Analysis
max time kernel: 134s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-03-2023 23:05
Static task: static1
Behavioral task: behavioral1
Sample: n_277947747244.one
Resource: win10v2004-20230220-en
General
Target: n_277947747244.one
Size: 130KB
MD5: 6bead65ca651b31de7fe3433bc398ad5
SHA1: 202963a59f15235f03585cc103b267e93fa09343
SHA256: 72511274f712bfd930c8431ae1e739f6d0940f59fd45dc2bbf148d5bc73dc983
SHA512: c291f00125ee1563148d3fdb23d3699e58eda868e59d5e475491899e8d5391235e5ce9cc912701e9e273ab72eabefc6b87edff007e4ad7d5c053a8528b95b214
SSDEEP: 3072:PrfWMINYf3K19kzCnEEQvSMVnte8ZP1Y6J0cTgGO:d6nInM8TXJ5O
Malware Config
Extracted family: emotet
Botnet: Epoch5
C2 list (ip:port):
103.85.95.4:8080
103.224.241.74:8080
178.238.225.252:8080
37.59.103.148:8080
78.47.204.80:443
138.197.14.67:8080
128.199.242.164:8080
54.37.228.122:443
37.44.244.177:8080
139.59.80.108:8080
218.38.121.17:443
82.98.180.154:7080
114.79.130.68:443
159.65.135.222:7080
174.138.33.49:7080
195.77.239.39:8080
193.194.92.175:443
198.199.70.22:8080
85.214.67.203:8080
93.84.115.205:7080
186.250.48.5:443
46.101.98.60:8080
160.16.143.191:8080
64.227.55.231:8080
175.126.176.79:8080
85.25.120.45:8080
178.62.112.199:8080
185.148.169.10:8080
128.199.217.206:443
103.41.204.169:8080
209.239.112.82:8080
202.28.34.99:8080
139.196.72.155:8080
87.106.97.83:7080
93.104.209.107:8080
104.244.79.94:443
115.178.55.22:80
83.229.80.93:8080
103.254.12.236:7080
62.171.178.147:8080
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | process | target process
Parent C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE is not expected to spawn this process | 4068 | 1204 | WScript.exe | ONENOTE.EXE

Blocklisted process makes network request (1 IoC)
flow | pid | process
47 | 4068 | WScript.exe

Downloads MZ/PE file

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation | WScript.exe

Loads dropped DLL (2 IoCs)
pid | process
1260 | regsvr32.exe
1472 | regsvr32.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qiTDw.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\OuoARPMNlAejHitpH\\qiTDw.dll\"" | regsvr32.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. (Generic sandbox heuristic: nothing else in this report shows ransomware activity, and the extracted config identifies the sample as Emotet.)

Program crash (1 IoC)
pid | pid_target | process | target process
3220 | 3444 | WerFault.exe | (not recorded)

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | ONENOTE.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | ONENOTE.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | ONENOTE.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | ONENOTE.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | ONENOTE.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | ONENOTE.EXE

Script User-Agent (1 IoC)
Uses a user-agent string associated with a script host/environment.
description | flow | ioc
HTTP User-Agent header | 47 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | process
1204 | ONENOTE.EXE (2 hits)

Suspicious behavior: EnumeratesProcesses (9 IoCs)
pid | process
1204 | ONENOTE.EXE (3 hits)
1260 | regsvr32.exe (2 hits)
1472 | regsvr32.exe (4 hits)

Suspicious use of SetWindowsHookEx (14 IoCs)
pid | process
1204 | ONENOTE.EXE (14 hits)

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | process | target process
PID 1204 wrote to memory of 4068 | 1204 | ONENOTE.EXE | WScript.exe (2 hits)
PID 4068 wrote to memory of 1260 | 4068 | WScript.exe | regsvr32.exe (2 hits)
PID 1260 wrote to memory of 1472 | 1260 | regsvr32.exe | regsvr32.exe (2 hits)
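The signatures above describe one chain: ONENOTE.EXE spawning WScript.exe on an exported .wsf, WScript.exe fetching over WinHTTP with a script-host user agent, regsvr32.exe loading a DLL from the user's Temp folder, and a Run key that re-launches the DLL through regsvr32. The following is an added example (not part of the sandbox report) that turns those four observations into detection logic and replays it over constructed Sysmon-style events built from the PIDs, paths and registry values listed in the report. The event field names (event, pid, ppid, image, parent_image, cmdline, key, data, user_agent) are this example's own, not Sysmon's schema, and the benign regsvr32 event at the end is constructed as a control.

```python
"""Replay of the behaviour chain in the signatures above as detection logic.

Added example, not part of the sandbox report. The events below are
constructed Sysmon-style records built from the PIDs, paths and values the
report lists; the field names are this example's own, not Sysmon's schema.
"""
import re

OFFICE_PARENTS = {"onenote.exe", "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
                "cmd.exe", "regsvr32.exe", "rundll32.exe"}
# OneNote exports attachments under %LOCALAPPDATA%\Temp\OneNote\...\Exported\
USER_TEMP = re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def check_process(ev):
    """Office app spawning a script host, or regsvr32 loading a DLL from user temp."""
    hits = []
    parent, child = basename(ev["parent_image"]), basename(ev["image"])
    if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
        hits.append(f"office_spawns_script_host: {parent} -> {child} (pid {ev['pid']})")
    if child == "regsvr32.exe" and USER_TEMP.search(ev["cmdline"]):
        hits.append(f"regsvr32_loads_dll_from_temp: pid {ev['pid']}")
    return hits


def check_registry(ev):
    """Run-key value whose data re-launches a DLL through regsvr32 (the qiTDw.dll entry)."""
    data = ev["data"].lower()
    if RUN_KEY.search(ev["key"]) and "regsvr32" in data and ".dll" in data:
        value_name = ev["key"].rsplit("\\", 1)[-1]
        return [f"run_key_regsvr32_dll: {value_name} -> {ev['data']}"]
    return []


def check_http(ev):
    """The WinHttp.WinHttpRequest UA that the 'Script User-Agent' signature keys on."""
    if "WinHttp.WinHttpRequest" in ev["user_agent"]:
        return [f"script_user_agent: pid {ev['pid']} sent '{ev['user_agent']}'"]
    return []


HANDLERS = {"process_create": check_process,
            "registry_set": check_registry,
            "http_request": check_http}


def run_detections(events):
    hits = []
    for ev in events:
        hits.extend(HANDLERS[ev["event"]](ev))
    return hits


# Constructed events modelled on the report (PIDs, paths and values taken from it).
SAMPLE_EVENTS = [
    {"event": "process_create", "pid": 4068, "ppid": 1204,
     "image": r"C:\Windows\System32\WScript.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\{4BB2FB6E-0E13-479F-A105-30F753A55D22}\NT\0\click.wsf"'},
    {"event": "http_request", "pid": 4068,
     "user_agent": "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"},
    {"event": "process_create", "pid": 1260, "ppid": 4068,
     "image": r"C:\Windows\System32\regsvr32.exe",
     "parent_image": r"C:\Windows\System32\WScript.exe",
     "cmdline": r'"C:\Windows\System32\regsvr32.exe" "C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\{4BB2FB6E-0E13-479F-A105-30F753A55D22}\NT\0\rad32B54.tmp.dll"'},
    {"event": "registry_set", "pid": 1472,
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qiTDw.dll",
     "data": r'C:\Windows\system32\regsvr32.exe "C:\Windows\system32\OuoARPMNlAejHitpH\qiTDw.dll"'},
    # Benign control (constructed): regsvr32 registering a vendor DLL from Program Files.
    {"event": "process_create", "pid": 5000, "ppid": 900,
     "image": r"C:\Windows\System32\regsvr32.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'},
]

if __name__ == "__main__":
    for hit in run_detections(SAMPLE_EVENTS):
        print(hit)
```

Run stand-alone it prints four findings, one per malicious event, and nothing for the benign regsvr32 control. The regsvr32 rule deliberately keys on the DLL path rather than the parent, because the second regsvr32 (PID 1472) is launched by the first one with a path under System32, so a parent-only rule would miss the persistence stage; that stage is caught instead by the Run-key rule.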
Processes

C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE (PID 1204)
  command line: "C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE" "C:\Users\Admin\AppData\Local\Temp\n_277947747244.one"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\WScript.exe (PID 4068, child of 1204)
    command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\{4BB2FB6E-0E13-479F-A105-30F753A55D22}\NT\0\click.wsf"
    - Process spawned unexpected child process
    - Blocklisted process makes network request
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\regsvr32.exe (PID 1260, child of 4068)
      command line: "C:\Windows\System32\regsvr32.exe" "C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\{4BB2FB6E-0E13-479F-A105-30F753A55D22}\NT\0\rad32B54.tmp.dll"
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\regsvr32.exe (PID 1472, child of 1260)
        command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\OuoARPMNlAejHitpH\qiTDw.dll"
        - Loads dropped DLL
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\WerFault.exe
  command line: C:\Windows\system32\WerFault.exe -pss -s 480 -p 3444 -ip 3444

C:\Windows\system32\WerFault.exe (PID 3220)
  command line: C:\Windows\system32\WerFault.exe -u -p 3444 -s 1980
  - Program crash

(PIDs are taken from the signature tables above. The crashed process, PID 3444, does not appear in the tree.)
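The tree shows OneNote writing the attachments it carries (click.wsf and rad32B54.tmp.dll) to %LOCALAPPDATA%\Temp\OneNote\16.0\Exported\ before WScript.exe and regsvr32.exe run them. The same payloads can be pulled out of the .one file statically, without opening it in OneNote, because attachments sit in the section as FileDataStoreObject structures. The following is an added example (not part of the sandbox report and not the real n_277947747244.one): it scans a section for the header GUID, reads each payload by its declared length, and reports a rough content type and SHA256. The GUID constants are the ones MS-ONESTORE defines for the .one file header and the FileDataStoreObject header and footer; the section it scans is constructed in-line with a fake .wsf and an MZ stub, and the sniff() heuristic is this example's own.

```python
"""Carve embedded attachments out of a OneNote section (.one) file.

Added example, not part of the sandbox report. OneNote stores attachments
as FileDataStoreObject structures (MS-ONESTORE): 16-byte header GUID,
8-byte little-endian length, 4 unused bytes, 8 reserved bytes, the raw
file bytes, then a 16-byte footer GUID. The section below is constructed
in-line so the script runs offline.
"""
import hashlib
import struct
import uuid

ONE_FILE_MAGIC = uuid.UUID("{7B5C52E4-D88C-4DA7-AEB1-5378D02996D3}").bytes_le  # .one guidFileType
FDSO_HEADER = uuid.UUID("{BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}").bytes_le     # FileDataStoreObject.guidHeader
FDSO_FOOTER = uuid.UUID("{71FBA722-0F79-4A0B-BB13-899256426B24}").bytes_le     # FileDataStoreObject.guidFooter
FDSO_HDR_LEN = 16 + 8 + 4 + 8  # guidHeader + cbLength + unused + reserved


def is_one_section(data):
    return data[:16] == ONE_FILE_MAGIC


def sniff(payload):
    """Rough content-type guess (example's own heuristic); the tree above shows a .wsf and a DLL."""
    if payload[:2] == b"MZ":
        return "PE (MZ)"
    if payload[:8] == b"\x89PNG\r\n\x1a\n":
        return "PNG"
    if payload[:2] == b"\xff\xd8":
        return "JPEG"
    head = payload[:512].lower()
    if b"<job" in head or b"<script" in head:
        return "script (WSF/HTA)"
    return "unknown"


def carve(section):
    """Return every FileDataStoreObject payload found in the section, in file order."""
    found = []
    pos = section.find(FDSO_HEADER)
    while pos != -1 and pos + FDSO_HDR_LEN <= len(section):
        (length,) = struct.unpack_from("<Q", section, pos + 16)
        start, end = pos + FDSO_HDR_LEN, pos + FDSO_HDR_LEN + length
        if end > len(section):
            break  # truncated or corrupt object: stop rather than read past the buffer
        payload = section[start:end]
        # The footer follows the data, possibly after up to 7 alignment bytes.
        footer_ok = section.find(FDSO_FOOTER, end, end + 8 + 16) != -1
        found.append({"offset": pos, "size": length, "type": sniff(payload),
                      "sha256": hashlib.sha256(payload).hexdigest(),
                      "footer_ok": footer_ok, "data": payload})
        pos = section.find(FDSO_HEADER, end)
    return found


# --- constructed sample section (not the real n_277947747244.one) ---
def build_object(payload):
    hdr = FDSO_HEADER + struct.pack("<Q", len(payload)) + b"\x00" * 4 + b"\x00" * 8
    pad = b"\x00" * (-len(payload) % 8)
    return hdr + payload + pad + FDSO_FOOTER


SAMPLE_WSF = b'<job id="x"><script language="JScript">WScript.Echo("constructed");</script></job>'
SAMPLE_DLL = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 60  # MZ/PE stub, not a real DLL
SAMPLE_SECTION = (ONE_FILE_MAGIC + b"\x00" * 40
                  + build_object(SAMPLE_WSF) + b"\x00" * 13
                  + build_object(SAMPLE_DLL) + b"trailer")

if __name__ == "__main__":
    print("is .one section:", is_one_section(SAMPLE_SECTION))
    for obj in carve(SAMPLE_SECTION):
        print(f"offset=0x{obj['offset']:x} size={obj['size']} type={obj['type']} "
              f"footer_ok={obj['footer_ok']} sha256={obj['sha256'][:16]}...")
```

Against a real section, read the file into bytes and pass it to carve(); compare the SHA256 of each payload with the hashes in the Downloads section to confirm which embedded object became click.wsf and which became rad32B54.tmp.dll. The length check before slicing matters on real samples: a corrupted or deliberately oversized cbLength would otherwise make the carver swallow the rest of the file as one object.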
Downloads

C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BL.bin
Filesize: 61KB
MD5: 45282862aeb428ffb5d4986704a8f4d5
SHA1: fa2b0a82f3ca6bc7c00704556c9494b303613972
SHA256: af0c7d355bb6a495d038fd05217209054107d31aa6199c491b74ae3d24b11c7e
SHA512: db6457af502f45665ce4cc6573c5746607d8ffc661f0dcb224beceed93886f6c6194561cacc0efa543f0b2f62db976742f42c6c8102c5b11b65329757110b1db

C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BM.bin
Filesize: 48KB
MD5: b7fc313714edd7866f4c76527282c2b5
SHA1: c86217b46956933fae4a30483a63b33f34b8c503
SHA256: b6d25f5eb52d5c24ef6c325bd25f18e413f3e23d20413a3693749275ba4b192c
SHA512: 038a73b7a69dd976c964f1538f5b4f7c6c64721e4f2f1a831815598faae84cac53305c03f5cea6e66acdc110a9a5117eee191345ea004b9576c752122f8d88f7

C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BN.bin
Filesize: 567B
MD5: d055ce625528e448c61315eaaef5bb71
SHA1: 029df4c872b1c154f32e7fe94f434547c3ba6192
SHA256: 85bf1e672b4e86e9af0c7874681ec9620dfdc78e0335b83eef38c17d813b6705
SHA512: 705b6b729e967fa946469571109aa892f5cb55a01c74d40ae02140d10cbf9b65dd5e511c06ebfe494e407742f8c6f4fbbe88664b78b37abfb2f19db1f66f4247

C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\{4BB2FB6E-0E13-479F-A105-30F753A55D22}\NT\0\click.wsf
Filesize: 61KB (hashes identical to 000000BL.bin above)
MD5: 45282862aeb428ffb5d4986704a8f4d5
SHA1: fa2b0a82f3ca6bc7c00704556c9494b303613972
SHA256: af0c7d355bb6a495d038fd05217209054107d31aa6199c491b74ae3d24b11c7e
SHA512: db6457af502f45665ce4cc6573c5746607d8ffc661f0dcb224beceed93886f6c6194561cacc0efa543f0b2f62db976742f42c6c8102c5b11b65329757110b1db

C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\{4BB2FB6E-0E13-479F-A105-30F753A55D22}\NT\0\click.wsf
Filesize: 9B (second entry for the same path with different content; hashes identical to the {1221091C-...}.bin file below)
MD5: 07f5a0cffd9b2616ea44fb90ccc04480
SHA1: 641b12c5ffa1a31bc367390e34d441a9ce1958ee
SHA256: a0430a038e7d879375c9ca5bf94cb440a3b9a002712118a7bccc1ff82f1ea896
SHA512: 09e7488c138dead45343a79ad0cb37036c5444606cdfd8aa859ee70227a96964376a17f07e03d0fc353708ca9aaf979abf8bc917e6c2d005a0052575e074f531

C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\{4BB2FB6E-0E13-479F-A105-30F753A55D22}\NT\0\rad32B54.tmp.dll
Filesize: 300KB (listed twice in the report with identical hashes; same hashes as qiTDw.dll below)
MD5: 27c6e6bc4b46148fb4dcc6a6a9346914
SHA1: 065d7e71a66ef077b07ea28d7e26b07ea5a26c86
SHA256: aa57889a91be96c5b5cae185792f5ad76eb5248abb66344a740266a1c297cfd7
SHA512: 3b50da2b20c50c07d9ad916623ee9da5455f2724567a171943959226dee18bc359de10f0638a34b50c51ba7e539f4845167f52b9f083966dd8a3f3a3454bba26

C:\Users\Admin\AppData\Local\Temp\{1221091C-0F43-44D2-9386-4DDAA981C59C}.bin
Filesize: 9B
MD5: 07f5a0cffd9b2616ea44fb90ccc04480
SHA1: 641b12c5ffa1a31bc367390e34d441a9ce1958ee
SHA256: a0430a038e7d879375c9ca5bf94cb440a3b9a002712118a7bccc1ff82f1ea896
SHA512: 09e7488c138dead45343a79ad0cb37036c5444606cdfd8aa859ee70227a96964376a17f07e03d0fc353708ca9aaf979abf8bc917e6c2d005a0052575e074f531

C:\Windows\System32\OuoARPMNlAejHitpH\qiTDw.dll
Filesize: 300KB (same hashes as rad32B54.tmp.dll: the exported DLL copied into the persistence directory)
MD5: 27c6e6bc4b46148fb4dcc6a6a9346914
SHA1: 065d7e71a66ef077b07ea28d7e26b07ea5a26c86
SHA256: aa57889a91be96c5b5cae185792f5ad76eb5248abb66344a740266a1c297cfd7
SHA512: 3b50da2b20c50c07d9ad916623ee9da5455f2724567a171943959226dee18bc359de10f0638a34b50c51ba7e539f4845167f52b9f083966dd8a3f3a3454bba26

Memory dumps
memory/1204-139-0x00007FFAE71F0000-0x00007FFAE7200000-memory.dmp: 64KB
memory/1204-138-0x00007FFAE71F0000-0x00007FFAE7200000-memory.dmp: 64KB
memory/1204-137-0x00007FFAE9A50000-0x00007FFAE9A60000-memory.dmp: 64KB
memory/1204-136-0x00007FFAE9A50000-0x00007FFAE9A60000-memory.dmp: 64KB
memory/1204-135-0x00007FFAE9A50000-0x00007FFAE9A60000-memory.dmp: 64KB
memory/1204-133-0x00007FFAE9A50000-0x00007FFAE9A60000-memory.dmp: 64KB
memory/1204-134-0x00007FFAE9A50000-0x00007FFAE9A60000-memory.dmp: 64KB
memory/1260-191-0x0000000000B30000-0x0000000000B5C000-memory.dmp: 176KB
memory/1260-194-0x0000000000970000-0x0000000000971000-memory.dmp: 4KB