ac194ad1ef873f480d822e706f9112d392a61e2d5a23462638c4277747303f8b

General

Target

New Order - DUBAI BURJ KHALIFA LLC - PRICE ENQUIRY - RFQ 60000764690.xla.xls
Size

54KB
MD5

cd771cc01f05d97b4c739828a97f38bd
SHA1

68674eeb423ca6d1cd13dab084bcd7f7135be2af
SHA256

ac194ad1ef873f480d822e706f9112d392a61e2d5a23462638c4277747303f8b
SHA512

b419158ebcd4b4a1bca937b68eb5ce8d2bc65702a4a0bc025fed58c231eb4ab1f096581e30386fbe76e11257f9fa3f0039addf00b77a0cd82950987cb0a9f8b4
SSDEEP

768:yyBP01L1fyfjkv5s0+D5InszEABWXwMsTECYNsh1tJxiU0wE6:y681sf+5s0+D5IszWXrIEJO7tJf0wE

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

2320 EXCEL.EXE
2304 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WINWORD.EXE

description pid process

Token: SeAuditPrivilege 2304 WINWORD.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EXCEL.EXE

pid process

2320 EXCEL.EXE
2320 EXCEL.EXE

description	pid	process
Token: SeAuditPrivilege	2304	WINWORD.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid	process
2320	EXCEL.EXE
2320	EXCEL.EXE
2320	EXCEL.EXE
2320	EXCEL.EXE
2320	EXCEL.EXE
2320	EXCEL.EXE
2320	EXCEL.EXE
2320	EXCEL.EXE
2304	WINWORD.EXE
2304	WINWORD.EXE
2304	WINWORD.EXE
2304	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 2304 wrote to memory of 4360	2304	WINWORD.EXE	splwow64.exe
PID 2304 wrote to memory of 4360	2304	WINWORD.EXE	splwow64.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\New Order - DUBAI BURJ KHALIFA LLC - PRICE ENQUIRY - RFQ 60000764690.xla.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2320

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2304

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:4360

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:1376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1340 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
1⤵
PID:2464

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187
Filesize
471B

MD5
61c110cfbf7a5bf78aeca632421a79e9

SHA1
6d32b17c7362ba3b4b7b8be12271f4f459adc331

SHA256
3ffc3108eab68f9db45eeb36fc7275341470c54c0123b9a98deda15a4c407add

SHA512
7f510412d3e04fc357b2470c110cdb9da989d8d8c87e4de4de5ac4a2c6a116c5c68aa298b9d11dc8d51f3d19f41ac0078474df874ae6207acce894a960e50dff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187
Filesize
412B

MD5
0c4a5ee0ae482417c23ca8e8d22d641d

SHA1
472127473a26f1cdf1f36081c6d761b77c097b05

SHA256
67fa3c4515f922507efbc64f4b84cfcccc516f5e5615649a9ffcd3a80ce9b7ad

SHA512
8b5201067be419fb483c896b246f6fa6685b8b13b66f25071ad02cc24d21e750e9b4196269fc4b6b0deb9baf1c58a8489a17902f4fa8c434ca158de9c3ae9180

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\A2616E86-40E6-439F-9AFC-8BC61FAB6279
Filesize
160KB

MD5
8333709f71f517737f560eb7024c50a5

SHA1
7508618652cc3f2ebbd36613bdb1d0f2f1ab5e52

SHA256
db32f2da9ebe03778e8e4707a7a3f85cee0f1f53b4bcdd3feca7f1af05050c1c

SHA512
2c0c8f0ae8f2cc980cfc34c328ad7061794732f1e036c33d93cbaa1f3fe7c95b6c756a1d3c6a052c07e334b507220aa0f305cd182a96204d8f05652ef5ae447f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
Filesize
2KB

MD5
ec6a86cfee51e7e8cf152b04c8b661ba

SHA1
bd4f5ec0a23d335b5aa14982432ff226e66f1f13

SHA256
4503dd7e02961b0a0089a52948ca8b1b4b1c2f2f62937546d8f1df35ddf2d071

SHA512
5eb17d50f268080f7a4436a672e3cb416bc5aec07b55fb14372c5a4dea8c8e7c02daf5f528b5f5634d6059ce05fee90be592279c7a93131315ed8e0a664374f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
Filesize
2KB

MD5
b17c7f0902e5d50e197fd22ebe3ddc49

SHA1
993a8a1ee69080e99453eee62bc1af8448c5fdaa

SHA256
c806e9572e589dd3389eb39c034efb1d2c72175621905e5d8b51c82b31170b0f

SHA512
7d58bbadbaac3d0776dd7f364c566e5878ecf1f533fd4e9a57d3f790cd8806554670df7ad24a91966adb71d7b234d8fd3cd2b8055808d2948f69974cbd5a4f32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BHC2O5WS\moneyjumpinginthetreewithmonkeycallkissherloverwithouthavingkissingbetterthananotherlovreshe___isverybeautifulgirlmonkeykisser[1].doc
Filesize
79KB

MD5
390887d6627a4de66aac8349c57a495a

SHA1
aec3c18736f1ab675276c7b21076b0b48c3251a7

SHA256
4aefad6748025172503bac223b804d8de0dc741483409c7f19bc29b1859ba0bb

SHA512
b0a8fc3d7d833d972c9b63d79725ec72cbce81ddcbd2d0f4106ca7c626ae6749b989128533f022638e2b7cb71719e5d9ad0038fc93f63e9fb2bab584df903c5a

Download Submit
memory/2304-59-0x00007FFC0E590000-0x00007FFC0E785000-memory.dmp

Filesize
2.0MB

Download
memory/2304-34-0x00007FFC0E590000-0x00007FFC0E785000-memory.dmp

Filesize
2.0MB

Download
memory/2304-114-0x00007FFC0E590000-0x00007FFC0E785000-memory.dmp

Filesize
2.0MB

Download
memory/2304-117-0x00007FFC0E590000-0x00007FFC0E785000-memory.dmp

Filesize
2.0MB

Download
memory/2304-118-0x00007FFC0E590000-0x00007FFC0E785000-memory.dmp

Filesize
2.0MB

Download
memory/2304-116-0x00007FFC0E590000-0x00007FFC0E785000-memory.dmp

Filesize
2.0MB

Download
memory/2304-60-0x00007FFC0E590000-0x00007FFC0E785000-memory.dmp

Filesize
2.0MB

Download
memory/2304-58-0x00007FFC0E590000-0x00007FFC0E785000-memory.dmp

Filesize
2.0MB

Download
memory/2304-37-0x00007FFC0E590000-0x00007FFC0E785000-memory.dmp

Filesize
2.0MB

Download
memory/2304-36-0x00007FFC0E590000-0x00007FFC0E785000-memory.dmp

Filesize
2.0MB

Download
memory/2304-29-0x00007FFC0E590000-0x00007FFC0E785000-memory.dmp

Filesize
2.0MB

Download
memory/2304-27-0x00007FFC0E590000-0x00007FFC0E785000-memory.dmp

Filesize
2.0MB

Download
memory/2304-31-0x00007FFC0E590000-0x00007FFC0E785000-memory.dmp

Filesize
2.0MB

Download
memory/2304-32-0x00007FFC0E590000-0x00007FFC0E785000-memory.dmp

Filesize
2.0MB

Download
memory/2320-50-0x00007FFC0E590000-0x00007FFC0E785000-memory.dmp

Filesize
2.0MB

Download
memory/2320-0-0x00007FFBCE610000-0x00007FFBCE620000-memory.dmp

Filesize
64KB

Download
memory/2320-14-0x00007FFC0E590000-0x00007FFC0E785000-memory.dmp

Filesize
2.0MB

Download
memory/2320-7-0x00007FFC0E590000-0x00007FFC0E785000-memory.dmp

Filesize
2.0MB

Download
memory/2320-6-0x00007FFC0E590000-0x00007FFC0E785000-memory.dmp

Filesize
2.0MB

Download
memory/2320-4-0x00007FFC0E590000-0x00007FFC0E785000-memory.dmp

Filesize
2.0MB

Download
memory/2320-45-0x00007FFC0E590000-0x00007FFC0E785000-memory.dmp

Filesize
2.0MB

Download
memory/2320-8-0x00007FFBCE610000-0x00007FFBCE620000-memory.dmp

Filesize
64KB

Download
memory/2320-3-0x00007FFBCE610000-0x00007FFBCE620000-memory.dmp

Filesize
64KB

Download
memory/2320-53-0x00007FFC0E590000-0x00007FFC0E785000-memory.dmp

Filesize
2.0MB

Download
memory/2320-2-0x00007FFBCE610000-0x00007FFBCE620000-memory.dmp

Filesize
64KB

Download
memory/2320-1-0x00007FFC0E590000-0x00007FFC0E785000-memory.dmp

Filesize
2.0MB

Download
memory/2320-13-0x00007FFC0E590000-0x00007FFC0E785000-memory.dmp

Filesize
2.0MB

Download
memory/2320-16-0x00007FFBCC420000-0x00007FFBCC430000-memory.dmp

Filesize
64KB

Download
memory/2320-11-0x00007FFBCC420000-0x00007FFBCC430000-memory.dmp

Filesize
64KB

Download
memory/2320-101-0x00007FFBCE610000-0x00007FFBCE620000-memory.dmp

Filesize
64KB

Download
memory/2320-100-0x00007FFBCE610000-0x00007FFBCE620000-memory.dmp

Filesize
64KB

Download
memory/2320-102-0x00007FFBCE610000-0x00007FFBCE620000-memory.dmp

Filesize
64KB

Download
memory/2320-103-0x00007FFBCE610000-0x00007FFBCE620000-memory.dmp

Filesize
64KB

Download
memory/2320-104-0x00007FFC0E590000-0x00007FFC0E785000-memory.dmp

Filesize
2.0MB

Download
memory/2320-106-0x00007FFC0E590000-0x00007FFC0E785000-memory.dmp

Filesize
2.0MB

Download
memory/2320-107-0x00007FFC0E590000-0x00007FFC0E785000-memory.dmp

Filesize
2.0MB

Download
memory/2320-105-0x00007FFC0E590000-0x00007FFC0E785000-memory.dmp

Filesize
2.0MB

Download
memory/2320-12-0x00007FFC0E590000-0x00007FFC0E785000-memory.dmp

Filesize
2.0MB

Download
memory/2320-10-0x00007FFC0E590000-0x00007FFC0E785000-memory.dmp

Filesize
2.0MB

Download
memory/2320-5-0x00007FFBCE610000-0x00007FFBCE620000-memory.dmp

Filesize
64KB

Download
memory/2320-9-0x00007FFC0E590000-0x00007FFC0E785000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads