8a9b1c5cb762229aef452bacf5b3337a84c72054fff0890ecaac0f5241e4bc12

General

Target

87773a4e6c0215_JC.exe
Size

467KB
MD5

87773a4e6c021505944799b3196fbff9
SHA1

4269df0a4e24d3cc076157f804042bb39574da26
SHA256

8a9b1c5cb762229aef452bacf5b3337a84c72054fff0890ecaac0f5241e4bc12
SHA512

07916f153617bf2d4161329888612fd5941059e60dfc55c687471bc2fb76e0b7388ab6922a328c8cd19d3443149317b8d2d02d6f6ec876dae83daa83536e942b
SSDEEP

6144:jFrJxvldL4c5ONK1xgWbd1s79+iStQ+2hMX5dBw0oiXnRqfpJ5Ewt5uo8SNScZnj:Bb4bZudi79Lb6dP6GQwo8SNSklBAk

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3052	8546.tmp

Loads dropped DLL 1 IoCs

pid	Process
2776	87773a4e6c0215_JC.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2788	WINWORD.EXE

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3052	8546.tmp

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2788	WINWORD.EXE
2788	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2776 wrote to memory of 3052	2776	87773a4e6c0215_JC.exe	28
PID 2776 wrote to memory of 3052	2776	87773a4e6c0215_JC.exe	28
PID 2776 wrote to memory of 3052	2776	87773a4e6c0215_JC.exe	28
PID 2776 wrote to memory of 3052	2776	87773a4e6c0215_JC.exe	28
PID 3052 wrote to memory of 2788	3052	8546.tmp	29
PID 3052 wrote to memory of 2788	3052	8546.tmp	29
PID 3052 wrote to memory of 2788	3052	8546.tmp	29
PID 3052 wrote to memory of 2788	3052	8546.tmp	29
PID 2788 wrote to memory of 2056	2788	WINWORD.EXE	34
PID 2788 wrote to memory of 2056	2788	WINWORD.EXE	34
PID 2788 wrote to memory of 2056	2788	WINWORD.EXE	34
PID 2788 wrote to memory of 2056	2788	WINWORD.EXE	34

C:\Users\Admin\AppData\Local\Temp\87773a4e6c0215_JC.exe
"C:\Users\Admin\AppData\Local\Temp\87773a4e6c0215_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2776
- C:\Users\Admin\AppData\Local\Temp\8546.tmp
  "C:\Users\Admin\AppData\Local\Temp\8546.tmp" --helpC:\Users\Admin\AppData\Local\Temp\87773a4e6c0215_JC.exe 65D97EBD4C13F863ED6D57BC3F7A014B23F06595F2447121CB807BEC03A76D47862A0DC49F877A92D6C01152936697268E260D6D0049C99DAF76C3EB34B60602
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\87773a4e6c0215_JC.doc"
    3⤵
    - Drops file in Windows directory
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      4⤵
      PID:2056

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8546.tmp

Filesize
467KB

MD5
07dc23652eec88a662e6a80d35e4ccca

SHA1
21e53b6c612dcba15cdea8ca0b05c525a489d63d

SHA256
d5041b72a8f8db47a6e1a320f83e79f6f244be23994cda7c11b616b3f229827f

SHA512
b59f29c978cb2adf40f45916549e1fc64c7b05b4aba7e33da9ef395329c274cb8caf487b9a0d9e770c2c6773a2247f181d31e44e6ff1587b0fe8374a415015f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\87773a4e6c0215_JC.doc

Filesize
35KB

MD5
a6b03fc9e5439b7504ba08010a960962

SHA1
e93a74f35ac1ed020158642eb1f2087fd31fc7c6

SHA256
b3b306a9618a08a003443e00e8ce2fcb14040775c3aeadc11cf120668e98dff1

SHA512
decbe4fa7eec0833a27acbde8b4de099124aa42e551f710fb615e6fc5aa0056ce9e44fc282e4930b1a669a1e012700b2c79cebc8a7b8ee4c66cfc29c800cddd0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
a94b18f8e400c78927af26a9fa4f0160

SHA1
ba8772ada3bbcef27293a2a9eef574c0603374be

SHA256
3a082208e4d5ea51d9c849ecf1da57fbe400897babfd0ed0b0b41ec8ac54579e

SHA512
e46889354ef44545686dbe3e58bff9c669f57ab2ff5b42918f58c72664fdfcec3e74c1bd5009bb2d117a243bf559fa1c008598e9c5ab4ddab427f5dfdfd12698

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\Users\Admin\AppData\Local\Temp\8546.tmp

Filesize
467KB

MD5
07dc23652eec88a662e6a80d35e4ccca

SHA1
21e53b6c612dcba15cdea8ca0b05c525a489d63d

SHA256
d5041b72a8f8db47a6e1a320f83e79f6f244be23994cda7c11b616b3f229827f

SHA512
b59f29c978cb2adf40f45916549e1fc64c7b05b4aba7e33da9ef395329c274cb8caf487b9a0d9e770c2c6773a2247f181d31e44e6ff1587b0fe8374a415015f1

Download Submit
memory/2788-61-0x000000002F150000-0x000000002F2AD000-memory.dmp

Filesize
1.4MB

Download
memory/2788-62-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2788-63-0x00000000710ED000-0x00000000710F8000-memory.dmp

Filesize
44KB

Download
memory/2788-81-0x000000002F150000-0x000000002F2AD000-memory.dmp

Filesize
1.4MB

Download
memory/2788-82-0x00000000710ED000-0x00000000710F8000-memory.dmp

Filesize
44KB

Download
memory/2788-98-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2788-99-0x00000000710ED000-0x00000000710F8000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing