b69c6fc17575f05d6da67cc78857ebae1acb8be3babf270e899710e8dfe8f37b

General

Target

بررسی شبکه های سنسوری بیسیم در مخابرات/Powerpoint/بررسی شبک�.pps
Size

5.8MB
MD5

024143d90f67bc5e2fc627337b9eaa01
SHA1

fe838ef8c8e16195b2da50162a2b1a53453a2a9e
SHA256

9758f72d461cbb0bb86306bdc378c3fca34ae5cf9430acbecc83809ef438d052
SHA512

a6f88a107c908846f7d26b0127e8b3fcf75b7d29d24f639b179463dfd634e094b5190373ddf2dc7ac3edc22de3ac29eaed091c7a5c1421268998f4324ec6b782
SSDEEP

98304:y1Y0FetZnnqakFWVjA6PvxIHD8z9CYXqvnHvlDpm8ObJ3OLq08tp0:oYket5kF6jAkxIj8z9CGSHdqbJ3eq08E

Score

6^/10

Malware Config

Signatures

Process spawned suspicious child process 1 IoCs

This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE is not expected to spawn this process	2876	1692	DW20.EXE	27

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	POWERPNT.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\MenuExt	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	POWERPNT.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Toolbar	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	POWERPNT.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1692	POWERPNT.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1692	POWERPNT.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1692 wrote to memory of 2284	1692	POWERPNT.EXE	28
PID 1692 wrote to memory of 2284	1692	POWERPNT.EXE	28
PID 1692 wrote to memory of 2284	1692	POWERPNT.EXE	28
PID 1692 wrote to memory of 2284	1692	POWERPNT.EXE	28
PID 1692 wrote to memory of 2876	1692	POWERPNT.EXE	29
PID 1692 wrote to memory of 2876	1692	POWERPNT.EXE	29
PID 1692 wrote to memory of 2876	1692	POWERPNT.EXE	29
PID 1692 wrote to memory of 2876	1692	POWERPNT.EXE	29
PID 1692 wrote to memory of 2876	1692	POWERPNT.EXE	29
PID 1692 wrote to memory of 2876	1692	POWERPNT.EXE	29
PID 1692 wrote to memory of 2876	1692	POWERPNT.EXE	29
PID 2876 wrote to memory of 2612	2876	DW20.EXE	30
PID 2876 wrote to memory of 2612	2876	DW20.EXE	30
PID 2876 wrote to memory of 2612	2876	DW20.EXE	30
PID 2876 wrote to memory of 2612	2876	DW20.EXE	30

C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" /s "C:\Users\Admin\AppData\Local\Temp\بررسی شبکه های سنسوری بیسیم در مخابرات\Powerpoint\بررسی شبک�.pps"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2284
- C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE
  "C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 856
  2⤵
  - Process spawned suspicious child process
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Windows\SysWOW64\dwwin.exe
    C:\Windows\system32\dwwin.exe -x -s 856
    3⤵
    PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\259432299.cvr

Filesize
628B

MD5
5f9b98053c9b7a80fd650ee453ade775

SHA1
66a8e3e9dd3058250c6247a326ccafeea2cddfec

SHA256
3d2a69f24bc45709ec8157f1a440404ae5d1e26f2faca467477b1eff6ffc74a2

SHA512
20bf03c7c9b937ab547be3a492b101e1cb2b2f49f6dd6fc83f3e88efe2c79165d09256eefdf63c0e9606ce2bc8c8c5f847fb1be1bae099b02d7901aa2023fbac

Download Submit
memory/1692-0-0x000000002DAC1000-0x000000002DAC2000-memory.dmp

Filesize
4KB

Download
memory/1692-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1692-2-0x000000007232D000-0x0000000072338000-memory.dmp

Filesize
44KB

Download
memory/1692-4-0x00000000059E0000-0x00000000059F0000-memory.dmp

Filesize
64KB

Download
memory/1692-11-0x000000007232D000-0x0000000072338000-memory.dmp

Filesize
44KB

Download
memory/2612-10-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing