a2d2a870dcf08025d14231bce28ceea696fa3c2889fd36e8809f847edceb86a8

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
12-08-2024 23:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NOTIFICACIONES DEMANDA JUDICIAL -JUZGADO 02 PROMISCUO. RAMA JUDICIAL/bikini.pptx
Size

70KB
MD5

24fec7f3f13b3a944e02878b284cdd2f
SHA1

7e5d135c16e8d7558e18b778224fc55c3ac35d26
SHA256

64ce8379e4d91d2ba599e7b643399c67f6d256c8513feb97dc24c404ef752ea7
SHA512

7594696fb51916ee30855cc513f028bc491c62d63a524f43a2de89d661ca7fab58ae2cff6208aa50f8a4b8998dc89e8c512109a43cf9aca629a8a79ab257b080
SSDEEP

1536:WghD5gv2J3lzVYA3TmtFZ5LyGXqV1hJEHaBNskwdd7Uh8:WgQvIyPtF72zvhak0dd7

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	POWERPNT.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2252	POWERPNT.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2252	POWERPNT.EXE
2252	POWERPNT.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 2108	2252	POWERPNT.EXE	31
PID 2252 wrote to memory of 2108	2252	POWERPNT.EXE	31
PID 2252 wrote to memory of 2108	2252	POWERPNT.EXE	31
PID 2252 wrote to memory of 2108	2252	POWERPNT.EXE	31

C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\NOTIFICACIONES DEMANDA JUDICIAL -JUZGADO 02 PROMISCUO. RAMA JUDICIAL\bikini.pptx"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2252-0-0x000000002D7F1000-0x000000002D7F2000-memory.dmp

Filesize
4KB

Download
memory/2252-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2252-2-0x000000007248D000-0x0000000072498000-memory.dmp

Filesize
44KB

Download
memory/2252-4-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2252-5-0x000000007248D000-0x0000000072498000-memory.dmp

Filesize
44KB

Download