1168516ead0c0682bd0633096a93924438a64805b6afa66aca74ce54063e718f

General

Target

6045de5a59286744b39c57889fd106d1_mafia_JC.exe
Size

465KB
MD5

6045de5a59286744b39c57889fd106d1
SHA1

8d75922352ee6b2f0e733991dc7edbe665ba5906
SHA256

1168516ead0c0682bd0633096a93924438a64805b6afa66aca74ce54063e718f
SHA512

3b6571fd8f4c6034c68e35d5846668876785c17b17cc0f8ea201a07b57509f0c58b5f5e6e208289155c6be036f7917bf70cad723a6b03420c09b39e5bbcfc04b
SSDEEP

6144:jFrJxvldL4c5ONK1xgWbd1s79+iSthdjNE9IEA2dnz7tsIV3sMqC+J2CTD8wJQvA:Bb4bZudi79LAjGxZdKMqPJPTA8QxAZ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2804	7ACB.tmp

Loads dropped DLL 1 IoCs

pid	Process
2568	6045de5a59286744b39c57889fd106d1_mafia_JC.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2068	WINWORD.EXE

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2804	7ACB.tmp

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2068	WINWORD.EXE
2068	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2568 wrote to memory of 2804	2568	6045de5a59286744b39c57889fd106d1_mafia_JC.exe	28
PID 2568 wrote to memory of 2804	2568	6045de5a59286744b39c57889fd106d1_mafia_JC.exe	28
PID 2568 wrote to memory of 2804	2568	6045de5a59286744b39c57889fd106d1_mafia_JC.exe	28
PID 2568 wrote to memory of 2804	2568	6045de5a59286744b39c57889fd106d1_mafia_JC.exe	28
PID 2804 wrote to memory of 2068	2804	7ACB.tmp	29
PID 2804 wrote to memory of 2068	2804	7ACB.tmp	29
PID 2804 wrote to memory of 2068	2804	7ACB.tmp	29
PID 2804 wrote to memory of 2068	2804	7ACB.tmp	29
PID 2068 wrote to memory of 1600	2068	WINWORD.EXE	34
PID 2068 wrote to memory of 1600	2068	WINWORD.EXE	34
PID 2068 wrote to memory of 1600	2068	WINWORD.EXE	34
PID 2068 wrote to memory of 1600	2068	WINWORD.EXE	34

C:\Users\Admin\AppData\Local\Temp\6045de5a59286744b39c57889fd106d1_mafia_JC.exe
"C:\Users\Admin\AppData\Local\Temp\6045de5a59286744b39c57889fd106d1_mafia_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Users\Admin\AppData\Local\Temp\7ACB.tmp
  "C:\Users\Admin\AppData\Local\Temp\7ACB.tmp" --helpC:\Users\Admin\AppData\Local\Temp\6045de5a59286744b39c57889fd106d1_mafia_JC.exe 492C90F42175446BCF72113337BB2EC7C11C88675F7B82D9D51790089FBC36E76F7AA4E16FC3C1AAAC6E89DD7899A64320BC7C2CA361D5C506E3E255BCD40DAE
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\6045de5a59286744b39c57889fd106d1_mafia_JC.doc"
    3⤵
    - Drops file in Windows directory
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2068
  - - C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      4⤵
      PID:1600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6045de5a59286744b39c57889fd106d1_mafia_JC.doc

Filesize
35KB

MD5
a6b03fc9e5439b7504ba08010a960962

SHA1
e93a74f35ac1ed020158642eb1f2087fd31fc7c6

SHA256
b3b306a9618a08a003443e00e8ce2fcb14040775c3aeadc11cf120668e98dff1

SHA512
decbe4fa7eec0833a27acbde8b4de099124aa42e551f710fb615e6fc5aa0056ce9e44fc282e4930b1a669a1e012700b2c79cebc8a7b8ee4c66cfc29c800cddd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ACB.tmp

Filesize
465KB

MD5
21f8cb3071ce0d340a55ea8229a5eb62

SHA1
d5aa42a51851131a05fc3b5e8a94db5c6ccb0051

SHA256
230a1e1abd6cb2f416bb5f4dd958243cb1e2f3b88a84fd0afeb8ffef0db56023

SHA512
53f177c7a343e20aa2c17d140f343b0fee64e5cba24a0ef5c664275f1a78f64106233bbd27df262de0c0b3dd5611a00759bc87c0bc333ed89f919c5c02233bcd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
f907f36310540db6cc1d36c63f1ff1e5

SHA1
f3fb473eed4fcf69cd88836ded266e8a465b47f5

SHA256
9a5f063ed42eca960cd94b9480dc24e854db0d696c3e6019918bb311e4b1c8ff

SHA512
a89b0895f6cf0f0952d3ed66c4148cc35faab6d83897aa00f604d2a6b0c95d9b2f798b035de7b60dbdbdf64a5149e49918efbf266d6f9e1883d8687c90148646

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\Users\Admin\AppData\Local\Temp\7ACB.tmp

Filesize
465KB

MD5
21f8cb3071ce0d340a55ea8229a5eb62

SHA1
d5aa42a51851131a05fc3b5e8a94db5c6ccb0051

SHA256
230a1e1abd6cb2f416bb5f4dd958243cb1e2f3b88a84fd0afeb8ffef0db56023

SHA512
53f177c7a343e20aa2c17d140f343b0fee64e5cba24a0ef5c664275f1a78f64106233bbd27df262de0c0b3dd5611a00759bc87c0bc333ed89f919c5c02233bcd

Download Submit
memory/2068-61-0x000000002F4A0000-0x000000002F5FD000-memory.dmp

Filesize
1.4MB

Download
memory/2068-62-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2068-63-0x00000000716DD000-0x00000000716E8000-memory.dmp

Filesize
44KB

Download
memory/2068-81-0x000000002F4A0000-0x000000002F5FD000-memory.dmp

Filesize
1.4MB

Download
memory/2068-82-0x00000000716DD000-0x00000000716E8000-memory.dmp

Filesize
44KB

Download
memory/2068-98-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2068-99-0x00000000716DD000-0x00000000716E8000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing