Analysis
  max time kernel: 150s
  max time network: 144s
  platform: windows10-2004_x64
  resource: win10v2004-20230220-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 23-03-2023 02:20
Static task: static1
Behavioral task: behavioral1
  Sample: INVOICE00000096752 for Hanwha.one
  Resource: win7-20230220-en
General
  Target: INVOICE00000096752 for Hanwha.one
  Size: 256KB
  MD5: 2344e967810c8b202d6bd998a9911083
  SHA1: 1bfd3ac34cf8723ebadedd95edadd2d13cbb4b29
  SHA256: 82bf467d5e1f222873695ad23ef1acc82326894eb166f5dd26842e3e12d867cc
  SHA512: 2925e66e14212b15df02da1104c309dabcdb53b77746081b14cc0defa2f6d5b35f9a6b6f5da15a752353fcb054c1a54f43fa92a2cfb0d16bf0f46d24a1d68b3d
  SSDEEP: 3072:/mUzUfxJ3mY2IsGllOb3HPWaBt5eHrBwsAzUfxJ3mY2IsGllOb3HPWaBtR:SXm5ZGa3v5eHrBwszXm5ZGa3vR
Malware Config
  Extracted: emotet
  Epoch4
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  description                                                                                                 pid   pid_target  process      target process
  Parent C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE is not expected to spawn this process  4988  1484        WScript.exe  ONENOTE.EXE

Blocklisted process makes network request (4 IoCs)
Processes:
  flow  pid  process
  84    800  wscript.exe
  86    800  wscript.exe
  89    800  wscript.exe
  91    800  wscript.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  description        ioc                                                                                                  process
  Key value queried  \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation  WScript.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation  wscript.exe

Loads dropped DLL (2 IoCs)
Processes:
  pid   process
  1928  regsvr32.exe
  1532  regsvr32.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description        ioc                                                                                  process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                     ONENOTE.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                ONENOTE.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString ONENOTE.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
  description        ioc                                                          process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  ONENOTE.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     ONENOTE.EXE
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS               ONENOTE.EXE

Script User-Agent (3 IoCs)
Uses user-agent string associated with script host/environment.
Processes:
  description             flow  ioc
  HTTP User-Agent header  84    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header  89    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header  91    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes:
  pid   process
  1484  ONENOTE.EXE
  1484  ONENOTE.EXE

Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes:
  pid   process
  1484  ONENOTE.EXE
  1484  ONENOTE.EXE
  1928  regsvr32.exe
  1928  regsvr32.exe
  1532  regsvr32.exe
  1532  regsvr32.exe
  1532  regsvr32.exe
  1532  regsvr32.exe

Suspicious use of SetWindowsHookEx (15 IoCs)
Processes:
  pid   process
  1484  ONENOTE.EXE
  1484  ONENOTE.EXE
  1484  ONENOTE.EXE
  1484  ONENOTE.EXE
  1484  ONENOTE.EXE
  1484  ONENOTE.EXE
  1484  ONENOTE.EXE
  1484  ONENOTE.EXE
  1484  ONENOTE.EXE
  1484  ONENOTE.EXE
  1484  ONENOTE.EXE
  1484  ONENOTE.EXE
  1484  ONENOTE.EXE
  1484  ONENOTE.EXE
  1484  ONENOTE.EXE

Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
  description                       pid   process       target process
  PID 1484 wrote to memory of 4988  1484  ONENOTE.EXE   WScript.exe
  PID 1484 wrote to memory of 4988  1484  ONENOTE.EXE   WScript.exe
  PID 4988 wrote to memory of 800   4988  WScript.exe   wscript.exe
  PID 4988 wrote to memory of 800   4988  WScript.exe   wscript.exe
  PID 800 wrote to memory of 1928   800   wscript.exe   regsvr32.exe
  PID 800 wrote to memory of 1928   800   wscript.exe   regsvr32.exe
  PID 1928 wrote to memory of 1532  1928  regsvr32.exe  regsvr32.exe
  PID 1928 wrote to memory of 1532  1928  regsvr32.exe  regsvr32.exe
Processes (process tree, indented by depth)

1. C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE
   Command line: "C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE" "C:\Users\Admin\AppData\Local\Temp\INVOICE00000096752 for Hanwha.one"
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\{BB494AD2-0732-4630-B9CB-D0F60DB5EEBB}\NT\0\press to unblock document.vbs"
      - Process spawned unexpected child process
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\System32\wscript.exe
         Command line: "C:\Windows\System32\wscript.exe" //E:vbscript C:\Users\Admin\AppData\Local\Temp\rad68BAF62DBdarrad86F0585C3dar.txt
         - Blocklisted process makes network request
         - Checks computer location settings
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\System32\regsvr32.exe
            Command line: "C:\Windows\System32\regsvr32.exe" "C:\Users\Admin\AppData\Local\Temp\rad481F8ECA9dar\jy56SDD2.dll"
            - Loads dropped DLL
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory

            5. C:\Windows\system32\regsvr32.exe
               Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\CxPAOAxN\iYJTsg.dll"
               - Loads dropped DLL
               - Suspicious behavior: EnumeratesProcesses
Downloads
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BL.bin
  Filesize: 89KB
  MD5: 7559f0ff4f7e58ed031fe0b4438f4c57
  SHA1: e2225573a8877c057319e10029fd85b0a51375a8
  SHA256: 73527befbcc1ec6716003fc875d578c40e3dfe619349ff288008bab33c90e5d2
  SHA512: 252d0a52c3b7bca5ea56a14c7ad1e27967b03e3dccfc3b8d79b8e1c474ed625937719af314e74f62583c708b45b937091e8fae7f1e40e56bf261d0f839f94e4a

C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BM.bin
  Filesize: 75KB
  MD5: f776dd0f1ae059fcf295ade6c5495080
  SHA1: ed270bfe2edb7e571ba4acf4b4088aa2a111e57e
  SHA256: 2130a3bc8050310a7474be0b17a4ea8584e2105cb17316cb463d732665745749
  SHA512: 2558ab6465af8a782ad02295744cd2d554d03c1ee7aa1689f13e3507a0cec4e73b9f86d1ec9aef346b831ab58758285a8ceda63dc0f834e1378dfa0504490f65

C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BN.bin
  Filesize: 567B
  MD5: d055ce625528e448c61315eaaef5bb71
  SHA1: 029df4c872b1c154f32e7fe94f434547c3ba6192
  SHA256: 85bf1e672b4e86e9af0c7874681ec9620dfdc78e0335b83eef38c17d813b6705
  SHA512: 705b6b729e967fa946469571109aa892f5cb55a01c74d40ae02140d10cbf9b65dd5e511c06ebfe494e407742f8c6f4fbbe88664b78b37abfb2f19db1f66f4247

C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\{BB494AD2-0732-4630-B9CB-D0F60DB5EEBB}\NT\0\press to unblock document.vbs
  Filesize: 89KB
  MD5: 7559f0ff4f7e58ed031fe0b4438f4c57
  SHA1: e2225573a8877c057319e10029fd85b0a51375a8
  SHA256: 73527befbcc1ec6716003fc875d578c40e3dfe619349ff288008bab33c90e5d2
  SHA512: 252d0a52c3b7bca5ea56a14c7ad1e27967b03e3dccfc3b8d79b8e1c474ed625937719af314e74f62583c708b45b937091e8fae7f1e40e56bf261d0f839f94e4a

C:\Users\Admin\AppData\Local\Temp\rad481F8ECA9dar\jy56SDD2.dll
  Filesize: 274.4MB
  MD5: f26de64a360acf19c61a826ebb388e9d
  SHA1: 1c324e985cdb16ecf1e138891b80965a0bf7734a
  SHA256: dafe58840942185f4e1038a84b5ba2caa0055e3f0519caaddfd81c5b4a09dec1
  SHA512: b7e15a0b100e367951207b9fe19d4d9747e8eecac697ae298e07133e3dc17edd27bb462a51eab4f32ce82b75ea2a4d55bc8ae7a767fea8d189e4637e77e62030

C:\Users\Admin\AppData\Local\Temp\rad481F8ECA9dar\jy56SDD2.dll
  Filesize: 337.7MB
  MD5: 4b10cbc0ac9c4c4339d3ad578bc2fbcc
  SHA1: 71aeace67d37e69436f194e77dee851523af471f
  SHA256: ff78e2a1aa08842f9d07a1604427a74ec9ca30fcee3163981f909674cc2c75b8
  SHA512: 06af9ebc1895af98a4a8b3239f239d01ae89e0accbd2e4e5fee10ac5ec5accd17cc97cbfd80a53ced850c19ceb4d1da9508a3e46603754a9e0bef7dc1e39a097

C:\Users\Admin\AppData\Local\Temp\rad68BAF62DBdarrad86F0585C3dar.txt
  Filesize: 61KB
  MD5: 958eb4fa0bfca295216cd6027977fcb8
  SHA1: 0bc88fb4229a73152b2c33750dd5b5be52fcf287
  SHA256: 9b32ca5d8a34ae2351bc68500fb6929468c42d0ddda53fba5676410beab6d498
  SHA512: 4e4e2d84ce82eaa222180e86a2feaa7fdb19108d227ca922c69d30e30ef1ed463c41d540c25f604edd04be86f8490ae8570d2b67a97e0f9f45d048954d32787f

C:\Users\Admin\AppData\Local\Temp\rad8EE2D.tmp.zip
  Filesize: 966KB
  MD5: 57168f6ddf67ddfe7b6cdc091d287822
  SHA1: 26332d19f263d39bfec79c71d49e544cf621b9c2
  SHA256: 060a8aa4f11d02a1f936b594b8a5af15cc93729119c5656ad14e42a846e7b629
  SHA512: bf9ccd1a85596d1871f85886038a13839cd342d4a1bb3a6f2b1909f0365e2cd6e493d44973abd48bf07f8fc44ed13a4ea880ec9680ddd40642f05356cfd4d964

C:\Windows\System32\CxPAOAxN\iYJTsg.dll
  Filesize: 285.8MB
  MD5: 1578503907fb262910bd32c7a9b09ea5
  SHA1: 108364e01437f5142264781d90f4027244748faf
  SHA256: cfa6cdfdec5b47a77c9d92c258989884086992348b5e7687b2de66f00ffc0f98
  SHA512: 520e560561b6bbe8e8ed2b6eb1997b110ebf193d0a64de98174942c83544a27d64c9eb77204fd13893b459f6b831caead6e015a73dd3cf73dae74dcb13ba30fb

memory/1484-139-0x00007FFF7B470000-0x00007FFF7B480000-memory.dmp
  Filesize: 64KB

memory/1484-138-0x00007FFF7B470000-0x00007FFF7B480000-memory.dmp
  Filesize: 64KB

memory/1484-137-0x00007FFF7D890000-0x00007FFF7D8A0000-memory.dmp
  Filesize: 64KB

memory/1484-136-0x00007FFF7D890000-0x00007FFF7D8A0000-memory.dmp
  Filesize: 64KB

memory/1484-133-0x00007FFF7D890000-0x00007FFF7D8A0000-memory.dmp
  Filesize: 64KB

memory/1484-135-0x00007FFF7D890000-0x00007FFF7D8A0000-memory.dmp
  Filesize: 64KB

memory/1484-134-0x00007FFF7D890000-0x00007FFF7D8A0000-memory.dmp
  Filesize: 64KB

memory/1928-234-0x0000000002A80000-0x0000000002ADA000-memory.dmp
  Filesize: 360KB

memory/1928-238-0x00000000029F0000-0x00000000029F1000-memory.dmp
  Filesize: 4KB