Analysis
- max time kernel: 149s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-03-2023 12:33

Static task: static1
Behavioral task: behavioral1
Sample: 3.one
Resource: win7-20230220-en
General
- Target: 3.one
- Size: 262KB
- MD5: 4d7bc3b850efbc82f308c643baaeaeef
- SHA1: 75331af62f293024148bf13166a167c5b7625634
- SHA256: 6d6ea415b2fb071f362beba3a14de4afed9378d3e9e73380cac956f9541e1057
- SHA512: 1b68387ff3aa92b91192c7b5de9d8c2de819e6426859f1d554a13ea8e332ef0ac957f4870988af76e57f9629d91418b53cd84b3e3600f760bdb3e6caa288b785
- SSDEEP: 3072:kNjcvQx377FjDDRX4UzUfxJ3mY2IsGllOb3HPWaBtOzUfxJ3mY2IsGllOb3HPWa7:kmvQp1DRXKXm5ZGa3vRXm5ZGa3vuVw
Malware Config
Extracted
Family: emotet
Botnet: Epoch4
C2:
213.239.212.5:443
129.232.188.93:443
103.43.75.120:443
197.242.150.244:8080
1.234.2.232:8080
110.232.117.186:8080
95.217.221.146:8080
159.89.202.34:443
159.65.88.10:8080
82.223.21.224:8080
169.57.156.166:8080
45.176.232.124:443
45.235.8.30:8080
173.212.193.249:8080
107.170.39.149:8080
119.59.103.152:8080
167.172.199.165:8080
91.207.28.33:8080
185.4.135.165:8080
104.168.155.143:8080
206.189.28.199:8080
79.137.35.198:8080
103.132.242.26:8080
202.129.205.3:8080
103.75.201.2:443
149.56.131.28:8080
5.135.159.50:443
172.105.226.75:8080
201.94.166.162:443
115.68.227.76:8080
164.90.222.65:443
186.194.240.217:443
153.126.146.25:7080
187.63.160.88:80
209.126.85.32:8080
72.15.201.15:8080
153.92.5.27:8080
167.172.253.162:8080
147.139.166.154:8080
163.44.196.120:8080
183.111.227.137:8080
139.59.126.41:443
164.68.99.3:8080
188.44.20.25:443
94.23.45.86:4143
Signatures
-
Process spawned unexpected child process (1 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  description: Parent C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE is not expected to spawn this process
  pid: 4264 (WScript.exe)
  pid_target: 4756 (ONENOTE.EXE)
-
Blocklisted process makes network request (1 IoCs)
Processes:
  flow 63, pid 1224, wscript.exe
-
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  Key value queried \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation (WScript.exe)
  Key value queried \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation (wscript.exe)
-
Loads dropped DLL (2 IoCs)
Processes:
  pid 116, regsvr32.exe
  pid 3944, regsvr32.exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (ONENOTE.EXE)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (ONENOTE.EXE)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (ONENOTE.EXE)
-
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
  Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS (ONENOTE.EXE)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (ONENOTE.EXE)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (ONENOTE.EXE)
-
Script User-Agent (1 IoCs)
Uses user-agent string associated with script host/environment.
Processes:
  HTTP User-Agent header, flow 63: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
-
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes:
  pid 4756, ONENOTE.EXE (2 entries)
-
Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes:
  pid 4756, ONENOTE.EXE (2 entries)
  pid 116, regsvr32.exe (2 entries)
  pid 3944, regsvr32.exe (4 entries)
-
Suspicious use of SetWindowsHookEx (14 IoCs)
Processes:
  pid 4756, ONENOTE.EXE (14 entries)
-
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  PID 4756 (ONENOTE.EXE) wrote to memory of 4264 (WScript.exe) (2 entries)
  PID 1224 (wscript.exe) wrote to memory of 116 (regsvr32.exe) (2 entries)
  PID 116 (regsvr32.exe) wrote to memory of 3944 (regsvr32.exe) (2 entries)
Processes
1. C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE
   Command line: "C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE" "C:\Users\Admin\AppData\Local\Temp\3.one"
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\{533BB209-760D-488B-8AB6-868674A2E7DB}\NT\0\press to unblock document.vbs"
      - Process spawned unexpected child process
      - Checks computer location settings
      3. C:\Windows\System32\wscript.exe
         Command line: "C:\Windows\System32\wscript.exe" //E:vbscript C:\Users\Admin\AppData\Local\Temp\radCBE9233C1darrad5482FBBCEdar.txt
         - Blocklisted process makes network request
         - Checks computer location settings
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\System32\regsvr32.exe
            Command line: "C:\Windows\System32\regsvr32.exe" "C:\Users\Admin\AppData\Local\Temp\radED3F7E362dar\E8E3fOMsIqHOmPoKp7K4AJz5dmBl.dll"
            - Loads dropped DLL
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\system32\regsvr32.exe
               Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\RymjvqHiTBKWZ\cusTokZNOdzbR.dll"
               - Loads dropped DLL
               - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BL.bin
Filesize: 88KB
MD5: 9eae6f49a02d6eb9f75af7bbf4349808
SHA1: 2caf7ddeb9fc1d6076558661ef69b9638cfd2e7b
SHA256: 31fb4bf411dcd7fcb860bdb1db26859290b047b39b94638a7d4fd2a46d323e98
SHA512: 37b45c58efd8c2bee66c30bca4a3777d5b6ba39e97d34baa8e7bc27fb083397d818a2708cbcf7d4704398fdfff4cbc17abff68b33294292413527702c1ad7eef
-
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BM.bin
Filesize: 75KB
MD5: f776dd0f1ae059fcf295ade6c5495080
SHA1: ed270bfe2edb7e571ba4acf4b4088aa2a111e57e
SHA256: 2130a3bc8050310a7474be0b17a4ea8584e2105cb17316cb463d732665745749
SHA512: 2558ab6465af8a782ad02295744cd2d554d03c1ee7aa1689f13e3507a0cec4e73b9f86d1ec9aef346b831ab58758285a8ceda63dc0f834e1378dfa0504490f65
-
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BN.bin
Filesize: 567B
MD5: d055ce625528e448c61315eaaef5bb71
SHA1: 029df4c872b1c154f32e7fe94f434547c3ba6192
SHA256: 85bf1e672b4e86e9af0c7874681ec9620dfdc78e0335b83eef38c17d813b6705
SHA512: 705b6b729e967fa946469571109aa892f5cb55a01c74d40ae02140d10cbf9b65dd5e511c06ebfe494e407742f8c6f4fbbe88664b78b37abfb2f19db1f66f4247
-
C:\Users\Admin\AppData\Local\Temp\radB4DDC.tmp.zip
Filesize: 951KB
MD5: 201268492f67b84d4c6a747a3bb3c5ed
SHA1: 3d891ff2b5accb39007cc8f9b8bcd1c5dc8e9628
SHA256: 14730408e69d2edb6ea360dd2528b3d06fc274b2625c129ad15510ec999994ab
SHA512: 4361c713b5e10f7c587f8aef7d8c694e6c22f2bf9172393359f7f9343e844c9ab7a70c71486416f80148a7cbe0af919c51deacd59460304014966b15eaecaebe
-
C:\Users\Admin\AppData\Local\Temp\radED3F7E362dar\E8E3fOMsIqHOmPoKp7K4AJz5dmBl.dll
Filesize: 440.3MB
MD5: 8ae7eaa28060089b61501c7c22347f76
SHA1: a10f01dd8d961a0f411da3d5692be3a42316f25a
SHA256: 4f2751ac92395f0269e6965bb6faea56caf64448a1ebcdb156da1745b33f1baf
SHA512: 4d4acef339f260ac07f287876870c5a5747a026c6402cfa54b35af126ef46d0b2b9706158d25851f96c817e36c318d8da48db7dad78a138d50fe3a32a11fc4a9
-
C:\Users\Admin\AppData\Local\Temp\radED3F7E362dar\E8E3fOMsIqHOmPoKp7K4AJz5dmBl.dll
Filesize: 511.9MB
MD5: 0586fe01aea41856828a347dddf2121c
SHA1: 3b3183691cede18ff4a8b35104c3dcc99c2583f8
SHA256: c8a777959691f310d36c30f18f10f523be55fe55c86f7d3b556bd31ebb5d6126
SHA512: 37b99147f938426c81bd0628c99775ca8b94667bf4a2eab5660e301e01cad348c2552f74e9cdb97994e1f29aa7cd30d4c83e294f9e01a445034177f174a71c79
-
C:\Windows\System32\RymjvqHiTBKWZ\cusTokZNOdzbR.dll
Filesize: 409.6MB
MD5: b3d059a946d1869dd07c16c4272f8deb
SHA1: 27eaf912be6ba5543cac2ca19f8786478c275dc7
SHA256: 2bdd9c01136559fe93484dc6a75ce5c452552a05406895f7a786a08db532d1a6
SHA512: 2d89258b20cee3b1a36b6161e0c4bbcdfdf08030cf515ae99ed320a85ea294e175c3804116062afa8d53325cee0d0ca5d011a2fef7eb0c7005de9c63756abc3f
-
memory/116-217-0x0000000002710000-0x000000000276A000-memory.dmp
Filesize: 360KB
-
memory/116-221-0x0000000000CA0000-0x0000000000CA1000-memory.dmp
Filesize: 4KB
-
memory/4756-139-0x00007FFB14960000-0x00007FFB14970000-memory.dmp
Filesize: 64KB
-
memory/4756-138-0x00007FFB14960000-0x00007FFB14970000-memory.dmp
Filesize: 64KB
-
memory/4756-137-0x00007FFB16D90000-0x00007FFB16DA0000-memory.dmp
Filesize: 64KB
-
memory/4756-136-0x00007FFB16D90000-0x00007FFB16DA0000-memory.dmp
Filesize: 64KB
-
memory/4756-135-0x00007FFB16D90000-0x00007FFB16DA0000-memory.dmp
Filesize: 64KB
-
memory/4756-134-0x00007FFB16D90000-0x00007FFB16DA0000-memory.dmp
Filesize: 64KB
-
memory/4756-133-0x00007FFB16D90000-0x00007FFB16DA0000-memory.dmp
Filesize: 64KB