Resubmissions
19/02/2024, 03:55
240219-egr6wshd5z 819/02/2024, 03:52
240219-ee2ybahd4t 619/02/2024, 03:48
240219-ec5leshd2s 4Analysis
-
max time kernel
145s -
max time network
148s -
platform
windows10-1703_x64 -
resource
win10-20240214-en -
resource tags
-
submitted
19/02/2024, 03:52
General
-
Target
M1.rtf
-
Size
479B
-
MD5
46b0d9404ff94d8f45cd7ec8ee925db7
-
SHA1
5f6c5ef584cf794a62741208f8a785b73f651ca9
-
SHA256
61d76bce21ca5107eac1b40aa13dee84268887692f97d0f8335f51848b735503
-
SHA512
dd174447f41b3131e5a89932787234ca078510fa4b753450de80d556b74dff387e567a19e1a320ddad0e65a903f028aa6e6daa45021dfba48468711ab10bd492
Malware Config
Signatures
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of FindShellTrayWindow 12 IoCs
-
Suspicious use of SendNotifyMessage 9 IoCs
-
Suspicious use of SetWindowsHookEx 11 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\M1.rtf" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2036.0.1563246995\1320236432" -parentBuildID 20221007134813 -prefsHandle 1624 -prefMapHandle 1608 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {86f97bc4-7196-42ba-90af-eaa81ce986ec} 2036 "\\.\pipe\gecko-crash-server-pipe.2036" 1716 1759ba08458 gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2036.1.2112615439\1091271637" -parentBuildID 20221007134813 -prefsHandle 2088 -prefMapHandle 2084 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {98134a6e-e531-4199-a8d1-eb962a1e85eb} 2036 "\\.\pipe\gecko-crash-server-pipe.2036" 2100 1759a903258 socket3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2036.2.430919861\1038931955" -childID 1 -isForBrowser -prefsHandle 2720 -prefMapHandle 2924 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1080 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {418829c5-50c4-4008-8ea0-8ccc30938f22} 2036 "\\.\pipe\gecko-crash-server-pipe.2036" 2936 1759a95f558 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2036.3.508950533\521985144" -childID 2 -isForBrowser -prefsHandle 3464 -prefMapHandle 3460 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1080 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {570a4c1b-0cb9-4bcd-91bf-730f8ca47b00} 2036 "\\.\pipe\gecko-crash-server-pipe.2036" 3476 1758f961c58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2036.4.1757663260\158045158" -childID 3 -isForBrowser -prefsHandle 4160 -prefMapHandle 3592 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1080 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9e635fa1-f7db-4424-aea3-7e971e9ef8cb} 2036 "\\.\pipe\gecko-crash-server-pipe.2036" 4168 1759f044258 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2036.6.607654043\1726545687" -childID 5 -isForBrowser -prefsHandle 4868 -prefMapHandle 4872 -prefsLen 26247 -prefMapSize 233444 -jsInitHandle 1080 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c4b6784f-153d-49e3-9cb1-1ce15ef0d65d} 2036 "\\.\pipe\gecko-crash-server-pipe.2036" 4860 1759f292558 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2036.5.1530555072\1488401800" -childID 4 -isForBrowser -prefsHandle 4796 -prefMapHandle 4792 -prefsLen 26247 -prefMapSize 233444 -jsInitHandle 1080 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2e5f3e45-44e8-430e-bb4c-3bb51d73c946} 2036 "\\.\pipe\gecko-crash-server-pipe.2036" 4784 1758f963b58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2036.7.1378449090\991427058" -childID 6 -isForBrowser -prefsHandle 5080 -prefMapHandle 5084 -prefsLen 26247 -prefMapSize 233444 -jsInitHandle 1080 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {982b6c3e-b9a0-4bd9-9314-707e57f9288a} 2036 "\\.\pipe\gecko-crash-server-pipe.2036" 5068 175a0cc5758 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2036.8.1843863154\71413307" -childID 7 -isForBrowser -prefsHandle 5616 -prefMapHandle 5596 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1080 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c57b193a-3cc6-4d99-9db7-7bc016f38b90} 2036 "\\.\pipe\gecko-crash-server-pipe.2036" 5628 175a2b76858 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2036.9.964386001\1852577256" -childID 8 -isForBrowser -prefsHandle 2672 -prefMapHandle 5480 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1080 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b0b6fa6-7b71-4749-a740-e61283ac76ce} 2036 "\\.\pipe\gecko-crash-server-pipe.2036" 2816 1759d127558 tab3⤵
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
10KB
MD57757a24523f56c678925d3873ce05e9d
SHA1b1f6e1d40de6f187ca14cb4cfa94e1c52f3c8f74
SHA256e8563e2ae7823987a44dc3d1f5da44383457a7412e3f60e3b8d07086bdc3d4e8
SHA5125e11d0885b1685fb8c9e2aed7fd4566bf393df10a47b75cbdb6172adde9ef383c117df9d845f92e192bfce8566d2afd8be1d12e67cd90c179eab4902e24ea389
-
Filesize
57KB
MD5521ce43bf1baf89585d3e75679d5a26b
SHA13a0d39dd08cf9dd7ca3287a40d45855df83f36b9
SHA2569e53797a972385a4c3a032b2b33e8b1e297a029c9c69e3de7a164c89e2971610
SHA5122633bdfbb8896cdf29ad6634a3ddece1fcf0c7851bf2d38d989586580cdc44a48a21667638d19415e2f3c4aff1e20e9afb49ef5c726e87ff7348983c3c106e1f
-
Filesize
9KB
MD5407ea824c47a667a4fe3dabb9cee2f6f
SHA1063c2cb9be8a58d8953c62cb26886fac709d2722
SHA256bb8b8620f94e1b4f30d62fe49a4a4c49f2d3e514a787f64a84d08edad68c3be5
SHA51282213a1b046b18e761617c69235861d84e0ea58ce9bc60063eb95b1bb80bb8152acf6d1835954018b1c4c1a31b63fa419c325c3aeebe623f0c924243b20e662c
-
Filesize
932B
MD55cf74526a72eca280749b7a07bc8102c
SHA14ff04f0b8b7ef3ff881269d7751d1ad5aacdf37e
SHA256c8db6da492ba4d1e8da1420fb9f0cb6e34cb4dc9d03d61c048edbd055da3cd9c
SHA512bebd820955f7dbc5e6292fa3d45a96479c05f88213b9802da95227bbc23778db3c5bef29819df05a6aa3693207e44ae959e3741d3a85e57f405e7513e49e9c4c
-
Filesize
734B
MD57f9a76ceaa6688e90c53db1eadac3412
SHA11b76727ea305064ce50dc3f96b075467ae7fc159
SHA256c5c6f40ecc4d4ea7bf830f27177b7e4d836df7b9af54d9daebde480c7a6da8e6
SHA512dc071b49a58b094387ff6cb1c704824353836bbd192908519568273ac6658d52dcbda5b9b305fa2d42355c6f1f0d4cac7e5b664cb9ae5e9a75ebbd92d1e870f4
-
Filesize
856B
MD51a08139d13f8be9f3c5d7cf1186c8e06
SHA1f3cb8572eddc6c4528fe3da85f93521cb45140f6
SHA2568de4f457d6efe2bb027773fe9e1d54422171ac3630d17b430b19015cc06e7dff
SHA5128d28690da694eed78d5b9695244b2da1db4acc0dd266a330b0773db3902219f187eab6dcbb6c8258f96be6c088a667cf9d2a05803fdcae6fabbbe6ad3339c0fb
-
Filesize
6KB
MD55769e75a4635c8ff0c9cab7b14531314
SHA16facb13465651d32c4e9fb32d389c373fce94dff
SHA256cd6072d24bf4a0e94ac22648e4bb26e241844a7f1e3b380a8e2121cdb8c452d8
SHA512a54b8f5aba8a2ee896a6c0c66b44d319bc3f22576a3e54428a297f3ff1834b31af02af96e462592df9ca6a8b65eb98735e346df6dd7db406aacdd2e53a686218
-
Filesize
6KB
MD5f1254fd04cd62f64ea1f5a85895c16e7
SHA14bbfdc02d6d634fa224167f94c158d48de4583c6
SHA25612f05a06b2e5f5a5126371e2c3457489a7943b616a1c56c05dc64f4a56b1b78f
SHA5123d99f1332201dc144a990055d4d7e024ded36452a5fab83aa9379fd8aedbcfbc250305b35785bdbef7f211e99b09cdb5db73eac2cbe1aa0cdb53128df8cbc5c2
-
Filesize
6KB
MD5a51d5be5d3bc46d23574ff2e3514216d
SHA151424f65914c52aaecaf62c54c4d453542bf871e
SHA25654b18052afb0366901871004d86e3c6f55536ebb73bd5657e5f0e37c7386dac5
SHA512e8ac92c17a5a20d82444619607d72c7127a96b48aebb74602aa97525f10be4edeb0e1413bc9c517797851edf0f28d905a9b34f91a25ab940e9f554c424865d86
-
Filesize
6KB
MD5ddbe6fd20effb242db3a77487f8b737c
SHA1a1c09a26b5d81594a5346597380424247620c854
SHA256e678f872291554197b676ce6c49734ff84f1565bc6d1f853d1d31fe299307e7b
SHA5127f5a79b4ecf157375d873d1edc6fe8f72210bb0a5335f21089e93d6f6d6144618121ebe3da117bba18161903bfc817cd89bd823b2ecd8aff80c996c0ef5034b2
-
Filesize
3KB
MD5c8da9c078c9fc6576e8cbf0473894695
SHA1d032cb0cde9b7ae8040b1b7c0e2e83009802cca2
SHA256effcf198991db15efbc4f5608f46ba680a203ea723d6b264d38a34635b6554b3
SHA51216a44c86218aab17e37f1d27954440552644e9a4fcfd568a97645d6870a5e447f251dc4f0ace59e546e494c0e08ff2341306aaf6521d6ff49e21f07dc77a5749
-
Filesize
4KB
MD56d36c940711cef6ca16e75783c0104d4
SHA1ee04f0462f0dfe08550f0b0002d55ebab7258f34
SHA2560279548f2834a4917fe046813ae4a988173b9a280efe690328544b8c07a19b2f
SHA5129caa5c9a61961fd0c4ccc118cedec8ac40bc250c0520b9834f433c827c376b72b54d65a8f1ecafd335221973da56ceaba1d733619ba273b6d712625cb4242517
-
Filesize
4KB
MD57d36f1cea10fe8014c4563da2e6e3273
SHA1d6dc6f9d79f17dcc6315d9c817a7f3c5733b92e0
SHA256d115681737327fa2e783d7db32f5e7eb6d01ea5ff9530db83ede4ec0c45e257a
SHA5124d54a10e9b23ceb037ff84c7a56373e9c23c22dab5bcb357b9e1df05c7258b8e8b58e8d4f257653c100de50130c0d53939ca0d90aee9a93615ec3ecc7087a2f1
-
Filesize
4KB
MD5f58b9567a6943b787db09152af081e04
SHA124a403b0bc1513fe12b9fecf2545ef8a82b1c9a8
SHA256fe98d90eb156d6da20d76b39476edd070cdfcf6a9dcedd7bc3c82dc27bda2717
SHA512f57f44919339860fb0f7840806d276d51ffcc205c3abeddcfa909dd80c10d3404d922b0c367d502d7594f12e0f30695cabd318fecad470db5f11327ede8d56ed
-
Filesize
4KB
MD57867b4df2e3f6d7198a1f2218797b3a4
SHA1ecb8a247f2f8f66d393a7f97f31fdc544ad04b7a
SHA256872a2d2d43aa0467fb5b8c37775c2d8c1d5f98308c7411001da68e8e72ead9b2
SHA51267606a52bc1135140994a53fd8f5dbc195a70a8e118829408153086adb08a22151565c27a267da787a4b39eb258b743c2bdb3c440fc968ab59a4813022813ac8
-
Filesize
6KB
MD59fc177d7a1084bc7059801e404e0deea
SHA1bf0e97e49803d5a6337a823226104989cffe72c7
SHA256520744a6e3959cbd5a71b150a95ba8a13a12834ed316a98012684b9bd1e8e3d8
SHA5121a9a7da70ad9106cfb901c32f7358274517e41fab282d64b8f5258aaa2a3aa16c8108fa1447be33e374bac3b972a81cfb9ea96e29e4705ee5de4d896e984d6a9
-
Filesize
6KB
MD5da16537f56c374235432610b5126e6aa
SHA13f869fb59ce7403b8a0724bbd3ad0297929264f4
SHA256a9a54c401f38b5f92bef537d7bbd17cc0a905e7739ada6af6d5a78d383bb037b
SHA5125e24d6ca1cf9f2666c161837bfc05ffeeae06c817ca15cf85a85a8671adb826e9398ffac607c5bfa231ae32bda0bf22e1dcfe53fd5ddddcdd86311c4358c4a88
-
Filesize
41KB
MD51df9a18b18332f153918030b7b516615
SHA16c42c62696616b72bbfc88a4be4ead57aa7bc503
SHA256bbd05de19aa2af1455c0494639215898a15286d9b05073b6c4817fe24b2c36fa
SHA5126382ca9c307d66ab7566acf78b1afd44b18b24d766253e1dc1cb3a3c0be96ecf1f2042d6bd3332d49078ffee571cf98869c1284c1d3e5c1c7dc3e4c64f71af80
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
64KB
-
Filesize
696KB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
64KB
-
Filesize
1.9MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
1.9MB