bf8c7c35cb5b8f47ad7fe7e89322960e105efa754360953ca854925a6b914092

Resubmissions

20/03/2023, 10:38

230320-mphanada32 4

20/03/2023, 10:35

230320-mmszdafa2x 1

08/02/2023, 12:12

230208-pddt7sab3y 10

02/02/2023, 19:16

230202-xytp6ahh4w 1

Analysis

max time kernel
146s
max time network
130s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
20/03/2023, 10:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Legal Notice.one
Size

639KB
MD5

089299c68133a02272f7a05a66688c17
SHA1

3f458042e06bb5c9422d5950478003d058d3facc
SHA256

bf8c7c35cb5b8f47ad7fe7e89322960e105efa754360953ca854925a6b914092
SHA512

e9f9c1b9b4f6e53f2a8d456180573f28740eee114846e943fd4d9958dd69f6a1db68f9db2878e3e4f823d24b33edf6b619cdffc9064c6ffc114190e654a2ca5c
SSDEEP

6144:BN1HPGSx/IRbNPYCVa/68JDjUFQ5uB3c0U9lQcUgAyap70nGWOFX0YdXb9pYzjHc:4P

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3232	ONENOTE.EXE
3232	ONENOTE.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3232	ONENOTE.EXE
3232	ONENOTE.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
3232	ONENOTE.EXE
3232	ONENOTE.EXE
3232	ONENOTE.EXE
3232	ONENOTE.EXE
3232	ONENOTE.EXE
3232	ONENOTE.EXE
3232	ONENOTE.EXE
3232	ONENOTE.EXE
3232	ONENOTE.EXE
3232	ONENOTE.EXE
3232	ONENOTE.EXE
3232	ONENOTE.EXE
3232	ONENOTE.EXE
3232	ONENOTE.EXE
3232	ONENOTE.EXE
3232	ONENOTE.EXE

C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE
"C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE" "C:\Users\Admin\AppData\Local\Temp\Legal Notice.one"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3232

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BL.bin

Filesize
1KB

MD5
09cdda009a19de19700290d12773af42

SHA1
67e2e2051d1783f52dbf8d1f15f004f464449503

SHA256
255c6d8a5163b9623fb72cef588acdb203c7bd131ca5df764dffbbc0d0377be7

SHA512
869ca1c8e00659ec39bb72e0508e530b5d0be26cc6da95bad9465445985bf236a960760730f81544a047f192b32a145e35cca5f322a990e91131d7520213fc8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BM.bin

Filesize
2KB

MD5
ef7f9739337bc657cd0a63e32e27d0a1

SHA1
bf67555a7272f24ceb57b1c49e4cf37dc17b246f

SHA256
a517abf69af75cef34cc2db14981ea42b2ef4424c140e37363f80badb2353c6c

SHA512
e3d0a14ac1b9165e75e619aa6f76058a4c799bb722abaeafac977c35f31ab10ad8c8a51c7f3828bb896cbf339f971974a4fb26421ba6aea52530ac84b7785ada

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BS.bin

Filesize
5KB

MD5
0229d876e9208270eceaa3a65accbdde

SHA1
7e877897ffa6361398de4ce4cfa7967706df2654

SHA256
724b2585435f79a64a431a5917062a6413a50b3eb125f1e301082fd5d2c74bbe

SHA512
b5b3167e55103cb261505b6054cbfd2839931b2249710597a30387e3cacedceca4c6d2e49f1312b481585e6926f43371a2a695ab23fe96ce821e6b64b131a1ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000CG.bin

Filesize
25KB

MD5
39f3c510f46d605202844e35c07db84b

SHA1
8fb4f21a601abf2a3bd76a299e57d41086b186cd

SHA256
e501319e9297fb68c79bdc32bada702d6f38f14ae3cd66e915be0aca98a83c82

SHA512
99634147bc20bd8282a9237d1320bb36aa70f7428e783aea339ec165eff2fd4523b5c6aa932653f917be52553586d393f52f0f977d8ccda0dcdd176800d08739

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000CH.bin

Filesize
239B

MD5
088833d5a4fdcd105a34657922326f76

SHA1
2a85eaa5121e27d6aa8f9d0c9d4c50620126d04a

SHA256
f3148b2cf70d225a76261e270e734f55d484d9ecf00b2dbd052d52fe40bd636c

SHA512
b988c05cb0192ef03603d002aeaa790016768039ed3177932e5cb2bbad988e6ebd83b2db9d4a2f0761fdffa49ee28c8dd4494cea77dfac1bfb58dc1dadfdef91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000DE.bin

Filesize
327B

MD5
9cc9eb32f6ed4a3cef2e62e258895f95

SHA1
a63afe909216236bfeecf218451ae7c873569ede

SHA256
6aba4057f21ee84df8dadb61c5060624ca06311b6268a93d41766bc7e26b4789

SHA512
4511173be3321ca3a72d0b83b3044ef02cd4a8a2ab5c9ad910672bee03e0c8442d6b20de414da31504ec08e185a13e343a1ad09c671cf23e1d20d2781d1e45d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\{FE63DCED-833B-4CAE-A06F-DD875B14E0C4}

Filesize
2KB

MD5
558da264c83bfe58c1fc56171c90c093

SHA1
5e7216bb407cb7e0aa5a932ceefbd27986df6e08

SHA256
7b96da9c88b9ad7a56fdc220c0a68a196f8ce46e2247cd1c6cc26d6a4f12f870

SHA512
9fa73444caf3cfadcbd5edf8b55a733d6dd114d50f26759f1d882379a83f1d1015bb7e4e183b7e8e7b03a35610d91415846978131855968f7fc7db14eed21d98

Download Submit
memory/3232-123-0x00007FF882940000-0x00007FF882950000-memory.dmp

Filesize
64KB

Download
memory/3232-124-0x00007FF882940000-0x00007FF882950000-memory.dmp

Filesize
64KB

Download
memory/3232-120-0x00007FF8861F0000-0x00007FF886200000-memory.dmp

Filesize
64KB

Download
memory/3232-119-0x00007FF8861F0000-0x00007FF886200000-memory.dmp

Filesize
64KB

Download
memory/3232-118-0x00007FF8861F0000-0x00007FF886200000-memory.dmp

Filesize
64KB

Download
memory/3232-117-0x00007FF8861F0000-0x00007FF886200000-memory.dmp

Filesize
64KB

Download