9539d9ebc8466ea530065a098da8c32de4f34e2f16fd5d81faf284e706107cff

Analysis

max time kernel
147s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
16/03/2023, 06:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2623024aba1ee994dcb82e937a8beb59abbebf51b6aa4cde8434bb56458b47da.one
Size

123KB
MD5

1691d647ecc17d6b41c49a1303a0832c
SHA1

979670e264f7585a31362cf6e79d4187f18c95b1
SHA256

2623024aba1ee994dcb82e937a8beb59abbebf51b6aa4cde8434bb56458b47da
SHA512

d26ce32e57927f5e7c790d0cecb5149bf6c8dd2f0a7553edced9ca2e6224276296d5b932b3f400b5feac15f12b4c40405f6ed208c5676f6369bcaacf33e03d11
SSDEEP

1536:Dpjjjjjjjjjjjjjjjjjjjjjjjjjjjjjx15EjjjjjjCbjgmHjRqnUK1Gpljjjjjjm:DrZfHvnOvxy8XQD+

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
644	ONENOTE.EXE
644	ONENOTE.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
644	ONENOTE.EXE
644	ONENOTE.EXE

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
644	ONENOTE.EXE
644	ONENOTE.EXE
644	ONENOTE.EXE
644	ONENOTE.EXE
644	ONENOTE.EXE
644	ONENOTE.EXE
644	ONENOTE.EXE
644	ONENOTE.EXE
644	ONENOTE.EXE
644	ONENOTE.EXE
644	ONENOTE.EXE
644	ONENOTE.EXE
644	ONENOTE.EXE
644	ONENOTE.EXE

C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE
"C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE" "C:\Users\Admin\AppData\Local\Temp\2623024aba1ee994dcb82e937a8beb59abbebf51b6aa4cde8434bb56458b47da.one"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:644

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BM.bin

Filesize
662B

MD5
81fd12c4ba87adca9e5e6622bb4db599

SHA1
38dded7746ce406ca3b64426b7a3d07df73e2181

SHA256
56c591684163edf300e404a3cb32cb40852b13504b9a8d65e1a80e8bdf286925

SHA512
7f6cdee191c351a258d8a100777a358ebb0640f1b8ad620353e8d44b3ccab50766bec24823060c083bec2dded86da02e75d23a69fb938c9af1514dea55bd999b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{18ACCA38-65A3-4F3A-B4DA-C0BCDB74E374}

Filesize
50KB

MD5
f127c89687de91b2b242e3a5a73c39d4

SHA1
3e6a2f15b17c26bea011fbd2929eefceee0ebaa9

SHA256
ccc85cc1ca05665e6777330c5188031d212166e8e2199924a7ce6b3952ece1bf

SHA512
5534e00cf45b2f073b97f41ca6861729426457cb6b4ecfa23dd7728169fb1d48b00b2f0c9be2c9f4491114844e1760f4affadd1c21f7aeb5eeb3e763d8c40520

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A6B12EA3-D775-40A2-AAEE-CA5173BF8C1A}

Filesize
381B

MD5
f6fc09e4cfb121172bc5428849ca110a

SHA1
3b359108d0026e86be3823ad364fcc286edd02f4

SHA256
ba9279b9e8217cdd2e03574c49ece4951cccef0a8f42d772fb5396998f54eaee

SHA512
ddb404faa2421a40051706381d658573b28c1f8b4660baa9e733ce729b267429cb9a90d8b532322ae4e806a58a95eec73bab0322f5e357d2165ce1e4db989885

Download Submit
memory/644-133-0x00007FF84F990000-0x00007FF84F9A0000-memory.dmp

Filesize
64KB

Download
memory/644-134-0x00007FF84F990000-0x00007FF84F9A0000-memory.dmp

Filesize
64KB

Download
memory/644-135-0x00007FF84F990000-0x00007FF84F9A0000-memory.dmp

Filesize
64KB

Download
memory/644-136-0x00007FF84F990000-0x00007FF84F9A0000-memory.dmp

Filesize
64KB

Download
memory/644-137-0x00007FF84F990000-0x00007FF84F9A0000-memory.dmp

Filesize
64KB

Download
memory/644-138-0x00007FF84D5C0000-0x00007FF84D5D0000-memory.dmp

Filesize
64KB

Download
memory/644-139-0x00007FF84D5C0000-0x00007FF84D5D0000-memory.dmp

Filesize
64KB

Download