Overview

overview

10

Static

static

1

RFQ # ...1.xlsx

windows7-x64

10

RFQ # ...1.xlsx

windows10-2004-x64

1

Analysis

  • max time kernel
    130s
  • max time network
    112s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15/01/2025, 12:20 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RFQ # PC25-1301.xlsx

  • Size

    1.5MB

  • MD5

    e15cba1287fd9a0d755685df0c8d24e2

  • SHA1

    39be11722c3417a9e330dd265cae7d30c2b23c32

  • SHA256

    46bcde824114484f405e35827ddd2a1520ba1349644cd0bd7d9bead3f3d83730

  • SHA512

    e96d726f92d5de720cad1bae386999cabc588c72968cf824428ef853660fa839a6fdb1ff79ed78ae21a5a395f41556ce045a99c282508e30ab2517ee2770906e

  • SSDEEP

    49152:iwoULlGhp8mRgfzBMzlkc3PakctEXuS0EOrrb:JoULlGv+7Gp3BceXlL+f

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\RFQ # PC25-1301.xlsx"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:220

Network

  • flag-us
    DNS
    228.249.119.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    228.249.119.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    97.32.109.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    97.32.109.52.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    97.32.109.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    97.32.109.52.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    97.32.109.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    97.32.109.52.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    97.32.109.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    97.32.109.52.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    97.32.109.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    97.32.109.52.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    22.160.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    22.160.190.20.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    22.160.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    22.160.190.20.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    22.160.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    22.160.190.20.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    22.160.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    22.160.190.20.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    22.160.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    22.160.190.20.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    228.249.119.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    228.249.119.40.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    228.249.119.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    228.249.119.40.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    228.249.119.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    228.249.119.40.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    228.249.119.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    228.249.119.40.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    228.249.119.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    228.249.119.40.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    167.173.78.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    167.173.78.104.in-addr.arpa
    IN PTR
    Response
    167.173.78.104.in-addr.arpa
    IN PTR
    a104-78-173-167deploystaticakamaitechnologiescom
  • flag-us
    DNS
    50.23.12.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    50.23.12.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    roaming.officeapps.live.com
    EXCEL.EXE
    Remote address:
    8.8.8.8:53
    Request
    roaming.officeapps.live.com
    IN A
    Response
    roaming.officeapps.live.com
    IN CNAME
    prod.roaming1.live.com.akadns.net
    prod.roaming1.live.com.akadns.net
    IN CNAME
    eur.roaming1.live.com.akadns.net
    eur.roaming1.live.com.akadns.net
    IN CNAME
    uks-azsc-000.roaming.officeapps.live.com
    uks-azsc-000.roaming.officeapps.live.com
    IN CNAME
    osiprod-uks-buff-azsc-000.uksouth.cloudapp.azure.com
    osiprod-uks-buff-azsc-000.uksouth.cloudapp.azure.com
    IN A
    52.109.28.47
  • flag-gb
    POST
    https://roaming.officeapps.live.com/rs/RoamingSoapService.svc
    EXCEL.EXE
    Remote address:
    52.109.28.47:443
    Request
    POST /rs/RoamingSoapService.svc HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Content-Type: text/xml; charset=utf-8
    User-Agent: MS-WebServices/1.0
    SOAPAction: "http://tempuri.org/IRoamingSettingsService/GetConfig"
    Content-Length: 511
    Host: roaming.officeapps.live.com
    Response
    HTTP/1.1 200 OK
    Cache-Control: private
    Content-Type: text/xml; charset=utf-8
    Server: Microsoft-IIS/10.0
    X-OfficeFE: RoamingFE_IN_151
    X-OfficeVersion: 16.0.18505.30575
    X-OfficeCluster: uks-000.roaming.officeapps.live.com
    Content-Security-Policy-Report-Only: script-src 'nonce-y4UN2ZmetJT9WTvfu4DCpHL9GjECvOvflUFQOoOC0yKr96uvjXQkxZNTyFryBPlye2u/N6k3qvk0v4oFchC0GMf2K4iI5qh02PFMnyalbL4zukNH/ZQa/NpOnsRTlvUPMRLcUk3zFK/75QNNq+8Lt2+RF8tuVKYUlQsuBxTPMFM=' 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' https:; base-uri 'self'; object-src 'none'; require-trusted-types-for 'script'; report-uri https://csp.microsoft.com/report/OfficeIce-OfficeRoaming-Prod; frame-ancestors 'none';
    X-Frame-Options: Deny
    X-CorrelationId: b42ac93e-b0dc-419f-8b6f-948d7f28294f
    X-Powered-By: ASP.NET
    Date: Wed, 15 Jan 2025 12:20:39 GMT
    Content-Length: 654
  • flag-us
    DNS
    241.42.69.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.42.69.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    47.28.109.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    47.28.109.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    177.190.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    177.190.18.2.in-addr.arpa
    IN PTR
    Response
    177.190.18.2.in-addr.arpa
    IN PTR
    a2-18-190-177deploystaticakamaitechnologiescom
  • flag-us
    DNS
    104.219.191.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    104.219.191.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.16.208.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.16.208.104.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    241.150.49.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.150.49.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    241.150.49.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.150.49.20.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    43.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    43.229.111.52.in-addr.arpa
    IN PTR
    Response
  • 52.109.28.47:443
    https://roaming.officeapps.live.com/rs/RoamingSoapService.svc
    tls, http
    EXCEL.EXE
    1.8kB
     8.3kB
     12
    11

    HTTP Request

    POST https://roaming.officeapps.live.com/rs/RoamingSoapService.svc

    HTTP Response

    200
  • 8.8.8.8:53
    228.249.119.40.in-addr.arpa
    dns
    73 B
     159 B
     1
    1

    DNS Request

    228.249.119.40.in-addr.arpa

  • 8.8.8.8:53
    97.32.109.52.in-addr.arpa
    dns
    355 B
     5

    DNS Request

    97.32.109.52.in-addr.arpa

    DNS Request

    97.32.109.52.in-addr.arpa

    DNS Request

    97.32.109.52.in-addr.arpa

    DNS Request

    97.32.109.52.in-addr.arpa

    DNS Request

    97.32.109.52.in-addr.arpa

  • 8.8.8.8:53
    tls
    60 B
     338 B
     1
    1
  • 8.8.8.8:53
    22.160.190.20.in-addr.arpa
    dns
    360 B
     5

    DNS Request

    22.160.190.20.in-addr.arpa

    DNS Request

    22.160.190.20.in-addr.arpa

    DNS Request

    22.160.190.20.in-addr.arpa

    DNS Request

    22.160.190.20.in-addr.arpa

    DNS Request

    22.160.190.20.in-addr.arpa

  • 8.8.8.8:53
    228.249.119.40.in-addr.arpa
    dns
    365 B
     5

    DNS Request

    228.249.119.40.in-addr.arpa

    DNS Request

    228.249.119.40.in-addr.arpa

    DNS Request

    228.249.119.40.in-addr.arpa

    DNS Request

    228.249.119.40.in-addr.arpa

    DNS Request

    228.249.119.40.in-addr.arpa

  • 8.8.8.8:53
    167.173.78.104.in-addr.arpa
    dns
    73 B
     139 B
     1
    1

    DNS Request

    167.173.78.104.in-addr.arpa

  • 8.8.8.8:53
    50.23.12.20.in-addr.arpa
    dns
    70 B
     156 B
     1
    1

    DNS Request

    50.23.12.20.in-addr.arpa

  • 8.8.8.8:53
    roaming.officeapps.live.com
    dns
    EXCEL.EXE
    73 B
     244 B
     1
    1

    DNS Request

    roaming.officeapps.live.com

    DNS Response

    52.109.28.47

  • 8.8.8.8:53
    241.42.69.40.in-addr.arpa
    dns
    71 B
     145 B
     1
    1

    DNS Request

    241.42.69.40.in-addr.arpa

  • 8.8.8.8:53
    47.28.109.52.in-addr.arpa
    dns
    71 B
     145 B
     1
    1

    DNS Request

    47.28.109.52.in-addr.arpa

  • 8.8.8.8:53
    177.190.18.2.in-addr.arpa
    dns
    71 B
     135 B
     1
    1

    DNS Request

    177.190.18.2.in-addr.arpa

  • 8.8.8.8:53
    104.219.191.52.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    104.219.191.52.in-addr.arpa

  • 8.8.8.8:53
    95.16.208.104.in-addr.arpa
    dns
    72 B
     146 B
     1
    1

    DNS Request

    95.16.208.104.in-addr.arpa

  • 8.8.8.8:53
    241.150.49.20.in-addr.arpa
    dns
    144 B
     158 B
     2
    1

    DNS Request

    241.150.49.20.in-addr.arpa

    DNS Request

    241.150.49.20.in-addr.arpa

  • 8.8.8.8:53
    43.229.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    43.229.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/220-0-0x00007FFDA2110000-0x00007FFDA2120000-memory.dmp

    Filesize

    64KB

    Download

  • memory/220-3-0x00007FFDA2110000-0x00007FFDA2120000-memory.dmp

    Filesize

    64KB

    Download

  • memory/220-2-0x00007FFDA2110000-0x00007FFDA2120000-memory.dmp

    Filesize

    64KB

    Download

  • memory/220-1-0x00007FFDE212D000-0x00007FFDE212E000-memory.dmp

    Filesize

    4KB

    Download

  • memory/220-5-0x00007FFDE2090000-0x00007FFDE2285000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/220-6-0x00007FFDE2090000-0x00007FFDE2285000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/220-4-0x00007FFDA2110000-0x00007FFDA2120000-memory.dmp

    Filesize

    64KB

    Download

  • memory/220-7-0x00007FFDA2110000-0x00007FFDA2120000-memory.dmp

    Filesize

    64KB

    Download

  • memory/220-8-0x00007FFDE2090000-0x00007FFDE2285000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/220-9-0x00007FFDE2090000-0x00007FFDE2285000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/220-10-0x00007FFD9F9E0000-0x00007FFD9F9F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/220-11-0x00007FFDE2090000-0x00007FFDE2285000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/220-12-0x00007FFDE2090000-0x00007FFDE2285000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/220-14-0x00007FFDE2090000-0x00007FFDE2285000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/220-16-0x00007FFDE2090000-0x00007FFDE2285000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/220-17-0x00007FFDE2090000-0x00007FFDE2285000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/220-15-0x00007FFDE2090000-0x00007FFDE2285000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/220-18-0x00007FFDE2090000-0x00007FFDE2285000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/220-13-0x00007FFD9F9E0000-0x00007FFD9F9F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/220-19-0x00007FFDE2090000-0x00007FFDE2285000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/220-21-0x00007FFDE2090000-0x00007FFDE2285000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/220-20-0x00007FFDE212D000-0x00007FFDE212E000-memory.dmp

    Filesize

    4KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.