239ef6d53cade1d87bbe2407b8d78ce99e094147877da0de499322ab7dfc6b2b

Analysis

max time kernel
529s
max time network
444s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
27-03-2023 07:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01-attachments-3-examples/Message 167168370508.one
Size

293KB
MD5

b951629aedffbabc180ee80f9725f024
SHA1

73c17369f2c4e3ce36d4f8917d011dde9a26eb07
SHA256

a43e0864905fe7afd6d8dbf26bd27d898a2effd386e81cfbc08cae9cf94ed968
SHA512

108efb4b68175a4f98f6153c6c88401255119b41ce7cf4224c571c587c3e4a145af1f999feb7dd9e2fe37324aae09cd367a3100c2d997c8836cf3120e395da29
SSDEEP

3072:Q7pvc2vetOepE76wtghUVkJlD1HUjCu/tewu4UhKg+012FYrQAwNLhbrUzJr9EQ3:Q1veXwtVElijRcwuzKg+NAw3bI/Z+9mX

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

ONENOTE.EXE

pid process

4108 ONENOTE.EXE
4108 ONENOTE.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

ONENOTE.EXE

pid process

4108 ONENOTE.EXE
4108 ONENOTE.EXE

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

ONENOTE.EXE

pid	process
4108	ONENOTE.EXE
4108	ONENOTE.EXE
4108	ONENOTE.EXE
4108	ONENOTE.EXE
4108	ONENOTE.EXE
4108	ONENOTE.EXE
4108	ONENOTE.EXE
4108	ONENOTE.EXE
4108	ONENOTE.EXE
4108	ONENOTE.EXE
4108	ONENOTE.EXE
4108	ONENOTE.EXE
4108	ONENOTE.EXE
4108	ONENOTE.EXE

C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE
"C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE" "C:\Users\Admin\AppData\Local\Temp\01-attachments-3-examples\Message 167168370508.one"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4108

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BL.bin
Filesize
708B

MD5
25cc34afeb6ebbe685bb3d34ecf0ed03

SHA1
56e158953158721f21a70a523f3364e8989c10ac

SHA256
4c25aec7c690c54344e24261ea3e716d475537c3266e3859ca459dc68d7c905d

SHA512
efd6761d19db66855139912f3d29db8927035ad7e4ae4904a47748a52c5dfcc21b2cc77beed4befbeb67b1d085791cb3457a8c5bb8f94cc4ce015f09fb3a4134

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BM.bin
Filesize
124KB

MD5
9e346695bbc4291bc769f98be9e6a5e9

SHA1
3396a0f6e6270e798fadae572d1a914ebbbcd944

SHA256
f25f69c71066b18364cd405ae80048a8b615c4b0f2cc4cb51b916ef08ba246db

SHA512
60f9fe65730a3341d6147669b8dde56f0055b7e05f8150de4a3f316d8eeab22c5094dc70e252bd6667189fa28649a404a51deb8e92e4044d4a9d196bba1921cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BN.bin
Filesize
85KB

MD5
b85e5767bf5001bd8c48ddad3250d1c0

SHA1
8e6f41ef924727493587494e0bf5facc9b40bbd0

SHA256
b83680379ac89b857c64e28eb7dfdeda7ebc1d83de5a25799926ad3860fdc0fe

SHA512
cb66f3441aeef054fda04c8f60d3e5406cde8ac24da81bd601425de5e4e96292cf9d902a9e7d9e23b45fd9d2d6fff4dcfdb2311963b14fb8cb6eb49a4dee0bc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BO.bin
Filesize
41KB

MD5
1beb6cb6862e215a84ee058f430b8036

SHA1
14562b101e8b0d1826da79bffb88633154c304b7

SHA256
31e98a8bfc9d5317f3f3fecd28d23b707756d3c3f106b41ba0570e31920ebc8a

SHA512
ef09ffd7ccb1c8a6a033358cfa40c65ba39a5c4c9d987792555e9956301763ab9382a0024070c4dd5f5e96bde8f10231a78a36fb697509cff2380028f4eacd7c

Download Submit
memory/4108-119-0x00007FFD839E0000-0x00007FFD839F0000-memory.dmp

Filesize
64KB

Download
memory/4108-120-0x00007FFD839E0000-0x00007FFD839F0000-memory.dmp

Filesize
64KB

Download
memory/4108-121-0x00007FFD839E0000-0x00007FFD839F0000-memory.dmp

Filesize
64KB

Download
memory/4108-122-0x00007FFD839E0000-0x00007FFD839F0000-memory.dmp

Filesize
64KB

Download
memory/4108-125-0x00007FFD80340000-0x00007FFD80350000-memory.dmp

Filesize
64KB

Download
memory/4108-126-0x00007FFD80340000-0x00007FFD80350000-memory.dmp

Filesize
64KB

Download