9c13c1623344db34cf9e30c98e572a76eaa5772419c0558f5219c7551054b820

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2024, 10:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PowerPoint_Soft_new.exe
Size

65.6MB
MD5

afcc5f484ef62ed4e16950e5befcdc3a
SHA1

d04b96ae17157e621b1835c946238ca63a6458a2
SHA256

9c13c1623344db34cf9e30c98e572a76eaa5772419c0558f5219c7551054b820
SHA512

a57c83ab8fa2257b7eddbf6a275ed466c3945547402f535428b0dcadc217e4022ac652fec3f8c821cc6e5aac8440e9d5db5c6e6c336585b33885ff8d1cd49486
SSDEEP

1572864:syOTlnb3zkYUWPHMjEBzQZ6RM1IpLRjzxAGqgZtDhDMGd:aUYUWPacz6wRj9eoSGd

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
64	PowerPoint_Soft_new.tmp

Loads dropped DLL 1 IoCs

pid	Process
64	PowerPoint_Soft_new.tmp

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3464	POWERPNT.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3464	POWERPNT.EXE
3464	POWERPNT.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3992 wrote to memory of 64	3992	PowerPoint_Soft_new.exe	88
PID 3992 wrote to memory of 64	3992	PowerPoint_Soft_new.exe	88
PID 3992 wrote to memory of 64	3992	PowerPoint_Soft_new.exe	88

C:\Users\Admin\AppData\Local\Temp\PowerPoint_Soft_new.exe
"C:\Users\Admin\AppData\Local\Temp\PowerPoint_Soft_new.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3992
- C:\Users\Admin\AppData\Local\Temp\is-QIR80.tmp\PowerPoint_Soft_new.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-QIR80.tmp\PowerPoint_Soft_new.tmp" /SL5="$A0182,67751279,943104,C:\Users\Admin\AppData\Local\Temp\PowerPoint_Soft_new.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:64

C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-QIR80.tmp\PowerPoint_Soft_new.tmp

Filesize
3.1MB

MD5
5c993694eae2d266b710c50c7217ba25

SHA1
18b3a239975558fb64553838f5f1a47194a3b22f

SHA256
676aed8190bfdf46ee811987f59c983cc15de72a2bb5e75c1b61604d0957487d

SHA512
0a14e0c7c83da28fc0195d36398a7e55074f2e1966aed652d6ac7d7324d1d394888f023dc179e69fe526f58f01eecf02eae57b472e03eee5a520f417012bc9bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-US6NL.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
memory/64-11-0x0000000000400000-0x000000000072F000-memory.dmp

Filesize
3.2MB

Download
memory/64-5-0x0000000002730000-0x0000000002731000-memory.dmp

Filesize
4KB

Download
memory/64-14-0x0000000000400000-0x000000000072F000-memory.dmp

Filesize
3.2MB

Download
memory/3464-27-0x00007FFE69A10000-0x00007FFE69C05000-memory.dmp

Filesize
2.0MB

Download
memory/3464-31-0x00007FFE69A10000-0x00007FFE69C05000-memory.dmp

Filesize
2.0MB

Download
memory/3464-454-0x00007FFE69A10000-0x00007FFE69C05000-memory.dmp

Filesize
2.0MB

Download
memory/3464-17-0x00007FFE29A90000-0x00007FFE29AA0000-memory.dmp

Filesize
64KB

Download
memory/3464-18-0x00007FFE29A90000-0x00007FFE29AA0000-memory.dmp

Filesize
64KB

Download
memory/3464-19-0x00007FFE29A90000-0x00007FFE29AA0000-memory.dmp

Filesize
64KB

Download
memory/3464-21-0x00007FFE69A10000-0x00007FFE69C05000-memory.dmp

Filesize
2.0MB

Download
memory/3464-20-0x00007FFE29A90000-0x00007FFE29AA0000-memory.dmp

Filesize
64KB

Download
memory/3464-23-0x00007FFE69A10000-0x00007FFE69C05000-memory.dmp

Filesize
2.0MB

Download
memory/3464-24-0x00007FFE69A10000-0x00007FFE69C05000-memory.dmp

Filesize
2.0MB

Download
memory/3464-22-0x00007FFE29A90000-0x00007FFE29AA0000-memory.dmp

Filesize
64KB

Download
memory/3464-25-0x00007FFE69A10000-0x00007FFE69C05000-memory.dmp

Filesize
2.0MB

Download
memory/3464-26-0x00007FFE69A10000-0x00007FFE69C05000-memory.dmp

Filesize
2.0MB

Download
memory/3464-453-0x00007FFE69A10000-0x00007FFE69C05000-memory.dmp

Filesize
2.0MB

Download
memory/3464-28-0x00007FFE27990000-0x00007FFE279A0000-memory.dmp

Filesize
64KB

Download
memory/3464-29-0x00007FFE69A10000-0x00007FFE69C05000-memory.dmp

Filesize
2.0MB

Download
memory/3464-30-0x00007FFE69A10000-0x00007FFE69C05000-memory.dmp

Filesize
2.0MB

Download
memory/3464-452-0x00007FFE69A10000-0x00007FFE69C05000-memory.dmp

Filesize
2.0MB

Download
memory/3464-33-0x00007FFE27990000-0x00007FFE279A0000-memory.dmp

Filesize
64KB

Download
memory/3464-32-0x00007FFE69A10000-0x00007FFE69C05000-memory.dmp

Filesize
2.0MB

Download
memory/3464-34-0x00007FFE69A10000-0x00007FFE69C05000-memory.dmp

Filesize
2.0MB

Download
memory/3464-35-0x00007FFE69A10000-0x00007FFE69C05000-memory.dmp

Filesize
2.0MB

Download
memory/3464-36-0x00007FFE69A10000-0x00007FFE69C05000-memory.dmp

Filesize
2.0MB

Download
memory/3464-37-0x00007FFE69A10000-0x00007FFE69C05000-memory.dmp

Filesize
2.0MB

Download
memory/3464-38-0x00007FFE69A10000-0x00007FFE69C05000-memory.dmp

Filesize
2.0MB

Download
memory/3464-39-0x00007FFE69A10000-0x00007FFE69C05000-memory.dmp

Filesize
2.0MB

Download
memory/3464-40-0x00007FFE69A10000-0x00007FFE69C05000-memory.dmp

Filesize
2.0MB

Download
memory/3464-439-0x00007FFE69A10000-0x00007FFE69C05000-memory.dmp

Filesize
2.0MB

Download
memory/3464-440-0x00007FFE69A10000-0x00007FFE69C05000-memory.dmp

Filesize
2.0MB

Download
memory/3464-441-0x00007FFE69A10000-0x00007FFE69C05000-memory.dmp

Filesize
2.0MB

Download
memory/3464-451-0x00007FFE69A10000-0x00007FFE69C05000-memory.dmp

Filesize
2.0MB

Download
memory/3992-10-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/3992-0-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/3992-16-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads