8fa524ff4991ea7d9bc80b60f8c1697f09a7c77be8b3e599471f8906a0768927

Analysis

max time kernel
135s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
25/04/2023, 04:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b11b51ff96dc7a5f1cf9985087a6ad4f66980a2b2a9b1945acd43e39434c8dec.one
Size

203KB
MD5

058978e5a0620ea2acec6da70c93683f
SHA1

7f3bb69b17787470e01d4081104ac5ad012a0cde
SHA256

b11b51ff96dc7a5f1cf9985087a6ad4f66980a2b2a9b1945acd43e39434c8dec
SHA512

9f541872159512804adcc601391de4f05f2abc067a465f21fd8d9bb8eeba41f8e85f31a1d0e32600b23760f9dadd8530908e9b775c9ee8aee71119335b4bf69a
SSDEEP

3072:NqVr2RTVYk0bjRtZLlnm6Gdk8vZQfjO8KifQ6vfegRI8mlgJJ4u6A0FzfghYTffD:cARiltZITy8ufjLQsBUlgeMYDhZ

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3152	ONENOTE.EXE
3152	ONENOTE.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3152	ONENOTE.EXE
3152	ONENOTE.EXE

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
3152	ONENOTE.EXE
3152	ONENOTE.EXE
3152	ONENOTE.EXE
3152	ONENOTE.EXE
3152	ONENOTE.EXE
3152	ONENOTE.EXE
3152	ONENOTE.EXE
3152	ONENOTE.EXE
3152	ONENOTE.EXE
3152	ONENOTE.EXE
3152	ONENOTE.EXE
3152	ONENOTE.EXE
3152	ONENOTE.EXE

C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE
"C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE" "C:\Users\Admin\AppData\Local\Temp\b11b51ff96dc7a5f1cf9985087a6ad4f66980a2b2a9b1945acd43e39434c8dec.one"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3152

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BL.bin

Filesize
1KB

MD5
39030c475ba311552e78174ba337615b

SHA1
f2e37ac347c896feea522c5f3704542ca8f0f02e

SHA256
6cdcf077660b980478c33bdc9870262f3e3e83daeef0729d36a65f18ed58423c

SHA512
d66586a111f61166cceef805944f9f9d57ecf8e75d722703d81340b248cb5ed51798b83f4f93853a15464910981d8bf4194f62aca12afa27a929113ebc3538ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BM.bin

Filesize
182KB

MD5
df4da1ecd4c50871a1c4315f571e4402

SHA1
1dbbe9b3784cf5ecdd08b27132a7e31588954865

SHA256
9800bef9d4936ee96d4872fb686121dd7209f8b529e9bdc833c4fe54bb68f5c8

SHA512
5f9e47f865c48cb1f2070d5d393a5d3494074bfe2347e07c988d06c8244dd420181c210a8ebdd54f768a64a5906d0c9e3be271d44f6e5bd32991bc2cacf85d3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BR.bin

Filesize
5KB

MD5
ddb6da5a6385b9a062409e605c66f682

SHA1
1bd7c007c7c513e569334190bd90ddd31757b4d6

SHA256
745d625feef00994fd9516198cb31383c33ab7f6e7e115c1415516d7c822d257

SHA512
61b362aad4a6951ac5872c4708ff2c0a5995a3debca7c7a4a31122cce54c0ea43e2321054ff85474dafd1b7b3e9e872cdc12dd33aad2c284355f069fe0a8c049

Download Submit
memory/3152-133-0x00007FFD55D90000-0x00007FFD55DA0000-memory.dmp

Filesize
64KB

Download
memory/3152-134-0x00007FFD55D90000-0x00007FFD55DA0000-memory.dmp

Filesize
64KB

Download
memory/3152-135-0x00007FFD55D90000-0x00007FFD55DA0000-memory.dmp

Filesize
64KB

Download
memory/3152-136-0x00007FFD55D90000-0x00007FFD55DA0000-memory.dmp

Filesize
64KB

Download
memory/3152-137-0x00007FFD55D90000-0x00007FFD55DA0000-memory.dmp

Filesize
64KB

Download
memory/3152-138-0x00007FFD53D30000-0x00007FFD53D40000-memory.dmp

Filesize
64KB

Download
memory/3152-139-0x00007FFD53D30000-0x00007FFD53D40000-memory.dmp

Filesize
64KB

Download