37a75a6c41c98751b7de67c12833f0bbac6fef84ef32b563d609265ffb8286ff

General

Target

7c7adf1b530bda74e313c9ee6f264f0e_mafia_JC.exe
Size

467KB
MD5

7c7adf1b530bda74e313c9ee6f264f0e
SHA1

e516adbe23db32002e45ba24c28c5fae7b2e3531
SHA256

37a75a6c41c98751b7de67c12833f0bbac6fef84ef32b563d609265ffb8286ff
SHA512

125a287127650785d7cab7d9889a544d0cd71b49594010a55c1d2c8c04912317bfdf2564259f2cd949b2d657e3fbed2fc2583a1c6e04c054012c26fc04b9ddc7
SSDEEP

6144:jFrJxvldL4c5ONK1xgWbd1s79+iStiq4Vtg+aixbIhnzPgi9VBJuGMMFIuU4ZSdw:Bb4bZudi79LfaqihzoISHvvyV+2fAk

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2592	84F8.tmp

Loads dropped DLL 1 IoCs

pid	Process
1196	7c7adf1b530bda74e313c9ee6f264f0e_mafia_JC.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2088	WINWORD.EXE

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2592	84F8.tmp

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2088	WINWORD.EXE
2088	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1196 wrote to memory of 2592	1196	7c7adf1b530bda74e313c9ee6f264f0e_mafia_JC.exe	28
PID 1196 wrote to memory of 2592	1196	7c7adf1b530bda74e313c9ee6f264f0e_mafia_JC.exe	28
PID 1196 wrote to memory of 2592	1196	7c7adf1b530bda74e313c9ee6f264f0e_mafia_JC.exe	28
PID 1196 wrote to memory of 2592	1196	7c7adf1b530bda74e313c9ee6f264f0e_mafia_JC.exe	28
PID 2592 wrote to memory of 2088	2592	84F8.tmp	29
PID 2592 wrote to memory of 2088	2592	84F8.tmp	29
PID 2592 wrote to memory of 2088	2592	84F8.tmp	29
PID 2592 wrote to memory of 2088	2592	84F8.tmp	29
PID 2088 wrote to memory of 476	2088	WINWORD.EXE	34
PID 2088 wrote to memory of 476	2088	WINWORD.EXE	34
PID 2088 wrote to memory of 476	2088	WINWORD.EXE	34
PID 2088 wrote to memory of 476	2088	WINWORD.EXE	34

C:\Users\Admin\AppData\Local\Temp\7c7adf1b530bda74e313c9ee6f264f0e_mafia_JC.exe
"C:\Users\Admin\AppData\Local\Temp\7c7adf1b530bda74e313c9ee6f264f0e_mafia_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Users\Admin\AppData\Local\Temp\84F8.tmp
  "C:\Users\Admin\AppData\Local\Temp\84F8.tmp" --helpC:\Users\Admin\AppData\Local\Temp\7c7adf1b530bda74e313c9ee6f264f0e_mafia_JC.exe 3E892DDC1885F0D6A312540ABA97C2CE945EAFD4E4F230853E7E61503E8D1510183BC997F0D29C5739A69CC875B77F80CF69530F7AFBBB0A961978FDA6FDA63A
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2592
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\7c7adf1b530bda74e313c9ee6f264f0e_mafia_JC.doc"
    3⤵
    - Drops file in Windows directory
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2088
  - - C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      4⤵
      PID:476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7c7adf1b530bda74e313c9ee6f264f0e_mafia_JC.doc

Filesize
35KB

MD5
a6b03fc9e5439b7504ba08010a960962

SHA1
e93a74f35ac1ed020158642eb1f2087fd31fc7c6

SHA256
b3b306a9618a08a003443e00e8ce2fcb14040775c3aeadc11cf120668e98dff1

SHA512
decbe4fa7eec0833a27acbde8b4de099124aa42e551f710fb615e6fc5aa0056ce9e44fc282e4930b1a669a1e012700b2c79cebc8a7b8ee4c66cfc29c800cddd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\84F8.tmp

Filesize
467KB

MD5
cf138bb19e1e8399354754a42a386c38

SHA1
a14d0d57f34c6a6628f02fc86dfe7f500ce0ff1c

SHA256
b42c10a8648a7f8b437e6525eb8ed80b4e8f5ed0b5853c93aa3883e6b12f0b53

SHA512
8f7c7072ac2def514271dd29338e9110dde4d641f44fbd40a22dd86d67991bcb623c080948d3a17da8c3043102dcadffe02aae81c15afa69d53e7773be3d449e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
b170baa25fe5df4c6a270148c0e11aec

SHA1
34498565e5f753224e5e6f3e58e01524a8f25e62

SHA256
e3984f43d4c16e3dd69739deb74741a1455fdf35d948c5697643ad65918fde81

SHA512
b8f453d7a2190d88ff6929571306062610f756cbd9015efbf7002ecfa7b28f56544211a3993207fa162c231c73f500446beba006bb4e57ddf14ed468049925c4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\Users\Admin\AppData\Local\Temp\84F8.tmp

Filesize
467KB

MD5
cf138bb19e1e8399354754a42a386c38

SHA1
a14d0d57f34c6a6628f02fc86dfe7f500ce0ff1c

SHA256
b42c10a8648a7f8b437e6525eb8ed80b4e8f5ed0b5853c93aa3883e6b12f0b53

SHA512
8f7c7072ac2def514271dd29338e9110dde4d641f44fbd40a22dd86d67991bcb623c080948d3a17da8c3043102dcadffe02aae81c15afa69d53e7773be3d449e

Download Submit
memory/2088-61-0x000000002FC60000-0x000000002FDBD000-memory.dmp

Filesize
1.4MB

Download
memory/2088-62-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2088-63-0x00000000714CD000-0x00000000714D8000-memory.dmp

Filesize
44KB

Download
memory/2088-68-0x000000002FC60000-0x000000002FDBD000-memory.dmp

Filesize
1.4MB

Download
memory/2088-82-0x00000000714CD000-0x00000000714D8000-memory.dmp

Filesize
44KB

Download
memory/2088-98-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2088-99-0x00000000714CD000-0x00000000714D8000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing