e173ecebfd5b01766dd8184250d5f2d442507b9b097e4ced319c246b78550d85

Resubmissions

20-07-2023 12:00

230720-n6c8psgh7z 6

20-04-2023 11:47

22-03-2023 11:13

22-03-2023 11:03

22-03-2023 10:57

22-03-2023 10:56

22-03-2023 10:41

21-03-2023 21:11

Analysis

max time kernel
119s
max time network
137s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
20-07-2023 12:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e173ecebfd5b01766dd8184250d5f2d442507b9b097e4ced319c246b78550d85.one
Size

280KB
MD5

b1a10568aa1e4a47ad2aa35788edc0af
SHA1

dd6ba6ae1680e4245f5ecc22ee12a18b9e16db2d
SHA256

e173ecebfd5b01766dd8184250d5f2d442507b9b097e4ced319c246b78550d85
SHA512

9dfd246820c9d705bd54f3118d581063ceadfdae04d0cd047dc66e19d6a5c29fee0195e7a5671854d5c9886a37a83f85d7e5aacd5d8c8df1cfa13384e3fa717e
SSDEEP

3072:e57pvc2vetOepE76wtghUVkJlD1HUjCuitewu4UhKg+jbJDDO7UckjjwQV:u1veXwtVElijRLwuzKg+jb1UkUa

Score

6^/10

Malware Config

Signatures

Process spawned suspicious child process 1 IoCs

This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

Processes:

DW20.EXE

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE is not expected to spawn this process	820	5008	DW20.EXE	ONENOTE.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

ONENOTE.EXE

pid process

5008 ONENOTE.EXE
5008 ONENOTE.EXE
5008 ONENOTE.EXE
5008 ONENOTE.EXE

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

ONENOTE.EXE

pid	process
5008	ONENOTE.EXE
5008	ONENOTE.EXE
5008	ONENOTE.EXE
5008	ONENOTE.EXE
5008	ONENOTE.EXE
5008	ONENOTE.EXE
5008	ONENOTE.EXE
5008	ONENOTE.EXE
5008	ONENOTE.EXE
5008	ONENOTE.EXE

C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE
"C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE" "C:\Users\Admin\AppData\Local\Temp\e173ecebfd5b01766dd8184250d5f2d442507b9b097e4ced319c246b78550d85.one"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5008
- C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE
  "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE" -x -s 3108
  2⤵
  - Process spawned suspicious child process
  PID:820

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/5008-120-0x00007FFC3B110000-0x00007FFC3B120000-memory.dmp

Filesize
64KB

Download
memory/5008-122-0x00007FFC3B110000-0x00007FFC3B120000-memory.dmp

Filesize
64KB

Download
memory/5008-121-0x00007FFC7B080000-0x00007FFC7B25B000-memory.dmp

Filesize
1.9MB

Download
memory/5008-123-0x00007FFC3B110000-0x00007FFC3B120000-memory.dmp

Filesize
64KB

Download
memory/5008-124-0x00007FFC7B080000-0x00007FFC7B25B000-memory.dmp

Filesize
1.9MB

Download
memory/5008-125-0x00007FFC3B110000-0x00007FFC3B120000-memory.dmp

Filesize
64KB

Download
memory/5008-126-0x00007FFC7B080000-0x00007FFC7B25B000-memory.dmp

Filesize
1.9MB

Download
memory/5008-127-0x00007FFC7B080000-0x00007FFC7B25B000-memory.dmp

Filesize
1.9MB

Download
memory/5008-128-0x00007FFC7B080000-0x00007FFC7B25B000-memory.dmp

Filesize
1.9MB

Download
memory/5008-129-0x00007FFC7B080000-0x00007FFC7B25B000-memory.dmp

Filesize
1.9MB

Download
memory/5008-131-0x00007FFC7B080000-0x00007FFC7B25B000-memory.dmp

Filesize
1.9MB

Download
memory/5008-133-0x00007FFC7B080000-0x00007FFC7B25B000-memory.dmp

Filesize
1.9MB

Download
memory/5008-134-0x00007FFC7B080000-0x00007FFC7B25B000-memory.dmp

Filesize
1.9MB

Download
memory/5008-135-0x00007FFC7B080000-0x00007FFC7B25B000-memory.dmp

Filesize
1.9MB

Download
memory/5008-136-0x00007FFC7B080000-0x00007FFC7B25B000-memory.dmp

Filesize
1.9MB

Download
memory/5008-138-0x00007FFC7B080000-0x00007FFC7B25B000-memory.dmp

Filesize
1.9MB

Download
memory/5008-137-0x00007FFC38110000-0x00007FFC38120000-memory.dmp

Filesize
64KB

Download
memory/5008-139-0x00007FFC38110000-0x00007FFC38120000-memory.dmp

Filesize
64KB

Download
memory/5008-140-0x00007FFC7B080000-0x00007FFC7B25B000-memory.dmp

Filesize
1.9MB

Download
memory/5008-143-0x00007FFC7B080000-0x00007FFC7B25B000-memory.dmp

Filesize
1.9MB

Download
memory/5008-148-0x00007FFC7B080000-0x00007FFC7B25B000-memory.dmp

Filesize
1.9MB

Download
memory/5008-146-0x00007FFC7B080000-0x00007FFC7B25B000-memory.dmp

Filesize
1.9MB

Download
memory/5008-150-0x00007FFC785E0000-0x00007FFC7868E000-memory.dmp

Filesize
696KB

Download
memory/5008-152-0x00007FFC7B080000-0x00007FFC7B25B000-memory.dmp

Filesize
1.9MB

Download
memory/5008-155-0x00007FFC7B080000-0x00007FFC7B25B000-memory.dmp

Filesize
1.9MB

Download
memory/5008-156-0x00007FFC7B080000-0x00007FFC7B25B000-memory.dmp

Filesize
1.9MB

Download
memory/5008-158-0x00007FFC7B080000-0x00007FFC7B25B000-memory.dmp

Filesize
1.9MB

Download
memory/5008-160-0x00007FFC7B080000-0x00007FFC7B25B000-memory.dmp

Filesize
1.9MB

Download
memory/5008-162-0x00007FFC7B080000-0x00007FFC7B25B000-memory.dmp

Filesize
1.9MB

Download
memory/5008-164-0x00007FFC7B080000-0x00007FFC7B25B000-memory.dmp

Filesize
1.9MB

Download
memory/5008-186-0x00007FFC7B080000-0x00007FFC7B25B000-memory.dmp

Filesize
1.9MB

Download
memory/5008-187-0x00007FFC785E0000-0x00007FFC7868E000-memory.dmp

Filesize
696KB

Download