File name:

Prezentacja_23112022.ppt

Full analysis: https://app.any.run/tasks/ef13b06e-32e0-410b-9361-36a05e080f4d
Verdict: Malicious activity
Analysis date: December 05, 2022, 17:12:16
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
Indicators:
MIME: application/vnd.ms-powerpoint
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Revision Number: 14, Name of Creating Application: Microsoft Office PowerPoint, Total Editing Time: 42:41, Create Time/Date: Fri Nov 18 12:01:06 2022, Last Saved Time/Date: Fri Nov 18 13:23:38 2022, Number of Words: 0
MD5:

60B2904205A48A45943613BF5A3AE751

SHA1:

896C2BC681DA087968A0152E9143F9D78B66EFC2

SHA256:

BEC98A8A5E6786EF415A7A7BF7E60CBD384D43EDE4E882AA560FDCB24865AC55

SSDEEP:

6144:QXvjyhsvHGPmXKjLk2BRXAGP2a2JynVNH5Gt:AjyhaGzRXpPrSyr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • regsvr32.exe (PID: 956)
      • rundll32.exe (PID: 3500)

    • Unusual connection from system programs

      • rundll32.exe (PID: 3500)

    • Executable content was dropped or overwritten

      • POWERPNT.EXE (PID: 2056)

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    • Drops the executable file immediately after the start

      • regsvr32.exe (PID: 956)
      • POWERPNT.EXE (PID: 2056)

    • Executable content was dropped or overwritten

      • regsvr32.exe (PID: 956)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.ppt | Microsoft PowerPoint document (79.7)
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
4
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start powerpnt.exe rundll32.exe no specs regsvr32.exe rundll32.exe

Process information

PID
CMD
Path
Indicators
Parent process
956"C:\Windows\System32\regsvr32.exe" /u /s "C:\Users\admin\AppData\Local\Temp\WPDNSE_Install\5zmAzo4HwwgQxNctXsbgBxum85WwPWSgj1RSepjIbx.dll"C:\Windows\System32\regsvr32.exe
RunDLL32.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ntdll.dll
c:\windows\system32\regsvr32.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2056"C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\admin\AppData\Local\Temp\Prezentacja_23112022.ppt"C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft PowerPoint
Exit code:
0
Version:
14.0.6009.1000
Modules
Images
c:\program files\microsoft office\office14\powerpnt.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\program files\microsoft office\office14\ppcore.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
2968RunDLL32.EXE shell32.dll,ShellExec_RunDLL C:\Users\admin\AppData\Local\Temp\F2eppntbTcCRQkorhBTK2gj7fl1EdtdN.lnkC:\Windows\system32\RunDLL32.EXEPOWERPNT.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\rundll32.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\imagehlp.dll
3500"C:\Windows\System32\rundll32.exe" "C:\Users\admin\AppData\Local\Temp\api-ms-win-core-profile-l1-1-0.dll",QueryPerformanceFrequencyC:\Windows\System32\rundll32.exe
regsvr32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rundll32.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
Total events
5 503
Read events
5 411
Write events
86
Delete events
6

Modification events

(PID) Process:(2056) POWERPNT.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\PowerPoint\Resiliency\StartupItems
Operation:writeName:c{0
Value:
637B300008080000010000000000000000000000
(PID) Process:(2056) POWERPNT.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
Off
(PID) Process:(2056) POWERPNT.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1041
Value:
Off
(PID) Process:(2056) POWERPNT.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1046
Value:
Off
(PID) Process:(2056) POWERPNT.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1036
Value:
Off
(PID) Process:(2056) POWERPNT.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1031
Value:
Off
(PID) Process:(2056) POWERPNT.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1040
Value:
Off
(PID) Process:(2056) POWERPNT.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1049
Value:
Off
(PID) Process:(2056) POWERPNT.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:3082
Value:
Off
(PID) Process:(2056) POWERPNT.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1042
Value:
Off
Executable files
3
Suspicious files
0
Text files
0
Unknown types
1

Dropped files

PID
Process
Filename
Type
2056POWERPNT.EXEC:\Users\admin\AppData\Local\Temp\CVRF801.tmp.cvr
MD5:
SHA256:
956regsvr32.exeC:\Users\admin\AppData\Local\Temp\api-ms-win-core-profile-l1-1-0.dllexecutable
MD5:
SHA256:
3500rundll32.exeC:\Users\admin\AppData\Local\Temp\tmp109A.tmpexecutable
MD5:
SHA256:
2056POWERPNT.EXEC:\Users\admin\AppData\Local\Temp\F2eppntbTcCRQkorhBTK2gj7fl1EdtdN.lnklnk
MD5:
SHA256:
2056POWERPNT.EXEC:\Users\admin\AppData\Local\Temp\WPDNSE_Install\5zmAzo4HwwgQxNctXsbgBxum85WwPWSgj1RSepjIbx.dllexecutable
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
2
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3500
rundll32.exe
188.114.96.3:443
sellmyhousequickly.website
CLOUDFLARENET
NL
malicious

DNS requests

Domain
IP
Reputation
sellmyhousequickly.website
  • 188.114.96.3
  • 188.114.97.3
malicious

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Prezentacja_23112022.ppt