Analysis

  • max time kernel
    150s
  • max time network
    136s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    21-11-2020 22:31

General

  • Target

    acl firewall.rtf

  • Size

    1KB

  • MD5

    a96fcc8367b78ab708a23e2426c2978d

  • SHA1

    5ad78c8ac5767a1d9687136dab8c966af5191bf6

  • SHA256

    0b96038a6be8251415277d6649e9c2393825379c16ef81c44c12bf0a14f48640

  • SHA512

    89becca4ea3c050827a86a299034126efa27d98b0705619a5eabb7ea7b67e22baff78731b7ba2e7f70623e5e3f64dc58fce6c02b6f44b25c241d6c26858334f2

Score
7/10

Malware Config

Signatures

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\acl firewall.rtf" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:732
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1184
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2072
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2072.0.1922378246\1295321885" -parentBuildID 20200403170909 -prefsHandle 1520 -prefMapHandle 1500 -prefsLen 1 -prefMapSize 219631 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2072 "\\.\pipe\gecko-crash-server-pipe.2072" 1616 gpu
        3⤵
          PID:2328

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    2
    T1082

    Collection

    Data from Local System

    1
    T1005

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/732-0-0x00007FF99AEA0000-0x00007FF99B4D7000-memory.dmp
      Filesize

      6.2MB

    • memory/732-1-0x00007FF99C630000-0x00007FF99F153000-memory.dmp
      Filesize

      43.1MB

    • memory/732-2-0x00007FF99C630000-0x00007FF99F153000-memory.dmp
      Filesize

      43.1MB

    • memory/732-3-0x00007FF99C630000-0x00007FF99F153000-memory.dmp
      Filesize

      43.1MB

    • memory/2072-4-0x0000000000000000-mapping.dmp
    • memory/2328-222-0x0000000000000000-mapping.dmp