Analysis
- max time kernel: 47s
- max time network: 49s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-06-2024 17:33
- Static task: static1
- Behavioral task: behavioral1
  - Sample: Fathers Day 2024 Powerpoint.pptx
  - Resource: win10v2004-20240611-en
Errors
General
- Target: Fathers Day 2024 Powerpoint.pptx
- Size: 1.7MB
- MD5: 250b3e42192751118610a43379b2a775
- SHA1: 97d2957d1dc4a591abc36c4cb160039be1a1d53c
- SHA256: bb667b89d752f1e25b86d73460969392d0a2f264e0780008999e955cbb2e6de7
- SHA512: fc8a8ca52c69d6ccdcfa9f72fc62ad954df9de4b0f14837d2ecc149daa1b82690df3de3049ea87fff4db4513dfd8ff83d3118431bd52d7f41c6ad4baddca6fbb
- SSDEEP: 49152:GSk4KNDZlR87z+D9yViJraJ8PfR25MQ6V3geZPrYecrkLDN65FnN:8NdE7N8raaKMrZPrYJQXN6DnN
Malware Config
Signatures
-
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: POWERPNT.EXE
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (POWERPNT.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (POWERPNT.EXE)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (POWERPNT.EXE)
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: POWERPNT.EXE
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (POWERPNT.EXE)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (POWERPNT.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (POWERPNT.EXE)
Modifies data under HKEY_USERS (15 IoCs)
Processes: LogonUI.exe
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "111" (LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" (LogonUI.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM (LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" (LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" (LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" (LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" (LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" (LogonUI.exe)
- Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 (LogonUI.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History (LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" (LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" (LogonUI.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent (LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" (LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" (LogonUI.exe)
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
- PID 4712 POWERPNT.EXE
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
- PID 1304 msedge.exe (2 entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
- PID 4712 POWERPNT.EXE
Suspicious use of SetWindowsHookEx (8 IoCs)
Processes: POWERPNT.EXE, LogonUI.exe
- PID 4712 POWERPNT.EXE (7 entries)
- PID 5484 LogonUI.exe (1 entry)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: msedge.exe (source PID 3872 in every entry; target process is msedge.exe in every entry)
- PID 3872 msedge.exe wrote to memory of PID 3980 msedge.exe (2 entries)
- PID 3872 msedge.exe wrote to memory of PID 5012 msedge.exe (40 entries)
- PID 3872 msedge.exe wrote to memory of PID 1304 msedge.exe (2 entries)
- PID 3872 msedge.exe wrote to memory of PID 3052 msedge.exe (20 entries)
Processes
- C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE (PID 4712)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\Fathers Day 2024 Powerpoint.pptx" /ou ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3872)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault54b0de94h89c3h401fh934dhf1d687dddc9a
  - Suspicious use of WriteProcessMemory
  - Child: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3980)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffcf91946f8,0x7ffcf9194708,0x7ffcf9194718
  - Child: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5012)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,8631589526570870553,11477995885240356666,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
  - Child: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1304)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,8631589526570870553,11477995885240356666,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
  - Child: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3052)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,8631589526570870553,11477995885240356666,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
- C:\Windows\System32\CompPkgSrv.exe (PID 5164)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe (PID 5224)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\system32\LogonUI.exe (PID 5484)
  Command line: "LogonUI.exe" /flags:0x4 /state0:0xa3958855 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads