Analysis

  • max time kernel
    118s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20231130-en
  • resource tags

    arch:x64arch:x86image:win7-20231130-enlocale:en-usos:windows7-x64system
  • submitted
    05-12-2023 07:14

General

  • Target

    Reserva Cancelar.ppam

  • Size

    8KB

  • MD5

    f7d4d5e2956183dce4ba10720c701152

  • SHA1

    03b9e2cc094459a6df2fed97f5883b83e982fdf6

  • SHA256

    d692617c7a65d2ba50d882b02dffaf94fd10ed3a7ba31ff8a075a43d67034387

  • SHA512

    b27699a17f1bcba03bd06c695212e186b433b0178eb0b039660a8c8358315c00c6309a9f77953608d6f48f0105d80b96a7e69e98681969864098750eb3731fd4

  • SSDEEP

    192:xrXP/cgesPouvhbzvPKPCyDwlLMYOHqvro3h:dXPne8ouvNPKPC2HqsR

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
  • Modifies registry class 64 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\Reserva Cancelar.ppam"
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2404
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1888
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 > nul & start C:\Users\Public\document.vbs
        2⤵
        • Process spawned unexpected child process
        • Suspicious use of WriteProcessMemory
        PID:2560
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1 -n 10
          3⤵
          • Runs ping.exe
          PID:2480

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Defense Evasion

    Modify Registry

    1
    T1112

    Discovery

    System Information Discovery

    1
    T1082

    Remote System Discovery

    1
    T1018

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2404-0-0x000000002DF11000-0x000000002DF12000-memory.dmp
      Filesize

      4KB

    • memory/2404-1-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

    • memory/2404-2-0x0000000072BED000-0x0000000072BF8000-memory.dmp
      Filesize

      44KB

    • memory/2404-6-0x0000000004970000-0x0000000004A70000-memory.dmp
      Filesize

      1024KB

    • memory/2404-8-0x0000000004970000-0x0000000004A70000-memory.dmp
      Filesize

      1024KB

    • memory/2404-9-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

    • memory/2404-10-0x0000000072BED000-0x0000000072BF8000-memory.dmp
      Filesize

      44KB

    • memory/2560-21-0x0000000000610000-0x0000000000611000-memory.dmp
      Filesize

      4KB