acl firewall.rtf

General
Target

acl firewall.rtf

Filesize

1KB

Completed

21-11-2020 22:34

Score
4 /10
MD5

a96fcc8367b78ab708a23e2426c2978d

SHA1

5ad78c8ac5767a1d9687136dab8c966af5191bf6

SHA256

0b96038a6be8251415277d6649e9c2393825379c16ef81c44c12bf0a14f48640

Malware Config
Signatures 7

Filter: none

Defense Evasion
  • Drops file in Windows directory
    WINWORD.EXE

    Reported IOCs

    descriptioniocprocess
    File opened for modificationC:\Windows\Debug\WIA\wiatrace.logWINWORD.EXE
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings
    WINWORD.EXEiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

    Tags

    TTPs

    Modify Registry

    Reported IOCs

    descriptioniocprocess
    Key created\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbariexplore.exe
    Key created\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistryiexplore.exe
    Key created\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Mainiexplore.exe
    Key created\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Zoomiexplore.exe
    Set value (data)\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000iexplore.exe
    Set value (str)\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"iexplore.exe
    Key created\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IETld\LowMiciexplore.exe
    Key created\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Zoomiexplore.exe
    Key created\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNoteWINWORD.EXE
    Set value (str)\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"iexplore.exe
    Key created\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\PageSetupiexplore.exe
    Key created\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft ExcelWINWORD.EXE
    Key created\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorageiexplore.exe
    Set value (int)\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"iexplore.exe
    Set value (str)\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"WINWORD.EXE
    Key created\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgainiexplore.exe
    Key created\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbariexplore.exe
    Key created\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MainIEXPLORE.EXE
    Set value (int)\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"iexplore.exe
    Key created\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IntelliFormsiexplore.exe
    Key created\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgainiexplore.exe
    Set value (str)\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"iexplore.exe
    Key created\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecoveryiexplore.exe
    Key created\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowseriexplore.exe
    Set value (int)\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{07DE41E1-2C4A-11EB-8B2A-76BCB60B883E} = "0"iexplore.exe
    Key created\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMiciexplore.exe
    Key created\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearchiexplore.exe
    Set value (int)\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"iexplore.exe
    Set value (int)\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"iexplore.exe
    Key created\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExtWINWORD.EXE
    Key created\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\PageSetupiexplore.exe
    Key created\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearchiexplore.exe
    Key created\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\InternetRegistryiexplore.exe
    Key created\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IETld\LowMiciexplore.exe
    Set value (int)\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"iexplore.exe
    Key created\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecoveryiexplore.exe
    Key created\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\GPUiexplore.exe
    Key created\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\ToolbarWINWORD.EXE
    Set value (int)\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"WINWORD.EXE
    Key created\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistryiexplore.exe
    Set value (data)\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000iexplore.exe
    Key created\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MainIEXPLORE.EXE
    Set value (str)\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"WINWORD.EXE
    Key created\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\InternetRegistryiexplore.exe
    Set value (int)\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{07FD33C1-2C4A-11EB-8B2A-76BCB60B883E} = "0"iexplore.exe
    Key created\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMiciexplore.exe
    Key created\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowseriexplore.exe
    Key created\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Mainiexplore.exe
    Key created\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IntelliFormsiexplore.exe
    Key created\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActiveiexplore.exe
    Set value (int)\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"WINWORD.EXE
    Set value (str)\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"WINWORD.EXE
    Key created\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActiveiexplore.exe
    Set value (str)\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"iexplore.exe
    Key created\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\GPUiexplore.exe
    Key created\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorageiexplore.exe
  • Suspicious behavior: AddClipboardFormatListener
    WINWORD.EXE

    Reported IOCs

    pidprocess
    1808WINWORD.EXE
  • Suspicious use of FindShellTrayWindow
    iexplore.exeiexplore.exe

    Reported IOCs

    pidprocess
    736iexplore.exe
    2004iexplore.exe
  • Suspicious use of SetWindowsHookEx
    WINWORD.EXEiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

    Reported IOCs

    pidprocess
    1808WINWORD.EXE
    1808WINWORD.EXE
    736iexplore.exe
    736iexplore.exe
    1216IEXPLORE.EXE
    1216IEXPLORE.EXE
    2004iexplore.exe
    2004iexplore.exe
    904IEXPLORE.EXE
    904IEXPLORE.EXE
    904IEXPLORE.EXE
    904IEXPLORE.EXE
  • Suspicious use of WriteProcessMemory
    WINWORD.EXEiexplore.exeiexplore.exe

    Reported IOCs

    descriptionpidprocesstarget process
    PID 1808 wrote to memory of 3681808WINWORD.EXEsplwow64.exe
    PID 1808 wrote to memory of 3681808WINWORD.EXEsplwow64.exe
    PID 1808 wrote to memory of 3681808WINWORD.EXEsplwow64.exe
    PID 1808 wrote to memory of 3681808WINWORD.EXEsplwow64.exe
    PID 736 wrote to memory of 1216736iexplore.exeIEXPLORE.EXE
    PID 736 wrote to memory of 1216736iexplore.exeIEXPLORE.EXE
    PID 736 wrote to memory of 1216736iexplore.exeIEXPLORE.EXE
    PID 736 wrote to memory of 1216736iexplore.exeIEXPLORE.EXE
    PID 2004 wrote to memory of 9042004iexplore.exeIEXPLORE.EXE
    PID 2004 wrote to memory of 9042004iexplore.exeIEXPLORE.EXE
    PID 2004 wrote to memory of 9042004iexplore.exeIEXPLORE.EXE
    PID 2004 wrote to memory of 9042004iexplore.exeIEXPLORE.EXE
Processes 6
  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\acl firewall.rtf"
    Drops file in Windows directory
    Modifies Internet Explorer settings
    Suspicious behavior: AddClipboardFormatListener
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:1808
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      PID:368
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    Modifies Internet Explorer settings
    Suspicious use of FindShellTrayWindow
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:736
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:736 CREDAT:340993 /prefetch:2
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1216
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    Modifies Internet Explorer settings
    Suspicious use of FindShellTrayWindow
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:2004
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2004 CREDAT:275457 /prefetch:2
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:904
Network
MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
        Discovery
          Execution
            Exfiltration
              Impact
                Initial Access
                  Lateral Movement
                    Persistence
                      Privilege Escalation
                        Replay Monitor
                        00:00 00:00
                        Downloads

                        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{07DE41E1-2C4A-11EB-8B2A-76BCB60B883E}.dat

                          MD5

                          c74f924f142233eb1fdbbf55619b1448

                          SHA1

                          96f4f86ce2164a27165b5106f82e1db5bb30900b

                          SHA256

                          85abd88208b49d6229c3d9673d8addcaae185a46b63c5f5f9797376c213e4105

                          SHA512

                          7095eac733123808ee906419ec85481ad988a65f4c84829116637728c8dc8f00b04aa4d4e4ca85aab7fc1cf74099f5413c39cba754c8db39d442b097df5756b2

                          Download Submit

                        • memory/368-0-0x0000000000000000-mapping.dmp

                          Download

                        • memory/904-9-0x0000000000000000-mapping.dmp

                          Download

                        • memory/1076-7-0x000007FEF7020000-0x000007FEF729A000-memory.dmp

                          Download

                        • memory/1216-8-0x0000000000000000-mapping.dmp

                          Download

                        • memory/1808-4-0x0000000000630000-0x0000000000631000-memory.dmp

                          Download

                        • memory/1808-6-0x0000000004620000-0x0000000004624000-memory.dmp

                          Download

                        • memory/1808-1-0x0000000000650000-0x0000000000651000-memory.dmp

                          Download

                        • memory/1808-3-0x0000000000650000-0x0000000000651000-memory.dmp

                          Download