7d887e39bbb67f8c50cd36743e2b98ba96e6df226aa49e38c51c919cf2ec8c8e

General

Target

7d887e39bbb67f8c50cd36743e2b98ba96e6df226aa49e38c51c919cf2ec8c8e.pps
Size

682KB
MD5

cb0bd0bf38342c8fda2b6f8ae761c46d
SHA1

a6a19a8f1d1ba6f1d6a0b3494288120f3521d28b
SHA256

7d887e39bbb67f8c50cd36743e2b98ba96e6df226aa49e38c51c919cf2ec8c8e
SHA512

9592aa6ab053c5ca34f0677226a9c7a04f40bfeaefa4160ed82930d4acc42fb2026470fc048f50b703ba5d409a3274bbade4d26388ec67a9628e0aef4eac1418
SSDEEP

12288:5iXupIuCH0bz1NInOlNT15kQfnxeYnWzAlNT15BQrxs9V:5iX6ITonx5kAFKxs

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1232	POWERPNT.EXE
1780	POWERPNT.EXE

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1232	POWERPNT.EXE
1780	POWERPNT.EXE

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
1232	POWERPNT.EXE
1232	POWERPNT.EXE
1232	POWERPNT.EXE
1780	POWERPNT.EXE
1780	POWERPNT.EXE
1780	POWERPNT.EXE
1780	POWERPNT.EXE
1780	POWERPNT.EXE
1780	POWERPNT.EXE

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "C:\Users\Admin\AppData\Local\Temp\7d887e39bbb67f8c50cd36743e2b98ba96e6df226aa49e38c51c919cf2ec8c8e.pps" /ou ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1232

C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1780

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE

Filesize
471B

MD5
806dad69f232b7bf0b66da464f1bfbef

SHA1
6323f1c9deec664655f8ace965eb1c45fbe786e8

SHA256
4dd5e391d6d57deac3e9763970e1bc12d03100918d1bb55270651d4ba520dfda

SHA512
d7342a3a3ffe77ee858343478667cce61aa6e806579079ed13e9048f324220b49681063189118884eefabfa65b90a82151b6f1525026eb75745928feb010c259

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE

Filesize
416B

MD5
17c1ca0bd1f2eab1e4a781dedd3d4022

SHA1
9e0ffd820bd5e6ee8c0ef69f4859f4e7989e0db9

SHA256
6d7a22930dcbaf0ee96405657beb971ad0b52a029648f5df849600ff63b0dca2

SHA512
ead6ee1bd24dd0e64221f59d373ee0921ef2a672c5909ca402afe245b0658d11eaabfec01861ba8304971ca683dad8535c8fedfec4ae09224382e91249fa45f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\powerpnt.exe_Rules.xml

Filesize
370KB

MD5
106fd02d763e3fe505ae01027f47f396

SHA1
32d2f26d1bcb13ff7337af5853e183c14a26d6ea

SHA256
2ac96b10301b53f4306aa73c5f575c78029cfa855a43ce7e3ec16bf1a6e04b04

SHA512
11ba1a0b6b01c7bc9c059c98652c80732624c8ae2435f98c27ae959e4747200aa1f32775b43a1cfd23a7c6e7315d4e303b7d69eed7d76d9972a8ffaeb4ade207

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\powerpnt.exe.db

Filesize
24KB

MD5
a6064fc9ce640751e063d9af443990da

SHA1
367a3a7d57bfb3e9a6ec356dfc411a5f14dfde2a

SHA256
5f72c11fd2fa88d8b8bfae1214551f8d5ee07b8895df824fa717ebbcec118a6c

SHA512
0e42dd8e341e2334eda1e19e1a344475ed3a0539a21c70ba2247f480c706ab8e2ff6dbeb790614cbde9fb547699b24e69c85c54e99ed77a08fe7e1d1b4b488d0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d00655d2aa12ff6d.customDestinations-ms

Filesize
24B

MD5
4fcb2a3ee025e4a10d21e1b154873fe2

SHA1
57658e2fa594b7d0b99d02e041d0f3418e58856b

SHA256
90bf6baa6f968a285f88620fbf91e1f5aa3e66e2bad50fd16f37913280ad8228

SHA512
4e85d48db8c0ee5c4dd4149ab01d33e4224456c3f3e3b0101544a5ca87a0d74b3ccd8c0509650008e2abed65efd1e140b1e65ae5215ab32de6f6a49c9d3ec3ff

Download Submit
memory/1232-138-0x00007FFF58060000-0x00007FFF58070000-memory.dmp

Filesize
64KB

Download
memory/1232-137-0x00007FFF58060000-0x00007FFF58070000-memory.dmp

Filesize
64KB

Download
memory/1232-140-0x00007FFF5A410000-0x00007FFF5A420000-memory.dmp

Filesize
64KB

Download
memory/1232-141-0x00007FFF5A410000-0x00007FFF5A420000-memory.dmp

Filesize
64KB

Download
memory/1232-142-0x00007FFF5A410000-0x00007FFF5A420000-memory.dmp

Filesize
64KB

Download
memory/1232-143-0x00007FFF5A410000-0x00007FFF5A420000-memory.dmp

Filesize
64KB

Download
memory/1232-132-0x00007FFF5A410000-0x00007FFF5A420000-memory.dmp

Filesize
64KB

Download
memory/1232-134-0x00007FFF5A410000-0x00007FFF5A420000-memory.dmp

Filesize
64KB

Download
memory/1232-133-0x00007FFF5A410000-0x00007FFF5A420000-memory.dmp

Filesize
64KB

Download
memory/1232-135-0x00007FFF5A410000-0x00007FFF5A420000-memory.dmp

Filesize
64KB

Download
memory/1232-136-0x00007FFF5A410000-0x00007FFF5A420000-memory.dmp

Filesize
64KB

Download
memory/1780-144-0x00007FFF5A410000-0x00007FFF5A420000-memory.dmp

Filesize
64KB

Download
memory/1780-150-0x00007FFF58060000-0x00007FFF58070000-memory.dmp

Filesize
64KB

Download
memory/1780-149-0x00007FFF58060000-0x00007FFF58070000-memory.dmp

Filesize
64KB

Download
memory/1780-148-0x00007FFF5A410000-0x00007FFF5A420000-memory.dmp

Filesize
64KB

Download
memory/1780-147-0x00007FFF5A410000-0x00007FFF5A420000-memory.dmp

Filesize
64KB

Download
memory/1780-146-0x00007FFF5A410000-0x00007FFF5A420000-memory.dmp

Filesize
64KB

Download
memory/1780-145-0x00007FFF5A410000-0x00007FFF5A420000-memory.dmp

Filesize
64KB

Download
memory/1780-157-0x00007FFF5A410000-0x00007FFF5A420000-memory.dmp

Filesize
64KB

Download
memory/1780-158-0x00007FFF5A410000-0x00007FFF5A420000-memory.dmp

Filesize
64KB

Download
memory/1780-159-0x00007FFF5A410000-0x00007FFF5A420000-memory.dmp

Filesize
64KB

Download
memory/1780-160-0x00007FFF5A410000-0x00007FFF5A420000-memory.dmp

Filesize
64KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads