207ebd8dfc3114138805a060f88b82e9e364663dde0919a8c1be27b4ed47785e

Analysis

max time kernel
146s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
19-04-2023 09:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Doloribus.one
Size

141KB
MD5

d794d571bc5399d0701fddd53e16dd12
SHA1

e2fed2d476ccb5e04f783b03fabc8d289d37df89
SHA256

207ebd8dfc3114138805a060f88b82e9e364663dde0919a8c1be27b4ed47785e
SHA512

2a5851c66a9ff3634e436893e2433cef7a57da5afb8882a7c7b836266ac21b3aff9772f29b63f08bfc7e34e43746faef607a46d55b1ed6577eca33da4c63bb2f
SSDEEP

768:8WRzKX0UVteeKa0pmW9QHfXNJJSYPiVLjyJV:NUVPKaemWiNj7PihWJV

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3004	ONENOTE.EXE
3004	ONENOTE.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3004	ONENOTE.EXE
3004	ONENOTE.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
3004	ONENOTE.EXE
3004	ONENOTE.EXE
3004	ONENOTE.EXE
3004	ONENOTE.EXE
3004	ONENOTE.EXE
3004	ONENOTE.EXE
3004	ONENOTE.EXE
3004	ONENOTE.EXE
3004	ONENOTE.EXE
3004	ONENOTE.EXE
3004	ONENOTE.EXE
3004	ONENOTE.EXE
3004	ONENOTE.EXE
3004	ONENOTE.EXE
3004	ONENOTE.EXE
3004	ONENOTE.EXE

C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE
"C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE" "C:\Users\Admin\AppData\Local\Temp\Doloribus.one"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3004

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BL.bin

Filesize
58KB

MD5
ae84bbbaa3120b7059553a92efc5ca2b

SHA1
9f99e48623e80d56a586fb478da11aad5d859820

SHA256
e1f39e5de392a7eb7bd320643327b6df70dba6f9d46715247c00a74f7be8dbf3

SHA512
ea28f7fbb33a80c7bf84628329c9a5225fbf3d946628fdd055e375f17bcb9ad2d539bd84ad5c29368f26fd737b58f22b13ff061272e30ec9f586ee39d2e0f7e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BM.bin

Filesize
1KB

MD5
2a73c361081922a4c84395afd79174e3

SHA1
d2c5b559524ee131d3e3c2885716e13f35a09bc2

SHA256
60a5377439f3b763a09fc7629d776920b48380b7416552d25ec0e9cbf0f3e6b3

SHA512
fdea66137a4a3f445f617fe7224bfde66c4698b3063ee8ce79a3a7a51ce38f437cc6a281bc68ad82b6b00cdcef91d660baddf2b7287b509291ee40205e4a5bfc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BN.bin

Filesize
49KB

MD5
8aadb73e83697cab13bf57fb385e7fee

SHA1
b1dcc51a3c195ed4c6aa060959584a1ce5c1d0fc

SHA256
b8050a775058995edf17f83db66973ea3e31f8e2e4cc24988679de5418ecb7f8

SHA512
5cd8788b76a3dc7cde4beea8bf14be1fb31564fbc907fc7c87050431ccc1f1aa39829057eefc20a11e91f6f02e0d33b3b51c796500fcc61c0e1dcd3fd7c911bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BO.bin

Filesize
16KB

MD5
a21eb8916f2a2f07793c819768a8bbd0

SHA1
b3f552a13e83a4382306f257089b5f2f18a1760d

SHA256
8836467d62f1dd5a5fcfc334668a81bc39579642a57355ca1c78575c891741b5

SHA512
cde9ca8a66d352dbfff36426986f1604e7097c092e9fcfe348a35262e1c33d6e89b21140e085f22ac8ea16a0948b91a9bdefacaffb1125ed61dee7917ac4e9e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BP.bin

Filesize
3KB

MD5
d16a6923d2106a2c4d8391a789b21333

SHA1
953249d08afc48571b3988fc381d1418adf5f062

SHA256
4f875944d822200dd0a9f822692fb1540c9fffa4da3d38f3ddec7bfe0d06680a

SHA512
0e4588b195d32959830bd6deaf36d3a706e6049eea8cd3aff759c5bdaceef97283b22c5c3e97dde74414baee4d605249050f2ddf63fd79811947cf31810db9de

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/3004-137-0x00007FF9E0E10000-0x00007FF9E0E20000-memory.dmp

Filesize
64KB

Download
memory/3004-139-0x00007FF9DEB10000-0x00007FF9DEB20000-memory.dmp

Filesize
64KB

Download
memory/3004-138-0x00007FF9DEB10000-0x00007FF9DEB20000-memory.dmp

Filesize
64KB

Download
memory/3004-136-0x00007FF9E0E10000-0x00007FF9E0E20000-memory.dmp

Filesize
64KB

Download
memory/3004-133-0x00007FF9E0E10000-0x00007FF9E0E20000-memory.dmp

Filesize
64KB

Download
memory/3004-134-0x00007FF9E0E10000-0x00007FF9E0E20000-memory.dmp

Filesize
64KB

Download
memory/3004-135-0x00007FF9E0E10000-0x00007FF9E0E20000-memory.dmp

Filesize
64KB

Download