99577d4554ff7f8f9c98b9fd9c249f6aab4dccb47142466b070fd6d33d641e4e

General

Target

Estado.de.cuenta.xls
Size

66KB
MD5

0446015a22e4778816e2ccc64ac17a9b
SHA1

4943e12bea20024937b890a289da2602a111a547
SHA256

99577d4554ff7f8f9c98b9fd9c249f6aab4dccb47142466b070fd6d33d641e4e
SHA512

96ca9e969e7864d0befff5ac56a408988b162ca4ba80cc2ed1455f4b6ee855ff4e3a0397879b7833b8279fa98c71c8596abd8f83f2107daf4bd80db032bbb811
SSDEEP

1536:BYxEtjPOtioVjDGUU1qfDlaGGx+cL2QnA5Xo4inBGp9tRG52yriv+L:BYxEtjPOtioVjDGUU1qfDlaGGx+cL2QU

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
4768	WEJTZTNBL.exe
2436	WEJTZTNBL.exe
2836	WEJTZTNBL.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4768 set thread context of 2436	4768	WEJTZTNBL.exe	89
PID 4768 set thread context of 2836	4768	WEJTZTNBL.exe	90

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3596	2436	WerFault.exe	89
4924	2836	WerFault.exe	90
1972	2436	WerFault.exe	89
3496	2436	WerFault.exe	89

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WEJTZTNBL.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4576	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4768	WEJTZTNBL.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4576	EXCEL.EXE
4576	EXCEL.EXE

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
4576	EXCEL.EXE
4576	EXCEL.EXE
4576	EXCEL.EXE
4576	EXCEL.EXE
4576	EXCEL.EXE
4576	EXCEL.EXE
4576	EXCEL.EXE
4576	EXCEL.EXE
4576	EXCEL.EXE
4576	EXCEL.EXE
4576	EXCEL.EXE
4576	EXCEL.EXE
4576	EXCEL.EXE
4576	EXCEL.EXE

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 4576 wrote to memory of 4768	4576	EXCEL.EXE	87
PID 4576 wrote to memory of 4768	4576	EXCEL.EXE	87
PID 4576 wrote to memory of 4768	4576	EXCEL.EXE	87
PID 4768 wrote to memory of 2436	4768	WEJTZTNBL.exe	89
PID 4768 wrote to memory of 2436	4768	WEJTZTNBL.exe	89
PID 4768 wrote to memory of 2436	4768	WEJTZTNBL.exe	89
PID 4768 wrote to memory of 2436	4768	WEJTZTNBL.exe	89
PID 4768 wrote to memory of 2436	4768	WEJTZTNBL.exe	89
PID 4768 wrote to memory of 2436	4768	WEJTZTNBL.exe	89
PID 4768 wrote to memory of 2436	4768	WEJTZTNBL.exe	89
PID 4768 wrote to memory of 2436	4768	WEJTZTNBL.exe	89
PID 4768 wrote to memory of 2436	4768	WEJTZTNBL.exe	89
PID 4768 wrote to memory of 2436	4768	WEJTZTNBL.exe	89
PID 4768 wrote to memory of 2436	4768	WEJTZTNBL.exe	89
PID 4768 wrote to memory of 2836	4768	WEJTZTNBL.exe	90
PID 4768 wrote to memory of 2836	4768	WEJTZTNBL.exe	90
PID 4768 wrote to memory of 2836	4768	WEJTZTNBL.exe	90
PID 4768 wrote to memory of 2836	4768	WEJTZTNBL.exe	90
PID 4768 wrote to memory of 2836	4768	WEJTZTNBL.exe	90
PID 4768 wrote to memory of 2836	4768	WEJTZTNBL.exe	90
PID 4768 wrote to memory of 2836	4768	WEJTZTNBL.exe	90
PID 4768 wrote to memory of 2836	4768	WEJTZTNBL.exe	90
PID 4768 wrote to memory of 2836	4768	WEJTZTNBL.exe	90
PID 4768 wrote to memory of 2836	4768	WEJTZTNBL.exe	90
PID 4768 wrote to memory of 2836	4768	WEJTZTNBL.exe	90

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Estado.de.cuenta.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4576
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\WEJTZTNBL.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\WEJTZTNBL.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4768
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\WEJTZTNBL.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\WEJTZTNBL.exe
    3⤵
    - Executes dropped EXE
    PID:2436
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 80
      4⤵
      Program crash
      PID:3596
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 88
      4⤵
      Program crash
      PID:1972
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 116
      4⤵
      Program crash
      PID:3496
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\WEJTZTNBL.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\WEJTZTNBL.exe
    3⤵
    - Executes dropped EXE
    PID:2836
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2836 -s 80
      4⤵
      Program crash
      PID:4924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2836 -ip 2836
1⤵
PID:3916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2436 -ip 2436
1⤵
PID:2652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2436 -ip 2436
1⤵
PID:3668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2436 -ip 2436
1⤵
PID:376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
671B

MD5
e22d66c59c9fd2b40ad60007fe14c879

SHA1
fa54692df50341bea7975a0888bddb85332b505d

SHA256
a7485278c69333ef901d50bda497851894a259298d38c082d9b1eb49095f38a6

SHA512
fe8efe2d1bbf53b0228512d15ae8040fcc06510f1a966f408cb7c4e5d74791e8102d679a00b1780d01ad5a6c890bc130216ddc9e23d1baf2a67d5ee634153945

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\WEJTZTNBL.exe

Filesize
275KB

MD5
21aea7934aee995629e68e5834695608

SHA1
94e690f33e0f7b8ea8a1c665359836b363cc09a5

SHA256
1f6feae633a783cf6ef08eee6b65049fe5b692c8a743af8967984e2e212a06b5

SHA512
b25883eecaa34a355047c4c6c0f684298f2803e757ffb3fdc6b097c62283e96b6801cafa3eaab9eb49df79c2abefebcc5d53816b877bd9ce108864785942b0ad

Download Submit
memory/4576-20-0x00007FFC45ED0000-0x00007FFC460C5000-memory.dmp

Filesize
2.0MB

Download
memory/4576-5-0x00007FFC05F50000-0x00007FFC05F60000-memory.dmp

Filesize
64KB

Download
memory/4576-9-0x00007FFC45ED0000-0x00007FFC460C5000-memory.dmp

Filesize
2.0MB

Download
memory/4576-19-0x00007FFC45ED0000-0x00007FFC460C5000-memory.dmp

Filesize
2.0MB

Download
memory/4576-2-0x00007FFC05F50000-0x00007FFC05F60000-memory.dmp

Filesize
64KB

Download
memory/4576-17-0x00007FFC45ED0000-0x00007FFC460C5000-memory.dmp

Filesize
2.0MB

Download
memory/4576-11-0x00007FFC45ED0000-0x00007FFC460C5000-memory.dmp

Filesize
2.0MB

Download
memory/4576-8-0x00007FFC45ED0000-0x00007FFC460C5000-memory.dmp

Filesize
2.0MB

Download
memory/4576-12-0x00007FFC03EF0000-0x00007FFC03F00000-memory.dmp

Filesize
64KB

Download
memory/4576-13-0x00007FFC45ED0000-0x00007FFC460C5000-memory.dmp

Filesize
2.0MB

Download
memory/4576-7-0x00007FFC45ED0000-0x00007FFC460C5000-memory.dmp

Filesize
2.0MB

Download
memory/4576-14-0x00007FFC03EF0000-0x00007FFC03F00000-memory.dmp

Filesize
64KB

Download
memory/4576-6-0x00007FFC45ED0000-0x00007FFC460C5000-memory.dmp

Filesize
2.0MB

Download
memory/4576-15-0x00007FFC45ED0000-0x00007FFC460C5000-memory.dmp

Filesize
2.0MB

Download
memory/4576-16-0x00007FFC45ED0000-0x00007FFC460C5000-memory.dmp

Filesize
2.0MB

Download
memory/4576-18-0x00007FFC45ED0000-0x00007FFC460C5000-memory.dmp

Filesize
2.0MB

Download
memory/4576-108-0x00007FFC45ED0000-0x00007FFC460C5000-memory.dmp

Filesize
2.0MB

Download
memory/4576-4-0x00007FFC05F50000-0x00007FFC05F60000-memory.dmp

Filesize
64KB

Download
memory/4576-10-0x00007FFC45ED0000-0x00007FFC460C5000-memory.dmp

Filesize
2.0MB

Download
memory/4576-34-0x00007FFC45ED0000-0x00007FFC460C5000-memory.dmp

Filesize
2.0MB

Download
memory/4576-57-0x00007FFC45ED0000-0x00007FFC460C5000-memory.dmp

Filesize
2.0MB

Download
memory/4576-3-0x00007FFC05F50000-0x00007FFC05F60000-memory.dmp

Filesize
64KB

Download
memory/4576-1-0x00007FFC45F6D000-0x00007FFC45F6E000-memory.dmp

Filesize
4KB

Download
memory/4576-0-0x00007FFC05F50000-0x00007FFC05F60000-memory.dmp

Filesize
64KB

Download
memory/4576-107-0x00007FFC45ED0000-0x00007FFC460C5000-memory.dmp

Filesize
2.0MB

Download
memory/4576-103-0x00007FFC45ED0000-0x00007FFC460C5000-memory.dmp

Filesize
2.0MB

Download
memory/4576-100-0x00007FFC45F6D000-0x00007FFC45F6E000-memory.dmp

Filesize
4KB

Download
memory/4576-99-0x00007FFC45ED0000-0x00007FFC460C5000-memory.dmp

Filesize
2.0MB

Download
memory/4576-102-0x00007FFC45ED0000-0x00007FFC460C5000-memory.dmp

Filesize
2.0MB

Download
memory/4576-101-0x00007FFC45ED0000-0x00007FFC460C5000-memory.dmp

Filesize
2.0MB

Download
memory/4768-93-0x0000000007B90000-0x0000000007C22000-memory.dmp

Filesize
584KB

Download
memory/4768-92-0x0000000008140000-0x00000000086E4000-memory.dmp

Filesize
5.6MB

Download
memory/4768-91-0x0000000007AF0000-0x0000000007B8C000-memory.dmp

Filesize
624KB

Download
memory/4768-90-0x0000000005520000-0x0000000005578000-memory.dmp

Filesize
352KB

Download
memory/4768-89-0x0000000000C50000-0x0000000000C9A000-memory.dmp

Filesize
296KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads