b2f036d7fe74586b0194ea6b4c83fd98b728626a4f7995fd4e5069ba6c1b35a5

General

Target

4. Exploited; setting boundaries and getting help Y10 (1).pptx
Size

169.7MB
MD5

62911683f5d3dd161fbd98cbb9fad4a5
SHA1

9f3b276dbe4de06e50f67785679b6ae6fc854069
SHA256

b2f036d7fe74586b0194ea6b4c83fd98b728626a4f7995fd4e5069ba6c1b35a5
SHA512

c29e6053693bfe4dd9fc6bf01af5f8c4294a69b8a4f133d0188f3e5a338b22034a7c741e9af937c7be540b77ce1f7cfd7962d39e6d9cb52892016506578e09a7
SSDEEP

3145728:qzHImWDjD48RhBLjYetbJZAHXlQBE5Jgam38vROyoMW0otTs79W69S71p29i:c5ejDfRhBfY+bPAHXlQGvg3xdMW0oxsy

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	POWERPNT.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2688	POWERPNT.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2688	POWERPNT.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 2792	2688	POWERPNT.EXE	32
PID 2688 wrote to memory of 2792	2688	POWERPNT.EXE	32
PID 2688 wrote to memory of 2792	2688	POWERPNT.EXE	32
PID 2688 wrote to memory of 2792	2688	POWERPNT.EXE	32

C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\4. Exploited; setting boundaries and getting help Y10 (1).pptx"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6e79758,0x7fef6e79768,0x7fef6e79778
1⤵
PID:2708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1168 --field-trial-handle=1248,i,15225956153155541679,17025371802741915427,131072 /prefetch:2
1⤵
PID:2420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1532 --field-trial-handle=1248,i,15225956153155541679,17025371802741915427,131072 /prefetch:8
1⤵
PID:1904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1620 --field-trial-handle=1248,i,15225956153155541679,17025371802741915427,131072 /prefetch:8
1⤵
PID:2796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2276 --field-trial-handle=1248,i,15225956153155541679,17025371802741915427,131072 /prefetch:1
1⤵
PID:1264

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2284 --field-trial-handle=1248,i,15225956153155541679,17025371802741915427,131072 /prefetch:1
1⤵
PID:2956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1280 --field-trial-handle=1248,i,15225956153155541679,17025371802741915427,131072 /prefetch:2
1⤵
PID:944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --mojo-platform-channel-handle=3292 --field-trial-handle=1248,i,15225956153155541679,17025371802741915427,131072 /prefetch:1
1⤵
PID:2432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3596 --field-trial-handle=1248,i,15225956153155541679,17025371802741915427,131072 /prefetch:8
1⤵
PID:1480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
633B

MD5
8f52827eb98104d0df5da6274a677b2b

SHA1
4ca88db1ad10966b185eba0a732dea5bf89a71c6

SHA256
de46e7a71da565a8d4fdb3d0ec734dbefcf2fe6e1b2248b1510404f4781d0db8

SHA512
e078b2dbd0a5d93990ea6bb82346ef19b2c2b949fb30868c67f205df5a70463518862f018db326df23c2ee78176e8dfe4abe01551176cc6b28a5754861c9c612

Download Submit
memory/2688-0-0x000000002DE61000-0x000000002DE62000-memory.dmp

Filesize
4KB

Download
memory/2688-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2688-2-0x000000007254D000-0x0000000072558000-memory.dmp

Filesize
44KB

Download
memory/2688-4-0x000000007254D000-0x0000000072558000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing