c928e9f34dde5a3b2756485f93926b09d243b2cbba46d6503fd0b3f022a918c3

Analysis

max time kernel
148s
max time network
147s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06/06/2023, 20:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file01.ps1
Size

18B
MD5

ca3582b73218c2cddaf9cd2911df81eb
SHA1

7b80db3d22d3a7f2c687ebc6bba66666bc8394a1
SHA256

c928e9f34dde5a3b2756485f93926b09d243b2cbba46d6503fd0b3f022a918c3
SHA512

92f3f2f7b300f1990cbe62ee3e71228ab13fc378d491c2caaf1e4053c3aeb255cbc55449946bdbb365422ce059a3e2f9a872bfa9c9a3e85c9714583a3c90c309

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	POWERPNT.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Toolbar	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	POWERPNT.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	POWERPNT.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
564	POWERPNT.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1724	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1724	powershell.exe
Token: 33	848	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	848	AUDIODG.EXE
Token: 33	848	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	848	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
564	POWERPNT.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 564 wrote to memory of 1796	564	POWERPNT.EXE	31
PID 564 wrote to memory of 1796	564	POWERPNT.EXE	31
PID 564 wrote to memory of 1796	564	POWERPNT.EXE	31
PID 564 wrote to memory of 1796	564	POWERPNT.EXE	31

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\file01.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1724

C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\Admin\Desktop\WriteRemove.odp"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:564
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1796

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x580
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:848

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/564-62-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/564-65-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1724-58-0x000000001B210000-0x000000001B4F2000-memory.dmp

Filesize
2.9MB

Download
memory/1724-59-0x0000000001E50000-0x0000000001E58000-memory.dmp

Filesize
32KB

Download
memory/1724-60-0x00000000029E4000-0x00000000029E7000-memory.dmp

Filesize
12KB

Download
memory/1724-61-0x00000000029EB000-0x0000000002A22000-memory.dmp

Filesize
220KB

Download