8010ce321b23f41a48e4220682fdb9a57434a7fb6fb8787e966f22a8dbaf5886

Resubmissions

07/06/2024, 14:10

240607-rgzxyshd61 3

19/12/2023, 18:37

19/12/2023, 18:20

14/02/2023, 17:28

13/02/2023, 17:49

13/02/2023, 17:46

13/02/2023, 17:45

Analysis

max time kernel
32s
max time network
35s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
13/02/2023, 17:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

sleepdonothing.exe
Size

893KB
MD5

85298a6d4334462888c236a255c0daf5
SHA1

47ae59c12774f9f7d9cfb5cf34ddcfd16a3ce2aa
SHA256

8010ce321b23f41a48e4220682fdb9a57434a7fb6fb8787e966f22a8dbaf5886
SHA512

cbf671299bc05477edb25a35bfaf1a9186fa1a3da8828ee7fedf81b8b3ae6f34eb2f6a32880aa9de1acd803b427c8e9b6416ccf146caaa0333526c4378cd8743
SSDEEP

12288:+MYrNtUMKszO5+pTe5NV0T+SLaRxkTYsgUhEIkTW:+ZzUq0+pTuEgUhEM

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk	ONENOTE.EXE

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	ONENOTE.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	ONENOTE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	ONENOTE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	ONENOTE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	ONENOTE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar	ONENOTE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt	ONENOTE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	ONENOTE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	ONENOTE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	ONENOTE.EXE

Modifies registry class 6 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F2A7EE29-8BF6-4A6D-83F1-098E366C709C}\1.0\ = "Microsoft OneNote 12.0 Object Library"	ONENOTE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F2A7EE29-8BF6-4A6D-83F1-098E366C709C}\1.0\0\win32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\ONENOTE.EXE\\2"	ONENOTE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0EA692EE-BB50-4E3C-AEF0-356D91732725}\1.0\ = "Microsoft OneNote 14.0 Object Library"	ONENOTE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0EA692EE-BB50-4E3C-AEF0-356D91732725}\1.0\0\win32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\ONENOTE.EXE\\3"	ONENOTE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E2E1511D-502D-4BD0-8B3A-8A89A05CDCAE}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	ONENOTE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E2E1511D-502D-4BD0-8B3A-8A89A05CDCAE}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	ONENOTE.EXE

Suspicious behavior: AddClipboardFormatListener 4 IoCs

pid	Process
980	ONENOTE.EXE
980	ONENOTE.EXE
1436	ONENOTE.EXE
1436	ONENOTE.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1524	ONENOTEM.EXE
Token: SeIncBasePriorityPrivilege	1524	ONENOTEM.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1524	ONENOTEM.EXE
1524	ONENOTEM.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1524	ONENOTEM.EXE
1524	ONENOTEM.EXE

Suspicious use of SetWindowsHookEx 21 IoCs

pid	Process
980	ONENOTE.EXE
980	ONENOTE.EXE
980	ONENOTE.EXE
980	ONENOTE.EXE
980	ONENOTE.EXE
980	ONENOTE.EXE
980	ONENOTE.EXE
980	ONENOTE.EXE
980	ONENOTE.EXE
980	ONENOTE.EXE
980	ONENOTE.EXE
1436	ONENOTE.EXE
1436	ONENOTE.EXE
1436	ONENOTE.EXE
1436	ONENOTE.EXE
1436	ONENOTE.EXE
1436	ONENOTE.EXE
1436	ONENOTE.EXE
1436	ONENOTE.EXE
1436	ONENOTE.EXE
1436	ONENOTE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 980 wrote to memory of 1524	980	ONENOTE.EXE	30
PID 980 wrote to memory of 1524	980	ONENOTE.EXE	30
PID 980 wrote to memory of 1524	980	ONENOTE.EXE	30
PID 980 wrote to memory of 1524	980	ONENOTE.EXE	30

C:\Users\Admin\AppData\Local\Temp\sleepdonothing.exe
"C:\Users\Admin\AppData\Local\Temp\sleepdonothing.exe"
1⤵
PID:532

C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE"
1⤵
- Drops startup file
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:980
- C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
  /tsr
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1524

C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1436

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
7717d1f68a275f727647842581f83d0f

SHA1
0244a4268e8d9828d0afe949f17055dc8f8f13ea

SHA256
d2751866261312ceaf73d965b230b4c7952ff369f7176a954b3b3f5f9a83740b

SHA512
97f8463d94e8747414178019633e6b25077b1911514ae3579b79a324afc301cebeacde6d8cd3df86f5bb153d59cd130bcda17ddb0c888dba6a60d615db168b54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5acd40969f4f18a8ac2d5dcea16a953d

SHA1
6f845441e49a1b1eee6f306fac5c604b91ca618e

SHA256
03eaca45c1a93a9eabaf3a35739302fcbf6076e42aa588ba2220e23c931d2fe5

SHA512
d0825deebd2474d8077cbcb4cf233772b0ced8c89f1a02a8676c3ae08177158d67737ab31b413c41ce9f3eff19eada75b786002bc5d23a3b0fd4154ea2a88584

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\14.0\OneNoteOfflineCache.onecache

Filesize
20.0MB

MD5
4238a2cee9a4c16700316fbeb8bf9ec4

SHA1
2e572d5a6a31bb7fcfd980ea0402b08a74b3f73a

SHA256
70cdbbc630a33f6989b7fe9da22c61c73255474e0569ec33a698ce652cfbf2c8

SHA512
aff5cb879d596ad4fe8ec93eba23511e8dfef6d7942fd5aea941eda7822a35bd5a2696ef59d999e958f5cb89cca60f111e812506882cd24c82622f8a7bf3144c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\14.0\OneNoteOfflineCache_Files\03809a07-348b-48cc-b08d-f7b8472c133c.png

Filesize
5KB

MD5
64abf26631e44fc132402dac390ee4bc

SHA1
4bdd6ab584488cfbfcfa07a46e9f9e2975e390cf

SHA256
6c44be83448651ec7e0fd053be9832f33c2849011fbf59ce7cea6718651c68a2

SHA512
f6bbe0bc85b027d56d69f13f536cd57c397e0163ecd265890c9382ee74aeb6f118fc256ad232ce9f8e19227adfcd13f53451f770d652d8dcc5d1a7b8d687c1e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\14.0\OneNoteOfflineCache_Files\1e81fb27-0aa3-4b11-a764-0d9e7e3272ea.png

Filesize
10KB

MD5
d673f8d09e4d1f642262770a3c8cc9ce

SHA1
90aa1668423298a6c1b0d582d7dc783ad20a42d7

SHA256
926735f7f083511fa2e535b13eea70997ef00f814b231e611c54e5c1e3c9d0d7

SHA512
a044aec4cd11d269848c738e7ace01e1fa93e9547a8667685699fabd142d8c5f7fbe978f5597dbcc82735203ea7458fc9c788f4fed05b53463101d140700fb9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\14.0\OneNoteOfflineCache_Files\62e3dfa2-4350-445b-8693-d1d04a74543c.png

Filesize
37KB

MD5
c5c4a733b642fa42d9f94c8d47306ab8

SHA1
9ae2873256eb2d8b516039c94c0db2ca438935fa

SHA256
a4c554387c99e9011b5b62a117ce0e6998ca41386065cbe7961be3c027bbbf6c

SHA512
89bb814affacf7479ad155df646d3e6dc17ea34f14621842b4bd8a9be35ab42a962ebae41f407954df2e3b971a35cafa8e24dfed46e6acca4992d5f7e4f10b9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\14.0\OneNoteOfflineCache_Files\7dceec06-0991-43f4-8af3-601c0ebeb910.png

Filesize
163KB

MD5
07570999070082eb2c331fd142e52c38

SHA1
dc6d4c3ce8891dfa0db3091d10ea4042053f44e7

SHA256
8f83217424c1d50df4b5e5aea78ac01be6c5ad3e30d8f35ef74658a2c7529960

SHA512
7caa540b0e9c519e36bdaf3a84d8aad61f9c9134aa4d8af05d23dfaef60c5185e664e62fe78366e650a0d5c52b86be8760a18ecfd04545ceaaa2872b4c630f9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\14.0\OneNoteOfflineCache_Files\a507cd65-0038-49e4-8cdb-b6082f566351.png

Filesize
10KB

MD5
6366cb8aac9ca1668c70e9de4bc79388

SHA1
78b1ebd6669c67f4279e8d2baea229eb2fc71178

SHA256
21e68aaa77e4c5877b0ee5169347fe546cacde09bf8f432ecd72d1a69663bd3a

SHA512
cdf9a5f93e7c000eab511ab7bf6f6a6ba45e22ac34ecc2f24ea9cc591edc5c3a00b2ac121cf5664979577557bba55109e03f4005b0b0cdc475d3a75b3a3fef54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\14.0\OneNoteOfflineCache_Files\b2a67a4a-c116-4c88-9fd1-c5b9a23d7929.png

Filesize
68KB

MD5
fabf6770b25c633a748ed6f3342f06e0

SHA1
a22a7059247b42cb63ec30720e1cf845e998ea02

SHA256
bd5d1f97a3f38c3a7ca63106d48d5a26aaf18aa4fb9ebf7439a0d8af0fbfed75

SHA512
e18f27b0c360ad7f82616341cdc4194aacd140a94061b11b5c9145f2bf2cabfafa3b0072a08fa1f32296b1a0e2221a4933c8bf2f59668221e70b786a64083eb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\14.0\OneNoteOfflineCache_Files\bb4e150b-7e2a-4556-81dd-590d7ab07dda.png

Filesize
9KB

MD5
dce030379821650125df797b9b3d4f29

SHA1
84dd28941e9d06d7de009d039a838394945be43f

SHA256
accfedb156a89607216ac18dd30aafb953b375b42c03b5e3e690d62d8e96a8ed

SHA512
abacc91ef043e3de767662923027af9cc496d4d801f34f4a5adcea01474709ea437d1019f9552a5287a13b571569f0cf2ed8c20ca53ef574a80a9b3e0ced1183

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\14.0\OneNoteOfflineCache_Files\e29a7eaf-32ad-400c-9927-05c358358ffc.png

Filesize
45KB

MD5
168af03dd94b6421cae3c621ce2de984

SHA1
6dd0c8e6ee2d6e6778219715bf1c90dafeedf25c

SHA256
9839be2d8c2ca55d4d7798e531ef9fab6dbdad6fd3892f36c7b09b3e46f99799

SHA512
c58f7625342ca1e6dcfa9cb41529d1464e39a44515e87292c2a9c9ca3dfd0176b74ef62ad952a1a121715e23349baaae1d2b1ed8e2448fd61142e77c5127183f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\14.0\OneNoteOfflineCache_Files\e51cf594-e321-4d1c-88e7-df9cde80904c.png

Filesize
11KB

MD5
4628e2021534f066014ea107a7f3246f

SHA1
55aa9cb9fd939c4d9c36e4cafbea10dc79c0dd6c

SHA256
49090a3e4f6a8e39b0b09f6f5534e2ac1908f426253d92f6091dd5bceb692b05

SHA512
7860a8786784ed5d0da1919cf1b2aceb59d9516fae1fe16010f5458f8b526e9643c1080ce26472a368b5ac41af7dba3c80f4ab7bfb26bb4b4c21448f96185638

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\14.0\Preferences.dat

Filesize
23KB

MD5
ad63a2066a16607da8f64637980823e4

SHA1
55887f1ce6a920bd2bac98834c86bb5b5c5b307c

SHA256
b5d54bf899f7f83859f5fa28d095192e046d3f0a0fe540b75889613b6e8b8d0e

SHA512
ecb6d74dd2c36cfc43709782cbc8d6f8a8026aa1af4ce94482714f6454ae80ae420426cbbbcd04886f6cff515d87d4eb2d36bd076dfed1e5b832fcadc6e63cc7

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\Personal\Open Notebook.onetoc2

Filesize
6KB

MD5
39bba31028f52cb46b5e3e28ddc0f9a1

SHA1
23c0f283a3a95d6a63a7ead29625b9614af6dbf5

SHA256
638dda0646560f61951704a0d6b512c4191a1763eb9d388475318b07d7be346f

SHA512
4c3de372e18356e71ffc6d81f5ce29fe4a1cc11a3481320b190f07f225f450a3cc1e6001fa5521391deb8a5ba64faf8d3140c02412912e80fd7029c784ca103d

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\Personal\Unfiled Notes.one

Filesize
3KB

MD5
253851fd32d75c1d14ff130885dd44e9

SHA1
d63c39f1aa7851abe3993882491d3dfff03f79ad

SHA256
97847c5da506c803703c753f4d8f1bf664bc2b411871fb69b8d2aa59dd225c6e

SHA512
eb7e0290a5b1f279cade23cb7ef75e5eaabeba95f71cf888a8ff1b703d90106a34426a17c4989fc8f36c5490796f5f66b7b35b5357340ac307677c781a020162

Download Submit
memory/980-54-0x00000000728A1000-0x00000000728A3000-memory.dmp

Filesize
8KB

Download
memory/980-59-0x000000007388D000-0x0000000073898000-memory.dmp

Filesize
44KB

Download
memory/980-56-0x000000007388D000-0x0000000073898000-memory.dmp

Filesize
44KB

Download
memory/980-55-0x0000000075041000-0x0000000075043000-memory.dmp

Filesize
8KB

Download
memory/1436-60-0x00000000716C1000-0x00000000716C3000-memory.dmp

Filesize
8KB

Download
memory/1436-73-0x00000000726AD000-0x00000000726B8000-memory.dmp

Filesize
44KB

Download
memory/1436-80-0x00000000726AD000-0x00000000726B8000-memory.dmp

Filesize
44KB

Download