1f23a8be2e3cf81e2ab11b38df69ef7666e7925621854c062678e0aef5a8a5c2

Analysis

max time kernel
144s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
24-03-2023 03:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

consult.one
Size

253KB
MD5

3c9dd604080dda485452751854ca892d
SHA1

c8eb2fa1e512d59dc0d8d2c4f857a37e45ddb988
SHA256

1f23a8be2e3cf81e2ab11b38df69ef7666e7925621854c062678e0aef5a8a5c2
SHA512

f62ddcbf1965e95c9571bc0769aa0e9192fcd6767becff27547faf38cd0daf5d110ab2a5928d78eb168c0b9c912211bf3c7308605a99b941a876b0b140104bec
SSDEEP

6144:7kIk+ai6laI6gfUOqa1fmioLyVmWsdYkB:QaI6aF1fmYEv

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
652	ONENOTE.EXE
652	ONENOTE.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
652	ONENOTE.EXE
652	ONENOTE.EXE

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
652	ONENOTE.EXE
652	ONENOTE.EXE
652	ONENOTE.EXE
652	ONENOTE.EXE
652	ONENOTE.EXE
652	ONENOTE.EXE
652	ONENOTE.EXE
652	ONENOTE.EXE
652	ONENOTE.EXE
652	ONENOTE.EXE
652	ONENOTE.EXE
652	ONENOTE.EXE
652	ONENOTE.EXE
652	ONENOTE.EXE

C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE
"C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE" "C:\Users\Admin\AppData\Local\Temp\consult.one"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BL.bin

Filesize
8KB

MD5
7de39544f18854d1ec0560c9999fc2ce

SHA1
3ab0d32f44a4166166065514d4d87a9b842f1002

SHA256
d01e506b64751978eb317b96d532cde3401c033fd3789826020b6bac2fb1db0b

SHA512
d7cb6a1f38eb7b712cd276c42d4186cfde2c2d7428bbd02ec3257ddb17295ec6b894d123e8ca39c6b777560d107e8ffbc98056bd3e0820477d81fa15b6fcc403

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BM.bin

Filesize
127KB

MD5
ac14a325940aad98a15ed292fb20e67b

SHA1
c6c5015550be808cc9b6f8d2275f4ef8fc4b3f1b

SHA256
c53fcd0440d49f064225b91461d4119c0fd9b2075b2115fd663a793b9437856d

SHA512
57da768df58e0aacac7471bc2359258ade2972417ebbef23cb93ecb5b272499c6766c8d740fb08c65f0d82ad8b5126bdc83c369f1df5dd15a59b179c7d5897e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BN.bin

Filesize
885B

MD5
04734c91e7c2c2b29c12ddfdd9f913e2

SHA1
83c8bb5b99ebf3c584c322ca24e8630fc278cd31

SHA256
527eeb788359e2a29f4ce98f329d016eb0ec283c3dc6b851e7bfac8e861df83e

SHA512
f1f51be86e5314fb2a7165d22962fae2fdaa038240c793b0c95ef24196d2a245fc604d0dc8b076c120891316c49d9632158b87f9d8efa6a4733292fa3b47f678

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BO.bin

Filesize
92KB

MD5
47cf95b5474b344e3a2147e153bcc099

SHA1
a2aad4bcb9f17c59144d60ac174b95346ca80e70

SHA256
c81fe29664ca414c7e27a3bedc7da73be6021efdaba7e98fc15a059f7f9ed505

SHA512
82fe3782e16a313c98c6b27d4fc9c7e7fe1600f28abfcc53e895c1918044072d7a0d760f106e9db1a93a3b52dbf5e24889c3975a875c23a31e5e86282006d358

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BP.bin

Filesize
8KB

MD5
e300a31c3170e1a9d6047f542a93caa9

SHA1
21a1d5d8c9508f0d67d82a2ca903f5c2bcb6f895

SHA256
69f247656d4f7538c6e7e8200bb67082b3e84fbcfd6302c7dadde5f61a6f6c3e

SHA512
3b6d02ecadd9a3f9fcbb8fa65c71eaeb2e1027e900e20c79d5fed833f855930b22e7767b098c42aece3b90327f8fd36a3ed7e44609a11fbcf5bfd3b54078d910

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BQ.bin

Filesize
2KB

MD5
58d7dd282821f4bfacd9e99cc73ac497

SHA1
197c5e5cbfe9526f77c4a8b6dab1ef115b5128a0

SHA256
0b0ef12a7ebc515fbfcab1150faecca4705e0450f631de8e8a6223069e61678d

SHA512
ed26453501e3e783089eb051bd5503fdf98ab2e25a18a3b42fc700a5f232666a4f39ae8e7d1f23357d05257c7890eb4fbbc684cda07ca83ef2b721cf4c5ad10d

Download Submit
memory/652-136-0x00007FFAB6490000-0x00007FFAB64A0000-memory.dmp

Filesize
64KB

Download
memory/652-139-0x00007FFAB4000000-0x00007FFAB4010000-memory.dmp

Filesize
64KB

Download
memory/652-138-0x00007FFAB4000000-0x00007FFAB4010000-memory.dmp

Filesize
64KB

Download
memory/652-137-0x00007FFAB6490000-0x00007FFAB64A0000-memory.dmp

Filesize
64KB

Download
memory/652-133-0x00007FFAB6490000-0x00007FFAB64A0000-memory.dmp

Filesize
64KB

Download
memory/652-135-0x00007FFAB6490000-0x00007FFAB64A0000-memory.dmp

Filesize
64KB

Download
memory/652-134-0x00007FFAB6490000-0x00007FFAB64A0000-memory.dmp

Filesize
64KB

Download