2b0b2a15f00c6eed533c70e89001248a0f2ba6fae5102e1443d7451a59023516

Analysis

max time kernel
146s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2023, 10:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AT.one
Size

211KB
MD5

78257e7124a0c4f9b7fdef5de59bb5db
SHA1

4b77f4c87f123e7b3a4b24fc7c47b09646a603f6
SHA256

2b0b2a15f00c6eed533c70e89001248a0f2ba6fae5102e1443d7451a59023516
SHA512

8713c6ffa0906d1abd190a9dced04667c153c61b3fc546029cc28148cfaeb479539664f76ff481fb80cc1ed36e6cb602ce6061a1b5855992a1aa5d88062aea66
SSDEEP

768:MRVQBJstupjgzZTTCrEa0pmW9QHfXNJJSYPiVLjyKlRZXaBJhqRlRZXq9+yfYRZI:/pjgz1OwaemWiNj7PihWKmqzC0g

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4296	ONENOTE.EXE
4296	ONENOTE.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4296	ONENOTE.EXE
4296	ONENOTE.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
4296	ONENOTE.EXE
4296	ONENOTE.EXE
4296	ONENOTE.EXE
4296	ONENOTE.EXE
4296	ONENOTE.EXE
4296	ONENOTE.EXE
4296	ONENOTE.EXE
4296	ONENOTE.EXE
4296	ONENOTE.EXE
4296	ONENOTE.EXE
4296	ONENOTE.EXE
4296	ONENOTE.EXE
4296	ONENOTE.EXE
4296	ONENOTE.EXE
4296	ONENOTE.EXE
4296	ONENOTE.EXE

C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE
"C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE" "C:\Users\Admin\AppData\Local\Temp\AT.one"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4296

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BL.bin

Filesize
16KB

MD5
a21eb8916f2a2f07793c819768a8bbd0

SHA1
b3f552a13e83a4382306f257089b5f2f18a1760d

SHA256
8836467d62f1dd5a5fcfc334668a81bc39579642a57355ca1c78575c891741b5

SHA512
cde9ca8a66d352dbfff36426986f1604e7097c092e9fcfe348a35262e1c33d6e89b21140e085f22ac8ea16a0948b91a9bdefacaffb1125ed61dee7917ac4e9e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BM.bin

Filesize
3KB

MD5
d16a6923d2106a2c4d8391a789b21333

SHA1
953249d08afc48571b3988fc381d1418adf5f062

SHA256
4f875944d822200dd0a9f822692fb1540c9fffa4da3d38f3ddec7bfe0d06680a

SHA512
0e4588b195d32959830bd6deaf36d3a706e6049eea8cd3aff759c5bdaceef97283b22c5c3e97dde74414baee4d605249050f2ddf63fd79811947cf31810db9de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BN.bin

Filesize
58KB

MD5
8cc611275a64aeab0d949994d8304090

SHA1
2a282f876b89120e2697bbcef32d359528ff24f8

SHA256
1ce755dae322536349969e1c7b21b7d3ecc44d8fb3afbdd5f74785c9a106db66

SHA512
4e8dcec63274096c60167eab9673608063bf94499c9c096ca54d67f613d5ddc6ffd5ad8bd56da217fdec3b4091a8f7fcc3b18ecfd33a4e1b02ea5944eb4399f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BO.bin

Filesize
1KB

MD5
2a73c361081922a4c84395afd79174e3

SHA1
d2c5b559524ee131d3e3c2885716e13f35a09bc2

SHA256
60a5377439f3b763a09fc7629d776920b48380b7416552d25ec0e9cbf0f3e6b3

SHA512
fdea66137a4a3f445f617fe7224bfde66c4698b3063ee8ce79a3a7a51ce38f437cc6a281bc68ad82b6b00cdcef91d660baddf2b7287b509291ee40205e4a5bfc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BP.bin

Filesize
49KB

MD5
8aadb73e83697cab13bf57fb385e7fee

SHA1
b1dcc51a3c195ed4c6aa060959584a1ce5c1d0fc

SHA256
b8050a775058995edf17f83db66973ea3e31f8e2e4cc24988679de5418ecb7f8

SHA512
5cd8788b76a3dc7cde4beea8bf14be1fb31564fbc907fc7c87050431ccc1f1aa39829057eefc20a11e91f6f02e0d33b3b51c796500fcc61c0e1dcd3fd7c911bd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/4296-136-0x00007FFA2A110000-0x00007FFA2A120000-memory.dmp

Filesize
64KB

Download
memory/4296-139-0x00007FFA278C0000-0x00007FFA278D0000-memory.dmp

Filesize
64KB

Download
memory/4296-138-0x00007FFA278C0000-0x00007FFA278D0000-memory.dmp

Filesize
64KB

Download
memory/4296-137-0x00007FFA2A110000-0x00007FFA2A120000-memory.dmp

Filesize
64KB

Download
memory/4296-133-0x00007FFA2A110000-0x00007FFA2A120000-memory.dmp

Filesize
64KB

Download
memory/4296-135-0x00007FFA2A110000-0x00007FFA2A120000-memory.dmp

Filesize
64KB

Download
memory/4296-134-0x00007FFA2A110000-0x00007FFA2A120000-memory.dmp

Filesize
64KB

Download