80b0e9b6b64e48605bb67612733393654a231c71187a5de3f3d8afe49a8df427

General

Target

80b0e9b6b64e48605bb67612733393654a231c71187a5de3f3d8afe49a8df427.exe
Size

3.9MB
MD5

9751411cfe130e1b401cfacb13ccfe40
SHA1

36d53268e854c4d9271b2abcca95614dda1e9eab
SHA256

80b0e9b6b64e48605bb67612733393654a231c71187a5de3f3d8afe49a8df427
SHA512

6683cbf2a5f1d396191cfe7c46ac6b88b515c4e7844dd4ae1b90d1bb31eb508f92b7d85fb28fdb9b793a79931d9e6d0c1c3476ea5c39deccbece0bc24fdb5865
SSDEEP

98304:XrecafIV5LadMg6E9nOt1S2jOkTSsTQam6/sygOzy:7dafC5ed7nS1S2j5SscaH/sygO2

Score

9^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 3 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\jtkC15D.tmp	acprotect
C:\Users\Admin\AppData\Local\Temp\jtkC15D.tmp	acprotect
\Users\Admin\AppData\Local\Temp\jtkC15D.tmp	acprotect

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1096-55-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral1/memory/1096-67-0x0000000000400000-0x0000000000425000-memory.dmp	upx

Loads dropped DLL 2 IoCs

Processes:

80b0e9b6b64e48605bb67612733393654a231c71187a5de3f3d8afe49a8df427.exePOWERPNT.EXE

pid process

1096 80b0e9b6b64e48605bb67612733393654a231c71187a5de3f3d8afe49a8df427.exe
268 POWERPNT.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1096	80b0e9b6b64e48605bb67612733393654a231c71187a5de3f3d8afe49a8df427.exe
268	POWERPNT.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

POWERPNT.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar	POWERPNT.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	POWERPNT.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	POWERPNT.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

POWERPNT.EXE

pid process

268 POWERPNT.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

80b0e9b6b64e48605bb67612733393654a231c71187a5de3f3d8afe49a8df427.exe

pid process

1096 80b0e9b6b64e48605bb67612733393654a231c71187a5de3f3d8afe49a8df427.exe

pid	process
268	POWERPNT.EXE

pid	process
1096	80b0e9b6b64e48605bb67612733393654a231c71187a5de3f3d8afe49a8df427.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

80b0e9b6b64e48605bb67612733393654a231c71187a5de3f3d8afe49a8df427.exePOWERPNT.EXE

description	pid	process	target process
PID 1096 wrote to memory of 268	1096	80b0e9b6b64e48605bb67612733393654a231c71187a5de3f3d8afe49a8df427.exe	POWERPNT.EXE
PID 1096 wrote to memory of 268	1096	80b0e9b6b64e48605bb67612733393654a231c71187a5de3f3d8afe49a8df427.exe	POWERPNT.EXE
PID 1096 wrote to memory of 268	1096	80b0e9b6b64e48605bb67612733393654a231c71187a5de3f3d8afe49a8df427.exe	POWERPNT.EXE
PID 1096 wrote to memory of 268	1096	80b0e9b6b64e48605bb67612733393654a231c71187a5de3f3d8afe49a8df427.exe	POWERPNT.EXE
PID 1096 wrote to memory of 268	1096	80b0e9b6b64e48605bb67612733393654a231c71187a5de3f3d8afe49a8df427.exe	POWERPNT.EXE
PID 1096 wrote to memory of 268	1096	80b0e9b6b64e48605bb67612733393654a231c71187a5de3f3d8afe49a8df427.exe	POWERPNT.EXE
PID 1096 wrote to memory of 268	1096	80b0e9b6b64e48605bb67612733393654a231c71187a5de3f3d8afe49a8df427.exe	POWERPNT.EXE
PID 1096 wrote to memory of 268	1096	80b0e9b6b64e48605bb67612733393654a231c71187a5de3f3d8afe49a8df427.exe	POWERPNT.EXE
PID 1096 wrote to memory of 268	1096	80b0e9b6b64e48605bb67612733393654a231c71187a5de3f3d8afe49a8df427.exe	POWERPNT.EXE
PID 268 wrote to memory of 1328	268	POWERPNT.EXE	splwow64.exe
PID 268 wrote to memory of 1328	268	POWERPNT.EXE	splwow64.exe
PID 268 wrote to memory of 1328	268	POWERPNT.EXE	splwow64.exe
PID 268 wrote to memory of 1328	268	POWERPNT.EXE	splwow64.exe

C:\Users\Admin\AppData\Local\Temp\80b0e9b6b64e48605bb67612733393654a231c71187a5de3f3d8afe49a8df427.exe
"C:\Users\Admin\AppData\Local\Temp\80b0e9b6b64e48605bb67612733393654a231c71187a5de3f3d8afe49a8df427.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1096

C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\pps5.ppt"
2⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of WriteProcessMemory
PID:268

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
3⤵
PID:1328

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\jtkC15D.tmp
Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\pps5.ppt
Filesize
3.7MB

MD5
26b8dd0257839d200e450c5585d8a587

SHA1
1144d3bece757131bbb489bb261911bc57978f29

SHA256
ff95978437372b006f2b2815bfcf95e177f9855239624927014cad44dcf6cda8

SHA512
6319b24e37cf28cb01bb16bcea2f06f6b991d490226ac2884a990ada90e2b12766a8f24f3acdb4cedc012242ef034892d31bf91aab0d28e07a1ba0d4978ec0a1

Download Submit
\Users\Admin\AppData\Local\Temp\jtkC15D.tmp
Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
\Users\Admin\AppData\Local\Temp\jtkC15D.tmp
Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
memory/268-75-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/268-59-0x0000000000000000-mapping.dmp

Download
memory/268-60-0x0000000073701000-0x0000000073705000-memory.dmp

Filesize
16KB

Download
memory/268-62-0x0000000071181000-0x0000000071183000-memory.dmp

Filesize
8KB

Download
memory/268-74-0x000000007216D000-0x0000000072178000-memory.dmp

Filesize
44KB

Download
memory/268-68-0x00000000021A0000-0x0000000002213000-memory.dmp

Filesize
460KB

Download
memory/268-72-0x000000007216D000-0x0000000072178000-memory.dmp

Filesize
44KB

Download
memory/268-76-0x000000007216D000-0x0000000072178000-memory.dmp

Filesize
44KB

Download
memory/268-69-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1096-65-0x0000000000260000-0x00000000002D3000-memory.dmp

Filesize
460KB

Download
memory/1096-67-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1096-66-0x0000000000240000-0x000000000024D000-memory.dmp

Filesize
52KB

Download
memory/1096-54-0x0000000075C41000-0x0000000075C43000-memory.dmp

Filesize
8KB

Download
memory/1096-58-0x0000000000260000-0x00000000002D3000-memory.dmp

Filesize
460KB

Download
memory/1096-57-0x0000000000240000-0x0000000000265000-memory.dmp

Filesize
148KB

Download
memory/1096-55-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1328-70-0x0000000000000000-mapping.dmp

Download
memory/1328-73-0x000007FEFC2E1000-0x000007FEFC2E3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads