ioc[.]one - OSINT Cyber Threat Intelligence Database

OneNote to Rule them All: eCrime Adversaries Adopt OneNote for Distribution

Tags

cmtmf-attack-pattern:	Data Manipulation Masquerading
country:	Russia
maec-delivery-vectors:	Watering Hole
attack-pattern:	Data Botnet - T1583.005 Botnet - T1584.005 Data Manipulation - T1641 Data Manipulation - T1565 Javascript - T1059.007 Malvertising - T1583.008 Malware - T1587.001 Malware - T1588.001 Masquerading - T1655 Mshta - T1218.005 Phishing - T1660 Phishing - T1566 Powershell - T1059.001 Rundll32 - T1218.011 Search Engines - T1593.002 Software - T1592.002 Spearphishing Attachment - T1566.001 Spearphishing Attachment - T1598.002 Tool - T1588.002 Masquerading - T1036 Mshta - T1170 Powershell - T1086 Rundll32 - T1085 Scripting - T1064 Spearphishing Attachment - T1193 Masquerading Scripting Spearphishing Attachment

Show in Graph

Common Information

Type	Value
UUID	3e7bc16e-3af9-4772-8e2c-da423ac3d6fb
Fingerprint	ac4b2a4b2ff68b41
Analysis status	DONE
Considered CTI value	2
Text language
Published	March 17, 2023, 12:11 p.m.
Added to db	Oct. 24, 2023, 1:26 p.m.
Last updated	Nov. 17, 2024, 10:40 p.m.
Headline
Title	OneNote to Rule them All: eCrime Adversaries Adopt OneNote for Distribution
Detected Hints/Tags/Attributes	75/4/28

Source URLs

	Redirection	Url
Details	Source	https://www.crowdstrike.com/blog/qakbot-ecrime-campaign-leverages-microsoft-onenote-for-distribution/

URL Provider

Details	Provider	Source level domain
Details	crowdstrike.com	www.crowdstrike.com

Attributes

Details	Type	#Events	Value
Details	CVE	22	cve-2022-41091
Details	Domain	9	onedump.py
Details	Domain	372	wscript.shell
Details	Domain	707	google.com
Details	Domain	2	a9tcsbn.run
Details	Domain	207	learn.microsoft.com
Details	Domain	452	msrc.microsoft.com
Details	File	1018	rundll32.exe
Details	File	74	onenote.exe
Details	File	456	mshta.exe
Details	File	11	c:\windows\syswow64\mshta.exe
Details	File	2126	cmd.exe
Details	File	376	wscript.exe
Details	File	9	onedump.py
Details	File	93	curl.exe
Details	File	2	c:\\programdata\\ajywl.png
Details	File	2	80818.dat
Details	sha256	2	a28b68f86f05e14d671c1b43bbc662f8d502eb6955091c88af3750cfb4690685
Details	sha256	2	701f9ce1be9a1eccda5834f50dec1f441da779ddf7849cc1cc82bb14b6749cba
Details	IPv4	1	87.236.146.112
Details	MITRE ATT&CK Techniques	310	T1566.001
Details	Url	39	https://google.com
Details	Url	1	http://87.236.146.112/80818.dat
Details	Url	2	https://techcommunity.microsoft.com/t5/excel-blog/excel-4-0-xlm-macros-now-restricted-by-default-for-customer/ba-p/3057905
Details	Url	4	https://learn.microsoft.com/en-us/deployoffice/security/internet-macros-blocked
Details	Url	3	https://msrc.microsoft.com/update-guide/en-us/vulnerability/cve-2022-41091
Details	Windows Registry Key	2	HKCU\SOFTWARE\cqptlz\ug9o\b8kvyy
Details	Windows Registry Key	2	HKCU\SOFTWARE\cqptlz\ug9o\b8kvy