99c47b9045bdbccc430ab5730e7d2dadf6f9ac846d6a6e83b923f6917ea26548

General

Target

5402c57e447090a58d4e4d183e58d51b_mafia_JC.exe
Size

467KB
MD5

5402c57e447090a58d4e4d183e58d51b
SHA1

2578d3c44fce6bb0f2a65a9e88c13e06dc787762
SHA256

99c47b9045bdbccc430ab5730e7d2dadf6f9ac846d6a6e83b923f6917ea26548
SHA512

66deb79074d1c73d496f8d80088c12f62a3b4b90de337e5fa094fe9285dccc5dd49edd387c231c983d6f365de9ace14084ca6049a4265c2d8cd6f7d9471eedb3
SSDEEP

12288:Bb4bZudi79LfsFNVfT0bDbatFjhZsnxaodAk:Bb4bcdkLfyFTCStL4aG

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2936	6FD3.tmp

Loads dropped DLL 1 IoCs

pid	Process
3028	5402c57e447090a58d4e4d183e58d51b_mafia_JC.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2792	WINWORD.EXE

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2936	6FD3.tmp

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2792	WINWORD.EXE
2792	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 2936	3028	5402c57e447090a58d4e4d183e58d51b_mafia_JC.exe	28
PID 3028 wrote to memory of 2936	3028	5402c57e447090a58d4e4d183e58d51b_mafia_JC.exe	28
PID 3028 wrote to memory of 2936	3028	5402c57e447090a58d4e4d183e58d51b_mafia_JC.exe	28
PID 3028 wrote to memory of 2936	3028	5402c57e447090a58d4e4d183e58d51b_mafia_JC.exe	28
PID 2936 wrote to memory of 2792	2936	6FD3.tmp	29
PID 2936 wrote to memory of 2792	2936	6FD3.tmp	29
PID 2936 wrote to memory of 2792	2936	6FD3.tmp	29
PID 2936 wrote to memory of 2792	2936	6FD3.tmp	29
PID 2792 wrote to memory of 760	2792	WINWORD.EXE	34
PID 2792 wrote to memory of 760	2792	WINWORD.EXE	34
PID 2792 wrote to memory of 760	2792	WINWORD.EXE	34
PID 2792 wrote to memory of 760	2792	WINWORD.EXE	34

C:\Users\Admin\AppData\Local\Temp\5402c57e447090a58d4e4d183e58d51b_mafia_JC.exe
"C:\Users\Admin\AppData\Local\Temp\5402c57e447090a58d4e4d183e58d51b_mafia_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Users\Admin\AppData\Local\Temp\6FD3.tmp
  "C:\Users\Admin\AppData\Local\Temp\6FD3.tmp" --helpC:\Users\Admin\AppData\Local\Temp\5402c57e447090a58d4e4d183e58d51b_mafia_JC.exe 9BE4D8AB26BB6EA3049C7E1332332DAAEAAE992446540B34C251C688678D33DA72480FFA501AC75731ADDBF9B130EE2F36A6C7670272EBE7099C41418071E5A0
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5402c57e447090a58d4e4d183e58d51b_mafia_JC.doc"
    3⤵
    - Drops file in Windows directory
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2792
  - - C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      4⤵
      PID:760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5402c57e447090a58d4e4d183e58d51b_mafia_JC.doc

Filesize
35KB

MD5
a6b03fc9e5439b7504ba08010a960962

SHA1
e93a74f35ac1ed020158642eb1f2087fd31fc7c6

SHA256
b3b306a9618a08a003443e00e8ce2fcb14040775c3aeadc11cf120668e98dff1

SHA512
decbe4fa7eec0833a27acbde8b4de099124aa42e551f710fb615e6fc5aa0056ce9e44fc282e4930b1a669a1e012700b2c79cebc8a7b8ee4c66cfc29c800cddd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\6FD3.tmp

Filesize
467KB

MD5
32789e68494fcd20d0908f8e962048bb

SHA1
a8aab0625f86d6e993636ac7c2f6a4d3f82b72cf

SHA256
b81087fb8117ad5b4f8822f15d5709f05772b2417cbd73ec69ccd559dc1b8d79

SHA512
2e7bb3c63ef1a3fb104116e764c1dc9aff52f58f5d878a883e0137fa40efa39e31a322a1eb9623f9ac6eaa45050ef90c354cfec7b5dadd3df92f524bb917a51e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
98268d67ced4a7acae03d3e5255abc39

SHA1
aea3671f06e10908ca53a5068b5e6dfa7ce30754

SHA256
7b973385919e8de208fc9a7ac2d255fa6fda117713656053c3620cc50f363b05

SHA512
90c67c118cb3045a72923f7bce79ab0c9e52447d8fc871dfbadb490bd0ee5a4cba07084cb9050018b6717bf0b96d6e02f058c7ccdccf9936aa3551c4aa096b3d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\Users\Admin\AppData\Local\Temp\6FD3.tmp

Filesize
467KB

MD5
32789e68494fcd20d0908f8e962048bb

SHA1
a8aab0625f86d6e993636ac7c2f6a4d3f82b72cf

SHA256
b81087fb8117ad5b4f8822f15d5709f05772b2417cbd73ec69ccd559dc1b8d79

SHA512
2e7bb3c63ef1a3fb104116e764c1dc9aff52f58f5d878a883e0137fa40efa39e31a322a1eb9623f9ac6eaa45050ef90c354cfec7b5dadd3df92f524bb917a51e

Download Submit
memory/2792-60-0x000000002FC70000-0x000000002FDCD000-memory.dmp

Filesize
1.4MB

Download
memory/2792-61-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2792-62-0x0000000070FBD000-0x0000000070FC8000-memory.dmp

Filesize
44KB

Download
memory/2792-80-0x000000002FC70000-0x000000002FDCD000-memory.dmp

Filesize
1.4MB

Download
memory/2792-81-0x0000000070FBD000-0x0000000070FC8000-memory.dmp

Filesize
44KB

Download
memory/2792-97-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2792-98-0x0000000070FBD000-0x0000000070FC8000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing