e773c1798b739f3141836a286e13ef697bfdb3b9aae66f61984a1ad590328097

General

Target

99dfe5fa8cd1cb430f9b94041db1a6d6_mafia_JC.exe
Size

467KB
MD5

99dfe5fa8cd1cb430f9b94041db1a6d6
SHA1

ff562f65e8bc358d104f749fdb26d510f01cc088
SHA256

e773c1798b739f3141836a286e13ef697bfdb3b9aae66f61984a1ad590328097
SHA512

52f2e0c4758374f8a2a6eaa3a8889526461e34d39969270e15f619512a4edb6c464b4112445d6de383f7e3f4ba0120e96291b3f5cf50dabd33cebb629a8fe42d
SSDEEP

6144:jFrJxvldL4c5ONK1xgWbd1s79+iStfmzSvn1GmQaQfLkoP7aj/a/Kg/qHxP9wMKT:Bb4bZudi79L4v1GmdQfLkxDaSPnC4kAk

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2924	6900.tmp

Loads dropped DLL 1 IoCs

pid	Process
2812	99dfe5fa8cd1cb430f9b94041db1a6d6_mafia_JC.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2164	WINWORD.EXE

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2924	6900.tmp

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2164	WINWORD.EXE
2164	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2812 wrote to memory of 2924	2812	99dfe5fa8cd1cb430f9b94041db1a6d6_mafia_JC.exe	28
PID 2812 wrote to memory of 2924	2812	99dfe5fa8cd1cb430f9b94041db1a6d6_mafia_JC.exe	28
PID 2812 wrote to memory of 2924	2812	99dfe5fa8cd1cb430f9b94041db1a6d6_mafia_JC.exe	28
PID 2812 wrote to memory of 2924	2812	99dfe5fa8cd1cb430f9b94041db1a6d6_mafia_JC.exe	28
PID 2924 wrote to memory of 2164	2924	6900.tmp	29
PID 2924 wrote to memory of 2164	2924	6900.tmp	29
PID 2924 wrote to memory of 2164	2924	6900.tmp	29
PID 2924 wrote to memory of 2164	2924	6900.tmp	29
PID 2164 wrote to memory of 1428	2164	WINWORD.EXE	34
PID 2164 wrote to memory of 1428	2164	WINWORD.EXE	34
PID 2164 wrote to memory of 1428	2164	WINWORD.EXE	34
PID 2164 wrote to memory of 1428	2164	WINWORD.EXE	34

C:\Users\Admin\AppData\Local\Temp\99dfe5fa8cd1cb430f9b94041db1a6d6_mafia_JC.exe
"C:\Users\Admin\AppData\Local\Temp\99dfe5fa8cd1cb430f9b94041db1a6d6_mafia_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2812
- C:\Users\Admin\AppData\Local\Temp\6900.tmp
  "C:\Users\Admin\AppData\Local\Temp\6900.tmp" --helpC:\Users\Admin\AppData\Local\Temp\99dfe5fa8cd1cb430f9b94041db1a6d6_mafia_JC.exe F6076AC087D679F204A17C50B2D5861E1E4F85B1A0B074AB98AD735D8B74FF75E7B36D91948025BBD9FC76CB26CA20ECBE000073FF4F4B0C880E926CE03FB5E5
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\99dfe5fa8cd1cb430f9b94041db1a6d6_mafia_JC.doc"
    3⤵
    - Drops file in Windows directory
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2164
  - - C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      4⤵
      PID:1428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6900.tmp

Filesize
467KB

MD5
ffd97645cdf20994f656cbc23afab232

SHA1
72ad79d4530c287e6bcfa0534cc90b195e373b2c

SHA256
b9a7a0c65c763c4939a56a493404a78187f61ba44addb57b7256f700d2dd696e

SHA512
6fa30b69a56d04946dd2f84df24607b2b167e8a6c23292049f1d773c5a0d8b5df0e5371d2eb7b91317047b1d31c1ad71922b97af1bf5a10d79fa84e0c1e06c60

Download Submit
C:\Users\Admin\AppData\Local\Temp\99dfe5fa8cd1cb430f9b94041db1a6d6_mafia_JC.doc

Filesize
35KB

MD5
a6b03fc9e5439b7504ba08010a960962

SHA1
e93a74f35ac1ed020158642eb1f2087fd31fc7c6

SHA256
b3b306a9618a08a003443e00e8ce2fcb14040775c3aeadc11cf120668e98dff1

SHA512
decbe4fa7eec0833a27acbde8b4de099124aa42e551f710fb615e6fc5aa0056ce9e44fc282e4930b1a669a1e012700b2c79cebc8a7b8ee4c66cfc29c800cddd0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
6e2dedf81e83b34e0562e5dd7415fcaf

SHA1
2199bc4534198558c2dbbcfbde6a707f03846795

SHA256
b4ae5af4dfc05a83660b081a8d925390e4ce24f8a052ac380a045b3f2e9ae065

SHA512
14acb2d00be0d0abb815d8a08eb99f861e0942768168df02ff5893e41aa03a3ee12782fbb479388adb85bd41de5d554cff239dea28689e86c8d455a757ce41cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\Users\Admin\AppData\Local\Temp\6900.tmp

Filesize
467KB

MD5
ffd97645cdf20994f656cbc23afab232

SHA1
72ad79d4530c287e6bcfa0534cc90b195e373b2c

SHA256
b9a7a0c65c763c4939a56a493404a78187f61ba44addb57b7256f700d2dd696e

SHA512
6fa30b69a56d04946dd2f84df24607b2b167e8a6c23292049f1d773c5a0d8b5df0e5371d2eb7b91317047b1d31c1ad71922b97af1bf5a10d79fa84e0c1e06c60

Download Submit
memory/2164-61-0x000000002F850000-0x000000002F9AD000-memory.dmp

Filesize
1.4MB

Download
memory/2164-62-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2164-63-0x00000000713ED000-0x00000000713F8000-memory.dmp

Filesize
44KB

Download
memory/2164-81-0x000000002F850000-0x000000002F9AD000-memory.dmp

Filesize
1.4MB

Download
memory/2164-82-0x00000000713ED000-0x00000000713F8000-memory.dmp

Filesize
44KB

Download
memory/2164-98-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2164-99-0x00000000713ED000-0x00000000713F8000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing