82be061b2bfe48ee3a9f76ee99cf6f3ed712c0c1393ad4a9f064cfc4d11cb53d

General

Target

Video Drawing P.O.#4210020253.pps
Size

367KB
MD5

9ce5a1a804496ce739ecce3dcaaf21d1
SHA1

d1a695c3b9e4801bcb2b1cdc748cf6c800d41fa0
SHA256

82be061b2bfe48ee3a9f76ee99cf6f3ed712c0c1393ad4a9f064cfc4d11cb53d
SHA512

7ef0a0380f7baa72bbf6985b023b2346d6f8b1ea54d2e4dfb7da4ac0a9d0f3cdafb81e91eaa44c5568f6c1ca8f99abc13a1af8b082b158b04d6084fc3495daad

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

POWERPNT.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt	POWERPNT.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	POWERPNT.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	POWERPNT.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

POWERPNT.EXE

pid process

1068 POWERPNT.EXE

pid	process
1068	POWERPNT.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

POWERPNT.EXE

description	pid	process	target process
PID 1068 wrote to memory of 1224	1068	POWERPNT.EXE	splwow64.exe
PID 1068 wrote to memory of 1224	1068	POWERPNT.EXE	splwow64.exe
PID 1068 wrote to memory of 1224	1068	POWERPNT.EXE	splwow64.exe
PID 1068 wrote to memory of 1224	1068	POWERPNT.EXE	splwow64.exe

C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" /s "C:\Users\Admin\AppData\Local\Temp\Video Drawing P.O.#4210020253.pps"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of WriteProcessMemory
PID:1068

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1224

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1068-2-0x00000000745E1000-0x00000000745E5000-memory.dmp

Filesize
16KB

Download
memory/1068-3-0x0000000071681000-0x0000000071683000-memory.dmp

Filesize
8KB

Download
memory/1068-4-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1224-5-0x0000000000000000-mapping.dmp

Download
memory/1224-6-0x000007FEFBE81000-0x000007FEFBE83000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing