Edit tour

Windows Analysis Report
Cancellation_418406_Dec23.pdf

Overview

General Information

Sample Name:	Cancellation_418406_Dec23.pdf
Analysis ID:	778232
MD5:	c085bbddc02251986f1fd8b84c5a404e
SHA1:	98d3377ff32441e24baa96f1d0fd83190e274c22
SHA256:	ca2d98108f12fb407cb0e1778febc9ff453ebbd8888e3b184cb8b9993775b5d8
Infos:

Detection

Qbot Downloader

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found potential malicious PDF (bad image similarity)

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Yara detected Qbot Downloader

Clickable URLs found in PDF pointing to potentially malicious files

Creates a DirectInput object (often for capturing keystrokes)

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Internet Provider seen in connection with other malware

Sample execution stops while process was sleeping (likely an evasion)

Creates a process in suspended mode (likely to inject code)

IP address seen in connection with other malware

Classification

Process Tree

System is w10x64

AcroRd32.exe (PID: 2156 cmdline: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\user\Desktop\Cancellation_418406_Dec23.pdf MD5: B969CF0C7B2C443A99034881E8C8740A)

RdrCEF.exe (PID: 5448 cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043 MD5: 9AEBA3BACD721484391D15478A4080C7)

chrome.exe (PID: 7152 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://agapeministriesinternational.church/blog/Cancellation_367461_Dec23.zip MD5: 0FEC2748F363150DC54C1CAFFB1A9408)

chrome.exe (PID: 2364 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1948 --field-trial-handle=1812,i,544507481073856773,15156316211615148029,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8 MD5: 0FEC2748F363150DC54C1CAFFB1A9408)

unarchiver.exe (PID: 6076 cmdline: C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\Cancellation_367461_Dec23.zip MD5: 16FF3CC6CC330A08EED70CBC1D35F5D2)

7za.exe (PID: 5296 cmdline: C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\fgt4alc0.uhe" "C:\Users\user\Downloads\Cancellation_367461_Dec23.zip MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)

conhost.exe (PID: 5312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: Qbot Downloader

{"Download Url": "http://agapeministriesinternational.church/blog/Cancellation_367461_Dec23.zip"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Cancellation_418406_Dec23.pdf	JoeSecurity_QbotDownloader	Yara detected Qbot Downloader	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://agapeministriesinternational.church/blog/Cancellation_367461_Dec23.zip

Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: http://agapeministriesinternational.church/blog/Cancellation_367461_Dec23.zip

Virustotal: Detection: 15%

Perma Link

Source: Cancellation_418406_Dec23.pdf

Malware Configuration Extractor: Qbot Downloader {"Download Url": "http://agapeministriesinternational.church/blog/Cancellation_367461_Dec23.zip"}

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

Directory created: C:\Program Files\Google\GoogleUpdater

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Spreading

Yara detected Qbot Downloader

Source: Yara match

File source: Cancellation_418406_Dec23.pdf, type: SAMPLE

Source: Joe Sandbox View

ASN Name: AS-26496-GO-DADDY-COM-LLCUS AS-26496-GO-DADDY-COM-LLCUS

Source: Joe Sandbox View

IP Address: 239.255.255.250 239.255.255.250

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 05 Jan 2023 08:03:45 GMTServer: ApacheX-Powered-By: PHP/8.1.13Connection: keep-alive, Keep-AliveAccept-Ranges: bytesExpires: 0Cache-Control: no-cache, no-store, must-revalidateContent-Disposition: attachment; filename="Cancellation_367461_Dec23.zip"Upgrade: h2,h2cConnection: UpgradeContent-Length: 801520Vary: Accept-EncodingKeep-Alive: timeout=5Content-Type: application/zipData Raw: 50 4b 03 04 14 00 01 00 08 00 02 9c 97 55 e0 d4 f8 ae 42 3a 0c 00 00 d0 6a 06 14 00 00 00 43 61 6e 63 65 6c 6c 61 74 69 6f 6e 23 4a 35 38 2e 69 73 6f 79 61 b4 0c 99 42 96 64 6f 83 91 a6 87 9a e5 3b a7 9b fa 5c ce db 83 0b 04 d9 b6 6c 6b c0 29 f7 77 06 99 5d 89 d8 25 f7 83 d0 e7 99 b5 61 ec 80 11 0d 3f ab ff b3 1e 8a da 89 07 00 17 6a ec e6 29 66 86 ed bf 05 74 c7 c4 7c 06 90 e2 b0 2d 93 97 cf c9 70 ab d3 95 5b b2 ed 34 37 cb cb 9b c8 3a fb be 6c 97 18 a2 80 38 1b 2f 9a 5a 49 9d 4c 08 51 38 eb d6 d9 76 b8 dd 45 e0 a7 da c5 f3 68 1d 93 e1 36 73 17 47 c3 84 d1 50 b0 20 e0 0f 2f 1c ba ad 94 8c d5 01 a0 44 c8 57 38 0e b7 40 e6 67 9d e3 e4 b7 ef 2d a6 da d8 4d ff be 7d a9 a8 68 55 a3 aa 40 fb 32 c8 a1 2b 79 c1 e4 f5 44 28 a9 e8 6d 90 d7 2c f8 a6 a7 d3 f7 4d cd 5c 12 87 6b 1c a6 df da 6c f4 db 85 6c 02 12 db 8a f5 b8 f3 5a 1e 09 34 9b f1 09 d4 31 61 ec dd 98 ce d0 fe 90 73 1d 8f ff 0f 0a 49 41 25 be 0a 11 13 3c 09 76 9f c6 c9 0c b8 42 55 a2 ef 6e 61 a6 e8 c0 f4 02 5a 7e fd c2 2f 48 3e 80 50 95 ce 2e f5 5a 93 67 db cd b2 29 e5 bb 9d 0e 62 e2 2c 31 ec 3a 10 92 44 3f 90 c3 4d 8d 78 1d 46 c1 7e f6 97 5a 08 bd 77 25 72 27 e9 80 65 ae d6 7a 71 36 ea b4 32 04 2e c4 39 00 76 fb 72 d4 40 ac 61 a6 37 85 ca f3 1f 0b a9 1c 0b 68 b6 46 50 87 c1 02 a6 5b 2c 19 53 aa 37 4e c9 91 6a 4f fa 5a 49 aa 28 55 28 fd 13 fb 29 bf 51 74 1d 23 18 cd 17 74 20 81 cf a2 6e 45 2e e2 71 c9 01 18 59 6f e6 8c 3c 09 1d 71 f9 92 87 c1 71 d9 40 fd e3 16 28 8a 86 ff 37 d4 e6 37 21 18 c0 7a 7f 44 37 e6 8d 17 12 6b 93 fb a5 8d 64 de 6d a5 1b fd 57 d9 4e 7d e0 56 b6 c1 76 c0 30 44 73 e9 a2 7f 4c 05 21 0a 60 55 17 f4 b7 da 7d ef 80 22 eb f8 df f2 e7 c0 f3 e9 96 5c 9a 67 ea 0a 27 b1 9a 56 9e 23 db 96 6d 10 a6 9b 6b e5 a2 e2 59 36 2b 26 9e 1b 69 9c d3 38 14 c6 36 f0 da 48 f3 79 40 c9 e2 7f dd 9d bf 3a 3a 05 47 80 07 34 e3 74 1e e4 0f 97 7b ae 19 c5 d9 68 9b df 3b 64 53 bf 69 af 0c bf 9c 9c 6a 36 18 67 ab 81 08 7b 42 6c 0d cd e1 62 60 11 a4 a7 21 23 a0 4f 6c 40 f5 7b 11 1d f0 76 5f 7a 8a 5b 2e 65 7f 21 1e 86 b6 19 54 57 b5 41 94 5b 90 8f 16 50 60 ae 7f a4 92 dc 2b a4 67 ad 6b 9b f2 05 9a 3a 94 ae 2a 89 78 68 9f 8f 8b 31 27 07 e4 b4 13 7c 80 cb e7 c5 e5 bc 7e 3a d7 60 11 c2 bb 12 ee 5f ae 4e 7c c3 36 be 22 ef 58 5e 4e 59 bc 23 d8 61 55 c7 14 7b 70 a5 9a 09 2f 7a 5a 22 0a 39 e9 6f 02 5c 47 49 f9 11 04 ee 58 0a 0c 64 04 62 b0 2a 4b fe 40 3b e6 05 50 d4 d2 46 2f 6a 7b c3 7d 4e 3f c6 78 fd 9d e9 5c 21 0e bb 7c 04 d4 81 ae 3e 1b 54 21 f5 63 74 70 ea 32 40 2d cb f0 cc 61 55 09 d1 aa 35 53 1a a1 6e 94 69 e8 c9 0f e8 15 17 07 f8 16 aa 7d 01 ad bb 78 51 d2 f8 0d 0d 25 d2

Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: Cancellation_418406_Dec23.pdf

String found in binary or memory: http://agapeministriesinternational.church/blog/Cancellation_367461_Dec23.zip)

Source: unknown

HTTP traffic detected: POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1Host: accounts.google.comConnection: keep-aliveContent-Length: 1Origin: https://www.google.comContent-Type: application/x-www-form-urlencodedSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: CONSENT=PENDING+904; AEC=AakniGO7HqlHWlnoY-P22_SwwnNSfVGxlF1NgK5nuj5WLe313NyJi16g7z4; SOCS=CAISHAgCEhJnd3NfMjAyMjA4MDgtMF9SQzEaAmVuIAEaBgiAvOuXBg; NID=511=nUT82hOv6CVwMNqDg-sTtCMJJ6SQ1v_cCpfCpf5nt8EolEbal01GWFyjG01tqWQgh9ciRU880J6nLd2gdbhAJs44PsHAZaVQAFIbrqe2FmFgjrAAK7W9Z8u5LDvwsuZRng98jP6E23SJ4fsPIs326YmnuCwa92dRRCcB6MNeI_o

Source: unknown

DNS traffic detected: queries for: agapeministriesinternational.church

Source: global traffic	HTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=104.0.5112.81&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1Host: clients2.google.comConnection: keep-aliveX-Goog-Update-Interactivity: fgX-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmiedaX-Goog-Update-Updater: chromecrx-104.0.5112.81Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /blog/Cancellation_367461_Dec23.zip HTTP/1.1Host: agapeministriesinternational.churchConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9

Source: unarchiver.exe, 0000000F.00000002.606287284.0000000000CEB000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Found potential malicious PDF (bad image similarity)

Source: Cancellation_418406_Dec23.pdf

Static PDF information: Image stream: 6

Clickable URLs found in PDF pointing to potentially malicious files

Source: Cancellation_418406_Dec23.pdf	Initial sample: http://agapeministriesinternational.church/blog/cancellation_367461_dec23.zip
Source: Cancellation_418406_Dec23.pdf	Initial sample: http://agapeministriesinternational.church/blog/Cancellation_367461_Dec23.zip

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File deleted: C:\Windows\Fonts\ariblk.ttf

Jump to behavior

Source: Cancellation_418406_Dec23.pdf	Initial sample: http://agapeministriesinternational.church/blog/cancellation_367461_dec23.zip
Source: Cancellation_418406_Dec23.pdf	Initial sample: http://agapeministriesinternational.church/blog/Cancellation_367461_Dec23.zip

Source: C:\Windows\SysWOW64\unarchiver.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp

Source: unknown	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\user\Desktop\Cancellation_418406_Dec23.pdf
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://agapeministriesinternational.church/blog/Cancellation_367461_Dec23.zip
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1948 --field-trial-handle=1812,i,544507481073856773,15156316211615148029,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\SysWOW64\unarchiver.exe C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\Cancellation_367461_Dec23.zip
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\fgt4alc0.uhe" "C:\Users\user\Downloads\Cancellation_367461_Dec23.zip
Source: C:\Windows\SysWOW64\7za.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://agapeministriesinternational.church/blog/Cancellation_367461_Dec23.zip
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1948 --field-trial-handle=1812,i,544507481073856773,15156316211615148029,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\SysWOW64\unarchiver.exe C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\Cancellation_367461_Dec23.zip
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\fgt4alc0.uhe" "C:\Users\user\Downloads\Cancellation_367461_Dec23.zip

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5312:120:WilError_01

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Program Files\Google\GoogleUpdater

Jump to behavior

Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons

Jump to behavior

Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

File created: C:\Users\user\AppData\Local\Temp\acrord32_sbx

Jump to behavior

Source: classification engine

Classification label: mal76.spre.winPDF@38/57@5/7

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

Directory created: C:\Program Files\Google\GoogleUpdater

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Source: Cancellation_418406_Dec23.pdf	Initial sample: PDF keyword /JS count = 0
Source: Cancellation_418406_Dec23.pdf	Initial sample: PDF keyword /JavaScript count = 0

Source: Cancellation_418406_Dec23.pdf

Initial sample: PDF keyword /EmbeddedFile count = 0

Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\SysWOW64\unarchiver.exe TID: 6500	Thread sleep count: 119 > 30
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 6500	Thread sleep time: -59500s >= -30000s

Source: C:\Windows\SysWOW64\unarchiver.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\unarchiver.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\unarchiver.exe

Code function: 15_2_00F0B1D6 GetSystemInfo,

Source: C:\Windows\SysWOW64\unarchiver.exe

Memory allocated: page read and write | page guard

Source: C:\Windows\SysWOW64\unarchiver.exe

Process created: C:\Windows\SysWOW64\7za.exe C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\fgt4alc0.uhe" "C:\Users\user\Downloads\Cancellation_367461_Dec23.zip

Source: C:\Windows\SysWOW64\unarchiver.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
1 Spearphishing Link	Windows Management Instrumentation	Path Interception	11 Process Injection	3 Masquerading	1 Input Capture	1 Virtualization/Sandbox Evasion	Remote Services	1 Input Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Virtualization/Sandbox Evasion	LSASS Memory	3 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	4 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Disable or Modify Tools	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	5 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	11 Process Injection	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	2 Ingress Tool Transfer	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 File Deletion	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
agapeministriesinternational.church	3%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://agapeministriesinternational.church/blog/Cancellation_367461_Dec23.zip	100%	Avira URL Cloud	malware
http://agapeministriesinternational.church/blog/Cancellation_367461_Dec23.zip)	0%	Avira URL Cloud	safe
http://agapeministriesinternational.church/blog/Cancellation_367461_Dec23.zip	16%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
agapeministriesinternational.church	50.62.149.105	true	true	3%, Virustotal, Browse	unknown
accounts.google.com	142.251.209.13	true	false		high
www.google.com	142.250.184.36	true	false		high
clients.l.google.com	142.250.184.78	true	false		high
clients2.google.com	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=104.0.5112.81&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1	false		high
https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard	false		high
http://agapeministriesinternational.church/blog/Cancellation_367461_Dec23.zip	true	16%, Virustotal, Browse Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://agapeministriesinternational.church/blog/Cancellation_367461_Dec23.zip)	Cancellation_418406_Dec23.pdf	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
50.62.149.105	agapeministriesinternational.church	United States	26496	AS-26496-GO-DADDY-COM-LLCUS	true
142.250.184.78	clients.l.google.com	United States	15169	GOOGLEUS	false
142.251.209.13	accounts.google.com	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.250.184.36	www.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.1
127.0.0.1

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	778232
Start date and time:	2023-01-05 09:01:23 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 53s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	Cancellation_418406_Dec23.pdf
Cookbook file name:	defaultwindowspdfcookbook.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal76.spre.winPDF@38/57@5/7
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .pdf Found PDF document Find and activate links Security Warning found Close Viewer

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe
TCP Packets have been reduced to 100
Excluded IPs from analysis (whitelisted): 2.21.22.155, 2.21.22.179, 23.211.4.250, 142.250.184.35, 34.104.35.123, 142.250.184.67
Excluded domains from analysis (whitelisted): ssl.adobe.com.edgekey.net, fs.microsoft.com, armmf.adobe.com, edgedl.me.gvt1.com, acroipm2.adobe.com.edgesuite.net, e4578.dscb.akamaiedge.net, a122.dscd.akamai.net, update.googleapis.com, clientservices.googleapis.com, acroipm2.adobe.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtWriteVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:02:21	API Interceptor	1x Sleep call for process: RdrCEF.exe modified

Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	205
Entropy (8bit):	5.621995976318026
Encrypted:	false
SSDEEP:	3:m+lvns8RzYOCGLvHkWBGKuKjXKLNjKLuVlfl/1lQRktyrVNBiTFJrqzOJkvP5m1:men9YOFLvEWdM9QKftvPtYvi7Z+P41
MD5:	05A8ED13DB8ACF9593227A84C5C6FF47
SHA1:	6414B2E11A5C6EDA3AEDDF90585DC7AB6AA8817E
SHA-256:	6AD07D48B525B5EBE2DE9B7C4A074C01C366CCDD01080F8F65C378B8089C4227
SHA-512:	A392B1984BB041DB20B9AC85C423966E8D67F40D5774D82B9313626CB5F428454BD88C77D5CC82CC6DE18DC7EDB1BE95C6DAF387C92F19AB2AA799C613B4AEE4
Malicious:	false
Reputation:	low
Preview:	0\r..m......M..........._keyhttps://rna-resource.acrobat.com/static/js/plugins/reviews/js/plugin.js ..mQ..P/....."#.D5.3....A.A..Eo......KX..............d.{v.^.G...d.W.:...P..k%..A..Eo..................

Process:	C:\Windows\SysWOW64\unarchiver.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2068
Entropy (8bit):	5.0863149791147855
Encrypted:	false
SSDEEP:	48:zFJbGYGbYGYGpiGbfGYGp3FkGbeG0FkGQGNGYGYGmHGYGNGYGmbP1+EEEEEEEEEY:x8MjKU9Q
MD5:	8A8E8565CCAA246BA9B71598B7038E38
SHA1:	27578ACD6D50E313A3BA1F5DB05EF479F0F9CF8B
SHA-256:	C783A44B81D1DEE63B86D0B1C036889E1DF5686A911785BBB9AC5F35AA32AFEC
SHA-512:	E7DBC97A56628ED6CA7F5B456AC31C1BC6C79DBF8ECF1B1D3E375F3C197FE2B4F8CC6476B2453A4D9551186EAAF83395A4E628FFA171130E724A0E4A79AF20CC
Malicious:	false
Preview:	01/05/2023 9:03 AM: Unpack: C:\Users\user\Downloads\Cancellation_367461_Dec23.zip..01/05/2023 9:03 AM: Tmp dir: C:\Users\user\AppData\Local\Temp\fgt4alc0.uhe..01/05/2023 9:03 AM: Received from standard out: ..01/05/2023 9:03 AM: Received from standard out: 7-Zip 18.05 (x86) : Copyright (c) 1999-2018 Igor Pavlov : 2018-04-30..01/05/2023 9:03 AM: Received from standard out: ..01/05/2023 9:03 AM: Received from standard out: Scanning the drive for archives:..01/05/2023 9:03 AM: Received from standard out: 1 file, 801520 bytes (783 KiB)..01/05/2023 9:03 AM: Received from standard out: ..01/05/2023 9:03 AM: Received from standard out: Extracting archive: C:\Users\user\Downloads\Cancellation_367461_Dec23.zip..01/05/2023 9:03 AM: Received from standard out: --..01/05/2023 9:03 AM: Received from standard out: Path = C:\Users\user\Downloads\Cancellation_367461_Dec23.zip..01/05/2023 9:03 AM: Received from standard out: Type = zip..01/05/2023 9:03 AM: Received from standard out: Physical Size

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	801520
Entropy (8bit):	7.999770193882168
Encrypted:	true
SSDEEP:	24576:wlDW7aQ9CEKLN0rvLPFMDcebEvbm37vcYep11QJ/6dP/z:MDWtKZ0+DczS3TcYefQJ/uP/z
MD5:	26097A602D65D1CC7E47D2A5E5D32895
SHA1:	78868EA9BD5CA1E5B591303C964C74CAC18F76EC
SHA-256:	9D4DD3EFB6149DA52E080EC9E91F1E64C5D0656F488FA78DCD6CE638EE75BA0B
SHA-512:	6BFD8ECCB1C7CE62B06F54728781ECC100389E129A98D831F3FE20DD79BD65CDDE2D91764993624161F906936672A0839790FEBAF86019B8A10BDC26D83D2DF1
Malicious:	false
Preview:	PK...........U....B:....j.....Cancellation#J58.isoya...B.do......;...\.....lk.).w..]..%....a...?.........j..)f...t..\|...-....p..[..47...:..l....8./.ZI.L.Q8...v..E....h...6s.G..P. ../........D.W8..@.g....-...M..}..hU..@.2.+y...D(..m..,.....M.\..k....l..l......Z..4....1a......s.....IA%....<.v.....BU..na.....Z~../H>.P....Z.g..)..b.,1.:..D?..M.x.F.~..Z..w%r'.e..zq6.2...9.v.r.@.a.7........h.FP....[,.S.7N.jO.ZI.(U(...).Qt.#...t ..nE..q...Yo.<..q....q.@...(...7..7!..z.D7...k....d.m...W.N}.V..v.0Ds..L.!.`U....}."........\.g..'..V.#.m...k..Y6+&..i..8..6..H.y@.....::.G..4.t....{....h..;dS.i.....j6.g...{Bl...b`...!#.Ol@.{...v_z.[.e.!....TW.A.[...P`.....+.g.k....:...xh...1'...\|.....~:.`...._.N\|.6.".X^NY.#.aU..{p.../zZ".9.o.\GI....X..d.b.K.@;..P..F/j{.}N?.x...\!..\|...>.T!.ctp.2@-...aU..5S..n.i..........}...xQ....%.x....i...1...~...!....>.GU.p....X.....w..%..../*......Z.;.wI...Ii.3...?Tddl'.D..uf.Io..@....7x...R.....).....U!...n..1.x#I7.M....]......N.&..

File type:	PDF document, version 1.3, 1 pages
Entropy (8bit):	7.795798037764297
TrID:	Adobe Portable Document Format (5005/1) 100.00%
File name:	Cancellation_418406_Dec23.pdf
File size:	186639
MD5:	c085bbddc02251986f1fd8b84c5a404e
SHA1:	98d3377ff32441e24baa96f1d0fd83190e274c22
SHA256:	ca2d98108f12fb407cb0e1778febc9ff453ebbd8888e3b184cb8b9993775b5d8
SHA512:	02fef8a38f843cec18a6ca0e80cbb1ee23659534bab963d7ef0e8b522c2de1787666bfa4970c4d34d701ec4f652ba8bc583adca517fe5679e9d985bd2a3da59c
SSDEEP:	3072:fQcfk8aPgtSyiVLFkckuQMPhB20K8HR9hYDdfddlRCFwfkFPWN50kNSFHFUmV8N1:W8nwhFkZuvPDiYqdfddlVjbr03UmVruv
TLSH:	3504E0CCB13B76BFE8B77BB3A562835D374F6525732E6687088992A4C301F42D4510AE
File Content Preview:	%PDF-1.3.3 0 obj.<</Type /Page./Parent 1 0 R./Resources 2 0 R./Annots [5 0 R ]./Contents 4 0 R>>.endobj.4 0 obj.<</Filter /FlateDecode /Length 59>>.stream.x.3R..2.35W(.*T.01.32U0.BSKS=S C..@A.@..H!9WA..P.%_!... 4...endstream.endobj.5 0 obj.<</Type /Annot

General
Header:	%PDF-1.3
Total Entropy:	7.795798
Total Bytes:	186639
Stream Entropy:	7.794817
Stream Bytes:	185459
Entropy outside Streams:	5.173523
Bytes outside Streams:	1180
Number of EOF found:	1
Bytes after EOF:

Name	Count
obj	8
endobj	8
stream	2
endstream	2
xref	1
trailer	1
startxref	1
/Page	1
/Encrypt	0
/ObjStm	0
/URI	2
/JS	0
/JavaScript	0
/AA	0
/OpenAction	0
/AcroForm	0
/JBIG2Decode	0
/RichMedia	0
/Launch	0
/EmbeddedFile	0

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 5, 2023 09:03:45.665621042 CET	49698	80	192.168.2.3	50.62.149.105
Jan 5, 2023 09:03:45.666202068 CET	49699	443	192.168.2.3	142.250.184.78
Jan 5, 2023 09:03:45.666264057 CET	443	49699	142.250.184.78	192.168.2.3
Jan 5, 2023 09:03:45.666347027 CET	49699	443	192.168.2.3	142.250.184.78
Jan 5, 2023 09:03:45.667125940 CET	49701	443	192.168.2.3	142.251.209.13
Jan 5, 2023 09:03:45.667155981 CET	443	49701	142.251.209.13	192.168.2.3
Jan 5, 2023 09:03:45.667221069 CET	49701	443	192.168.2.3	142.251.209.13
Jan 5, 2023 09:03:45.681859016 CET	49702	80	192.168.2.3	50.62.149.105
Jan 5, 2023 09:03:45.682480097 CET	49699	443	192.168.2.3	142.250.184.78
Jan 5, 2023 09:03:45.682548046 CET	443	49699	142.250.184.78	192.168.2.3
Jan 5, 2023 09:03:45.683199883 CET	49701	443	192.168.2.3	142.251.209.13
Jan 5, 2023 09:03:45.683228016 CET	443	49701	142.251.209.13	192.168.2.3
Jan 5, 2023 09:03:45.806641102 CET	443	49701	142.251.209.13	192.168.2.3
Jan 5, 2023 09:03:45.813993931 CET	49701	443	192.168.2.3	142.251.209.13
Jan 5, 2023 09:03:45.814045906 CET	443	49701	142.251.209.13	192.168.2.3
Jan 5, 2023 09:03:45.815979004 CET	443	49701	142.251.209.13	192.168.2.3
Jan 5, 2023 09:03:45.816091061 CET	49701	443	192.168.2.3	142.251.209.13
Jan 5, 2023 09:03:45.823188066 CET	80	49698	50.62.149.105	192.168.2.3
Jan 5, 2023 09:03:45.823334932 CET	49698	80	192.168.2.3	50.62.149.105
Jan 5, 2023 09:03:45.823719978 CET	49698	80	192.168.2.3	50.62.149.105
Jan 5, 2023 09:03:45.839335918 CET	80	49702	50.62.149.105	192.168.2.3
Jan 5, 2023 09:03:45.839426994 CET	49702	80	192.168.2.3	50.62.149.105
Jan 5, 2023 09:03:45.854161978 CET	443	49699	142.250.184.78	192.168.2.3
Jan 5, 2023 09:03:45.854439020 CET	49699	443	192.168.2.3	142.250.184.78
Jan 5, 2023 09:03:45.854484081 CET	443	49699	142.250.184.78	192.168.2.3
Jan 5, 2023 09:03:45.855062008 CET	443	49699	142.250.184.78	192.168.2.3
Jan 5, 2023 09:03:45.855139017 CET	49699	443	192.168.2.3	142.250.184.78
Jan 5, 2023 09:03:45.855910063 CET	443	49699	142.250.184.78	192.168.2.3
Jan 5, 2023 09:03:45.855979919 CET	49699	443	192.168.2.3	142.250.184.78
Jan 5, 2023 09:03:45.980948925 CET	80	49698	50.62.149.105	192.168.2.3
Jan 5, 2023 09:03:46.144690037 CET	49701	443	192.168.2.3	142.251.209.13
Jan 5, 2023 09:03:46.144759893 CET	443	49701	142.251.209.13	192.168.2.3
Jan 5, 2023 09:03:46.144988060 CET	49701	443	192.168.2.3	142.251.209.13
Jan 5, 2023 09:03:46.145015955 CET	443	49701	142.251.209.13	192.168.2.3
Jan 5, 2023 09:03:46.145217896 CET	443	49701	142.251.209.13	192.168.2.3
Jan 5, 2023 09:03:46.145606995 CET	49699	443	192.168.2.3	142.250.184.78
Jan 5, 2023 09:03:46.145653963 CET	443	49699	142.250.184.78	192.168.2.3
Jan 5, 2023 09:03:46.145747900 CET	49699	443	192.168.2.3	142.250.184.78
Jan 5, 2023 09:03:46.145764112 CET	443	49699	142.250.184.78	192.168.2.3
Jan 5, 2023 09:03:46.146033049 CET	443	49699	142.250.184.78	192.168.2.3
Jan 5, 2023 09:03:46.192888975 CET	443	49699	142.250.184.78	192.168.2.3
Jan 5, 2023 09:03:46.193018913 CET	49699	443	192.168.2.3	142.250.184.78
Jan 5, 2023 09:03:46.193053007 CET	443	49699	142.250.184.78	192.168.2.3
Jan 5, 2023 09:03:46.193342924 CET	443	49699	142.250.184.78	192.168.2.3
Jan 5, 2023 09:03:46.193413019 CET	49699	443	192.168.2.3	142.250.184.78
Jan 5, 2023 09:03:46.195028067 CET	49699	443	192.168.2.3	142.250.184.78
Jan 5, 2023 09:03:46.195064068 CET	443	49699	142.250.184.78	192.168.2.3
Jan 5, 2023 09:03:46.214713097 CET	443	49701	142.251.209.13	192.168.2.3
Jan 5, 2023 09:03:46.214826107 CET	49701	443	192.168.2.3	142.251.209.13
Jan 5, 2023 09:03:46.214858055 CET	443	49701	142.251.209.13	192.168.2.3
Jan 5, 2023 09:03:46.215186119 CET	443	49701	142.251.209.13	192.168.2.3
Jan 5, 2023 09:03:46.215260029 CET	49701	443	192.168.2.3	142.251.209.13
Jan 5, 2023 09:03:46.216869116 CET	49701	443	192.168.2.3	142.251.209.13
Jan 5, 2023 09:03:46.216905117 CET	443	49701	142.251.209.13	192.168.2.3
Jan 5, 2023 09:03:48.063569069 CET	80	49698	50.62.149.105	192.168.2.3
Jan 5, 2023 09:03:48.063642025 CET	80	49698	50.62.149.105	192.168.2.3
Jan 5, 2023 09:03:48.063687086 CET	80	49698	50.62.149.105	192.168.2.3
Jan 5, 2023 09:03:48.063714027 CET	80	49698	50.62.149.105	192.168.2.3
Jan 5, 2023 09:03:48.063734055 CET	49698	80	192.168.2.3	50.62.149.105
Jan 5, 2023 09:03:48.063755989 CET	80	49698	50.62.149.105	192.168.2.3
Jan 5, 2023 09:03:48.063781023 CET	80	49698	50.62.149.105	192.168.2.3
Jan 5, 2023 09:03:48.063797951 CET	49698	80	192.168.2.3	50.62.149.105
Jan 5, 2023 09:03:48.063807964 CET	80	49698	50.62.149.105	192.168.2.3
Jan 5, 2023 09:03:48.063849926 CET	80	49698	50.62.149.105	192.168.2.3
Jan 5, 2023 09:03:48.063875914 CET	80	49698	50.62.149.105	192.168.2.3
Jan 5, 2023 09:03:48.063901901 CET	80	49698	50.62.149.105	192.168.2.3
Jan 5, 2023 09:03:48.063932896 CET	49698	80	192.168.2.3	50.62.149.105
Jan 5, 2023 09:03:48.063934088 CET	49698	80	192.168.2.3	50.62.149.105
Jan 5, 2023 09:03:48.063934088 CET	49698	80	192.168.2.3	50.62.149.105
Jan 5, 2023 09:03:48.221364021 CET	80	49698	50.62.149.105	192.168.2.3
Jan 5, 2023 09:03:48.221400023 CET	80	49698	50.62.149.105	192.168.2.3
Jan 5, 2023 09:03:48.221451044 CET	80	49698	50.62.149.105	192.168.2.3
Jan 5, 2023 09:03:48.221481085 CET	80	49698	50.62.149.105	192.168.2.3
Jan 5, 2023 09:03:48.221508026 CET	80	49698	50.62.149.105	192.168.2.3
Jan 5, 2023 09:03:48.221533060 CET	80	49698	50.62.149.105	192.168.2.3
Jan 5, 2023 09:03:48.221560955 CET	80	49698	50.62.149.105	192.168.2.3
Jan 5, 2023 09:03:48.221589088 CET	80	49698	50.62.149.105	192.168.2.3
Jan 5, 2023 09:03:48.221616983 CET	80	49698	50.62.149.105	192.168.2.3
Jan 5, 2023 09:03:48.221647024 CET	80	49698	50.62.149.105	192.168.2.3
Jan 5, 2023 09:03:48.221652985 CET	49698	80	192.168.2.3	50.62.149.105
Jan 5, 2023 09:03:48.221652985 CET	49698	80	192.168.2.3	50.62.149.105
Jan 5, 2023 09:03:48.221652985 CET	49698	80	192.168.2.3	50.62.149.105
Jan 5, 2023 09:03:48.221652985 CET	49698	80	192.168.2.3	50.62.149.105
Jan 5, 2023 09:03:48.221652985 CET	49698	80	192.168.2.3	50.62.149.105
Jan 5, 2023 09:03:48.221673965 CET	80	49698	50.62.149.105	192.168.2.3
Jan 5, 2023 09:03:48.221702099 CET	80	49698	50.62.149.105	192.168.2.3
Jan 5, 2023 09:03:48.221729994 CET	80	49698	50.62.149.105	192.168.2.3
Jan 5, 2023 09:03:48.221733093 CET	49698	80	192.168.2.3	50.62.149.105
Jan 5, 2023 09:03:48.221759081 CET	80	49698	50.62.149.105	192.168.2.3
Jan 5, 2023 09:03:48.221882105 CET	49698	80	192.168.2.3	50.62.149.105
Jan 5, 2023 09:03:48.221882105 CET	49698	80	192.168.2.3	50.62.149.105
Jan 5, 2023 09:03:48.379358053 CET	80	49698	50.62.149.105	192.168.2.3
Jan 5, 2023 09:03:48.379399061 CET	80	49698	50.62.149.105	192.168.2.3
Jan 5, 2023 09:03:48.379429102 CET	80	49698	50.62.149.105	192.168.2.3
Jan 5, 2023 09:03:48.379458904 CET	80	49698	50.62.149.105	192.168.2.3
Jan 5, 2023 09:03:48.379489899 CET	80	49698	50.62.149.105	192.168.2.3
Jan 5, 2023 09:03:48.379523039 CET	80	49698	50.62.149.105	192.168.2.3
Jan 5, 2023 09:03:48.379523039 CET	49698	80	192.168.2.3	50.62.149.105
Jan 5, 2023 09:03:48.379549980 CET	80	49698	50.62.149.105	192.168.2.3
Jan 5, 2023 09:03:48.379580975 CET	49698	80	192.168.2.3	50.62.149.105

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 5, 2023 09:03:31.990242004 CET	57840	53	192.168.2.3	8.8.8.8
Jan 5, 2023 09:03:32.011425972 CET	53	57840	8.8.8.8	192.168.2.3
Jan 5, 2023 09:03:45.622262001 CET	60625	53	192.168.2.3	8.8.8.8
Jan 5, 2023 09:03:45.626640081 CET	49302	53	192.168.2.3	8.8.8.8
Jan 5, 2023 09:03:45.626899958 CET	53975	53	192.168.2.3	8.8.8.8
Jan 5, 2023 09:03:45.643832922 CET	53	60625	8.8.8.8	192.168.2.3
Jan 5, 2023 09:03:45.645402908 CET	53	53975	8.8.8.8	192.168.2.3
Jan 5, 2023 09:03:45.652929068 CET	53	49302	8.8.8.8	192.168.2.3
Jan 5, 2023 09:03:48.831399918 CET	60582	53	192.168.2.3	8.8.8.8
Jan 5, 2023 09:03:48.851125956 CET	53	60582	8.8.8.8	192.168.2.3

Target ID:	0
Start time:	09:02:15
Start date:	05/01/2023
Path:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\user\Desktop\Cancellation_418406_Dec23.pdf
Imagebase:	0xc40000
File size:	2571312 bytes
MD5 hash:	B969CF0C7B2C443A99034881E8C8740A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Target ID:	11
Start time:	09:03:42
Start date:	05/01/2023
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://agapeministriesinternational.church/blog/Cancellation_367461_Dec23.zip
Imagebase:	0x7ff614650000
File size:	2851656 bytes
MD5 hash:	0FEC2748F363150DC54C1CAFFB1A9408
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Target ID:	14
Start time:	09:03:43
Start date:	05/01/2023
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1948 --field-trial-handle=1812,i,544507481073856773,15156316211615148029,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff614650000
File size:	2851656 bytes
MD5 hash:	0FEC2748F363150DC54C1CAFFB1A9408
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Target ID:	15
Start time:	09:03:50
Start date:	05/01/2023
Path:	C:\Windows\SysWOW64\unarchiver.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\Cancellation_367461_Dec23.zip
Imagebase:	0x640000
File size:	12800 bytes
MD5 hash:	16FF3CC6CC330A08EED70CBC1D35F5D2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Target ID:	16
Start time:	09:03:51
Start date:	05/01/2023
Path:	C:\Windows\SysWOW64\7za.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\fgt4alc0.uhe" "C:\Users\user\Downloads\Cancellation_367461_Dec23.zip
Imagebase:	0x1220000
File size:	289792 bytes
MD5 hash:	77E556CDFDC5C592F5C46DB4127C6F4C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Description:	Adversaries may send spearphishing emails with a malicious link in an attempt to elicit sensitive information and/or gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments.
Tactics:	Initial Access
Data Sources:	DNS records, Detonation chamber, Email gateway, Mail server, Packet capture, SSL/TLS inspection, Web proxy
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Cancellation_418406_Dec23.pdf

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Qbot Downloader

Yara Signatures

Initial Sample

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\05349744be1ad4ad_0

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0786087c3c360803_0

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0998db3a32ab3f41_0

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0ace9ee3d914a5c0_0

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0f25049d69125b1e_0

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\230e5fe3e6f82b2c_0

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\2798067b152b83c7_0

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\2a426f11fd8ebe18_0

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\39c14c1f4b086971_0

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\3a4ae3940784292a_0

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\4a0e94571d979b3c_0

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\560e9c8bff5008d8_0

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\56c4cd218555ae2b_0

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\6267ed4d4a13f54b_0

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\6fb6d030c4ebbc21_0

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\7120c35b509b0fae_0

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\71febec55d5c75cd_0

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\86b8040b7132b608_0

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\8c159cc5880890bc_0

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\8c84d92a9dbce3e0_0

Windows Analysis Report
Cancellation_418406_Dec23.pdf

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre