d692617c7a65d2ba50d882b02dffaf94fd10ed3a7ba31ff8a075a43d67034387

General

Target

Reserva Cancelar.ppam
Size

8KB
MD5

f7d4d5e2956183dce4ba10720c701152
SHA1

03b9e2cc094459a6df2fed97f5883b83e982fdf6
SHA256

d692617c7a65d2ba50d882b02dffaf94fd10ed3a7ba31ff8a075a43d67034387
SHA512

b27699a17f1bcba03bd06c695212e186b433b0178eb0b039660a8c8358315c00c6309a9f77953608d6f48f0105d80b96a7e69e98681969864098750eb3731fd4
SSDEEP

192:xrXP/cgesPouvhbzvPKPCyDwlLMYOHqvro3h:dXPne8ouvNPKPC2HqsR

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE is not expected to spawn this process	2560	2404	cmd.exe	POWERPNT.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

POWERPNT.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\Toolbar	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\MenuExt	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	POWERPNT.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	POWERPNT.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	POWERPNT.EXE

Modifies registry class 64 IoCs

Processes:

POWERPNT.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BA72E558-4FF5-48F4-8215-5505F990966F}\ProxyStubClsid32	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934B9-5A91-11CF-8700-00AA0060263B}\TypeLib	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934E5-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934F6-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934F9-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149349C-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BA72E553-4FF5-48F4-8215-5505F990966F}\TypeLib\Version = "2.a"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BA72E559-4FF5-48F4-8215-5505F990966F}\ = "ProtectedViewWindows"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149348F-5A91-11CF-8700-00AA0060263B}\TypeLib	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149349B-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934D7-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BA72E554-4FF5-48F4-8215-5505F990966F}\ = "ResampleMediaTasks"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A74-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934F8-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A5F-F07E-4CA4-AF6F-BEF486AA4E6F}	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A64-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\Version = "2.a"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A66-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934DF-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934EF-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493457-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149347A-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934CB-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934DC-5A91-11CF-8700-00AA0060263B}\TypeLib	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493494-5A91-11CF-8700-00AA0060263B}\TypeLib	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149349B-5A91-11CF-8700-00AA0060263B}\ = "TextStyleLevel"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A7C-F07E-4CA4-AF6F-BEF486AA4E6F}\ = "Walls"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493458-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493471-5A91-11CF-8700-00AA0060263B}\TypeLib	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493483-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493484-5A91-11CF-8700-00AA0060263B}\TypeLib	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149346B-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934CF-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934E5-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934F1-5A91-11CF-8700-00AA0060263B}\TypeLib	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149347E-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934D4-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493461-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149346C-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493472-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493478-5A91-11CF-8700-00AA0060263B}\ = "FreeformBuilder"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BA72E553-4FF5-48F4-8215-5505F990966F}	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493462-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493468-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493485-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934CA-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493464-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493487-5A91-11CF-8700-00AA0060263B}\ = "ShapeNode"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A70-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\Version = "2.a"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493454-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493495-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A60-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A6F-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A71-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493478-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493481-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934F6-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A58-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934DE-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A54-F07E-4CA4-AF6F-BEF486AA4E6F}	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493450-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493474-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149348B-5A91-11CF-8700-00AA0060263B}\TypeLib	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934C8-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493499-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2480 PING.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

POWERPNT.EXE

pid process

2404 POWERPNT.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

POWERPNT.EXE

pid process

2404 POWERPNT.EXE

pid	process
2480	PING.EXE

pid	process
2404	POWERPNT.EXE

pid	process
2404	POWERPNT.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

POWERPNT.EXEcmd.exe

description	pid	process	target process
PID 2404 wrote to memory of 1888	2404	POWERPNT.EXE	splwow64.exe
PID 2404 wrote to memory of 1888	2404	POWERPNT.EXE	splwow64.exe
PID 2404 wrote to memory of 1888	2404	POWERPNT.EXE	splwow64.exe
PID 2404 wrote to memory of 1888	2404	POWERPNT.EXE	splwow64.exe
PID 2404 wrote to memory of 2560	2404	POWERPNT.EXE	cmd.exe
PID 2404 wrote to memory of 2560	2404	POWERPNT.EXE	cmd.exe
PID 2404 wrote to memory of 2560	2404	POWERPNT.EXE	cmd.exe
PID 2404 wrote to memory of 2560	2404	POWERPNT.EXE	cmd.exe
PID 2560 wrote to memory of 2480	2560	cmd.exe	PING.EXE
PID 2560 wrote to memory of 2480	2560	cmd.exe	PING.EXE
PID 2560 wrote to memory of 2480	2560	cmd.exe	PING.EXE
PID 2560 wrote to memory of 2480	2560	cmd.exe	PING.EXE

C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\Reserva Cancelar.ppam"
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2404

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1888

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 > nul & start C:\Users\Public\document.vbs
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2560

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 10
3⤵
- Runs ping.exe
PID:2480

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2404-0-0x000000002DF11000-0x000000002DF12000-memory.dmp

Filesize
4KB

Download
memory/2404-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2404-2-0x0000000072BED000-0x0000000072BF8000-memory.dmp

Filesize
44KB

Download
memory/2404-6-0x0000000004970000-0x0000000004A70000-memory.dmp

Filesize
1024KB

Download
memory/2404-8-0x0000000004970000-0x0000000004A70000-memory.dmp

Filesize
1024KB

Download
memory/2404-9-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2404-10-0x0000000072BED000-0x0000000072BF8000-memory.dmp

Filesize
44KB

Download
memory/2560-21-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads