56997e3f1d25faa0eea9091f72d20ae6384f180b7dc9940b3f6a814b32daebd9

Analysis

max time kernel
44s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 09:43

Target

56997e3f1d25faa0eea9091f72d20ae6384f180b7dc9940b3f6a814b32daebd9.pps
Size

597KB
MD5

1d1c288d5b5464d9d28d054f98a45790
SHA1

4d3d3df51384e3ad1df25771cf02072d389df079
SHA256

56997e3f1d25faa0eea9091f72d20ae6384f180b7dc9940b3f6a814b32daebd9
SHA512

e200f3569d0ecb7190cc27c1e588ec6e40a5b44d87ac81938320e7a3f357f61444a25d9365e452f9592bbd963b225143eda6be020d3487105f4222b9b9062382
SSDEEP

1536:cZnc4LoAzpPsnnrvcyGnTZuqWFQizm+ayDZN6cKfKBg2Bt386MJMEVHkkjlRiUHR:PyRjwJTR1+rl3

Score

1^/10

Modifies Internet Explorer settings 1 TTPs 9 IoCs

Modify Registry

Processes:

POWERPNT.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	POWERPNT.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt	POWERPNT.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	POWERPNT.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

POWERPNT.EXE

pid process

1292 POWERPNT.EXE

pid	process
1292	POWERPNT.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

POWERPNT.EXE

description	pid	process	target process
PID 1292 wrote to memory of 984	1292	POWERPNT.EXE	splwow64.exe
PID 1292 wrote to memory of 984	1292	POWERPNT.EXE	splwow64.exe
PID 1292 wrote to memory of 984	1292	POWERPNT.EXE	splwow64.exe
PID 1292 wrote to memory of 984	1292	POWERPNT.EXE	splwow64.exe

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/984-57-0x0000000000000000-mapping.dmp

Download
memory/984-60-0x000007FEFC211000-0x000007FEFC213000-memory.dmp

Filesize
8KB

Download
memory/1292-54-0x0000000074761000-0x0000000074765000-memory.dmp

Filesize
16KB

Download
memory/1292-55-0x0000000071AB1000-0x0000000071AB3000-memory.dmp

Filesize
8KB

Download
memory/1292-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1292-58-0x00000000762E1000-0x00000000762E3000-memory.dmp

Filesize
8KB

Download
memory/1292-59-0x0000000072A9D000-0x0000000072AA8000-memory.dmp

Filesize
44KB

Download
memory/1292-61-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1292-62-0x0000000072A9D000-0x0000000072AA8000-memory.dmp

Filesize
44KB

Download