Overview

overview

10

Static

static

8

New Purcha...er.ppt

windows7_x64

10

New Purcha...er.ppt

windows10_x64

10

Analysis

  • max time kernel
    71s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    14-03-2021 19:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    New Purchase Order.ppt

  • Size

    66KB

  • MD5

    20884369d25aeb20f8a45c464cab0ff4

  • SHA1

    c81fe784cb90f374d6790fad65a0144f9bfce85f

  • SHA256

    0d8264e6c9f93db868184bedfd0c54b5ad4ab8dd81b90c2e2106da6c1e9a4d3b

  • SHA512

    9a0779d95cbd8dcd73a827da6e3654b1a55508f4b6886e9cd7b5e628833b54bb5c147aa966d0afa39b8cd4fa47d9b4155be62e752aa331a5f872f67a82048c07

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 16 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Runs ping.exe 1 TTPs 16 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\New Purchase Order.ppt"
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of WriteProcessMemory
    PID:1668
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1292
      • C:\Windows\SysWOW64\ping.exe
        ping 127.0.0.1
        2⤵
        • Process spawned unexpected child process
        • Runs ping.exe
        PID:1800
      • C:\Windows\SysWOW64\ping.exe
        ping 127.0.0.1
        2⤵
        • Process spawned unexpected child process
        • Runs ping.exe
        PID:1748
      • C:\Windows\SysWOW64\ping.exe
        ping 127.0.0.1
        2⤵
        • Process spawned unexpected child process
        • Runs ping.exe
        PID:1796
      • C:\Windows\SysWOW64\ping.exe
        ping 127.0.0.1
        2⤵
        • Process spawned unexpected child process
        • Runs ping.exe
        PID:1732
      • C:\Windows\SysWOW64\ping.exe
        ping 127.0.0.1
        2⤵
        • Process spawned unexpected child process
        • Runs ping.exe
        PID:1440
      • C:\Windows\SysWOW64\ping.exe
        ping 127.0.0.1
        2⤵
        • Process spawned unexpected child process
        • Runs ping.exe
        PID:1564
      • C:\Windows\SysWOW64\ping.exe
        ping 127.0.0.1
        2⤵
        • Process spawned unexpected child process
        • Runs ping.exe
        PID:1584
      • C:\Windows\SysWOW64\ping.exe
        ping 127.0.0.1
        2⤵
        • Process spawned unexpected child process
        • Runs ping.exe
        PID:1064
      • C:\Windows\SysWOW64\ping.exe
        ping 127.0.0.1
        2⤵
        • Process spawned unexpected child process
        • Runs ping.exe
        PID:1520
      • C:\Windows\SysWOW64\ping.exe
        ping 127.0.0.1
        2⤵
        • Process spawned unexpected child process
        • Runs ping.exe
        PID:1500
      • C:\Windows\SysWOW64\ping.exe
        ping 127.0.0.1
        2⤵
        • Process spawned unexpected child process
        • Runs ping.exe
        PID:1096
      • C:\Windows\SysWOW64\ping.exe
        ping 127.0.0.1
        2⤵
        • Process spawned unexpected child process
        • Runs ping.exe
        PID:2044
      • C:\Windows\SysWOW64\ping.exe
        ping 127.0.0.1
        2⤵
        • Process spawned unexpected child process
        • Runs ping.exe
        PID:680
      • C:\Windows\SysWOW64\ping.exe
        ping 127.0.0.1
        2⤵
        • Process spawned unexpected child process
        • Runs ping.exe
        PID:632
      • C:\Windows\SysWOW64\ping.exe
        ping 127.0.0.1
        2⤵
        • Process spawned unexpected child process
        • Runs ping.exe
        PID:1852
      • C:\Windows\SysWOW64\ping.exe
        ping 127.0.0.1
        2⤵
        • Process spawned unexpected child process
        • Runs ping.exe
        PID:824

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/632-20-0x0000000000000000-mapping.dmp
      Download
    • memory/680-19-0x0000000000000000-mapping.dmp
      Download
    • memory/824-21-0x0000000000000000-mapping.dmp
      Download
    • memory/1064-14-0x0000000000000000-mapping.dmp
      Download
    • memory/1096-17-0x0000000000000000-mapping.dmp
      Download
    • memory/1292-5-0x0000000000000000-mapping.dmp
      Download
    • memory/1292-6-0x000007FEFB6F1000-0x000007FEFB6F3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1440-11-0x0000000000000000-mapping.dmp
      Download
    • memory/1500-16-0x0000000000000000-mapping.dmp
      Download
    • memory/1520-15-0x0000000000000000-mapping.dmp
      Download
    • memory/1564-12-0x0000000000000000-mapping.dmp
      Download
    • memory/1584-13-0x0000000000000000-mapping.dmp
      Download
    • memory/1668-2-0x0000000073EB1000-0x0000000073EB5000-memory.dmp
      Filesize

      16KB

      Download
    • memory/1668-4-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1668-3-0x0000000071001000-0x0000000071003000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1732-10-0x0000000000000000-mapping.dmp
      Download
    • memory/1748-8-0x0000000000000000-mapping.dmp
      Download
    • memory/1796-9-0x0000000000000000-mapping.dmp
      Download
    • memory/1800-7-0x0000000000000000-mapping.dmp
      Download
    • memory/1852-22-0x0000000000000000-mapping.dmp
      Download
    • memory/2044-18-0x0000000000000000-mapping.dmp
      Download