Analysis
- max time kernel: 130s
- max time network: 135s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-08-2024 02:32
Static task: static1
Behavioral task: behavioral1
- Sample: fa7701d082ff43c66e853a8cc0949bce6d2837f4190def5b75f631be0006f59a.ppam
- Resource: win7-20240705-en
Behavioral task: behavioral2
- Sample: fa7701d082ff43c66e853a8cc0949bce6d2837f4190def5b75f631be0006f59a.ppam
- Resource: win10v2004-20240802-en
General
- Target: fa7701d082ff43c66e853a8cc0949bce6d2837f4190def5b75f631be0006f59a.ppam
- Size: 27KB
- MD5: e114626af1e6f60e4e0eab0da05d01e7
- SHA1: b200f0ce036bb5cadce0d8d5d364413f3e7902a6
- SHA256: fa7701d082ff43c66e853a8cc0949bce6d2837f4190def5b75f631be0006f59a
- SHA512: b07441656c51355d07eca4f88b86c60b86d71397ea20c3550d4492dfcfc1949190b2bf85c7709d22c715752a54501146c57623078935e4a2bccde044a5e86a2e
- SSDEEP: 768:VPk/BU66pEhHEZzMDbO/bZlqf4CLDu0We:VkU66KhHEZzMDCDHq4w60We
Malware Config
Signatures
- Process spawned suspicious child process (1 IoC)
  This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.
  Processes:
    description | pid | pid_target | Process | procid_target
    Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process | 4616 | 2616 | DW20.EXE | 83

- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description | ioc | Process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | dwwin.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | dwwin.exe
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | dwwin.exe

- Enumerates system info in registry (2 TTPs, 2 IoCs)
  Processes:
    description | ioc | Process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | dwwin.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | dwwin.exe

- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes:
    pid | Process
    2616 | POWERPNT.EXE

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid | Process
    2616 | POWERPNT.EXE
    2616 | POWERPNT.EXE

- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
    pid | Process
    2616 | POWERPNT.EXE

- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    description | pid | Process | procid_target
    PID 2616 wrote to memory of 4616 | 2616 | POWERPNT.EXE | 87
    PID 2616 wrote to memory of 4616 | 2616 | POWERPNT.EXE | 87
    PID 4616 wrote to memory of 312 | 4616 | DW20.EXE | 88
    PID 4616 wrote to memory of 312 | 4616 | DW20.EXE | 88

- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

- Uses Volume Shadow Copy WMI provider
  The Volume Shadow Copy service is used to manage backups/snapshots.

- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- [1] C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE (PID 2616)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\fa7701d082ff43c66e853a8cc0949bce6d2837f4190def5b75f631be0006f59a.ppam" /ou ""
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - [2] C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE (PID 4616)
    Command line: "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE" -x -s 2712
    - Process spawned suspicious child process
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\dwwin.exe (PID 312)
      Command line: C:\Windows\system32\dwwin.exe -x -s 2712
      - Checks processor information in registry
      - Enumerates system info in registry