28fa164871427d01b1856c4fedadc8a615e693081da18cad9133ce2a6ea4807a

General

Target

swift copy,pdf.ppam
Size

1KB
MD5

2e6cecc90d6639787e46a0077978550c
SHA1

52f8942a5d0152d0ce1a2d2659b516601eeb5c69
SHA256

28fa164871427d01b1856c4fedadc8a615e693081da18cad9133ce2a6ea4807a
SHA512

e4d16176c4744d74f9ce2fc39a1b281d998b10eee0a4e97215d7c473b8306a8099a9c1e55a952750746ac0f65da940a5e39cbd7e2e4d582ecf8c6e35e69d66ba

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

POWERPNT.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	POWERPNT.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	POWERPNT.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	POWERPNT.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

POWERPNT.EXE

pid process

1728 POWERPNT.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

POWERPNT.EXE

pid process

1728 POWERPNT.EXE
1728 POWERPNT.EXE

pid	process
1728	POWERPNT.EXE

pid	process
1728	POWERPNT.EXE
1728	POWERPNT.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

POWERPNT.EXE

description	pid	process	target process
PID 1728 wrote to memory of 1380	1728	POWERPNT.EXE	splwow64.exe
PID 1728 wrote to memory of 1380	1728	POWERPNT.EXE	splwow64.exe
PID 1728 wrote to memory of 1380	1728	POWERPNT.EXE	splwow64.exe
PID 1728 wrote to memory of 1380	1728	POWERPNT.EXE	splwow64.exe

C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\swift copy,pdf.ppam"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1380

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1380-63-0x0000000000000000-mapping.dmp

Download
memory/1380-65-0x000007FEFB571000-0x000007FEFB573000-memory.dmp

Filesize
8KB

Download
memory/1728-60-0x00000000736C1000-0x00000000736C5000-memory.dmp

Filesize
16KB

Download
memory/1728-61-0x0000000070E21000-0x0000000070E23000-memory.dmp

Filesize
8KB

Download
memory/1728-62-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1728-64-0x0000000075161000-0x0000000075163000-memory.dmp

Filesize
8KB

Download
memory/1728-66-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing