e62a8640510e8a72b5f5b9115b94439df31cfe186970ce831fc2ac200605dcaf

General

Target

Pago pendientes.doc
Size

141KB
MD5

1eefd150be33d5969d86f5dd82774291
SHA1

383a690269b80ca756e98387d6fcb6f7b9ae6c80
SHA256

e62a8640510e8a72b5f5b9115b94439df31cfe186970ce831fc2ac200605dcaf
SHA512

692e502198fe40e08bdb58f9864051663eb661990c5f0bc2165a86d79f57f5354c5d17b45495cc1562b166222f5ecf45923a77c8310393f67884fac6f471aa5b
SSDEEP

1536:XuonbOonbOonbV2mW7T+Y7Tx/RvvRdvkRRFbBoW5zzyJZjgkZrcrcrcuu9AUl/nl:K1DYGoMACJOue3flR5Pq3HWn08XQYp

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
3044	ITFRNLR.exe
2664	ITFRNLR.exe

Loads dropped DLL 4 IoCs

pid	Process
2544	WINWORD.EXE
2544	WINWORD.EXE
2544	WINWORD.EXE
2544	WINWORD.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3044 set thread context of 2664	3044	ITFRNLR.exe	31

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ITFRNLR.exe

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2544	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3044	ITFRNLR.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2544	WINWORD.EXE
2544	WINWORD.EXE

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 3044	2544	WINWORD.EXE	29
PID 2544 wrote to memory of 3044	2544	WINWORD.EXE	29
PID 2544 wrote to memory of 3044	2544	WINWORD.EXE	29
PID 2544 wrote to memory of 3044	2544	WINWORD.EXE	29
PID 3044 wrote to memory of 2664	3044	ITFRNLR.exe	31
PID 3044 wrote to memory of 2664	3044	ITFRNLR.exe	31
PID 3044 wrote to memory of 2664	3044	ITFRNLR.exe	31
PID 3044 wrote to memory of 2664	3044	ITFRNLR.exe	31
PID 3044 wrote to memory of 2664	3044	ITFRNLR.exe	31
PID 3044 wrote to memory of 2664	3044	ITFRNLR.exe	31
PID 3044 wrote to memory of 2664	3044	ITFRNLR.exe	31
PID 3044 wrote to memory of 2664	3044	ITFRNLR.exe	31
PID 3044 wrote to memory of 2664	3044	ITFRNLR.exe	31
PID 2544 wrote to memory of 2964	2544	WINWORD.EXE	33
PID 2544 wrote to memory of 2964	2544	WINWORD.EXE	33
PID 2544 wrote to memory of 2964	2544	WINWORD.EXE	33
PID 2544 wrote to memory of 2964	2544	WINWORD.EXE	33

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Pago pendientes.doc"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ITFRNLR.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ITFRNLR.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ITFRNLR.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ITFRNLR.exe
    3⤵
    - Executes dropped EXE
    PID:2664
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
dcdb204622788f3cddb1c695f56736ca

SHA1
d446ebc6fd71bea6d7b67844ca15ae91fa5b652f

SHA256
5cd62f97b93f983de7f42d63e26d77799e9467c5fde331b9dab5b7f82b423115

SHA512
3624144a6b51c0594729956d8ffd961f817064618be8dab01d646d1756ecaba0f14a743dd62718b3ab0affc4c72d84ac76b16f66388caf25e2e34f699eafe517

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ITFRNLR.exe

Filesize
354KB

MD5
3badedb0adc943d55394c06b6e43e2c8

SHA1
7f6d929b560edf98f3256970ec09358510ef4441

SHA256
276874edc2fa8fab8faad76b95f323b6e01bea7a058053c4ea674adfc51c59ed

SHA512
9daed3c7ab544e90f82ea9c303c94f7967d80450d23d7582060d46996ef00b688db407f09a7d1c582801439e7f0f65a4149019b9c46959861e519761cde2634c

Download Submit
memory/2544-94-0x0000000005CF0000-0x0000000005DF0000-memory.dmp

Filesize
1024KB

Download
memory/2544-0-0x000000002F6D1000-0x000000002F6D2000-memory.dmp

Filesize
4KB

Download
memory/2544-53-0x0000000005CF0000-0x0000000005DF0000-memory.dmp

Filesize
1024KB

Download
memory/2544-54-0x0000000005CF0000-0x0000000005DF0000-memory.dmp

Filesize
1024KB

Download
memory/2544-2-0x000000007323D000-0x0000000073248000-memory.dmp

Filesize
44KB

Download
memory/2544-111-0x000000007323D000-0x0000000073248000-memory.dmp

Filesize
44KB

Download
memory/2544-110-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2544-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2544-95-0x0000000005CF0000-0x0000000005DF0000-memory.dmp

Filesize
1024KB

Download
memory/2544-93-0x000000007323D000-0x0000000073248000-memory.dmp

Filesize
44KB

Download
memory/2544-36-0x0000000005CF0000-0x0000000005DF0000-memory.dmp

Filesize
1024KB

Download
memory/3044-90-0x0000000000470000-0x0000000000476000-memory.dmp

Filesize
24KB

Download
memory/3044-89-0x00000000002B0000-0x0000000000306000-memory.dmp

Filesize
344KB

Download
memory/3044-88-0x0000000000280000-0x0000000000286000-memory.dmp

Filesize
24KB

Download
memory/3044-87-0x0000000000E90000-0x0000000000EF2000-memory.dmp

Filesize
392KB

Download

Analysis

Sharing