Overview

overview

7

Static

static

view page ...id.rtf

windows7_x64

7

view page ...id.rtf

windows10_x64

7

Resubmissions

04-12-2020 23:26

201204-em2p576lje 4

04-12-2020 23:21

201204-djhepqlp7s 7

04-12-2020 23:16

201204-np79pl4zy2 7

Analysis

  • max time kernel
    131s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    04-12-2020 23:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    view page source hybrid.rtf

  • Size

    46KB

  • MD5

    4dfa2438ea66e13ccd84afca3c410be4

  • SHA1

    9e131830c70fe743b0625637fa407cad525811f5

  • SHA256

    187441262398983e2bf4672e06325e247537e083f9dcf384762858307cc5c8df

  • SHA512

    218ce0bdbf2011864ea3d7b6b733ceadb8c4f93c180fca371c0fb79b8514843dff30c54b483d17e5b9c3743f347e5761ee3fae3d1c8a0d1e5b18cc76fcff277c

Score
7/10
spyware

Malware Config

Signatures

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 128 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\view page source hybrid.rtf"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1696
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1900
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe"
      1⤵
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:524
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xbc,0xc0,0xc4,0x90,0xc8,0x7fef6eb6e00,0x7fef6eb6e10,0x7fef6eb6e20
        2⤵
          PID:1496
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1080,7863892394816915583,9091796676412521574,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1096 /prefetch:2
          2⤵
            PID:1596
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1080,7863892394816915583,9091796676412521574,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1204 /prefetch:8
            2⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:1376
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1080,7863892394816915583,9091796676412521574,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1780 /prefetch:8
            2⤵
              PID:1636
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1080,7863892394816915583,9091796676412521574,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1968 /prefetch:1
              2⤵
                PID:756

            Network

            MITRE ATT&CK Matrix ATT&CK v6

            Initial Access

            Execution

            Persistence

            Privilege Escalation

            Defense Evasion

            Modify Registry

            1
            T1112

            Credential Access

            Credentials in Files

            1
            T1081

            Discovery

            Lateral Movement

            Collection

            Data from Local System

            1
            T1005

            Exfiltration

            Command and Control

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
              MD5

              bd361704829bd5e2193c97662621edca

              SHA1

              f96a29e393dba3ad90a5e027860ad69758117edf

              SHA256

              615c81d5d9caba50b1691b73dcacc06941fba5459d7086791013f3ad3a8a0bc0

              SHA512

              2901c5f49ad5ef63629029a0ff89fc603e0318a3ed78ab2d6db5d463ce62a5f438b241f1500dd129177035cf644fcb842e2967db9b05055319194533c617d01b

              Download Submit
            • \??\pipe\crashpad_524_DALEZPVFRGBSHODM
              MD5

              d41d8cd98f00b204e9800998ecf8427e

              SHA1

              da39a3ee5e6b4b0d3255bfef95601890afd80709

              SHA256

              e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

              SHA512

              cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

              Download Submit
            • memory/1376-11-0x0000000000000000-mapping.dmp
              Download
            • memory/1496-4-0x0000000000000000-mapping.dmp
              Download
            • memory/1596-6-0x0000000000060000-0x0000000000061000-memory.dmp
              Filesize

              4KB

              Download
            • memory/1596-7-0x000000013F233F60-0x000000013F234020-memory.dmp
              Filesize

              192B

              Download
            • memory/1596-10-0x0000000000000000-mapping.dmp
              Download
            • memory/1596-12-0x0000000077AE0000-0x0000000077AE1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/1636-18-0x0000000000000000-mapping.dmp
              Download
            • memory/1696-3-0x00000000046D0000-0x00000000046D4000-memory.dmp
              Filesize

              16KB

              Download
            • memory/1900-2-0x0000000000000000-mapping.dmp
              Download