853882f5ba6658554595687e63b77f101f5a98c0ee51221ea5fcae7c1c22e91e

Analysis

max time kernel
140s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 20:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

de5fcbc819ec322d272fa837ce4687900edf001801f112d948e1e9153b54ace1.ppam
Size

19KB
MD5

19340e33293b639bbfe02140f8749898
SHA1

c4cdfe28f4f6df7f466fd1003ba69be2b7c415ad
SHA256

de5fcbc819ec322d272fa837ce4687900edf001801f112d948e1e9153b54ace1
SHA512

3d8b76e46c16e02b4e81def7aa3136e27953d01485fb66ca8e212515b54d37de4f47b0ae138e7da26b13499699623ef0673caf65cfef164093eadaf25c0c2f26
SSDEEP

384:dXPtARUVRAdDSivl9m2u7q26MMUbcL7tXQNK7tEiyzH+m86rZYiC:VPtT3AZSid56qh/UbcSNK7+Pze6+iC

Score

10^/10

Malware Config

Extracted

Language

vba

URLs

vba.dropper

https://wtools.io/code/dl/bMfk

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	27	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3460	POWERPNT.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3460	POWERPNT.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3460	POWERPNT.EXE
3460	POWERPNT.EXE
3460	POWERPNT.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\de5fcbc819ec322d272fa837ce4687900edf001801f112d948e1e9153b54ace1.ppam" /ou ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3460

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3460-133-0x00007FFF8C4F0000-0x00007FFF8C500000-memory.dmp

Filesize
64KB

Download
memory/3460-134-0x00007FFF8C4F0000-0x00007FFF8C500000-memory.dmp

Filesize
64KB

Download
memory/3460-135-0x00007FFF8C4F0000-0x00007FFF8C500000-memory.dmp

Filesize
64KB

Download
memory/3460-136-0x00007FFF8C4F0000-0x00007FFF8C500000-memory.dmp

Filesize
64KB

Download
memory/3460-137-0x00007FFF8C4F0000-0x00007FFF8C500000-memory.dmp

Filesize
64KB

Download
memory/3460-138-0x00007FFF89EB0000-0x00007FFF89EC0000-memory.dmp

Filesize
64KB

Download
memory/3460-139-0x00007FFF89EB0000-0x00007FFF89EC0000-memory.dmp

Filesize
64KB

Download
memory/3460-147-0x0000016B714A0000-0x0000016B716A0000-memory.dmp

Filesize
2.0MB

Download
memory/3460-152-0x0000016B714A0000-0x0000016B716A0000-memory.dmp

Filesize
2.0MB

Download
memory/3460-163-0x00007FFF8C4F0000-0x00007FFF8C500000-memory.dmp

Filesize
64KB

Download
memory/3460-164-0x00007FFF8C4F0000-0x00007FFF8C500000-memory.dmp

Filesize
64KB

Download
memory/3460-165-0x00007FFF8C4F0000-0x00007FFF8C500000-memory.dmp

Filesize
64KB

Download
memory/3460-166-0x00007FFF8C4F0000-0x00007FFF8C500000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads