86bf38e8d866cd2d6873815ab448f3d97bc7318081e089bdedb15e8fd53ae10b

General

Target

27052024_1408_Quotation.one
Size

19.2MB
MD5

eee6413a9d303163bd2aca586148bc7e
SHA1

00ef96d67ef34eb50c67a29c831ea2aac97000ee
SHA256

86bf38e8d866cd2d6873815ab448f3d97bc7318081e089bdedb15e8fd53ae10b
SHA512

062f201c5b8bd6046787eb13437c1e2a6d66b3d595a85217e13e623a09f5f7c6183f041d7c33f3b556734236f894bfed3f1d3ca95d76bad7d6856b356a47bf87
SSDEEP

393216:rryo9DF23QDxt5L1V8dJB+7/pWYkRuu3HBseZWdp9N5DHTyc:PT9o3QNDR4B+7/pW+ux/O1zH

Score

3^/10

pyinstaller

Malware Config

Signatures

Detects Pyinstaller 1 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BO.bin	pyinstaller

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

ONENOTE.EXE

pid process

2652 ONENOTE.EXE
2652 ONENOTE.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

ONENOTE.EXE

pid process

2652 ONENOTE.EXE
2652 ONENOTE.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

ONENOTE.EXE

pid	process
2652	ONENOTE.EXE
2652	ONENOTE.EXE
2652	ONENOTE.EXE
2652	ONENOTE.EXE
2652	ONENOTE.EXE
2652	ONENOTE.EXE
2652	ONENOTE.EXE
2652	ONENOTE.EXE
2652	ONENOTE.EXE
2652	ONENOTE.EXE
2652	ONENOTE.EXE
2652	ONENOTE.EXE
2652	ONENOTE.EXE
2652	ONENOTE.EXE
2652	ONENOTE.EXE
2652	ONENOTE.EXE

C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE
"C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE" "C:\Users\Admin\AppData\Local\Temp\27052024_1408_Quotation.one"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BM.bin
Filesize
809B

MD5
244f9792cb849dbf9c79b8de1555c37b

SHA1
6eca4fc1d2c8b6a0215c21f3362a95a3d47a7ddf

SHA256
09e38048b8ab4bd47887227a36da9b2d7349420d1ad745046a858cf3bfa030f8

SHA512
52f48bf2a7d33ea0b297d2c5999b17613627d6d78be6d447b9c6952f8f55f961c54af0f9e6f6cb7c14bc65daf206876b9640445ebdc56c720fe7c0d95432e4ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BN.bin
Filesize
105KB

MD5
fa3e0a4e4fa661ad1f8937fd47df5f50

SHA1
523a1712954fd9d81a0ec793deebe71a424f3c72

SHA256
b9d296026aed8ce4aaf6c575eec7d54378429afc4b780329f4f4f184bb895886

SHA512
cf5ffaa362f130540c03f696329cd5f2203f9ec6a9a85f39981302c9847a2d0e6295adc61badc0f3249b10ce44afd4a58fe3710c3a01df13a2d8d0f138a34a1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BO.bin
Filesize
19.1MB

MD5
1a142f941297031dd315b2f3aff3b2b3

SHA1
51eaeab616ef8caf03e2f5e503a6f4aee2792071

SHA256
68754b8b2b5775692c5ad9d53a041848ab02701b660ec457eab3e2b039849864

SHA512
c4b98501a675d043fce6e5a1debe509d11b5673f7246d79f04daa4eed89cb0ea67e70fd292bf2acb1453796fd19d28426c6eb866614ef94f846caaf2d33bd0c3

Download Submit
memory/2652-12-0x00007FF86BFF0000-0x00007FF86C1E5000-memory.dmp

Filesize
2.0MB

Download
memory/2652-15-0x00007FF8298A0000-0x00007FF8298B0000-memory.dmp

Filesize
64KB

Download
memory/2652-5-0x00007FF86C08D000-0x00007FF86C08E000-memory.dmp

Filesize
4KB

Download
memory/2652-6-0x00007FF86BFF0000-0x00007FF86C1E5000-memory.dmp

Filesize
2.0MB

Download
memory/2652-9-0x00007FF86BFF0000-0x00007FF86C1E5000-memory.dmp

Filesize
2.0MB

Download
memory/2652-8-0x00007FF86BFF0000-0x00007FF86C1E5000-memory.dmp

Filesize
2.0MB

Download
memory/2652-7-0x00007FF86BFF0000-0x00007FF86C1E5000-memory.dmp

Filesize
2.0MB

Download
memory/2652-11-0x00007FF8298A0000-0x00007FF8298B0000-memory.dmp

Filesize
64KB

Download
memory/2652-10-0x00007FF86BFF0000-0x00007FF86C1E5000-memory.dmp

Filesize
2.0MB

Download
memory/2652-0-0x00007FF82C070000-0x00007FF82C080000-memory.dmp

Filesize
64KB

Download
memory/2652-14-0x00007FF86BFF0000-0x00007FF86C1E5000-memory.dmp

Filesize
2.0MB

Download
memory/2652-3-0x00007FF82C070000-0x00007FF82C080000-memory.dmp

Filesize
64KB

Download
memory/2652-13-0x00007FF86BFF0000-0x00007FF86C1E5000-memory.dmp

Filesize
2.0MB

Download
memory/2652-16-0x00007FF86BFF0000-0x00007FF86C1E5000-memory.dmp

Filesize
2.0MB

Download
memory/2652-17-0x00007FF86BFF0000-0x00007FF86C1E5000-memory.dmp

Filesize
2.0MB

Download
memory/2652-19-0x00007FF86BFF0000-0x00007FF86C1E5000-memory.dmp

Filesize
2.0MB

Download
memory/2652-18-0x00007FF86BFF0000-0x00007FF86C1E5000-memory.dmp

Filesize
2.0MB

Download
memory/2652-4-0x00007FF82C070000-0x00007FF82C080000-memory.dmp

Filesize
64KB

Download
memory/2652-1-0x00007FF82C070000-0x00007FF82C080000-memory.dmp

Filesize
64KB

Download
memory/2652-2-0x00007FF82C070000-0x00007FF82C080000-memory.dmp

Filesize
64KB

Download
memory/2652-108-0x00007FF86BFF0000-0x00007FF86C1E5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads