88b0df77fd1b775c3e069c2b22fd3e3c61f31e0c0792a939f89ff72b9d2b3f85

Resubmissions

19-03-2023 10:48

230319-mwcnraga54 10

19-03-2023 10:03

230319-l3pffsfh76 4

Analysis

max time kernel
146s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
19-03-2023 10:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ab79bee-2569-4172-a936-9bbdff78a6d0.one
Size

130KB
MD5

46834650761c4b600e7f03160f3409b6
SHA1

2732fa105dc7e6b8edd2ec6fef01fb2905ef4dfa
SHA256

88b0df77fd1b775c3e069c2b22fd3e3c61f31e0c0792a939f89ff72b9d2b3f85
SHA512

0eeeb34796fcae5a0954fefa0fc432e05808612718eccb546fe22429f5846da0f5fc6dedb5170347528d389594c25e16dd1394c75a99cd1227a6982b2e33bfbf
SSDEEP

3072:PrfWMINYf3K19kzCnEEQvSMVnte8ZP1Y6J0cTgGn:d6nInM8TXJ5n

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

ONENOTE.EXE

pid process

3736 ONENOTE.EXE
3736 ONENOTE.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

ONENOTE.EXE

pid process

3736 ONENOTE.EXE
3736 ONENOTE.EXE

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

ONENOTE.EXE

pid	process
3736	ONENOTE.EXE
3736	ONENOTE.EXE
3736	ONENOTE.EXE
3736	ONENOTE.EXE
3736	ONENOTE.EXE
3736	ONENOTE.EXE
3736	ONENOTE.EXE
3736	ONENOTE.EXE
3736	ONENOTE.EXE
3736	ONENOTE.EXE
3736	ONENOTE.EXE
3736	ONENOTE.EXE
3736	ONENOTE.EXE
3736	ONENOTE.EXE

C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE
"C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE" "C:\Users\Admin\AppData\Local\Temp\2ab79bee-2569-4172-a936-9bbdff78a6d0.one"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3736

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BL.bin
Filesize
61KB

MD5
45282862aeb428ffb5d4986704a8f4d5

SHA1
fa2b0a82f3ca6bc7c00704556c9494b303613972

SHA256
af0c7d355bb6a495d038fd05217209054107d31aa6199c491b74ae3d24b11c7e

SHA512
db6457af502f45665ce4cc6573c5746607d8ffc661f0dcb224beceed93886f6c6194561cacc0efa543f0b2f62db976742f42c6c8102c5b11b65329757110b1db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BM.bin
Filesize
48KB

MD5
b7fc313714edd7866f4c76527282c2b5

SHA1
c86217b46956933fae4a30483a63b33f34b8c503

SHA256
b6d25f5eb52d5c24ef6c325bd25f18e413f3e23d20413a3693749275ba4b192c

SHA512
038a73b7a69dd976c964f1538f5b4f7c6c64721e4f2f1a831815598faae84cac53305c03f5cea6e66acdc110a9a5117eee191345ea004b9576c752122f8d88f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BN.bin
Filesize
567B

MD5
d055ce625528e448c61315eaaef5bb71

SHA1
029df4c872b1c154f32e7fe94f434547c3ba6192

SHA256
85bf1e672b4e86e9af0c7874681ec9620dfdc78e0335b83eef38c17d813b6705

SHA512
705b6b729e967fa946469571109aa892f5cb55a01c74d40ae02140d10cbf9b65dd5e511c06ebfe494e407742f8c6f4fbbe88664b78b37abfb2f19db1f66f4247

Download Submit
memory/3736-133-0x00007FF90E8D0000-0x00007FF90E8E0000-memory.dmp

Filesize
64KB

Download
memory/3736-134-0x00007FF90E8D0000-0x00007FF90E8E0000-memory.dmp

Filesize
64KB

Download
memory/3736-135-0x00007FF90E8D0000-0x00007FF90E8E0000-memory.dmp

Filesize
64KB

Download
memory/3736-136-0x00007FF90E8D0000-0x00007FF90E8E0000-memory.dmp

Filesize
64KB

Download
memory/3736-137-0x00007FF90E8D0000-0x00007FF90E8E0000-memory.dmp

Filesize
64KB

Download
memory/3736-138-0x00007FF90C150000-0x00007FF90C160000-memory.dmp

Filesize
64KB

Download
memory/3736-139-0x00007FF90C150000-0x00007FF90C160000-memory.dmp

Filesize
64KB

Download