Overview

overview

10

Static

static

1

Factura.xlsx

windows7-x64

10

Factura.xlsx

windows10-2004-x64

1

Analysis

  • max time kernel
    101s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/09/2024, 07:02 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Factura.xlsx

  • Size

    3.9MB

  • MD5

    5ffc2a72ff05e1f486e4aa0142b89a23

  • SHA1

    1d7428dd31e095b0aa43a61c962e7d42587c3f0c

  • SHA256

    0f626eca4a80a70619bded3da7db0cbac8de8effb65482cdf05962ff789155be

  • SHA512

    3b9753133f33901cc5fe4cc9e13ddb860b6a4cbae572ba4aad0149589c4b162caa9352dc57831d9c532367e5f978e22de34612566990fd0e83aaba4797cec7d4

  • SSDEEP

    98304:fxCNiZcsxN2HwHTiOsR1PWdVUnugvD50Dm:ZC8ZcsiOPdEugvDV

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Factura.xlsx"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:3960

Network

  • flag-us
    DNS
    241.150.49.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.150.49.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    81.144.22.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    81.144.22.2.in-addr.arpa
    IN PTR
    Response
    81.144.22.2.in-addr.arpa
    IN PTR
    a2-22-144-81deploystaticakamaitechnologiescom
  • flag-us
    DNS
    roaming.officeapps.live.com
    EXCEL.EXE
    Remote address:
    8.8.8.8:53
    Request
    roaming.officeapps.live.com
    IN A
    Response
    roaming.officeapps.live.com
    IN CNAME
    prod.roaming1.live.com.akadns.net
    prod.roaming1.live.com.akadns.net
    IN CNAME
    eur.roaming1.live.com.akadns.net
    eur.roaming1.live.com.akadns.net
    IN CNAME
    uks-azsc-000.roaming.officeapps.live.com
    uks-azsc-000.roaming.officeapps.live.com
    IN CNAME
    osiprod-uks-buff-azsc-000.uksouth.cloudapp.azure.com
    osiprod-uks-buff-azsc-000.uksouth.cloudapp.azure.com
    IN A
    52.109.28.47
  • flag-gb
    POST
    https://roaming.officeapps.live.com/rs/RoamingSoapService.svc
    EXCEL.EXE
    Remote address:
    52.109.28.47:443
    Request
    POST /rs/RoamingSoapService.svc HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Content-Type: text/xml; charset=utf-8
    User-Agent: MS-WebServices/1.0
    SOAPAction: "http://tempuri.org/IRoamingSettingsService/GetConfig"
    Content-Length: 511
    Host: roaming.officeapps.live.com
    Response
    HTTP/1.1 200 OK
    Cache-Control: private
    Content-Type: text/xml; charset=utf-8
    Server: Microsoft-IIS/10.0
    X-OfficeFE: RoamingFE_IN_31
    X-OfficeVersion: 16.0.18108.30576
    X-OfficeCluster: uks-000.roaming.officeapps.live.com
    X-CorrelationId: 54a9777d-8a17-4864-a998-eb090e3189f1
    X-Powered-By: ASP.NET
    Date: Thu, 19 Sep 2024 07:02:17 GMT
    Content-Length: 654
  • flag-us
    DNS
    47.28.109.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    47.28.109.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    138.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    138.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    84.65.42.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    84.65.42.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    154.239.44.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    154.239.44.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    86.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    86.23.85.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    15.164.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    15.164.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    71.190.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    71.190.18.2.in-addr.arpa
    IN PTR
    Response
    71.190.18.2.in-addr.arpa
    IN PTR
    a2-18-190-71deploystaticakamaitechnologiescom
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    29.243.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    29.243.111.52.in-addr.arpa
    IN PTR
    Response
  • 52.109.28.47:443
    https://roaming.officeapps.live.com/rs/RoamingSoapService.svc
    tls, http
    EXCEL.EXE
    1.7kB
     7.7kB
     11
    10

    HTTP Request

    POST https://roaming.officeapps.live.com/rs/RoamingSoapService.svc

    HTTP Response

    200
  • 52.111.236.23:443
    322 B
     7
  • 8.8.8.8:53
    241.150.49.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    241.150.49.20.in-addr.arpa

  • 8.8.8.8:53
    81.144.22.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    81.144.22.2.in-addr.arpa

  • 8.8.8.8:53
    roaming.officeapps.live.com
    dns
    EXCEL.EXE
    73 B
     244 B
     1
    1

    DNS Request

    roaming.officeapps.live.com

    DNS Response

    52.109.28.47

  • 8.8.8.8:53
    47.28.109.52.in-addr.arpa
    dns
    71 B
     145 B
     1
    1

    DNS Request

    47.28.109.52.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    138.32.126.40.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    138.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    84.65.42.20.in-addr.arpa
    dns
    70 B
     156 B
     1
    1

    DNS Request

    84.65.42.20.in-addr.arpa

  • 8.8.8.8:53
    154.239.44.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    154.239.44.20.in-addr.arpa

  • 8.8.8.8:53
    86.23.85.13.in-addr.arpa
    dns
    70 B
     144 B
     1
    1

    DNS Request

    86.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    15.164.165.52.in-addr.arpa
    dns
    72 B
     146 B
     1
    1

    DNS Request

    15.164.165.52.in-addr.arpa

  • 8.8.8.8:53
    71.190.18.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    71.190.18.2.in-addr.arpa

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
     128 B
     1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

  • 8.8.8.8:53
    29.243.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    29.243.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3960-1-0x00007FF91D32D000-0x00007FF91D32E000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3960-0-0x00007FF8DD310000-0x00007FF8DD320000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3960-3-0x00007FF8DD310000-0x00007FF8DD320000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3960-2-0x00007FF8DD310000-0x00007FF8DD320000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3960-4-0x00007FF8DD310000-0x00007FF8DD320000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3960-5-0x00007FF8DD310000-0x00007FF8DD320000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3960-9-0x00007FF91D290000-0x00007FF91D485000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3960-13-0x00007FF91D290000-0x00007FF91D485000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3960-12-0x00007FF91D290000-0x00007FF91D485000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3960-11-0x00007FF91D290000-0x00007FF91D485000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3960-14-0x00007FF8DA9B0000-0x00007FF8DA9C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3960-16-0x00007FF8DA9B0000-0x00007FF8DA9C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3960-15-0x00007FF91D290000-0x00007FF91D485000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3960-17-0x00007FF91D290000-0x00007FF91D485000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3960-19-0x00007FF91D290000-0x00007FF91D485000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3960-18-0x00007FF91D290000-0x00007FF91D485000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3960-20-0x00007FF91D290000-0x00007FF91D485000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3960-10-0x00007FF91D290000-0x00007FF91D485000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3960-8-0x00007FF91D290000-0x00007FF91D485000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3960-7-0x00007FF91D290000-0x00007FF91D485000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3960-6-0x00007FF91D290000-0x00007FF91D485000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3960-30-0x00007FF91D290000-0x00007FF91D485000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3960-31-0x00007FF91D32D000-0x00007FF91D32E000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3960-32-0x00007FF91D290000-0x00007FF91D485000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3960-33-0x00007FF91D290000-0x00007FF91D485000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3960-56-0x00007FF8DD310000-0x00007FF8DD320000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3960-59-0x00007FF8DD310000-0x00007FF8DD320000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3960-58-0x00007FF8DD310000-0x00007FF8DD320000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3960-57-0x00007FF8DD310000-0x00007FF8DD320000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3960-60-0x00007FF91D290000-0x00007FF91D485000-memory.dmp

    Filesize

    2.0MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.