7dbc46f64248c54bba49b70c723f5dbf04058c3dc195dc1e142c36bf8b5675f9

Resubmissions

06/07/2023, 12:57

230706-p6wkqacd6t 3

06/07/2023, 12:52

230706-p4ffqabb37 3

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
06/07/2023, 12:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fcace809a9425f599f98037296b2a1cb7689bf3df40994205147b053b317fca4.exe
Size

232KB
MD5

34fd848f1ac40ecf35590b053cbb8257
SHA1

9ddc927e109a3159635bc77151942184cc1abb2e
SHA256

fcace809a9425f599f98037296b2a1cb7689bf3df40994205147b053b317fca4
SHA512

2cdfc63d5d9a337193a4640ddb8d438d53259253b0c7dd7fed4f4f751c79a18606f1c15a75fbc954699c95d2decf9478da7234b21d9e35d8d7ab51946ee78d69
SSDEEP

6144:6v5z1JO92UbEJoa5DdnMPSvr2gSjrMjZOjH:am5soazMqvrHSq8

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3256	1644	WerFault.exe	83

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
492	ONENOTE.EXE
492	ONENOTE.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4728	msedge.exe
4728	msedge.exe
492	ONENOTE.EXE
492	ONENOTE.EXE

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
492	ONENOTE.EXE
492	ONENOTE.EXE
492	ONENOTE.EXE
492	ONENOTE.EXE
492	ONENOTE.EXE
492	ONENOTE.EXE
492	ONENOTE.EXE
492	ONENOTE.EXE
492	ONENOTE.EXE
492	ONENOTE.EXE
492	ONENOTE.EXE
492	ONENOTE.EXE
492	ONENOTE.EXE
492	ONENOTE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 2192	1672	msedge.exe	105
PID 1672 wrote to memory of 2192	1672	msedge.exe	105
PID 1672 wrote to memory of 2796	1672	msedge.exe	106
PID 1672 wrote to memory of 2796	1672	msedge.exe	106
PID 1672 wrote to memory of 2796	1672	msedge.exe	106
PID 1672 wrote to memory of 2796	1672	msedge.exe	106
PID 1672 wrote to memory of 2796	1672	msedge.exe	106
PID 1672 wrote to memory of 2796	1672	msedge.exe	106
PID 1672 wrote to memory of 2796	1672	msedge.exe	106
PID 1672 wrote to memory of 2796	1672	msedge.exe	106
PID 1672 wrote to memory of 2796	1672	msedge.exe	106
PID 1672 wrote to memory of 2796	1672	msedge.exe	106
PID 1672 wrote to memory of 2796	1672	msedge.exe	106
PID 1672 wrote to memory of 2796	1672	msedge.exe	106
PID 1672 wrote to memory of 2796	1672	msedge.exe	106
PID 1672 wrote to memory of 2796	1672	msedge.exe	106
PID 1672 wrote to memory of 2796	1672	msedge.exe	106
PID 1672 wrote to memory of 2796	1672	msedge.exe	106
PID 1672 wrote to memory of 2796	1672	msedge.exe	106
PID 1672 wrote to memory of 2796	1672	msedge.exe	106
PID 1672 wrote to memory of 2796	1672	msedge.exe	106
PID 1672 wrote to memory of 2796	1672	msedge.exe	106
PID 1672 wrote to memory of 2796	1672	msedge.exe	106
PID 1672 wrote to memory of 2796	1672	msedge.exe	106
PID 1672 wrote to memory of 2796	1672	msedge.exe	106
PID 1672 wrote to memory of 2796	1672	msedge.exe	106
PID 1672 wrote to memory of 2796	1672	msedge.exe	106
PID 1672 wrote to memory of 2796	1672	msedge.exe	106
PID 1672 wrote to memory of 2796	1672	msedge.exe	106
PID 1672 wrote to memory of 2796	1672	msedge.exe	106
PID 1672 wrote to memory of 2796	1672	msedge.exe	106
PID 1672 wrote to memory of 2796	1672	msedge.exe	106
PID 1672 wrote to memory of 2796	1672	msedge.exe	106
PID 1672 wrote to memory of 2796	1672	msedge.exe	106
PID 1672 wrote to memory of 2796	1672	msedge.exe	106
PID 1672 wrote to memory of 2796	1672	msedge.exe	106
PID 1672 wrote to memory of 2796	1672	msedge.exe	106
PID 1672 wrote to memory of 2796	1672	msedge.exe	106
PID 1672 wrote to memory of 2796	1672	msedge.exe	106
PID 1672 wrote to memory of 2796	1672	msedge.exe	106
PID 1672 wrote to memory of 2796	1672	msedge.exe	106
PID 1672 wrote to memory of 2796	1672	msedge.exe	106
PID 1672 wrote to memory of 4728	1672	msedge.exe	107
PID 1672 wrote to memory of 4728	1672	msedge.exe	107
PID 1672 wrote to memory of 1496	1672	msedge.exe	108
PID 1672 wrote to memory of 1496	1672	msedge.exe	108
PID 1672 wrote to memory of 1496	1672	msedge.exe	108
PID 1672 wrote to memory of 1496	1672	msedge.exe	108
PID 1672 wrote to memory of 1496	1672	msedge.exe	108
PID 1672 wrote to memory of 1496	1672	msedge.exe	108
PID 1672 wrote to memory of 1496	1672	msedge.exe	108
PID 1672 wrote to memory of 1496	1672	msedge.exe	108
PID 1672 wrote to memory of 1496	1672	msedge.exe	108
PID 1672 wrote to memory of 1496	1672	msedge.exe	108
PID 1672 wrote to memory of 1496	1672	msedge.exe	108
PID 1672 wrote to memory of 1496	1672	msedge.exe	108
PID 1672 wrote to memory of 1496	1672	msedge.exe	108
PID 1672 wrote to memory of 1496	1672	msedge.exe	108
PID 1672 wrote to memory of 1496	1672	msedge.exe	108
PID 1672 wrote to memory of 1496	1672	msedge.exe	108
PID 1672 wrote to memory of 1496	1672	msedge.exe	108
PID 1672 wrote to memory of 1496	1672	msedge.exe	108
PID 1672 wrote to memory of 1496	1672	msedge.exe	108
PID 1672 wrote to memory of 1496	1672	msedge.exe	108

C:\Users\Admin\AppData\Local\Temp\fcace809a9425f599f98037296b2a1cb7689bf3df40994205147b053b317fca4.exe
"C:\Users\Admin\AppData\Local\Temp\fcace809a9425f599f98037296b2a1cb7689bf3df40994205147b053b317fca4.exe"
1⤵
PID:1644
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1644 -s 1116
  2⤵
  - Program crash
  PID:3256

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 444 -p 1644 -ip 1644
1⤵
PID:1528

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:704

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:4820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault29ece247h71c1h4ca2h93cdhe2cf0160fe72
1⤵
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff934af46f8,0x7ff934af4708,0x7ff934af4718
  2⤵
  PID:2192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,6883741801381960818,3749300327631050796,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
  2⤵
  PID:2796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,6883741801381960818,3749300327631050796,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2100 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,6883741801381960818,3749300327631050796,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2704 /prefetch:8
  2⤵
  PID:1496

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4068

C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:492

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b950ebe404eda736e529f1b0a975e8db

SHA1
4d2c020f1aa70e2bcb666a2dd144d1f3588430b8

SHA256
bcc60276d7110e8d002f24d66ebb043c5761e2a4b6ae7854983cef4beacd9bf4

SHA512
6ba228e5b6464c9602db81de8e1189302d0b2aed78a8b06248ccd9f095ede8621fc9d0faed0a7d079b8c7f4d1164b2895c4d0ef99c93cb95bbe210033e40295a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
61B

MD5
4df4574bfbb7e0b0bc56c2c9b12b6c47

SHA1
81efcbd3e3da8221444a21f45305af6fa4b71907

SHA256
e1b77550222c2451772c958e44026abe518a2c8766862f331765788ddd196377

SHA512
78b14f60f2d80400fe50360cf303a961685396b7697775d078825a29b717081442d357c2039ad0984d4b622976b0314ede8f478cde320daec118da546cb0682a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d78cf626ff65ea4c9b84f3d80b4b3683

SHA1
6a841370aac1985972372958c3fc77b2f438512b

SHA256
2a634e3f9c81a30c0503ad0b7b39034c6b9ffe6b5265589b0537f2f6c7c66530

SHA512
eb23b8ab7734c069facd0d123053966cf00177f01d3979dbc74b28eb4aacf315d462971641837b0ce03da564d4cdc009ccd358385f330b294fd701a2fe9ca5bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
3KB

MD5
1f60b37e58df355d9f367b8ac1f3c944

SHA1
73986b504e793519d36a062282262b186420385b

SHA256
30d8f69b89243b0f5bf6fcec88a986d67f393616d07a2e6c04b2964317e78717

SHA512
3df2d5586d561f982cacce77c97ce0dea5d0db4c96e8a4ab35c1f8c5c16f119b147a87e3f35eb5ba4dc5c37f288dea10e33ec166b87dd9d3a7d918b9434e6312

Download Submit
memory/492-189-0x00007FF913C70000-0x00007FF913C80000-memory.dmp

Filesize
64KB

Download
memory/492-191-0x00007FF913C70000-0x00007FF913C80000-memory.dmp

Filesize
64KB

Download
memory/492-190-0x00007FF913C70000-0x00007FF913C80000-memory.dmp

Filesize
64KB

Download
memory/492-192-0x00007FF913C70000-0x00007FF913C80000-memory.dmp

Filesize
64KB

Download
memory/492-193-0x00007FF913C70000-0x00007FF913C80000-memory.dmp

Filesize
64KB

Download
memory/492-194-0x00007FF9118E0000-0x00007FF9118F0000-memory.dmp

Filesize
64KB

Download
memory/492-195-0x00007FF9118E0000-0x00007FF9118F0000-memory.dmp

Filesize
64KB

Download
memory/1644-133-0x00000205F0D40000-0x00000205F0D50000-memory.dmp

Filesize
64KB

Download
memory/1644-134-0x00000205F0D40000-0x00000205F0D50000-memory.dmp

Filesize
64KB

Download