Analysis
-
max time kernel
152s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
15/06/2024, 21:36
General
-
Target
virus.rtf
-
Size
719B
-
MD5
28b03b91c0f4b5d2c0683754801ba2dd
-
SHA1
f654760600959731a1d992ea05a371beb1591f3b
-
SHA256
9cb8c4fd9a6753364fa28d64640acb1f2e3cefe8c71d20e2bd1fbfdd669669f9
-
SHA512
293ed9e0bd8048d911ea18703065c1adc23e6897995d9d2022f7c2a13ef0309cc1ff17e4412274f2206bb0ba7406d34f060ed0a9030931266b91478b565735d9
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
-
Command and Scripting Interpreter: JavaScript 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 11 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 6 IoCs
-
Suspicious use of SendNotifyMessage 21 IoCs
-
Suspicious use of SetWindowsHookEx 11 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\virus.rtf" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3976 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:81⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3352.0.966304138\807337151" -parentBuildID 20221007134813 -prefsHandle 1884 -prefMapHandle 1876 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f6784f43-7dd1-47b8-9f85-66b939a28556} 3352 "\\.\pipe\gecko-crash-server-pipe.3352" 1964 1eeef9dd158 gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3352.1.1096821263\1371992884" -parentBuildID 20221007134813 -prefsHandle 2352 -prefMapHandle 2340 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {679c9c52-420a-43a7-92bf-16dffbbb76c7} 3352 "\\.\pipe\gecko-crash-server-pipe.3352" 2364 1eeef330558 socket3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3352.2.492077275\1148283202" -childID 1 -isForBrowser -prefsHandle 3116 -prefMapHandle 3132 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1440 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2c543794-0696-4abc-a0d0-80f12d0756f2} 3352 "\\.\pipe\gecko-crash-server-pipe.3352" 3264 1eef399f258 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3352.3.1469388636\1942468675" -childID 2 -isForBrowser -prefsHandle 3544 -prefMapHandle 1088 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1440 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {440ae175-c8a4-4200-b16f-af4e448c0ba3} 3352 "\\.\pipe\gecko-crash-server-pipe.3352" 2500 1eedbc6ae58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3352.4.1619338034\740694698" -childID 3 -isForBrowser -prefsHandle 3968 -prefMapHandle 3964 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1440 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {84d61a82-11c7-4ceb-9061-a91b4de4e146} 3352 "\\.\pipe\gecko-crash-server-pipe.3352" 3980 1eedbc61958 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3352.5.1289841269\1257515639" -childID 4 -isForBrowser -prefsHandle 4936 -prefMapHandle 4880 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1440 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f03cf4ba-6290-4a88-8d43-f5056d71ebea} 3352 "\\.\pipe\gecko-crash-server-pipe.3352" 2872 1eef5caa858 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3352.6.1266430324\949846370" -childID 5 -isForBrowser -prefsHandle 4916 -prefMapHandle 4952 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1440 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eccde70e-a681-445e-844c-ac25e8c86047} 3352 "\\.\pipe\gecko-crash-server-pipe.3352" 4976 1eef5cf8258 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3352.7.1079437803\1130476630" -childID 6 -isForBrowser -prefsHandle 5328 -prefMapHandle 5344 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1440 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b88f051d-1762-46b0-937b-b9ade1684249} 3352 "\\.\pipe\gecko-crash-server-pipe.3352" 4916 1eef0e98f58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3352.8.114655688\792767311" -childID 7 -isForBrowser -prefsHandle 5620 -prefMapHandle 5712 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1440 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f72b5e2a-874c-4c94-bd2c-6baf5cd88973} 3352 "\\.\pipe\gecko-crash-server-pipe.3352" 5680 1eef7603558 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3352.9.1619089148\1572965714" -childID 8 -isForBrowser -prefsHandle 4332 -prefMapHandle 5580 -prefsLen 26460 -prefMapSize 233444 -jsInitHandle 1440 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c71ad54-0825-40bb-90ef-33ea4012c7f5} 3352 "\\.\pipe\gecko-crash-server-pipe.3352" 5300 1eef327d258 tab3⤵
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\MEMZ 4.0 Clean\MEMZ 4.0 Clean\MEMZ-Clean.bat" "1⤵
-
C:\Windows\system32\cscript.execscript x.js2⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Users\Admin\AppData\Roaming\MEMZ.exe"C:\Users\Admin\AppData\Roaming\MEMZ.exe"2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
12KB
MD59c642c5b111ee85a6bccffc7af896a51
SHA1eca8571b994fd40e2018f48c214fab6472a98bab
SHA2564bbf7589615ebdb6c769d6d2e7bdcb26072bac0cda6e225a4133ba8819e688d5
SHA51223cc74b5a7bdf70ba789d1730a0009414cfb9c780544e3d8d841be58782b9a9a089969c4295a0da25d07285505992386486d6ff0524e75605b96bb99cd3aaa1c
-
Filesize
2KB
MD59d928c27c794554f6c33332923f982e0
SHA1477a97bd48312f11513e92eb9d00396e0c714a5f
SHA256031729dc3ef0576e31d680ecd8eb43cfa7339a760a3c0a2ccfcd5538cfe06e74
SHA51263c4b08d70f713318d3ae727001feab6161399528e9a1c5ca2db48ee349a47b53861c2177b04bbdba4ae2421d1cec9415eb6eca39821a630a81c981f53628c15
-
Filesize
746B
MD5832e0991d79b3d4d38d93a53e427be96
SHA1dafa84dd79666c297b20d84754c5abd961e3021d
SHA2567c66a71b763440ec9ed84b28d87032ba1fbd12eb2b02a3d99996a32d31c00a9a
SHA512d9865516428f867af3e8a9425a89071d93533423c012ef60aeacc1ddbf7a1ad702b04db565163a95ffd24d8c657ab609dca87db7ac08ee8a69fb1caa56ceb88b
-
Filesize
11KB
MD590cd559015b9d30f7697a6cd3918cf9e
SHA154a9d083256d0870fabcdc76a6e0c42b63014746
SHA256f1cc874107efd3c021b388b4a4486e9a15c7bd788e0d6a3af329c33f0ecdcd3d
SHA512c976fd9d168f0337b6e6ef2ae75561deaccd0c97bc52c97691b85c1dcb8637f0111327703ff9e9a33952efea7f3c38adb36834237993c7ddb66b1d6089eb704b
-
Filesize
6KB
MD5f3d3950c608f99cc820a97e2cb5ae5f4
SHA12043c9de8de019cf8e82aa6efcf4e9c9a4af265e
SHA256e424aed5e73b96e23e44cd822d5c2d3bb58b03bc15fe67ff96d8d133999e5b61
SHA512046347bd263272fde140f99c47a8ed7e6ec2606f60ee27e14bf2f3518b568986099d05bb6ae2e1c9a4d7bbe7fc36bfb43fd8bc58c9809ce4ed7b351fd7fa360f
-
Filesize
6KB
MD5a4f517f3624d9216fcd38fe80c6d9eee
SHA1e5d3cbd60882def7481e62e05a75b9e7e5506202
SHA25620ff3a41987dc41bd631a621ae35ddec04f7fd66845df7f1f418f899028f9f9e
SHA5123decab9329398cf741d8d86db80d73202daa9231edf6e00a8f3c3c37c47f4c88d826d7635218248df5d21e0d05d338dc984affc116aebf64f7071f5f94fb31a2
-
Filesize
6KB
MD5b8c60e975f790d1e9197aeb4f320dec4
SHA1f6033a9d1b5b44b9803dbada124e042f89b04897
SHA2563b35f8b259f4b4e3d95052eb457cf1a331d28ae9ec60245dc5702742f95eac33
SHA512b8c3787e14b9a57b36feeef123b1f892c20485a02bde70991129ad634df7065e50bb9dbbdf949850d6e046e484b96eb56a20542016e943afcfe24297dd2986d0
-
Filesize
6KB
MD57cf211079fb4fe68da9500a6ba90793a
SHA166ded70afb64f34cae451197d7cfbaf9b50964fa
SHA2568c40a51fec398039dcf46a42ca85cf9fd70f3098e084be010d2ff8c22f8eefb8
SHA512ffd86fb26a93440517118ca3a16522ec3d38ab75c240bcb1af6e457ce84a83efb9ba8d8df1b51d47591259601afce1e69ceab165c104e2b8ac75db79a6ad7250
-
Filesize
1KB
MD589f94b49d8ead3a259bf5d51c4b7ba18
SHA1e68c3903eb9f49e577b6c66877bc344db8dea3f7
SHA2562642b326c3427eb6d210949fcdfd5f447feeacba010b3fe75a429208dace817b
SHA512b9689a20e61eb28b078cacc9d844f05c7e683ba64236c71e9b6c4f797ca15ccaa73fd569730b246f81a42b8f3123934bbceb00fdf0b7f7695b8a91239acb2de0
-
Filesize
5KB
MD5a87aeebe663a9e8ebe7d76ad11949675
SHA16ff74a74ffb0b4de03e6e61e256d4726656fec7b
SHA256e13109af145ed0f2e13c10849b3f28eaa19949eb871d59808e4fd6619d81125e
SHA51230cad3a34c3ce48d1b6b516a7674d4c6e9347c519d6ea18729e10813709ceba0074b14e5a77ca7ca3f3b17637c700cc3fb98be41fc066be7ae31960a7884bd0c
-
Filesize
6KB
MD5fbe1ef1afedf54dffe638514be1fe7b1
SHA1f60935e36ba17eb2b84356ddc30459d3554994dc
SHA2561d70b75adf1471640253b08fca394dea014f433fe1f83d7364ef945c1c7dd099
SHA512066427e1b78889e5dc796325eed1ef28f08dbb35377696862efb604af99c0682ed046cb52cffde363858dfa4ede3d2f924b53d0858636b0f50dafacb2d1acfee
-
Filesize
4KB
MD520e335859ff991575cf1ddf538e5817c
SHA11e81b804d67d6c0e22c0cef7e1cb9f86ce0ef5ee
SHA25688339750431112ed60cdf9bdb7697434ba9b38e2d15ad604c4462705bc1bdfcf
SHA512012251b342722cf35ebec2c7d071db505a992d81fc4b3492cd87640b5c955dc084825fc5e72edc821f4c481867183f21d26cd904fe7f0373d1156332f87b031d
-
Filesize
8KB
MD55ce1a2162bf5e16485f5e263b3cc5cf5
SHA1e9ec3e06bef08fcf29be35c6a4b2217a8328133c
SHA2560557ea4c5e309b16458ca32ac617b76d1a55f5f0103e368d05c0f0386b7a0a43
SHA512ceb5e270bdbcab5be645e50705e3111a5c4751a7a865580d53fa86580025201264a49dd0ea9135b10cff28d7bb21b767ac5d4aff40e880a866ab35df273b5de1
-
Filesize
448B
MD58eec8704d2a7bc80b95b7460c06f4854
SHA11b34585c1fa7ec0bd0505478ac9dbb8b8d19f326
SHA256aa01b8864b43e92077a106ed3d4656a511f3ba1910fba40c78a32ee6a621d596
SHA512e274b92810e9a30627a65f87448d784967a2fcfbf49858cbe6ccb841f09e0f53fde253ecc1ea0c7de491d8cc56a6cf8c79d1b7c657e72928cfb0479d11035210
-
Filesize
5KB
MD5d2ea024b943caa1361833885b832d20b
SHA11e17c27a3260862645bdaff5cf82c44172d4df9a
SHA25639df3364a3af6f7d360aa7e1345e27befc4be960e0e7e7e060b20f3389b80e76
SHA5127b7cfb5e689feed6a52eedf36b89a7b5cc411191571c0af5e5d704b5f24bfa04afa62d1daab159a7e5702d80e56f3946bf32db0551d256419ca12cd3c57dcecb
-
Filesize
12KB
MD58f40ab355ce87d20b87de8b224242bfc
SHA115fe66eced37a3a90821464702725e408644af77
SHA2562f1c3f37c6468ebb385731ae5867a7a142ebd58cbb6791f3208a19504cc7e822
SHA5123c1add73c2d1d83e08df101af0fcdeb524b7037f5b16c2cb5aef9fb5e6a1b5fc56398bf69b5379bb1181ddd6da0f930aa9b5c9cb05522d062e9f95b47ed301d2
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
4KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
64KB