ab928ee66de723f9548408d8d190a2f356f5295e7efcc9382944a28bb33969b3

Analysis

max time kernel
134s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
13/03/2023, 15:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

INV_March_09_SCAN#294.one
Size

332KB
MD5

f90a0f12bc9d8438a5ecb38d104adfcb
SHA1

3333f3210405b65d0faa2576f33b7b9e48371c39
SHA256

ab928ee66de723f9548408d8d190a2f356f5295e7efcc9382944a28bb33969b3
SHA512

0a37f9a84ba5eb0d8a772e59a3899a391d5d2c0b03b07edc89b6dc4a39419de1e98bc61233a141566f2e815b6316335808a0bd3969e5467d56f8e59ec4b65bfa
SSDEEP

6144:lgDuOpt06l9Ta1l4/p3HaNOyN1wCbJOavP6:lgDuOIG9Tcwp3HQHw

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2084	ONENOTE.EXE
2084	ONENOTE.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2084	ONENOTE.EXE
2084	ONENOTE.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
2084	ONENOTE.EXE
2084	ONENOTE.EXE
2084	ONENOTE.EXE
2084	ONENOTE.EXE
2084	ONENOTE.EXE
2084	ONENOTE.EXE
2084	ONENOTE.EXE
2084	ONENOTE.EXE
2084	ONENOTE.EXE
2084	ONENOTE.EXE
2084	ONENOTE.EXE
2084	ONENOTE.EXE
2084	ONENOTE.EXE
2084	ONENOTE.EXE
2084	ONENOTE.EXE
2084	ONENOTE.EXE

C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE
"C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE" "C:\Users\Admin\AppData\Local\Temp\INV_March_09_SCAN#294.one"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2084

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BL.bin

Filesize
3KB

MD5
66c147f022344bcd3ebec641241215a9

SHA1
8b975511d5f05a84644fae6af32412d70cc4bb4a

SHA256
5847de96a7ad7b3de1d1f469bafb4c38c6c0d8c00ad9fd86419fa4a191371f96

SHA512
17bd5cbe81b51c9edf85a42c9f409e22e60a0434ef221d3abd52ef6fe70dfd92e358cf01b12d603e6fb1ceefc843274dcc6924b24b0449be88567b8003303d9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BM.bin

Filesize
4KB

MD5
080b4c4626b0bc6c76fe22564d6f48cd

SHA1
d744708033a2229aada82f16ea71cefe29156ee6

SHA256
bdc278317ce0f97fd1bc9cab1cb6aafd332a3da79246029be7a1ff99673e2ce0

SHA512
ad07c42993ff074d3cfb7722878de857f7048982bfc5c4ec9fb92eec7177e0737121a5acbadf1b262fc08203ca2d6257338ea85119ae1a5831a2151dee0f1ffd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BN.bin

Filesize
94KB

MD5
f079bb8cc53d0c3bf88e981f440f6872

SHA1
99f9133be5a381a9050928ab9beb530f357dba55

SHA256
a1c181929ee74e09388aabf3401883999c247fa3c0d2a36da32f11c6dd4d28e8

SHA512
71969deaf7fafc26f30ff154f122751ff972fce512dcfcc6327b0eb917c3ba375c1e7de30f75576806313eb0dfe5272a53b2d09fb6691a1968d7aa92e870f6c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BO.bin

Filesize
457B

MD5
24aeba93c7787a9a58a97bb0407f93fe

SHA1
c5f8f3a7a5d73d24df21099fad7f7bf75a7c493b

SHA256
0c73d62769ac376311a5d72e047c5fe8cc85c3d4a5830a4fe90c60eced8e6424

SHA512
abefbf15361a7610daa99d2c615b597ca8dff99edfbbc47dbb71bccd6d9de1eb60e21d593bfe0a181ec2028740bf51a092da58aa7e17467a9dbc88fac94410a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BQ.bin

Filesize
259B

MD5
66dc66d5bada64c9345c12a1439d3589

SHA1
586fb5c6a51fd5641f237726e55922fd21f507e0

SHA256
d7fca88355fdf46fa6a05fac61d48cead760db527bb6b9f88f072d322a98cf1d

SHA512
e205133e8217d8b944c548ec12fe6de1c234d327c5e1118c2341bb8185f2faea7589fc5d114ceea0f1cc8bc8d821d2fe341da84647abcaed85098150fb967e5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{531A8E4F-B754-4BC9-BBD8-9C0D732457B8}

Filesize
219KB

MD5
6d9199c24149fc30e5ad08338030be5f

SHA1
48bf3f8e4e0849a39c3ed2d8bbcf12fb3d2ee113

SHA256
83dd4a20b33e0b5027c462adf763eea66f89f2b96a5a6fadd802e22a236aca1d

SHA512
31a27b5a52c42cd9fcecd11b03375297ab4f7a625bb28e48dcbaf74f846352fa7139e34cd08b5d0d58cc9093e384913e311380b2b78f6045e8cbd81ac26b57d5

Download Submit
memory/2084-136-0x00007FFCD9FF0000-0x00007FFCDA000000-memory.dmp

Filesize
64KB

Download
memory/2084-139-0x00007FFCD79B0000-0x00007FFCD79C0000-memory.dmp

Filesize
64KB

Download
memory/2084-138-0x00007FFCD79B0000-0x00007FFCD79C0000-memory.dmp

Filesize
64KB

Download
memory/2084-137-0x00007FFCD9FF0000-0x00007FFCDA000000-memory.dmp

Filesize
64KB

Download
memory/2084-133-0x00007FFCD9FF0000-0x00007FFCDA000000-memory.dmp

Filesize
64KB

Download
memory/2084-135-0x00007FFCD9FF0000-0x00007FFCDA000000-memory.dmp

Filesize
64KB

Download
memory/2084-134-0x00007FFCD9FF0000-0x00007FFCDA000000-memory.dmp

Filesize
64KB

Download