60fc7629b3370554addc7

SHA512
d40e6ce86bad72b56e08ffc65141a7bffdced12188ba6731303f8a94068564e32cda2623f9ea1f9a1134fc86f8020fe9ac35497f94b8ca921b417d7aa0675b23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
412B

MD5
87c3a956a1f806ff3e5ca8fe6eebe3ce

SHA1
5e7fdee0b920e00727224ffc9b58f2d2384b82a2

SHA256
d88079d0745c348ed66f133f5c879504b5c500f2c866f339e0226e848d6ce6a8

SHA512
401da2bacd64e0473acf91711fda15dc08ed853013a8cc377096c50885bc2565e11a3127b8a8a861422baa2fabc2d3cb63ef5cada04962a1870e77128629a41b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\357607E8-6FB3-4357-8EC3-C160C437B6DF

Filesize
168KB

MD5
5b467e7e2b2289ac1ec2c5968eb660f8

SHA1
929d43dcec8ecb5ab4d6a6228a84bf66036cd97b

SHA256
95f86bc4e4b947d245a261a10bf6205740303ff527865150f2ec6ebdd6e2deca

SHA512
b9f0dd2730e8c0ccb29ae8171e60ea5afa9536141239d4b9509e02e417afeb5302d24fc90b4309a6f8acebb8c01032f16256e9365c0dc917660e506e6c6fc483

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
21KB

MD5
57cccf80caef59bf8d515eb04135f946

SHA1
34c93806f34b15f06a029629d338fcd648d8ae0a

SHA256
7fe7b380df9a6549e7baed9158c2ce0fb933f9e1d0857236eaf3b85a1cbd5ce5

SHA512
789eb352bafdf319b59d75ebf5d85e549fcfb7519480880e677b5af9cd7a63de1028f3e244e6b4182a796d448da1a20559fd095d2abf78abbf3e10a2b473c971

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\8854872D.doc

Filesize
171KB

MD5
80e1ba7b421fd01f5319de00cf5420f7

SHA1
d63b993303e677d7bacd6ab4a11b03530ee1528e

SHA256
2ea7cb9bbd0fcad641bf6a0469f23c51786e1c0264b769a8ba0d5c5ff614b7ba

SHA512
e6ae787adba0ba690170f54d7977703487381028223428810393e63221c0700bf567651ff8833ffdd98762190d4fddada6586941ec39cf00e042a7071ab6fc7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDC8EF.tmp\iso690.xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
230B

MD5
4c9f19c57163c1ac57320d616a5c1680

SHA1
3027bcb042499de0f6328ac238c5da5e774c725b

SHA256
f15421695df5cbe3b60a1879a7a2151d759cdced91e6be372d53b705ae11e6b9

SHA512
a18bfe2eb943bec4e45aaf5270d6ba9564e78316c9ed40e12b687fecb9ab9fa3389768d2f75b0c8ee42b4806a420679b604635de1f23dbde75119414b3652cd3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
5KB

MD5
e08f51d3b3342317719385cfb092e5ce

SHA1
bd920cdea09b7305f10c5902ebb1e4c3b5d40056

SHA256
cbed71e21bfa52c42a65223bb2388ec93d62d261443f0640188979dc357e9287

SHA512
b629c41ce6ee8fdffef1e06d712c971cfdd7a589b559971b89a66072ab0932bf02005c0fddb652c81aaeaba65db65200d2eafc9c7cf3b3dad3660c9ff9a7dce4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
228eeb603c2edf5b219c2eab80ebbbbf

SHA1
c0370ac73fa38a1d08927725a1128053376f392f

SHA256
4a99eccb1783be9ecc2c56503ddbd0eb741864d1984750303ecfdff43093c8fc

SHA512
126a17406954bedeca106f6cc3a432f9dea765f1fe2011c703e0237704221efcd8e6322c91589fb5efcca0bd8a7cceaeb80b62835bfe19aca47cba35a9d1c7d9

Download Submit
memory/1664-48-0x00007FFB484C0000-0x00007FFB486C9000-memory.dmp

Filesize
2.0MB

Download
memory/1664-45-0x00007FFB484C0000-0x00007FFB486C9000-memory.dmp

Filesize
2.0MB

Download
memory/1664-622-0x00007FFB484C0000-0x00007FFB486C9000-memory.dmp

Filesize
2.0MB

Download
memory/1664-620-0x00007FFB08550000-0x00007FFB08560000-memory.dmp

Filesize
64KB

Download
memory/1664-621-0x00007FFB08550000-0x00007FFB08560000-memory.dmp

Filesize
64KB

Download
memory/1664-619-0x00007FFB08550000-0x00007FFB08560000-memory.dmp

Filesize
64KB

Download
memory/1664-618-0x00007FFB08550000-0x00007FFB08560000-memory.dmp

Filesize
64KB

Download
memory/1664-577-0x00007FFB484C0000-0x00007FFB486C9000-memory.dmp

Filesize
2.0MB

Download
memory/1664-43-0x00007FFB484C0000-0x00007FFB486C9000-memory.dmp

Filesize
2.0MB

Download
memory/1664-47-0x00007FFB484C0000-0x00007FFB486C9000-memory.dmp

Filesize
2.0MB

Download
memory/1664-49-0x00007FFB484C0000-0x00007FFB486C9000-memory.dmp

Filesize
2.0MB

Download
memory/2888-21-0x00007FFB484C0000-0x00007FFB486C9000-memory.dmp

Filesize
2.0MB

Download
memory/2888-20-0x00007FFB484C0000-0x00007FFB486C9000-memory.dmp

Filesize
2.0MB

Download
memory/2888-2-0x00007FFB08550000-0x00007FFB08560000-memory.dmp

Filesize
64KB

Download
memory/2888-0-0x00007FFB08550000-0x00007FFB08560000-memory.dmp

Filesize
64KB

Download
memory/2888-3-0x00007FFB08550000-0x00007FFB08560000-memory.dmp

Filesize
64KB

Download
memory/2888-4-0x00007FFB08550000-0x00007FFB08560000-memory.dmp

Filesize
64KB

Download
memory/2888-5-0x00007FFB48563000-0x00007FFB48564000-memory.dmp

Filesize
4KB

Download
memory/2888-19-0x00007FFB484C0000-0x00007FFB486C9000-memory.dmp

Filesize
2.0MB

Download
memory/2888-17-0x00007FFB484C0000-0x00007FFB486C9000-memory.dmp

Filesize
2.0MB

Download
memory/2888-22-0x00007FFB484C0000-0x00007FFB486C9000-memory.dmp

Filesize
2.0MB

Download
memory/2888-23-0x00007FFB484C0000-0x00007FFB486C9000-memory.dmp

Filesize
2.0MB

Download
memory/2888-24-0x00007FFB484C0000-0x00007FFB486C9000-memory.dmp

Filesize
2.0MB

Download
memory/2888-25-0x00007FFB484C0000-0x00007FFB486C9000-memory.dmp

Filesize
2.0MB

Download
memory/2888-1-0x00007FFB08550000-0x00007FFB08560000-memory.dmp

Filesize
64KB

Download
memory/2888-18-0x00007FFB06330000-0x00007FFB06340000-memory.dmp

Filesize
64KB

Download
memory/2888-15-0x00007FFB484C0000-0x00007FFB486C9000-memory.dmp

Filesize
2.0MB

Download
memory/2888-13-0x00007FFB06330000-0x00007FFB06340000-memory.dmp

Filesize
64KB

Download
memory/2888-11-0x00007FFB484C0000-0x00007FFB486C9000-memory.dmp

Filesize
2.0MB

Download
memory/2888-10-0x00007FFB484C0000-0x00007FFB486C9000-memory.dmp

Filesize
2.0MB

Download
memory/2888-8-0x00007FFB484C0000-0x00007FFB486C9000-memory.dmp

Filesize
2.0MB

Download
memory/2888-576-0x00007FFB484C0000-0x00007FFB486C9000-memory.dmp

Filesize
2.0MB

Download
memory/2888-6-0x00007FFB484C0000-0x00007FFB486C9000-memory.dmp

Filesize
2.0MB

Download
memory/2888-7-0x00007FFB484C0000-0x00007FFB486C9000-memory.dmp

Filesize
2.0MB

Download
memory/2888-9-0x00007FFB484C0000-0x00007FFB486C9000-memory.dmp

Filesize
2.0MB

Download
memory/2888-12-0x00007FFB484C0000-0x00007FFB486C9000-memory.dmp

Filesize
2.0MB

Download
memory/2888-14-0x00007FFB484C0000-0x00007FFB486C9000-memory.dmp

Filesize
2.0MB

Download
memory/2888-16-0x00007FFB484C0000-0x00007FFB486C9000-memory.dmp

Filesize
2.0MB

Download
memory/2888-631-0x00007FFB484C0000-0x00007FFB486C9000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads