20402a7587544d4b4d76afbe3fecf82239eed5b9b3dc69885c748f785ba55708

General

Target

8421b07fef4b5f_JC.exe
Size

467KB
MD5

8421b07fef4b5fd01ee94ab88da0066b
SHA1

5de92151ebec2e0608e9e5d022f5da7c38e34b53
SHA256

20402a7587544d4b4d76afbe3fecf82239eed5b9b3dc69885c748f785ba55708
SHA512

385073a21b5d66fc1c0d8df0e1c8d35248e3d32d0c1ab659a46a861caf39eb0ad232f5f74c896229754178ac4a271773bb80f4bf01bf401ce2677584d8161fa9
SSDEEP

6144:jFrJxvldL4c5ONK1xgWbd1s79+iStwTgUq+uUCN5Tb/lEh7cJJqBhGrirbO4Dyb9:Bb4bZudi79Lf/65Tb/QLGrObb/zsn1Ak

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1276	73D9.tmp

Loads dropped DLL 1 IoCs

pid	Process
1412	8421b07fef4b5f_JC.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2828	WINWORD.EXE

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1276	73D9.tmp

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2828	WINWORD.EXE
2828	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1412 wrote to memory of 1276	1412	8421b07fef4b5f_JC.exe	28
PID 1412 wrote to memory of 1276	1412	8421b07fef4b5f_JC.exe	28
PID 1412 wrote to memory of 1276	1412	8421b07fef4b5f_JC.exe	28
PID 1412 wrote to memory of 1276	1412	8421b07fef4b5f_JC.exe	28
PID 1276 wrote to memory of 2828	1276	73D9.tmp	29
PID 1276 wrote to memory of 2828	1276	73D9.tmp	29
PID 1276 wrote to memory of 2828	1276	73D9.tmp	29
PID 1276 wrote to memory of 2828	1276	73D9.tmp	29
PID 2828 wrote to memory of 592	2828	WINWORD.EXE	34
PID 2828 wrote to memory of 592	2828	WINWORD.EXE	34
PID 2828 wrote to memory of 592	2828	WINWORD.EXE	34
PID 2828 wrote to memory of 592	2828	WINWORD.EXE	34

C:\Users\Admin\AppData\Local\Temp\8421b07fef4b5f_JC.exe
"C:\Users\Admin\AppData\Local\Temp\8421b07fef4b5f_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1412
- C:\Users\Admin\AppData\Local\Temp\73D9.tmp
  "C:\Users\Admin\AppData\Local\Temp\73D9.tmp" --helpC:\Users\Admin\AppData\Local\Temp\8421b07fef4b5f_JC.exe 2D0A69470682626D5170B656BF67A18C9E24BF092653D94E79D087AC319B8F43CB24224091679D43044F3D65E0C0EDB03C5D98DE27DD9076E8970B19BC26601B
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:1276
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\8421b07fef4b5f_JC.doc"
    3⤵
    - Drops file in Windows directory
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2828
  - - C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      4⤵
      PID:592

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\73D9.tmp

Filesize
467KB

MD5
e2683e685bb27554357656d383269df8

SHA1
68179e3bd82a838b1c36071a796488e01877558b

SHA256
38c17b026da57c5aa9d9a8f3bd0cbb075041b397d584adf898df38168f975f34

SHA512
2dbff99f32bf21df3bab9ea27869f33816947157f8de5d644cf92dbdca8ea0e742d85c512f8e9231f036c069404444226327b22cdd63606f771e5c533ed1eb04

Download Submit
C:\Users\Admin\AppData\Local\Temp\8421b07fef4b5f_JC.doc

Filesize
35KB

MD5
a6b03fc9e5439b7504ba08010a960962

SHA1
e93a74f35ac1ed020158642eb1f2087fd31fc7c6

SHA256
b3b306a9618a08a003443e00e8ce2fcb14040775c3aeadc11cf120668e98dff1

SHA512
decbe4fa7eec0833a27acbde8b4de099124aa42e551f710fb615e6fc5aa0056ce9e44fc282e4930b1a669a1e012700b2c79cebc8a7b8ee4c66cfc29c800cddd0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
18a9f64c9860dd37b29d30ec310cebcd

SHA1
acf375954bb46f2f6e5a9d74df203e7da17a2716

SHA256
35d6706df4e8da17b3fba5a08b3451195a34f525ad72ee2b17b4aa2ae4aac2a4

SHA512
ad034fd1fc63d99507e20145b44950ecf4bac17621c1f7ea950f347d8aa6c3696ae57b1808310f1ed4e24f267cea4ca102bc081159f8f085d3ab5679319dadb7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\Users\Admin\AppData\Local\Temp\73D9.tmp

Filesize
467KB

MD5
e2683e685bb27554357656d383269df8

SHA1
68179e3bd82a838b1c36071a796488e01877558b

SHA256
38c17b026da57c5aa9d9a8f3bd0cbb075041b397d584adf898df38168f975f34

SHA512
2dbff99f32bf21df3bab9ea27869f33816947157f8de5d644cf92dbdca8ea0e742d85c512f8e9231f036c069404444226327b22cdd63606f771e5c533ed1eb04

Download Submit
memory/2828-61-0x000000002F880000-0x000000002F9DD000-memory.dmp

Filesize
1.4MB

Download
memory/2828-62-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2828-63-0x000000007157D000-0x0000000071588000-memory.dmp

Filesize
44KB

Download
memory/2828-81-0x000000002F880000-0x000000002F9DD000-memory.dmp

Filesize
1.4MB

Download
memory/2828-82-0x000000007157D000-0x0000000071588000-memory.dmp

Filesize
44KB

Download
memory/2828-98-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2828-99-0x000000007157D000-0x0000000071588000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing