d9206bde59f416fa1fc3364e8c599da9900beeff0e22215082f773bae032f2f5

General

Target

5388dd8511b61a81285f3faeba3fe5c7_mafia_JC.exe
Size

467KB
MD5

5388dd8511b61a81285f3faeba3fe5c7
SHA1

158582d6029961266e57e3462943c1847f6b907a
SHA256

d9206bde59f416fa1fc3364e8c599da9900beeff0e22215082f773bae032f2f5
SHA512

c4f263089832f929d638034a0d5349e43a61fe866ffb96b886f05f1973744cd8ce1ac651056d93a135170debdb09c3acb18fadca5867185199feb75ea218cb8b
SSDEEP

6144:jFrJxvldL4c5ONK1xgWbd1s79+iStYGLLWEmUkxMKToWjEWEgoD1rUByGj4m4Qkv:Bb4bZudi79L+PHmoW21w4As7DKoAk

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2640	BF0B.tmp

Loads dropped DLL 1 IoCs

pid	Process
688	5388dd8511b61a81285f3faeba3fe5c7_mafia_JC.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2200	WINWORD.EXE

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2640	BF0B.tmp

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2200	WINWORD.EXE
2200	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 688 wrote to memory of 2640	688	5388dd8511b61a81285f3faeba3fe5c7_mafia_JC.exe	28
PID 688 wrote to memory of 2640	688	5388dd8511b61a81285f3faeba3fe5c7_mafia_JC.exe	28
PID 688 wrote to memory of 2640	688	5388dd8511b61a81285f3faeba3fe5c7_mafia_JC.exe	28
PID 688 wrote to memory of 2640	688	5388dd8511b61a81285f3faeba3fe5c7_mafia_JC.exe	28
PID 2640 wrote to memory of 2200	2640	BF0B.tmp	29
PID 2640 wrote to memory of 2200	2640	BF0B.tmp	29
PID 2640 wrote to memory of 2200	2640	BF0B.tmp	29
PID 2640 wrote to memory of 2200	2640	BF0B.tmp	29
PID 2200 wrote to memory of 2772	2200	WINWORD.EXE	34
PID 2200 wrote to memory of 2772	2200	WINWORD.EXE	34
PID 2200 wrote to memory of 2772	2200	WINWORD.EXE	34
PID 2200 wrote to memory of 2772	2200	WINWORD.EXE	34

C:\Users\Admin\AppData\Local\Temp\5388dd8511b61a81285f3faeba3fe5c7_mafia_JC.exe
"C:\Users\Admin\AppData\Local\Temp\5388dd8511b61a81285f3faeba3fe5c7_mafia_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:688
- C:\Users\Admin\AppData\Local\Temp\BF0B.tmp
  "C:\Users\Admin\AppData\Local\Temp\BF0B.tmp" --helpC:\Users\Admin\AppData\Local\Temp\5388dd8511b61a81285f3faeba3fe5c7_mafia_JC.exe E26769C9A81C586A904D1826CE835BD93D3F881ADF36FE4EBAC53A07CCE86A9EEDFC9CD3CE1DC09DA26EF3E7CDCE0CC503E99611389BD59E506A640124B614DE
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5388dd8511b61a81285f3faeba3fe5c7_mafia_JC.doc"
    3⤵
    - Drops file in Windows directory
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2200
  - - C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      4⤵
      PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5388dd8511b61a81285f3faeba3fe5c7_mafia_JC.doc

Filesize
35KB

MD5
a6b03fc9e5439b7504ba08010a960962

SHA1
e93a74f35ac1ed020158642eb1f2087fd31fc7c6

SHA256
b3b306a9618a08a003443e00e8ce2fcb14040775c3aeadc11cf120668e98dff1

SHA512
decbe4fa7eec0833a27acbde8b4de099124aa42e551f710fb615e6fc5aa0056ce9e44fc282e4930b1a669a1e012700b2c79cebc8a7b8ee4c66cfc29c800cddd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\BF0B.tmp

Filesize
467KB

MD5
d668e5b0f1ce1eed14fc76ec1f5c81f4

SHA1
a9ee71451c96e88600713a33c04ecc88927c0c51

SHA256
6d8b52ffb413b1e93426cf0199e5497ca5964c7cb3cdedcc797dd31bcd9ff79a

SHA512
664b9e5211beda302638e9a957a928030d17a916a330a46b8e7b55a941bcf9622db223929071c304325b618f904e01b76d9087911df1f47f00b30f6837f092a7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
bdaa4e0bcb64706cb6afe62dfffb62a1

SHA1
f0951cb1344216b487515eb504f004890a8f0bf8

SHA256
8b326e4998862d9b402f3693799f311b4c72b8026122d26ab45f0532f60aa3aa

SHA512
70cebda8e88fb8da429c42e3bfaccdc356c02ba099cf19ceebc7cb1cfcdb898b20816a8f39510aebbaa2e0ee55c7058b964497daf1d57cfd9a345b86cbbb91db

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\Users\Admin\AppData\Local\Temp\BF0B.tmp

Filesize
467KB

MD5
d668e5b0f1ce1eed14fc76ec1f5c81f4

SHA1
a9ee71451c96e88600713a33c04ecc88927c0c51

SHA256
6d8b52ffb413b1e93426cf0199e5497ca5964c7cb3cdedcc797dd31bcd9ff79a

SHA512
664b9e5211beda302638e9a957a928030d17a916a330a46b8e7b55a941bcf9622db223929071c304325b618f904e01b76d9087911df1f47f00b30f6837f092a7

Download Submit
memory/2200-61-0x000000002F320000-0x000000002F47D000-memory.dmp

Filesize
1.4MB

Download
memory/2200-62-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2200-63-0x0000000070FAD000-0x0000000070FB8000-memory.dmp

Filesize
44KB

Download
memory/2200-81-0x000000002F320000-0x000000002F47D000-memory.dmp

Filesize
1.4MB

Download
memory/2200-82-0x0000000070FAD000-0x0000000070FB8000-memory.dmp

Filesize
44KB

Download
memory/2200-98-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2200-99-0x0000000070FAD000-0x0000000070FB8000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing