3bd473a0d0ceaafda5293fcea396b160d32ef60d7a083b152b78fcb2a124abdd

General

Target

Saudi Aramco Purchase Order Ref090418.rtf
Size

506KB
MD5

ef03d6c77f9299473e82c6cccfefb0c3
SHA1

1038ba22fead7e33c82cc159feb340692a975096
SHA256

325a2e914289e94063ddb91a2cd54320c185917e8e78f760aaf54ad66d2f6523
SHA512

312785af42f51daaf3127dab36be0b3a4bbb1f1e4d136785fce39d8a01db7f606abd3e3933df234c28dabf4d215649eacc68355b0383853fde503bac461453cf
SSDEEP

12288:g+WhWEyIu3ErzRYi/ZxtbS3IWWq6Pk3HnnYhPsvKYRtUMe:gIRI3rzRv/JbS7Wq6WYAXRtUz

Score

4^/10

Malware Config

Signatures

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{441B14D9-0E02-42C6-99B7-DA86D2AC83CB}\exe.exe:Zone.Identifier	WINWORD.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

NTFS ADS 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{441B14D9-0E02-42C6-99B7-DA86D2AC83CB}\decoy.doc:Zone.Identifier	WINWORD.EXE
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{441B14D9-0E02-42C6-99B7-DA86D2AC83CB}\task.bat:Zone.Identifier	WINWORD.EXE
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{441B14D9-0E02-42C6-99B7-DA86D2AC83CB}\exe.exe:Zone.Identifier	WINWORD.EXE
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{441B14D9-0E02-42C6-99B7-DA86D2AC83CB}\2nd.bat:Zone.Identifier	WINWORD.EXE
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{441B14D9-0E02-42C6-99B7-DA86D2AC83CB}\inteldriverupd1.sct:Zone.Identifier	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
5636	WINWORD.EXE
5636	WINWORD.EXE

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
5636	WINWORD.EXE
5636	WINWORD.EXE
5636	WINWORD.EXE
5636	WINWORD.EXE
5636	WINWORD.EXE
5636	WINWORD.EXE
5636	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Saudi Aramco Purchase Order Ref090418.rtf" /o ""
1⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4360,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=944 /prefetch:8
1⤵
PID:4480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

1

T1553

SIP and Trust Provider Hijacking

1

T1553.003

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\{441B14D9-0E02-42C6-99B7-DA86D2AC83CB}\inteldriverupd1.sct:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
1KB

MD5
fd7a8b6861b37f475d7461e9f47b9b4b

SHA1
e45cec5351693ec177605cc35b96ae045c38835f

SHA256
e91699fabb14916334927d9f4793026c067ffcb5cb335f7699bda40747c6503c

SHA512
8215256157c16781af92dd3485a29b30462895c65ec63c18d0ea9bf6debbfb9710f68539b6ba18a3ba7d17ba03184f5db18c1ea650130da77d7cd732e7c897a5

Download Submit
memory/5636-12-0x00007FF9AA300000-0x00007FF9AA310000-memory.dmp

Filesize
64KB

Download
memory/5636-81-0x00007FF9EC610000-0x00007FF9EC805000-memory.dmp

Filesize
2.0MB

Download
memory/5636-1-0x00007FF9EC6AD000-0x00007FF9EC6AE000-memory.dmp

Filesize
4KB

Download
memory/5636-8-0x00007FF9AC690000-0x00007FF9AC6A0000-memory.dmp

Filesize
64KB

Download
memory/5636-11-0x00007FF9EC610000-0x00007FF9EC805000-memory.dmp

Filesize
2.0MB

Download
memory/5636-10-0x00007FF9EC610000-0x00007FF9EC805000-memory.dmp

Filesize
2.0MB

Download
memory/5636-9-0x00007FF9EC610000-0x00007FF9EC805000-memory.dmp

Filesize
2.0MB

Download
memory/5636-4-0x00007FF9EC610000-0x00007FF9EC805000-memory.dmp

Filesize
2.0MB

Download
memory/5636-6-0x00007FF9AC690000-0x00007FF9AC6A0000-memory.dmp

Filesize
64KB

Download
memory/5636-3-0x00007FF9AC690000-0x00007FF9AC6A0000-memory.dmp

Filesize
64KB

Download
memory/5636-7-0x00007FF9EC610000-0x00007FF9EC805000-memory.dmp

Filesize
2.0MB

Download
memory/5636-5-0x00007FF9EC610000-0x00007FF9EC805000-memory.dmp

Filesize
2.0MB

Download
memory/5636-2-0x00007FF9AC690000-0x00007FF9AC6A0000-memory.dmp

Filesize
64KB

Download
memory/5636-37-0x00007FF9EC610000-0x00007FF9EC805000-memory.dmp

Filesize
2.0MB

Download
memory/5636-38-0x00007FF9EC6AD000-0x00007FF9EC6AE000-memory.dmp

Filesize
4KB

Download
memory/5636-39-0x00007FF9EC610000-0x00007FF9EC805000-memory.dmp

Filesize
2.0MB

Download
memory/5636-40-0x00007FF9EC610000-0x00007FF9EC805000-memory.dmp

Filesize
2.0MB

Download
memory/5636-0-0x00007FF9AC690000-0x00007FF9AC6A0000-memory.dmp

Filesize
64KB

Download
memory/5636-78-0x00007FF9AC690000-0x00007FF9AC6A0000-memory.dmp

Filesize
64KB

Download
memory/5636-79-0x00007FF9AC690000-0x00007FF9AC6A0000-memory.dmp

Filesize
64KB

Download
memory/5636-77-0x00007FF9AC690000-0x00007FF9AC6A0000-memory.dmp

Filesize
64KB

Download
memory/5636-80-0x00007FF9AC690000-0x00007FF9AC6A0000-memory.dmp

Filesize
64KB

Download
memory/5636-13-0x00007FF9AA300000-0x00007FF9AA310000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads