341f97e83e1ccfe0a11dc3211ae5d1211268ac63c9b6c2c778b3b4ae60864e55

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
25-04-2024 09:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15 Cable 4.0/Cable 4 instruction.pptx
Size

1.0MB
MD5

109001a4813234eb29db798a39bdb4ca
SHA1

a2aec8624d4aa1e887307115d465c3b0a259ac71
SHA256

2b5dcb8501c86513040c88a1358516663446b368e2497b1f2ee9a5e5f897f6c7
SHA512

3cccbd58cba0ca51dc162f5df8de83b960f0d2648a49ac61b97641f559c2c01fed5b77efb93d4e5eba459e2e960b006040ce48be57fabcd5b5bb3787a27d307a
SSDEEP

24576:81MJ8PB4TyTc2Y5HnJ+peG9/KdLEnJZxdtYzHH/dip364r3L09UVCirRT9c22223:81MJ8JV1AHozdKZgjdiM6a7aI7c22223

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

POWERPNT.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

POWERPNT.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

POWERPNT.EXE

pid process

2508 POWERPNT.EXE
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

POWERPNT.EXE

pid process

2508 POWERPNT.EXE
2508 POWERPNT.EXE
2508 POWERPNT.EXE
2508 POWERPNT.EXE

pid	process
2508	POWERPNT.EXE

pid	process
2508	POWERPNT.EXE
2508	POWERPNT.EXE
2508	POWERPNT.EXE
2508	POWERPNT.EXE

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\15 Cable 4.0\Cable 4 instruction.pptx" /ou ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2508

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2508-0-0x00007FF92E070000-0x00007FF92E080000-memory.dmp

Filesize
64KB

Download
memory/2508-2-0x00007FF96DFF0000-0x00007FF96E1E5000-memory.dmp

Filesize
2.0MB

Download
memory/2508-3-0x00007FF92E070000-0x00007FF92E080000-memory.dmp

Filesize
64KB

Download
memory/2508-1-0x00007FF92E070000-0x00007FF92E080000-memory.dmp

Filesize
64KB

Download
memory/2508-4-0x00007FF96DFF0000-0x00007FF96E1E5000-memory.dmp

Filesize
2.0MB

Download
memory/2508-5-0x00007FF92E070000-0x00007FF92E080000-memory.dmp

Filesize
64KB

Download
memory/2508-6-0x00007FF96DFF0000-0x00007FF96E1E5000-memory.dmp

Filesize
2.0MB

Download
memory/2508-8-0x00007FF92E070000-0x00007FF92E080000-memory.dmp

Filesize
64KB

Download
memory/2508-9-0x00007FF96DFF0000-0x00007FF96E1E5000-memory.dmp

Filesize
2.0MB

Download
memory/2508-7-0x00007FF96DFF0000-0x00007FF96E1E5000-memory.dmp

Filesize
2.0MB

Download
memory/2508-10-0x00007FF96DFF0000-0x00007FF96E1E5000-memory.dmp

Filesize
2.0MB

Download
memory/2508-11-0x00007FF92B790000-0x00007FF92B7A0000-memory.dmp

Filesize
64KB

Download
memory/2508-12-0x00007FF96DFF0000-0x00007FF96E1E5000-memory.dmp

Filesize
2.0MB

Download
memory/2508-13-0x00007FF96DFF0000-0x00007FF96E1E5000-memory.dmp

Filesize
2.0MB

Download
memory/2508-15-0x00007FF96DFF0000-0x00007FF96E1E5000-memory.dmp

Filesize
2.0MB

Download
memory/2508-14-0x00007FF92B790000-0x00007FF92B7A0000-memory.dmp

Filesize
64KB

Download
memory/2508-16-0x00007FF96DFF0000-0x00007FF96E1E5000-memory.dmp

Filesize
2.0MB

Download
memory/2508-17-0x00007FF96DFF0000-0x00007FF96E1E5000-memory.dmp

Filesize
2.0MB

Download
memory/2508-18-0x00007FF96DFF0000-0x00007FF96E1E5000-memory.dmp

Filesize
2.0MB

Download
memory/2508-19-0x00007FF96DFF0000-0x00007FF96E1E5000-memory.dmp

Filesize
2.0MB

Download
memory/2508-20-0x00007FF96DFF0000-0x00007FF96E1E5000-memory.dmp

Filesize
2.0MB

Download
memory/2508-21-0x00007FF96DFF0000-0x00007FF96E1E5000-memory.dmp

Filesize
2.0MB

Download
memory/2508-22-0x00007FF96DFF0000-0x00007FF96E1E5000-memory.dmp

Filesize
2.0MB

Download
memory/2508-23-0x00007FF96DFF0000-0x00007FF96E1E5000-memory.dmp

Filesize
2.0MB

Download
memory/2508-48-0x00007FF92E070000-0x00007FF92E080000-memory.dmp

Filesize
64KB

Download
memory/2508-49-0x00007FF92E070000-0x00007FF92E080000-memory.dmp

Filesize
64KB

Download
memory/2508-50-0x00007FF92E070000-0x00007FF92E080000-memory.dmp

Filesize
64KB

Download
memory/2508-51-0x00007FF92E070000-0x00007FF92E080000-memory.dmp

Filesize
64KB

Download
memory/2508-52-0x00007FF96DFF0000-0x00007FF96E1E5000-memory.dmp

Filesize
2.0MB

Download
memory/2508-53-0x00007FF96DFF0000-0x00007FF96E1E5000-memory.dmp

Filesize
2.0MB

Download