Analysis
-
max time kernel
150s -
max time network
136s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
21-11-2020 22:31
Static task
static1
Behavioral task
behavioral1
Sample
acl firewall.rtf
Resource
win7v20201028
Behavioral task
behavioral2
Sample
acl firewall.rtf
Resource
win10v20201028
General
-
Target
acl firewall.rtf
-
Size
1KB
-
MD5
a96fcc8367b78ab708a23e2426c2978d
-
SHA1
5ad78c8ac5767a1d9687136dab8c966af5191bf6
-
SHA256
0b96038a6be8251415277d6649e9c2393825379c16ef81c44c12bf0a14f48640
-
SHA512
89becca4ea3c050827a86a299034126efa27d98b0705619a5eabb7ea7b67e22baff78731b7ba2e7f70623e5e3f64dc58fce6c02b6f44b25c241d6c26858334f2
Malware Config
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
firefox.exeWINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 732 WINWORD.EXE 732 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 9 IoCs
Processes:
WINWORD.EXEfirefox.exepid process 732 WINWORD.EXE 732 WINWORD.EXE 732 WINWORD.EXE 732 WINWORD.EXE 732 WINWORD.EXE 732 WINWORD.EXE 732 WINWORD.EXE 732 WINWORD.EXE 2072 firefox.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
firefox.exefirefox.exedescription pid process target process PID 1184 wrote to memory of 2072 1184 firefox.exe firefox.exe PID 1184 wrote to memory of 2072 1184 firefox.exe firefox.exe PID 1184 wrote to memory of 2072 1184 firefox.exe firefox.exe PID 1184 wrote to memory of 2072 1184 firefox.exe firefox.exe PID 1184 wrote to memory of 2072 1184 firefox.exe firefox.exe PID 1184 wrote to memory of 2072 1184 firefox.exe firefox.exe PID 1184 wrote to memory of 2072 1184 firefox.exe firefox.exe PID 1184 wrote to memory of 2072 1184 firefox.exe firefox.exe PID 1184 wrote to memory of 2072 1184 firefox.exe firefox.exe PID 2072 wrote to memory of 2328 2072 firefox.exe firefox.exe PID 2072 wrote to memory of 2328 2072 firefox.exe firefox.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\acl firewall.rtf" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2072.0.1922378246\1295321885" -parentBuildID 20200403170909 -prefsHandle 1520 -prefMapHandle 1500 -prefsLen 1 -prefMapSize 219631 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2072 "\\.\pipe\gecko-crash-server-pipe.2072" 1616 gpu3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/732-0-0x00007FF99AEA0000-0x00007FF99B4D7000-memory.dmpFilesize
6.2MB
-
memory/732-1-0x00007FF99C630000-0x00007FF99F153000-memory.dmpFilesize
43.1MB
-
memory/732-2-0x00007FF99C630000-0x00007FF99F153000-memory.dmpFilesize
43.1MB
-
memory/732-3-0x00007FF99C630000-0x00007FF99F153000-memory.dmpFilesize
43.1MB
-
memory/2072-4-0x0000000000000000-mapping.dmp
-
memory/2328-222-0x0000000000000000-mapping.dmp