Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
26-11-2024 16:07
Static task
static1
Behavioral task
behavioral1
Sample
516a68bcd0ba36727964cf175ab4bc3f2dad9a8cf6c923eb29d41ea5b8c621a4.ppam
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
516a68bcd0ba36727964cf175ab4bc3f2dad9a8cf6c923eb29d41ea5b8c621a4.ppam
Resource
win10v2004-20241007-en
General
-
Target
516a68bcd0ba36727964cf175ab4bc3f2dad9a8cf6c923eb29d41ea5b8c621a4.ppam
-
Size
15KB
-
MD5
2f5518eab74b27def099fa3fadb06b5d
-
SHA1
3676f4c0457e6bbf3f343a7222937995ba4c3518
-
SHA256
516a68bcd0ba36727964cf175ab4bc3f2dad9a8cf6c923eb29d41ea5b8c621a4
-
SHA512
07bbad84bc499dcb36210260ea3536b064cec1a08d92d90eae06f98f399d7710b248f48085a4017fd44f2ba7b4cee5f973e327719ba69d1af06afbc16d3b53b4
-
SSDEEP
384:dXPEeBSzKuCjIOIxvTNRX/GC+p/RU3Af7CRRWiwJM:VPEeByCje3RX/spZU3ADCfWip
Malware Config
Signatures
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language POWERPNT.EXE -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493468-5A91-11CF-8700-00AA0060263B}\ = "ExtraColors" POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493498-5A91-11CF-8700-00AA0060263B} POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BA72E558-4FF5-48F4-8215-5505F990966F} POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934E8-5A91-11CF-8700-00AA0060263B} POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934F5-5A91-11CF-8700-00AA0060263B}\ = "TableStyle" POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A59-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493450-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}" POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493452-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32 POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493452-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493454-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32 POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493472-5A91-11CF-8700-00AA0060263B}\TypeLib POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A7C-F07E-4CA4-AF6F-BEF486AA4E6F} POWERPNT.EXE Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLReset" POWERPNT.EXE Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3} POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493450-5A91-11CF-8700-00AA0060263B}\ = "Collection" POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934F1-5A91-11CF-8700-00AA0060263B}\ = "SetEffect" POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A72-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493442-5A91-11CF-8700-00AA0060263B}\ = "_Application" POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149345A-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32 POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493480-5A91-11CF-8700-00AA0060263B}\TypeLib POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934F8-5A91-11CF-8700-00AA0060263B}\ = "TableBackground" POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D00BE510-DF75-4629-979E-6D067BB522A5} POWERPNT.EXE Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3} POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149346B-5A91-11CF-8700-00AA0060263B} POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934F7-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934F8-5A91-11CF-8700-00AA0060263B}\TypeLib POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A64-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}" POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A75-F07E-4CA4-AF6F-BEF486AA4E6F} POWERPNT.EXE Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}\ = "MdcTextEvents" POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493486-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a" POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149348F-5A91-11CF-8700-00AA0060263B} POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493498-5A91-11CF-8700-00AA0060263B}\ = "TextStyles" POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934C6-5A91-11CF-8700-00AA0060263B}\TypeLib POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934CB-5A91-11CF-8700-00AA0060263B} POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A65-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\Version = "2.a" POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493471-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493480-5A91-11CF-8700-00AA0060263B} POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493499-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32 POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A51-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32 POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A54-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149349B-5A91-11CF-8700-00AA0060263B} POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A62-F07E-4CA4-AF6F-BEF486AA4E6F}\ = "DataLabels" POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A70-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" POWERPNT.EXE Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F} POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493474-5A91-11CF-8700-00AA0060263B} POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149347C-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32 POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934E7-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a" POWERPNT.EXE Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}\ = "ITabStrip" POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493470-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}" POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149347F-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}" POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934F3-5A91-11CF-8700-00AA0060263B} POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934F8-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}" POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A7C-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\Version = "2.a" POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934E0-5A91-11CF-8700-00AA0060263B}\ = "Timing" POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A62-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A69-F07E-4CA4-AF6F-BEF486AA4E6F} POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493488-5A91-11CF-8700-00AA0060263B}\TypeLib POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934C3-5A91-11CF-8700-00AA0060263B} POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934D0-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}" POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934D8-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32 POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934DB-5A91-11CF-8700-00AA0060263B} POWERPNT.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D00BE510-DF75-4629-979E-6D067BB522A5}\2.0\HELPDIR POWERPNT.EXE Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLTextArea" POWERPNT.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A6F-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" POWERPNT.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2416 POWERPNT.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2416 wrote to memory of 2936 2416 POWERPNT.EXE 28 PID 2416 wrote to memory of 2936 2416 POWERPNT.EXE 28 PID 2416 wrote to memory of 2936 2416 POWERPNT.EXE 28 PID 2416 wrote to memory of 2936 2416 POWERPNT.EXE 28
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE"C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\516a68bcd0ba36727964cf175ab4bc3f2dad9a8cf6c923eb29d41ea5b8c621a4.ppam"1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:2936
-