38bc13ef112b2f17d4d1a80243fac6a521b5d58228984aae0752d79487fa3b66

Resubmissions

13-11-2024 23:34

241113-3kmbta1eqc 10

13-11-2024 22:28

11-11-2024 05:34

11-11-2024 03:05

11-11-2024 03:00

08-11-2024 08:59

08-11-2024 08:55

Analysis

max time kernel
92s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-11-2024 08:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3DMark 11 Advanced Edition.exe
Size

11.6MB
MD5

236d7524027dbce337c671906c9fe10b
SHA1

7d345aa201b50273176ae0ec7324739d882da32e
SHA256

400b64f8c61623ead9f579b99735b1b0d9febe7c829e8bdafc9b3a3269bbe21c
SHA512

e5c2f87923b3331719261101b2f606298fb66442e56a49708199d8472c1ac4a72130612d3a9c344310f36fcb3cf39e4637f7dd8fb3841c61b01b95bb3794610a
SSDEEP

196608:8YG+5pO1Ppb1rAMQQkIscfAb3mO5iW8uO2Kq1TIxz2HU6QPXJ0M2m9b/hE4:8/Bv1zsG2fm2bTcWBIXJHVrW4

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

3DMark 11 Advanced Edition.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3DMark 11 Advanced Edition.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3DMark 11 Advanced Edition.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

ONENOTE.EXE

pid process

1500 ONENOTE.EXE
1500 ONENOTE.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

ONENOTE.EXE

pid process

1500 ONENOTE.EXE
1500 ONENOTE.EXE

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

ONENOTE.EXE

pid	process
1500	ONENOTE.EXE
1500	ONENOTE.EXE
1500	ONENOTE.EXE
1500	ONENOTE.EXE
1500	ONENOTE.EXE
1500	ONENOTE.EXE
1500	ONENOTE.EXE
1500	ONENOTE.EXE
1500	ONENOTE.EXE
1500	ONENOTE.EXE
1500	ONENOTE.EXE
1500	ONENOTE.EXE
1500	ONENOTE.EXE

C:\Users\Admin\AppData\Local\Temp\3DMark 11 Advanced Edition.exe
"C:\Users\Admin\AppData\Local\Temp\3DMark 11 Advanced Edition.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:1644

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:400

C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE
"C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE" "C:\Users\Admin\Documents\OneNote Notebooks\Quick Notes.one"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1500-0-0x00007FFB8A590000-0x00007FFB8A5A0000-memory.dmp

Filesize
64KB

Download
memory/1500-1-0x00007FFBCA5AD000-0x00007FFBCA5AE000-memory.dmp

Filesize
4KB

Download
memory/1500-3-0x00007FFB8A590000-0x00007FFB8A5A0000-memory.dmp

Filesize
64KB

Download
memory/1500-2-0x00007FFB8A590000-0x00007FFB8A5A0000-memory.dmp

Filesize
64KB

Download
memory/1500-5-0x00007FFB8A590000-0x00007FFB8A5A0000-memory.dmp

Filesize
64KB

Download
memory/1500-4-0x00007FFB8A590000-0x00007FFB8A5A0000-memory.dmp

Filesize
64KB

Download
memory/1500-8-0x00007FFBCA510000-0x00007FFBCA705000-memory.dmp

Filesize
2.0MB

Download
memory/1500-7-0x00007FFBCA510000-0x00007FFBCA705000-memory.dmp

Filesize
2.0MB

Download
memory/1500-6-0x00007FFBCA510000-0x00007FFBCA705000-memory.dmp

Filesize
2.0MB

Download
memory/1500-10-0x00007FFBCA510000-0x00007FFBCA705000-memory.dmp

Filesize
2.0MB

Download
memory/1500-9-0x00007FFBCA510000-0x00007FFBCA705000-memory.dmp

Filesize
2.0MB

Download
memory/1500-11-0x00007FFBCA510000-0x00007FFBCA705000-memory.dmp

Filesize
2.0MB

Download
memory/1500-12-0x00007FFBCA510000-0x00007FFBCA705000-memory.dmp

Filesize
2.0MB

Download
memory/1500-13-0x00007FFBCA510000-0x00007FFBCA705000-memory.dmp

Filesize
2.0MB

Download
memory/1500-14-0x00007FFB87DC0000-0x00007FFB87DD0000-memory.dmp

Filesize
64KB

Download
memory/1500-17-0x00007FFB87DC0000-0x00007FFB87DD0000-memory.dmp

Filesize
64KB

Download
memory/1500-16-0x00007FFBCA510000-0x00007FFBCA705000-memory.dmp

Filesize
2.0MB

Download
memory/1500-15-0x00007FFBCA510000-0x00007FFBCA705000-memory.dmp

Filesize
2.0MB

Download
memory/1500-18-0x00007FFBCA510000-0x00007FFBCA705000-memory.dmp

Filesize
2.0MB

Download
memory/1500-19-0x00007FFBCA510000-0x00007FFBCA705000-memory.dmp

Filesize
2.0MB

Download
memory/1500-44-0x00007FFB8A590000-0x00007FFB8A5A0000-memory.dmp

Filesize
64KB

Download
memory/1500-45-0x00007FFB8A590000-0x00007FFB8A5A0000-memory.dmp

Filesize
64KB

Download
memory/1500-46-0x00007FFB8A590000-0x00007FFB8A5A0000-memory.dmp

Filesize
64KB

Download
memory/1500-43-0x00007FFB8A590000-0x00007FFB8A5A0000-memory.dmp

Filesize
64KB

Download
memory/1500-47-0x00007FFBCA510000-0x00007FFBCA705000-memory.dmp

Filesize
2.0MB

Download