dfbce8af782dc90df9c661e7eb164f0ef0ef39e844db9ba76250406040b2d0a3

General

Target

Proposal ,pdf.ppam
Size

11KB
MD5

3ff57e34cdbfffc45f0cf9b9578d5982
SHA1

7bf5c49a1f1aa12ae40cd22d1c675dacf47b8ca0
SHA256

dfbce8af782dc90df9c661e7eb164f0ef0ef39e844db9ba76250406040b2d0a3
SHA512

8a02be57efa996c7ddae72fe49a839da7f0df280cb4e6367c404db4c380fb683b6a2ebdf1c0f8adc1466dadbd4487d4f08cdb953b52807ab2508534e83e5be54

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

POWERPNT.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	POWERPNT.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	POWERPNT.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	POWERPNT.EXE

Modifies registry class 64 IoCs

Processes:

POWERPNT.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A5C-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149345E-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934C4-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A50-F07E-4CA4-AF6F-BEF486AA4E6F}\ = "FileConverters"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A68-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149348C-5A91-11CF-8700-00AA0060263B}\ = "ActionSettings"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934CB-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A54-F07E-4CA4-AF6F-BEF486AA4E6F}	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A6D-F07E-4CA4-AF6F-BEF486AA4E6F}	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493454-5A91-11CF-8700-00AA0060263B}\TypeLib	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149346B-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149347C-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149347E-5A91-11CF-8700-00AA0060263B}\ = "FillFormat"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934CA-5A91-11CF-8700-00AA0060263B}\ = "Borders"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BA72E550-4FF5-48F4-8215-5505F990966F}\TypeLib	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BA72E554-4FF5-48F4-8215-5505F990966F}	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493450-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149345F-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493499-5A91-11CF-8700-00AA0060263B}\TypeLib	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BA72E556-4FF5-48F4-8215-5505F990966F}\ProxyStubClsid32	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149345F-5A91-11CF-8700-00AA0060263B}\ = "PrintRange"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493470-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A6D-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\Version = "2.a"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A70-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493489-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A69-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934DD-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934F8-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A6C-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A7A-F07E-4CA4-AF6F-BEF486AA4E6F}	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149348F-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493492-5A91-11CF-8700-00AA0060263B}\ = "RulerLevel"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493481-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A76-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\Version = "2.a"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493452-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493475-5A91-11CF-8700-00AA0060263B}\TypeLib	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934E6-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149348B-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934C3-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934B9-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934DB-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934DE-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934E3-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934E4-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934EC-5A91-11CF-8700-00AA0060263B}\ = "CanvasShapes"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493486-5A91-11CF-8700-00AA0060263B}\TypeLib	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493497-5A91-11CF-8700-00AA0060263B}\TypeLib	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A6E-F07E-4CA4-AF6F-BEF486AA4E6F}\ = "Legend"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934D5-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934D8-5A91-11CF-8700-00AA0060263B}\ = "DiagramNode"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493496-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934C8-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934ED-5A91-11CF-8700-00AA0060263B}\TypeLib	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A66-F07E-4CA4-AF6F-BEF486AA4E6F}	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A7A-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A7C-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149346B-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493498-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934EC-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A73-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\Version = "2.a"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A75-F07E-4CA4-AF6F-BEF486AA4E6F}\ = "Series"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934C0-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934C4-5A91-11CF-8700-00AA0060263B}\TypeLib	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934E0-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a"	POWERPNT.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

POWERPNT.EXE

pid process

1796 POWERPNT.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

POWERPNT.EXE

pid process

1796 POWERPNT.EXE

pid	process
1796	POWERPNT.EXE

pid	process
1796	POWERPNT.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

POWERPNT.EXE

description	pid	process	target process
PID 1796 wrote to memory of 2016	1796	POWERPNT.EXE	splwow64.exe
PID 1796 wrote to memory of 2016	1796	POWERPNT.EXE	splwow64.exe
PID 1796 wrote to memory of 2016	1796	POWERPNT.EXE	splwow64.exe
PID 1796 wrote to memory of 2016	1796	POWERPNT.EXE	splwow64.exe

C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\Proposal ,pdf.ppam"
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1796

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:2016

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1796-60-0x0000000074AF1000-0x0000000074AF5000-memory.dmp

Filesize
16KB

Download
memory/1796-61-0x0000000071B81000-0x0000000071B83000-memory.dmp

Filesize
8KB

Download
memory/1796-62-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1796-65-0x0000000076A01000-0x0000000076A03000-memory.dmp

Filesize
8KB

Download
memory/1796-66-0x0000000000532000-0x0000000000595000-memory.dmp

Filesize
396KB

Download
memory/1796-67-0x0000000000532000-0x0000000000595000-memory.dmp

Filesize
396KB

Download
memory/1796-68-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2016-63-0x0000000000000000-mapping.dmp

Download
memory/2016-64-0x000007FEFC381000-0x000007FEFC383000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads