acl firewall.rtf

General
Target

acl firewall.rtf

Filesize

1KB

Completed

21-11-2020 22:34

Score

7/10
MD5

a96fcc8367b78ab708a23e2426c2978d

SHA1

5ad78c8ac5767a1d9687136dab8c966af5191bf6

SHA256

0b96038a6be8251415277d6649e9c2393825379c16ef81c44c12bf0a14f48640

Malware Config
Signatures 6


Collection
Credential Access
Discovery
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local System, Credentials in Files
  • Checks processor information in registry
    WINWORD.EXE, firefox.exe

    Description

    Processor information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
  • Enumerates system info in registry
    WINWORD.EXE

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
  • Suspicious behavior: AddClipboardFormatListener
    WINWORD.EXE

    Reported IOCs

    pid | process
    732 | WINWORD.EXE
    732 | WINWORD.EXE
  • Suspicious use of SetWindowsHookEx
    WINWORD.EXE, firefox.exe

    Reported IOCs

    pid | process
    732 | WINWORD.EXE
    732 | WINWORD.EXE
    732 | WINWORD.EXE
    732 | WINWORD.EXE
    732 | WINWORD.EXE
    732 | WINWORD.EXE
    732 | WINWORD.EXE
    732 | WINWORD.EXE
    2072 | firefox.exe
  • Suspicious use of WriteProcessMemory
    firefox.exe, firefox.exe

    Reported IOCs

    description | pid | process | target process
    PID 1184 wrote to memory of 2072 | 1184 | firefox.exe | firefox.exe
    PID 1184 wrote to memory of 2072 | 1184 | firefox.exe | firefox.exe
    PID 1184 wrote to memory of 2072 | 1184 | firefox.exe | firefox.exe
    PID 1184 wrote to memory of 2072 | 1184 | firefox.exe | firefox.exe
    PID 1184 wrote to memory of 2072 | 1184 | firefox.exe | firefox.exe
    PID 1184 wrote to memory of 2072 | 1184 | firefox.exe | firefox.exe
    PID 1184 wrote to memory of 2072 | 1184 | firefox.exe | firefox.exe
    PID 1184 wrote to memory of 2072 | 1184 | firefox.exe | firefox.exe
    PID 1184 wrote to memory of 2072 | 1184 | firefox.exe | firefox.exe
    PID 2072 wrote to memory of 2328 | 2072 | firefox.exe | firefox.exe
    PID 2072 wrote to memory of 2328 | 2072 | firefox.exe | firefox.exe
Processes 4
  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\acl firewall.rtf" /o ""
    Checks processor information in registry
    Enumerates system info in registry
    Suspicious behavior: AddClipboardFormatListener
    Suspicious use of SetWindowsHookEx
    PID:732
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    Suspicious use of WriteProcessMemory
    PID:1184
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      Checks processor information in registry
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2072
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2072.0.1922378246\1295321885" -parentBuildID 20200403170909 -prefsHandle 1520 -prefMapHandle 1500 -prefsLen 1 -prefMapSize 219631 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2072 "\\.\pipe\gecko-crash-server-pipe.2072" 1616 gpu
        PID:2328
Network
MITRE ATT&CK Matrix
Command and Control
Credential Access
Defense Evasion
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Downloads
  • memory/732-0-0x00007FF99AEA0000-0x00007FF99B4D7000-memory.dmp
  • memory/732-1-0x00007FF99C630000-0x00007FF99F153000-memory.dmp
  • memory/732-2-0x00007FF99C630000-0x00007FF99F153000-memory.dmp
  • memory/732-3-0x00007FF99C630000-0x00007FF99F153000-memory.dmp
  • memory/2072-4-0x0000000000000000-mapping.dmp
  • memory/2328-222-0x0000000000000000-mapping.dmp