e16a6a7caf09930bf4fb6b6af7718d1aec0a33110c23a90b609f8b30db59d656

General

Target

3a4a2a8318c7ddexeexe_JC.exe
Size

467KB
MD5

3a4a2a8318c7ddaea1f63f3d6acf1b18
SHA1

693961ffc96ef6f355bdc89987a967e21d5121c0
SHA256

e16a6a7caf09930bf4fb6b6af7718d1aec0a33110c23a90b609f8b30db59d656
SHA512

0d6a7c00910ad3ac49dbda93d4825d9f9dacd5947b6c989891078ef40f027ad12dcd2518395de6ae4184ab1fcde68917d8c9784c98e2aacc177253493feaaaf8
SSDEEP

6144:jFrJxvldL4c5ONK1xgWbd1s79+iStiO8M8ZtlpgjtlJ4N4Bs6X/5agfR4IEFn8L9:Bb4bZudi79La8M8Zt3et4WBDaC4vnUAk

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2248	D346.tmp

Loads dropped DLL 1 IoCs

pid	Process
2268	3a4a2a8318c7ddexeexe_JC.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2200	WINWORD.EXE

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2248	D346.tmp

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2200	WINWORD.EXE
2200	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 2248	2268	3a4a2a8318c7ddexeexe_JC.exe	28
PID 2268 wrote to memory of 2248	2268	3a4a2a8318c7ddexeexe_JC.exe	28
PID 2268 wrote to memory of 2248	2268	3a4a2a8318c7ddexeexe_JC.exe	28
PID 2268 wrote to memory of 2248	2268	3a4a2a8318c7ddexeexe_JC.exe	28
PID 2248 wrote to memory of 2200	2248	D346.tmp	29
PID 2248 wrote to memory of 2200	2248	D346.tmp	29
PID 2248 wrote to memory of 2200	2248	D346.tmp	29
PID 2248 wrote to memory of 2200	2248	D346.tmp	29
PID 2200 wrote to memory of 2120	2200	WINWORD.EXE	34
PID 2200 wrote to memory of 2120	2200	WINWORD.EXE	34
PID 2200 wrote to memory of 2120	2200	WINWORD.EXE	34
PID 2200 wrote to memory of 2120	2200	WINWORD.EXE	34

C:\Users\Admin\AppData\Local\Temp\3a4a2a8318c7ddexeexe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\3a4a2a8318c7ddexeexe_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Users\Admin\AppData\Local\Temp\D346.tmp
  "C:\Users\Admin\AppData\Local\Temp\D346.tmp" --helpC:\Users\Admin\AppData\Local\Temp\3a4a2a8318c7ddexeexe_JC.exe F46C2B05E4729A7F2740F8C72C29D934DCF60625596AB872B8E3AAE05C5DCD56D3F4F4679D60FC8B5E213400E02771D5068C80C077183B6012CEAD4637BC59D4
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\3a4a2a8318c7ddexeexe_JC.doc"
    3⤵
    - Drops file in Windows directory
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2200
  - - C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      4⤵
      PID:2120

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3a4a2a8318c7ddexeexe_JC.doc

Filesize
35KB

MD5
a6b03fc9e5439b7504ba08010a960962

SHA1
e93a74f35ac1ed020158642eb1f2087fd31fc7c6

SHA256
b3b306a9618a08a003443e00e8ce2fcb14040775c3aeadc11cf120668e98dff1

SHA512
decbe4fa7eec0833a27acbde8b4de099124aa42e551f710fb615e6fc5aa0056ce9e44fc282e4930b1a669a1e012700b2c79cebc8a7b8ee4c66cfc29c800cddd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\D346.tmp

Filesize
467KB

MD5
a9d3ed1dfcb7bbccdd1f5a41aa22b240

SHA1
0737261ee1b92c48b7c0a43b83637a77b93ee9a8

SHA256
4704663c17a4d7442c2aef63802fb2d9e164d20398c9c315559a09b09a263c90

SHA512
efe46d7407cb63ce6b1a1be6728685eba0d5040a9ef7ecf6100e7c477a5df18e7a46d17b8fefe0e0f9d42f09cbc04edd1a3ea4bf5bcb233a45d5c9f885c8f32b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
c222104b5e4cf15b5f00d1a8a9f93a59

SHA1
4fa367f1e2c861692976ca84a8156b58d4817f97

SHA256
b794017a6a90e5b44b0339c14b34618045c91875c5456ae88ca2d83054cb0a72

SHA512
d25f9bf2b77444bfefdfbc35be52c60a908a1fc35b27880b4e07a53ae9ccc5b23772cb85b7027ddd305c3dedbf5b1d92a735bb8d44318b51254a1e40241f6534

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\Users\Admin\AppData\Local\Temp\D346.tmp

Filesize
467KB

MD5
a9d3ed1dfcb7bbccdd1f5a41aa22b240

SHA1
0737261ee1b92c48b7c0a43b83637a77b93ee9a8

SHA256
4704663c17a4d7442c2aef63802fb2d9e164d20398c9c315559a09b09a263c90

SHA512
efe46d7407cb63ce6b1a1be6728685eba0d5040a9ef7ecf6100e7c477a5df18e7a46d17b8fefe0e0f9d42f09cbc04edd1a3ea4bf5bcb233a45d5c9f885c8f32b

Download Submit
memory/2200-61-0x000000002FBB0000-0x000000002FD0D000-memory.dmp

Filesize
1.4MB

Download
memory/2200-62-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2200-63-0x0000000071A2D000-0x0000000071A38000-memory.dmp

Filesize
44KB

Download
memory/2200-81-0x000000002FBB0000-0x000000002FD0D000-memory.dmp

Filesize
1.4MB

Download
memory/2200-82-0x0000000071A2D000-0x0000000071A38000-memory.dmp

Filesize
44KB

Download
memory/2200-98-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2200-99-0x0000000071A2D000-0x0000000071A38000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing