File name: Prezentacja_23112022.ppt

Full analysis: https://app.any.run/tasks/ef13b06e-32e0-410b-9361-36a05e080f4d
Verdict: Malicious activity
Analysis date: December 05, 2022, 17:12:16
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: macros, macros-on-open
Indicators:
MIME: application/vnd.ms-powerpoint
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Revision Number: 14, Name of Creating Application: Microsoft Office PowerPoint, Total Editing Time: 42:41, Create Time/Date: Fri Nov 18 12:01:06 2022, Last Saved Time/Date: Fri Nov 18 13:23:38 2022, Number of Words: 0
MD5: 60B2904205A48A45943613BF5A3AE751
SHA1: 896C2BC681DA087968A0152E9143F9D78B66EFC2
SHA256: BEC98A8A5E6786EF415A7A7BF7E60CBD384D43EDE4E882AA560FDCB24865AC55
SSDEEP: 6144:QXvjyhsvHGPmXKjLk2BRXAGP2a2JynVNH5Gt:AjyhaGzRXpPrSyr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • rundll32.exe (PID: 3500)
      • regsvr32.exe (PID: 956)
    • Executable content was dropped or overwritten

      • POWERPNT.EXE (PID: 2056)
    • Unusual connection from system programs

      • rundll32.exe (PID: 3500)
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    • Drops the executable file immediately after the start

      • POWERPNT.EXE (PID: 2056)
      • regsvr32.exe (PID: 956)
    • Executable content was dropped or overwritten

      • regsvr32.exe (PID: 956)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.ppt | Microsoft PowerPoint document (79.7)
No data.
All screenshots are available in the full report
Total processes: 36
Monitored processes: 4
Malicious processes: 4
Suspicious processes: 0

Behavior graph

start -> powerpnt.exe -> rundll32.exe (no specs) -> regsvr32.exe -> rundll32.exe

Process information

PID: 2056
CMD: "C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\admin\AppData\Local\Temp\Prezentacja_23112022.ppt"
Path: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft PowerPoint
Version: 14.0.6009.1000
Modules
Images
c:\program files\microsoft office\office14\powerpnt.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\program files\microsoft office\office14\ppcore.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID: 2968
CMD: RunDLL32.EXE shell32.dll,ShellExec_RunDLL C:\Users\admin\AppData\Local\Temp\F2eppntbTcCRQkorhBTK2gj7fl1EdtdN.lnk
Path: C:\Windows\system32\RunDLL32.EXE
Parent process: POWERPNT.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\rundll32.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\imagehlp.dll

PID: 956
CMD: "C:\Windows\System32\regsvr32.exe" /u /s "C:\Users\admin\AppData\Local\Temp\WPDNSE_Install\5zmAzo4HwwgQxNctXsbgBxum85WwPWSgj1RSepjIbx.dll"
Path: C:\Windows\System32\regsvr32.exe
Parent process: RunDLL32.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft(C) Register Server
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ntdll.dll
c:\windows\system32\regsvr32.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

PID: 3500
CMD: "C:\Windows\System32\rundll32.exe" "C:\Users\admin\AppData\Local\Temp\api-ms-win-core-profile-l1-1-0.dll",QueryPerformanceFrequency
Path: C:\Windows\System32\rundll32.exe
Parent process: regsvr32.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rundll32.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
Total events: 5 503
Read events: 5 411
Write events: 86
Delete events: 6

Modification events

(PID) Process: (2056) POWERPNT.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\PowerPoint\Resiliency\StartupItems
Operation: write
Name: c{0
Value: 637B300008080000010000000000000000000000

(PID) Process: (2056) POWERPNT.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write (nine separate events, one per language ID)
Name: 1033 | Value: Off
Name: 1041 | Value: Off
Name: 1046 | Value: Off
Name: 1036 | Value: Off
Name: 1031 | Value: Off
Name: 1040 | Value: Off
Name: 1049 | Value: Off
Name: 3082 | Value: Off
Name: 1042 | Value: Off
Executable files: 3
Suspicious files: 0
Text files: 0
Unknown types: 1

Dropped files

PID: 2056 | Process: POWERPNT.EXE
Filename: C:\Users\admin\AppData\Local\Temp\CVRF801.tmp.cvr
Type: (none listed)
MD5: (none listed)
SHA256: (none listed)

PID: 2056 | Process: POWERPNT.EXE
Filename: C:\Users\admin\AppData\Local\Temp\WPDNSE_Install\5zmAzo4HwwgQxNctXsbgBxum85WwPWSgj1RSepjIbx.dll
Type: executable
MD5: CAB69A95A2AB40D6132DEF3C7D87DE54
SHA256: 151BFC60A2EAA02B96DCE39F29FD2CC40343400A198F9636981CA325A402115B

PID: 956 | Process: regsvr32.exe
Filename: C:\Users\admin\AppData\Local\Temp\api-ms-win-core-profile-l1-1-0.dll
Type: executable
MD5: CAB69A95A2AB40D6132DEF3C7D87DE54
SHA256: 151BFC60A2EAA02B96DCE39F29FD2CC40343400A198F9636981CA325A402115B

PID: 2056 | Process: POWERPNT.EXE
Filename: C:\Users\admin\AppData\Local\Temp\F2eppntbTcCRQkorhBTK2gj7fl1EdtdN.lnk
Type: lnk
MD5: BE4387B072E176DB78009217C211AEFB
SHA256: DAFBF3429AC685C2151293A1A58901D2024D194E79CDB9598FAA7901716AFA74

PID: 3500 | Process: rundll32.exe
Filename: C:\Users\admin\AppData\Local\Temp\tmp109A.tmp
Type: executable
MD5: CAB69A95A2AB40D6132DEF3C7D87DE54
SHA256: 151BFC60A2EAA02B96DCE39F29FD2CC40343400A198F9636981CA325A402115B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 1
DNS requests: 2
Threats: 0

HTTP requests

No HTTP requests

Connections

PID: 3500
Process: rundll32.exe
IP: 188.114.96.3:443
Domain: sellmyhousequickly.website
ASN: CLOUDFLARENET
CN: NL
Reputation: malicious

DNS requests

Domain: sellmyhousequickly.website
IP:
  • 188.114.96.3
  • 188.114.97.3
Reputation: malicious

Threats

No threats detected
No debug info