File name: Driftsrapport KL - september 2021.pptx
Full analysis: https://app.any.run/tasks/01471bc3-b04c-4bc6-afe4-bf81449676a4
Verdict: Malicious activity
Analysis date: June 27, 2022, 10:37:55
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: cve-2022-30190
MIME: application/vnd.openxmlformats-officedocument.presentationml.presentation
File info: Microsoft PowerPoint 2007+
MD5: B720DC5AF8BC6D4F82C6FCA44854DADA
SHA1: 4B82A881BCBE4B406CF00E48570747AA7B48222A
SHA256: BAE884D479B35C3D4B4E8B6CBF7CF5A08A8339C29EDFAD66B8FFEE9B9407BAE6
SSDEEP: 196608:Z1YM7o/LxmXyCz+rh/jujwGn4FHpfXp9yOcAuwSyQ7eO3mam:Z1YcGxRCUZGMBX7wpVPm

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • CVE-2022-30190 detected
      • POWERPNT.EXE (PID: 3132)
  • SUSPICIOUS
    • No suspicious indicators.
  • INFO
    • Checks supported languages
      • POWERPNT.EXE (PID: 3132)
    • Reads the computer name
      • POWERPNT.EXE (PID: 3132)
    • Checks Windows Trust Settings
      • POWERPNT.EXE (PID: 3132)
    • Reads settings of System Certificates
      • POWERPNT.EXE (PID: 3132)
    • Reads Microsoft Office registry keys
      • POWERPNT.EXE (PID: 3132)
No Malware configuration.

TRiD

.pptx | PowerPoint Microsoft Office Open XML Format document (87)
.zip | Open Packaging Conventions container (10.5)
.zip | ZIP compressed archive (2.4)

EXIF

XML

PBCListName: Mellombalanse 300921
ContentTypeId: 0x010100CB7F4755ACEDBD4DBFFE8B13F8E00C64
AppVersion: 16
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
TitlesOfParts:
  • Arial
  • Calibri
  • SpareBank 1
  • SpareBank 1 Light
  • SpareBank 1 Medium
  • SpareBank 1 Title
  • SpareBank 1 Title Light
  • Office-tema
  • https://sb1bv.sharepoint.com/sites/konomi/Shared%20Documents/Intern%20driftsrapportering/Driftsrapportering/Driftsrapportering%202021/Internrapport.xlsx!Styregrunnlag!R83C1:R112C6
  • https://sb1bv.sharepoint.com/sites/konomi/Shared%20Documents/Intern%20driftsrapportering/Driftsrapportering/Driftsrapportering%202021/Internrapport.xlsx!Styregrunnlag!R50C1:R79C6
  • https://sb1bv.sharepoint.com/sites/konomi/Shared%20Documents/Intern%20driftsrapportering/Driftsrapportering/Driftsrapportering%202021/Internrapport.xlsx!Resultat%20måned%20Sørøst!R4C2:R33C15
  • https://sb1bv.sharepoint.com/sites/konomi/Shared%20Documents/Intern%20driftsrapportering/Driftsrapportering/Driftsrapportering%202021/Internrapport.xlsx!Nettorente%20Sørøst!%5bInternrapport.xlsx%5dNettorente%20Sørøst%20Diagram%201
  • https://sb1bv.sharepoint.com/sites/konomi/Shared%20Documents/Intern%20driftsrapportering/Driftsrapportering/Driftsrapportering%202021/Internrapport.xlsx!Styregrunnlag!R15C1:R40C4
  • https://sb1bv.sharepoint.com/sites/konomi/Shared%20Documents/Intern%20driftsrapportering/Driftsrapportering/Driftsrapportering%202021/Internrapport.xlsx!Balanse%20Sørøst!R2C1:R29C15
  • https://sb1bv.sharepoint.com/sites/konomi/Shared%20Documents/Intern%20driftsrapportering/Driftsrapportering/Driftsrapportering%202021/Internrapport.xlsx!Utlån%20Sørøst!R1C1:R22C8
  • https://sb1bv.sharepoint.com/sites/konomi/Shared%20Documents/Intern%20driftsrapportering/Driftsrapportering/Driftsrapportering%202021/Internrapport.xlsx!Innskudd%20Sørøst!R1C1:R22C8
  • https://sb1bv.sharepoint.com/sites/konomi/Shared%20Documents/Intern%20driftsrapportering/Driftsrapportering/Driftsrapportering%202021/Internrapport.xlsx!EM1!R1C1:R23C9
  • https://sb1bv.sharepoint.com/sites/konomi/Shared%20Documents/Intern%20driftsrapportering/Driftsrapportering/Driftsrapportering%202021/Internrapport.xlsx!Z!R1C1:R23C9
  • https://sb1bv.sharepoint.com/sites/konomi/Shared%20Documents/Intern%20driftsrapportering/Driftsrapportering/Driftsrapportering%202021/Internrapport.xlsx!NM1!R3C1:R25C9
  • https://sb1bv.sharepoint.com/sites/konomi/Shared%20Documents/Intern%20driftsrapportering/Driftsrapportering/Driftsrapportering%202021/Internrapport.xlsx!RH1!R1C2:R22C10
  • think-cell Slide
  • Driftsrapport KL September 2021
  • HOVEDTREKK PER SEPTEMBER 2021 (MORBANK)
  • Resultatoversikt -> Denne periode
  • Resultatoversikt -> Hittil i år(Proforma)
  • Resultatoversikt -> Måned for måned
  • Nettorente
  • Balanse
  • Balanse -> Måned for måned
  • Utlånsvekst
  • Innskuddsvekst
  • Datterselskaper
  • Eiendomsmegler 1 BV
  • EiendomsMegler 1 Telemark
  • Z Eiendom
  • Eiendomsmegler 1 Næringsmegling
  • Sparebank 1 Regnskapshuset Sørøst-Norge -> ink. oppkjøp Kongsberg
HeadingPairs:
  • Brukte skrifter: 7
  • Tema: 1
  • Koblinger: 12
  • Innebygde OLE-servere: 1
  • Lysbildetitler: 16
ScaleCrop: No
MMClips: -
HiddenSlides: 1
Notes: -
Slides: 16
Paragraphs: 44
PresentationFormat: Widescreen
Application: Microsoft Office PowerPoint
Words: 280
TotalEditTime: 2.8 hours
Template: SB1 Mal.OLD
ModifyDate: 2021:10:21 15:17:19Z
CreateDate: 2021:08:04 07:27:40Z
RevisionNumber: 2
LastModifiedBy: Ørjan Larsen

XMP

Creator: Ola Kjetil Siqveland
Title: Driftsrapport september 2021

ZIP

ZipFileName: [Content_Types].xml
ZipUncompressedSize: 14441
ZipCompressedSize: 927
ZipCRC: 0x1c69c232
ZipModifyDate: 1980:01:01 00:00:00
ZipCompression: Deflated
ZipBitFlag: 0x0006
ZipRequiredVersion: 20
Total processes: 34
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start powerpnt.exe

Process information

PID: 3132
CMD: "C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\admin\AppData\Local\Temp\Driftsrapport KL - september 2021.pptx"
Path: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE
Indicators: CVE-2022-30190 detected (see the signature list above)
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft PowerPoint
Version: 14.0.6009.1000
Total events: 5 768
Read events: 5 689
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 11
Text files: 0
Unknown types: 14

Dropped files

  • PID 3132, POWERPNT.EXE: C:\Users\admin\AppData\Local\Temp\CVRE71B.tmp.cvr
    MD5:
    SHA256:
  • PID 3132, POWERPNT.EXE: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\52F7CCDC.emf
    Type: emf
    MD5: AD4D9A3B739F43E644966321DE8FC61E
    SHA256: 1EDBA89A4483938D1141E8211E0B841F81D408710A8BD8EEEDF2C01736511D83
  • PID 3132, POWERPNT.EXE: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\593B2.emf
    Type: emf
    MD5: B3DC9D22CA5655D8C00968EACC00E0CC
    SHA256: 7442B15CEAA282ACBE8DA9A03E86E0546026C2F14F7A3C49FA9DE9B2753CE8E2
  • PID 3132, POWERPNT.EXE: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1E17AD51.emf
    Type: emf
    MD5: 78BC6AAD14308A805DDADB42FE40CAEB
    SHA256: 479064EB63A893A9B0F98ABF33D89EB3165338F6C1DA305808A1B420F2C5A6E1
  • PID 3132, POWERPNT.EXE: C:\Users\admin\AppData\Local\Temp\{6DC75594-E187-4289-A8E6-4B8C579C5708}
    Type: binary
    MD5: 2ABDD6C34B236976D029AE1CE182F1E2
    SHA256: DD5D1621EA1401E1519BA5BB14B332154835247A79CEC3A6DCB6B1AD97D61BA1
  • PID 3132, POWERPNT.EXE: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2F23D0F5E4D72862517E1CB26A329742_F6FACC49395CFA949BCE851E73323C49
    Type: der
    MD5: 146D41CD6125622138EBAC996AA72EDD
    SHA256: E0D600F9C6B9745C7208513B5679676ADD60855CE4EC03B3A65E57E27F08448E
  • PID 3132, POWERPNT.EXE: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E32B131E.emf
    Type: emf
    MD5: 0C03D4DCAFB8D1B6D2FB33202538AA36
    SHA256: E960206BED4DC07FF8715E073DF7CBDB7A43CCEDA8BBA84256335DE0FBE91B40
  • PID 3132, POWERPNT.EXE: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A5836C0B.emf
    Type: emf
    MD5: 6DC8280B866A8D52A9FD70F775BC5F03
    SHA256: 0DC50AEF17D57248E68AF483388004274AEFDC70552CB93F7B5C4508448340FD
  • PID 3132, POWERPNT.EXE: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\676EB34A.emf
    Type: emf
    MD5: E475756C48EEA82084361A2DAC543CDF
    SHA256: 45539093B6C96269EEA5B4E6024B786A36B7F40683253C03FF293342C869B431
  • PID 3132, POWERPNT.EXE: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\51CBDE90.emf
    Type: emf
    MD5: F4C990188BE106AC123D9F6C2F46FE5C
    SHA256: 60E0E65A42D0E10D6289E7A9EB2DAB3B8AEE9164BFA28AF7DE98BB6FDA6C6CFE
HTTP(S) requests: 2
TCP/UDP connections: 3
DNS requests: 3
Threats: 0

HTTP requests

  • PID 3132, POWERPNT.EXE: GET, HTTP 200, IP 93.184.220.29:80
    URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAGewca9P1l7sgwzOOVR2Hc%3D
    CN: US
    Type: der
    Size: 471 b
    Reputation: whitelisted
  • PID 3132, POWERPNT.EXE: GET, HTTP 200, IP 209.197.3.8:80
    URL: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?1cc94ab2054b3f32
    CN: US
    Type: compressed
    Size: 4.70 Kb
    Reputation: whitelisted

Connections

  • PID 3132, POWERPNT.EXE: 209.197.3.8:80
    Domain: ctldl.windowsupdate.com
    ASN: Highwinds Network Group, Inc.
    CN: US
    Reputation: whitelisted
  • PID 3132, POWERPNT.EXE: 13.107.136.9:443
    Domain: sb1bv.sharepoint.com
    ASN: Microsoft Corporation
    CN: US
    Reputation: whitelisted
  • PID 3132, POWERPNT.EXE: 93.184.220.29:80
    Domain: ocsp.digicert.com
    ASN: MCI Communications Services, Inc. d/b/a Verizon Business
    CN: US
    Reputation: whitelisted

DNS requests

  • sb1bv.sharepoint.com
    IP: 13.107.136.9, 13.107.138.9
    Reputation: suspicious
  • ctldl.windowsupdate.com
    IP: 209.197.3.8
    Reputation: whitelisted
  • ocsp.digicert.com
    IP: 93.184.220.29
    Reputation: whitelisted

Threats

No threats detected
No debug info