acl firewall.rtf

backendhorse2
featuresanalog, overview
max_time_kernel150281
max_time_network136023
platformwindows10_x64
reported21-11-2020 22:34
resourcewin10v20201028
score7
submitted21-11-2020 22:31
tagsspyware
ttpT1005, T1081, T1012, T1082

Report
Files
Registry
Network
Processes
Mutex
Misc

Target

acl firewall.rtf

Filesize

1KB

Completed

21-11-2020 22:34

Score

7 ^/10

MD5

a96fcc8367b78ab708a23e2426c2978d

SHA1

5ad78c8ac5767a1d9687136dab8c966af5191bf6

SHA256

0b96038a6be8251415277d6649e9c2393825379c16ef81c44c12bf0a14f48640

spyware

Collection

Credential Access

Discovery

Reads user/profile data of web browsers

Description

Infostealers often target stored browser data, which can include saved credentials etc.

Tags

spyware

TTPs

Data from Local SystemCredentials in Files

Checks processor information in registry

WINWORD.EXEfirefox.exe

Description

Processor information is often read in order to detect sandboxing environments.

TTPs

Query RegistrySystem Information Discovery

Reported IOCs

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry

WINWORD.EXE

TTPs

Query RegistrySystem Information Discovery

Reported IOCs

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener
WINWORD.EXE

Reported IOCs

pid process

732 WINWORD.EXE
732 WINWORD.EXE

Suspicious use of SetWindowsHookEx

WINWORD.EXEfirefox.exe

Reported IOCs

pid	process
732	WINWORD.EXE
732	WINWORD.EXE
732	WINWORD.EXE
732	WINWORD.EXE
732	WINWORD.EXE
732	WINWORD.EXE
732	WINWORD.EXE
732	WINWORD.EXE
2072	firefox.exe

Suspicious use of WriteProcessMemory

firefox.exefirefox.exe

Reported IOCs

description	pid	process	target process
PID 1184 wrote to memory of 2072	1184	firefox.exe	firefox.exe
PID 1184 wrote to memory of 2072	1184	firefox.exe	firefox.exe
PID 1184 wrote to memory of 2072	1184	firefox.exe	firefox.exe
PID 1184 wrote to memory of 2072	1184	firefox.exe	firefox.exe
PID 1184 wrote to memory of 2072	1184	firefox.exe	firefox.exe
PID 1184 wrote to memory of 2072	1184	firefox.exe	firefox.exe
PID 1184 wrote to memory of 2072	1184	firefox.exe	firefox.exe
PID 1184 wrote to memory of 2072	1184	firefox.exe	firefox.exe
PID 1184 wrote to memory of 2072	1184	firefox.exe	firefox.exe
PID 2072 wrote to memory of 2328	2072	firefox.exe	firefox.exe
PID 2072 wrote to memory of 2328	2072	firefox.exe	firefox.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\acl firewall.rtf" /o ""

Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx

PID:732

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

Suspicious use of WriteProcessMemory

PID:1184

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

Checks processor information in registry
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory

PID:2072

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2072.0.1922378246\1295321885" -parentBuildID 20200403170909 -prefsHandle 1520 -prefMapHandle 1500 -prefsLen 1 -prefMapSize 219631 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2072 "\\.\pipe\gecko-crash-server-pipe.2072" 1616 gpu

PID:2328

Collection

Data from Local System

Command and Control

Credential Access

Credentials in Files

Defense Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

00:00 00:00

memory/732-0-0x00007FF99AEA0000-0x00007FF99B4D7000-memory.dmp

Download
memory/732-1-0x00007FF99C630000-0x00007FF99F153000-memory.dmp

Download
memory/732-2-0x00007FF99C630000-0x00007FF99F153000-memory.dmp

Download
memory/732-3-0x00007FF99C630000-0x00007FF99F153000-memory.dmp

Download
memory/2072-4-0x0000000000000000-mapping.dmp

Download
memory/2328-222-0x0000000000000000-mapping.dmp

Download

acl firewall.rtf

Filter: none

Description

Tags

TTPs

Description

TTPs

Reported IOCs

TTPs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Title