f37d74514f1eac869f55ce9cd8916f5418191eb1a867a39bdfbc42bc88af0324

General

Target

Slip Comfirmation 04032021.pps
Size

99KB
MD5

0c97e932dd91c0f57d2cd4653a381317
SHA1

b8409f69937b115bed141903ac73ab51f7129e21
SHA256

705e140960cb61520e6079b2d98ae5088014f4831da1e281c10d560281a17dea
SHA512

db4826ef7779c0acd5e4eb89ed962277b3fd0ec86967e3f6cc0f2ddbd8133eff14d98117108a97445214f6a65eeda843045cb4fb483ce11d858cbff5e3e75045

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

POWERPNT.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	POWERPNT.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	POWERPNT.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

POWERPNT.EXE

pid process

1656 POWERPNT.EXE

pid	process
1656	POWERPNT.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

POWERPNT.EXE

description	pid	process	target process
PID 1656 wrote to memory of 2036	1656	POWERPNT.EXE	splwow64.exe
PID 1656 wrote to memory of 2036	1656	POWERPNT.EXE	splwow64.exe
PID 1656 wrote to memory of 2036	1656	POWERPNT.EXE	splwow64.exe
PID 1656 wrote to memory of 2036	1656	POWERPNT.EXE	splwow64.exe

C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" /s "C:\Users\Admin\AppData\Local\Temp\Slip Comfirmation 04032021.pps"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:2036

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1656-2-0x00000000743E1000-0x00000000743E5000-memory.dmp

Filesize
16KB

Download
memory/1656-3-0x0000000071A81000-0x0000000071A83000-memory.dmp

Filesize
8KB

Download
memory/1656-4-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2036-5-0x0000000000000000-mapping.dmp

Download
memory/2036-6-0x000007FEFC251000-0x000007FEFC253000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing