a6f04aa198764796113c223c2376a963271cc6e5e9c3747b3193380e808e57aa

General

Target

97159387346555978984a8bbf1aed492_mafia_JC.exe
Size

467KB
MD5

97159387346555978984a8bbf1aed492
SHA1

ea89a065620be080a6adf67616fcf110e94fa4b8
SHA256

a6f04aa198764796113c223c2376a963271cc6e5e9c3747b3193380e808e57aa
SHA512

6ec0e39ccadd2e2081f202e22c60f066eaab96bf50f9bd048bf9ffae3288b311025087160dcb95a15b4714d48f3c11decdb7c2e21a4b4f96cbe7ef555bf172b9
SSDEEP

12288:Bb4bZudi79LLBkRYXKBQrprLhLymqyLGAk:Bb4bcdkLVkRFCV2n

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2860	78E7.tmp

Loads dropped DLL 1 IoCs

pid	Process
2076	97159387346555978984a8bbf1aed492_mafia_JC.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3004	WINWORD.EXE

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2860	78E7.tmp

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3004	WINWORD.EXE
3004	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 2860	2076	97159387346555978984a8bbf1aed492_mafia_JC.exe	28
PID 2076 wrote to memory of 2860	2076	97159387346555978984a8bbf1aed492_mafia_JC.exe	28
PID 2076 wrote to memory of 2860	2076	97159387346555978984a8bbf1aed492_mafia_JC.exe	28
PID 2076 wrote to memory of 2860	2076	97159387346555978984a8bbf1aed492_mafia_JC.exe	28
PID 2860 wrote to memory of 3004	2860	78E7.tmp	29
PID 2860 wrote to memory of 3004	2860	78E7.tmp	29
PID 2860 wrote to memory of 3004	2860	78E7.tmp	29
PID 2860 wrote to memory of 3004	2860	78E7.tmp	29
PID 3004 wrote to memory of 2700	3004	WINWORD.EXE	34
PID 3004 wrote to memory of 2700	3004	WINWORD.EXE	34
PID 3004 wrote to memory of 2700	3004	WINWORD.EXE	34
PID 3004 wrote to memory of 2700	3004	WINWORD.EXE	34

C:\Users\Admin\AppData\Local\Temp\97159387346555978984a8bbf1aed492_mafia_JC.exe
"C:\Users\Admin\AppData\Local\Temp\97159387346555978984a8bbf1aed492_mafia_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Users\Admin\AppData\Local\Temp\78E7.tmp
  "C:\Users\Admin\AppData\Local\Temp\78E7.tmp" --helpC:\Users\Admin\AppData\Local\Temp\97159387346555978984a8bbf1aed492_mafia_JC.exe 31F47A76BEA3EFDE0C92BDB0CD1B799C4EBB25389FAFACDDB318180E6FA9F2013D313BB16762CA345EE9C92DC99FCC8B8A947CC1CCDC71A231196005BE8399F4
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\97159387346555978984a8bbf1aed492_mafia_JC.doc"
    3⤵
    - Drops file in Windows directory
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3004
  - - C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      4⤵
      PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\78E7.tmp

Filesize
467KB

MD5
4e3971ea0cd048b19630f06745b512e9

SHA1
bb0ce52980eb66861b98086385ae4974037aab10

SHA256
31dcb105d4219a1d1b93be90f03236cb0dd65a8208f25c04c2816be9339ee20d

SHA512
a25f307d446e98c06ae749e6037168ba295aca2ee7eb4b978d00f07c17503722c0c945ea67e32ccae589cdcb01bc2ad76f8401749e32c808967d17ce60f37d02

Download Submit
C:\Users\Admin\AppData\Local\Temp\97159387346555978984a8bbf1aed492_mafia_JC.doc

Filesize
35KB

MD5
a6b03fc9e5439b7504ba08010a960962

SHA1
e93a74f35ac1ed020158642eb1f2087fd31fc7c6

SHA256
b3b306a9618a08a003443e00e8ce2fcb14040775c3aeadc11cf120668e98dff1

SHA512
decbe4fa7eec0833a27acbde8b4de099124aa42e551f710fb615e6fc5aa0056ce9e44fc282e4930b1a669a1e012700b2c79cebc8a7b8ee4c66cfc29c800cddd0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
30c1a9b365d2f99854a143df696f64c4

SHA1
2584540243d91ac0ec0e53181c18637ad97a9c18

SHA256
dd63cf4a7c86341ad2e44fa4989dd1ed40c8c339abbc3e86b4c8e859ea7b1c06

SHA512
9a912c5443c08ad7cedf3b3e547b01ef623245fb23100f519ded516da9ea0617fa3f600465d191358b3b504ddd3e6d675abe73cdd0777e0fe912b7331ac5b665

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\Users\Admin\AppData\Local\Temp\78E7.tmp

Filesize
467KB

MD5
4e3971ea0cd048b19630f06745b512e9

SHA1
bb0ce52980eb66861b98086385ae4974037aab10

SHA256
31dcb105d4219a1d1b93be90f03236cb0dd65a8208f25c04c2816be9339ee20d

SHA512
a25f307d446e98c06ae749e6037168ba295aca2ee7eb4b978d00f07c17503722c0c945ea67e32ccae589cdcb01bc2ad76f8401749e32c808967d17ce60f37d02

Download Submit
memory/3004-61-0x000000002F500000-0x000000002F65D000-memory.dmp

Filesize
1.4MB

Download
memory/3004-62-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/3004-63-0x00000000715CD000-0x00000000715D8000-memory.dmp

Filesize
44KB

Download
memory/3004-68-0x000000002F500000-0x000000002F65D000-memory.dmp

Filesize
1.4MB

Download
memory/3004-69-0x00000000715CD000-0x00000000715D8000-memory.dmp

Filesize
44KB

Download
memory/3004-98-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/3004-99-0x00000000715CD000-0x00000000715D8000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing