7df670fa6de80e87fa03dfba84f5777054d5a55737f8fce07679a637342250a3

General

Target

SecuriteInfo.com.Heur.19445.20366.pps
Size

143KB
MD5

c475bbc0142c89758cb3f15625f5dee7
SHA1

eea1ff58d1a0b6a471f9a34d97b102c2cd0a3431
SHA256

7df670fa6de80e87fa03dfba84f5777054d5a55737f8fce07679a637342250a3
SHA512

241a3575dd78dcc2b4f20d20a46f53f4910c7e613ba1dba87b5dd7c9aaa4cc5ebf83784c2560e60fee5ad11732cb3a36a445a6cc82ae851e10367fbbdda8ad9f

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

POWERPNT.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar	POWERPNT.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	POWERPNT.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	POWERPNT.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

POWERPNT.EXE

pid process

548 POWERPNT.EXE

pid	process
548	POWERPNT.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

POWERPNT.EXE

description	pid	process	target process
PID 548 wrote to memory of 1920	548	POWERPNT.EXE	splwow64.exe
PID 548 wrote to memory of 1920	548	POWERPNT.EXE	splwow64.exe
PID 548 wrote to memory of 1920	548	POWERPNT.EXE	splwow64.exe
PID 548 wrote to memory of 1920	548	POWERPNT.EXE	splwow64.exe

C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" /s "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.19445.20366.pps"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of WriteProcessMemory
PID:548

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1920

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/548-2-0x00000000748F1000-0x00000000748F5000-memory.dmp

Filesize
16KB

Download
memory/548-3-0x0000000071AA1000-0x0000000071AA3000-memory.dmp

Filesize
8KB

Download
memory/548-4-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1920-5-0x0000000000000000-mapping.dmp

Download
memory/1920-6-0x000007FEFC2A1000-0x000007FEFC2A3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing