d6f1c474baed74a1f176da3b0a79617ac4c28f358e51b2052cc2074c490401dd

General

Target

NA_NA_3efdb072053c82exeexe_JC.exe
Size

467KB
MD5

3efdb072053c82b6fca700fd79cddc62
SHA1

34c8cb7778c52ba663927e62560c51b66c67711b
SHA256

d6f1c474baed74a1f176da3b0a79617ac4c28f358e51b2052cc2074c490401dd
SHA512

1b78973d00f2e7d396a0959c0b70637756b97bf135dd7461a9522b35569a143672e5551d9327a51a2942cf802ba14bb3aea10d86b4dca1ec07367b72f31be4b8
SSDEEP

6144:jFrJxvldL4c5ONK1xgWbd1s79+iStwsosyHdteMyhiN7+zlMR6d8zZDoKdAvME5p:Bb4bZudi79LQ6vBhAdkm1dZTAk

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2212	9D68.tmp

Loads dropped DLL 1 IoCs

pid	Process
2380	NA_NA_3efdb072053c82exeexe_JC.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2236	WINWORD.EXE

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2212	9D68.tmp

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2236	WINWORD.EXE
2236	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2212	2380	NA_NA_3efdb072053c82exeexe_JC.exe	28
PID 2380 wrote to memory of 2212	2380	NA_NA_3efdb072053c82exeexe_JC.exe	28
PID 2380 wrote to memory of 2212	2380	NA_NA_3efdb072053c82exeexe_JC.exe	28
PID 2380 wrote to memory of 2212	2380	NA_NA_3efdb072053c82exeexe_JC.exe	28
PID 2212 wrote to memory of 2236	2212	9D68.tmp	29
PID 2212 wrote to memory of 2236	2212	9D68.tmp	29
PID 2212 wrote to memory of 2236	2212	9D68.tmp	29
PID 2212 wrote to memory of 2236	2212	9D68.tmp	29
PID 2236 wrote to memory of 2952	2236	WINWORD.EXE	34
PID 2236 wrote to memory of 2952	2236	WINWORD.EXE	34
PID 2236 wrote to memory of 2952	2236	WINWORD.EXE	34
PID 2236 wrote to memory of 2952	2236	WINWORD.EXE	34

C:\Users\Admin\AppData\Local\Temp\NA_NA_3efdb072053c82exeexe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NA_NA_3efdb072053c82exeexe_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Users\Admin\AppData\Local\Temp\9D68.tmp
  "C:\Users\Admin\AppData\Local\Temp\9D68.tmp" --helpC:\Users\Admin\AppData\Local\Temp\NA_NA_3efdb072053c82exeexe_JC.exe D926950F0BAF0CB0C2004EDFE63E7B09F368C4F1B996A7D5238341CC0BE954F7E00E0D0F2F25C6A7D2AFC71AEC18DC03C73774E9B2954D7DB60E661BA74BDDEC
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\NA_NA_3efdb072053c82exeexe_JC.doc"
    3⤵
    - Drops file in Windows directory
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2236
  - - C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      4⤵
      PID:2952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9D68.tmp

Filesize
467KB

MD5
7a066bd492d8941be0690465fe2ea4d8

SHA1
4ea9a52bf2581ecab4a833920bd695f57dac5847

SHA256
56fca68a382ec9d090f551525a18e4a81543ed226ad1c597df4efb6fe6f08a10

SHA512
d4363491ae2afac5ec8cf952a1a77f08277057aaf6e311178dea332307623a9e7a12e9f6aa537a94f62d139fbd79119be333c38647f1b1e2f491746c60e50d47

Download Submit
C:\Users\Admin\AppData\Local\Temp\NA_NA_3efdb072053c82exeexe_JC.doc

Filesize
35KB

MD5
a6b03fc9e5439b7504ba08010a960962

SHA1
e93a74f35ac1ed020158642eb1f2087fd31fc7c6

SHA256
b3b306a9618a08a003443e00e8ce2fcb14040775c3aeadc11cf120668e98dff1

SHA512
decbe4fa7eec0833a27acbde8b4de099124aa42e551f710fb615e6fc5aa0056ce9e44fc282e4930b1a669a1e012700b2c79cebc8a7b8ee4c66cfc29c800cddd0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
51f042d98e908da7a56fe629192af4f2

SHA1
25fd00b758b6e4da17627387e7d99d934d79f17c

SHA256
e21e92c216228d45305e918970dc5ef86c1573538a9f2b573b9af64dff7a67be

SHA512
742eaf5b98231dac98860060b1a9497622801281c8fe067ac5619205e9a597e024bdfe5a7af929078351e8dd90e9ecbcca6dff0518beeb151d2426d1105ee03f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\Users\Admin\AppData\Local\Temp\9D68.tmp

Filesize
467KB

MD5
7a066bd492d8941be0690465fe2ea4d8

SHA1
4ea9a52bf2581ecab4a833920bd695f57dac5847

SHA256
56fca68a382ec9d090f551525a18e4a81543ed226ad1c597df4efb6fe6f08a10

SHA512
d4363491ae2afac5ec8cf952a1a77f08277057aaf6e311178dea332307623a9e7a12e9f6aa537a94f62d139fbd79119be333c38647f1b1e2f491746c60e50d47

Download Submit
memory/2236-60-0x000000002F2C0000-0x000000002F41D000-memory.dmp

Filesize
1.4MB

Download
memory/2236-61-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2236-62-0x000000007151D000-0x0000000071528000-memory.dmp

Filesize
44KB

Download
memory/2236-80-0x000000002F2C0000-0x000000002F41D000-memory.dmp

Filesize
1.4MB

Download
memory/2236-81-0x000000007151D000-0x0000000071528000-memory.dmp

Filesize
44KB

Download
memory/2236-97-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2236-98-0x000000007151D000-0x0000000071528000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing