Windows
Analysis Report
cancellation.one
Overview
General Information
Detection
Score: | 0 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64_ra
- ONENOTE.EXE (PID: 3904 cmdline: "C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE" "C:\Users\eyup\Desktop\cancellation.one" MD5: 40B3448599978A2E151089DB8E6527C7)
- cleanup
There are no malicious signatures.
Source: | File read: |
Source: | File created: |
Source: | Classification label: |
Source: | File created: |
Source: | Window detected: |
Source: | Key opened: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information queried: |
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Windows Management Instrumentation | Path Interception | Path Interception | 1 Masquerading | OS Credential Dumping | 1 Process Discovery | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Rootkit | LSASS Memory | 1 File and Directory Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | 1 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
52.113.194.132 | unknown | United States | 8068 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false |
52.109.13.64 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false |
Joe Sandbox Version: | 36.0.0 Rainbow Opal |
Analysis ID: | 800683 |
Start date and time: | 2023-02-07 18:06:16 +01:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | defaultwindowsinteractivecookbook.jbs |
Analysis system description: | Windows 10 64 bit version 1909 (MS Office 2019, IE 11, Chrome 104, Firefox 88, Adobe Reader DC 21, Java 8 u291, 7-Zip) |
Number of new started processes analysed: | 9 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | stream |
Analysis stop reason: | Timeout |
Sample file name: | cancellation.one |
Detection: | CLEAN |
Classification: | clean0.winONE@1/7@0/22 |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): SIHClient.exe, SgrmBroker.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 20.190.159.64, 20.190.159.2, 40.126.31.73, 20.190.159.71, 40.126.31.67, 20.190.159.68, 20.190.159.4, 20.190.159.0, 52.113.194.132, 52.109.13.64
- Excluded domains from analysis (whitelisted): ecs.office.com, prda.aadg.msidentity.com, login.live.com, s-0005.s-msedge.net, ecs.office.trafficmanager.net, s-0005-office.config.skype.com, nexusrules.officeapps.live.com, login.msa.msidentity.com, www.tm.a.prd.aadg.trafficmanager.net, prod.nexusrules.live.com.akadns.net, www.tm.lg.prod.aadmsa.trafficmanager.net, ecs-office.s-0005.s-msedge.net
- Report size getting too big, too many NtQueryAttributesFile calls found.
Process: | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 212831 |
Entropy (8bit): | 5.123296198911506 |
Encrypted: | false |
SSDEEP: | |
MD5: | 5D1E1505BD5216805FC6CD14E0D90986 |
SHA1: | E7B0BC349EEA8222615174155407932A1E363DA0 |
SHA-256: | 69588BD4887C59630856C985606BEC0096DF05563DADE1A896A79D1DA32B1354 |
SHA-512: | 7DBDEFEA35977376A817304D04D51127940F5550E65AEF33FF40E631376CD08BF2CD8943E0404D1FF0B9AF3C9279848F53C126787DD99269F768659B9C00B6E2 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 4096 |
Entropy (8bit): | 0.09216609452072291 |
Encrypted: | false |
SSDEEP: | |
MD5: | F138A66469C10D5761C6CBB36F2163C3 |
SHA1: | EEA136206474280549586923B7A4A3C6D5DB1E25 |
SHA-256: | C712D6C7A60F170A0C6C5EC768D962C58B1F59A2D417E98C7C528A037C427AB6 |
SHA-512: | 9D25F943B6137DD2981EE75D57BAF3A9E0EE27EEA2DF19591D580F02EC8520D837B8E419A8B1EB7197614A3C6D8793C56EBC848C38295ADA23C31273DAA302D9 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 32768 |
Entropy (8bit): | 0.04462234229792196 |
Encrypted: | false |
SSDEEP: | |
MD5: | 37B77A21DAD54031033F0C6792E13D8D |
SHA1: | 0A098D41BD9787667FA072740A0BDEB0C4EC0CF9 |
SHA-256: | C678904AD71C2D5E28317FA64DDBF70192CFD4BC09E112FC208641A12FEC591E |
SHA-512: | 7DAFFC6719DAFEA41ECAA2DD6EDFC9DAA561CD4467F6CA22E164950AE93CAF7B2FF77A1EDF39DD13ACAA9ACCB5E141D99A13C9A48DD789B7C3A5AD56C910420F |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 45352 |
Entropy (8bit): | 0.3942746620937069 |
Encrypted: | false |
SSDEEP: | |
MD5: | D5B376F5BB40F906C694232CAD2FFB96 |
SHA1: | A7238FCE5BB872B478727EEAE1FF265CA95331C6 |
SHA-256: | CB5BDB2696D5ACFA666836E2D76D5E883D99FA1F729CC86E2537219C40E01EBE |
SHA-512: | E689C34FE8BE5D6A3925793C19ED074BF7F9D9E0CE2426D1CDEC93A29B52DD1FA6E957C20365D4C18F393F2E858CEDCF0C44EB412AE5C866926AB97AC8F3C24A |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 72 |
Entropy (8bit): | 1.362740278498934 |
Encrypted: | false |
SSDEEP: | |
MD5: | 59C4731B2F05C4C3595AA802FBA3BF00 |
SHA1: | 3B80E7948EB946AE4864B0E031C8DB2E0BD59AD0 |
SHA-256: | B88CEFB4F768FDCD43F246FEB29F9E2FE2B497EAAD8B8F665F6D3B93975059AA |
SHA-512: | 96B7B578E6E1D39755AA7B66D518B10CC63C8C6815EC2F91A95A22AD987BE69F668E867EA7D5E684D99BEF40E37250C887CCE0B2EEF5EB2F3160E1552726E973 |
Malicious: | false |
Reputation: | low |
Preview: |
C:\Users\eyup\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1bc9bbbe61f14501.customDestinations-ms (copy)
Process: | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 3999 |
Entropy (8bit): | 3.5305523742841753 |
Encrypted: | false |
SSDEEP: | |
MD5: | D967028041EBFB64D53B22EF03286C9E |
SHA1: | B45E8465EC9C2AEBD347D2881BD6505D587A3BC1 |
SHA-256: | 582BEE445DC0F2D78A5406FB2A37712CD79EDDDC2F39DD9920F791FA6C19C087 |
SHA-512: | A6779C40A0AFF744C6CB9DCE21157F6B9C74DF0AABE7D93D41F2668C616A5EE9561C5FD597ABF8749D5ED879392EE7FEFCCFD088E90BDF24FB99A3CA50834F92 |
Malicious: | false |
Reputation: | low |
Preview: |
C:\Users\eyup\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7PWLWPSW8J08303KX079.temp
Process: | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 3999 |
Entropy (8bit): | 3.5305523742841753 |
Encrypted: | false |
SSDEEP: | |
MD5: | D967028041EBFB64D53B22EF03286C9E |
SHA1: | B45E8465EC9C2AEBD347D2881BD6505D587A3BC1 |
SHA-256: | 582BEE445DC0F2D78A5406FB2A37712CD79EDDDC2F39DD9920F791FA6C19C087 |
SHA-512: | A6779C40A0AFF744C6CB9DCE21157F6B9C74DF0AABE7D93D41F2668C616A5EE9561C5FD597ABF8749D5ED879392EE7FEFCCFD088E90BDF24FB99A3CA50834F92 |
Malicious: | false |
Reputation: | low |
Preview: |
File type: | |
Entropy (8bit): | 5.753064661792213 |
TrID: | |
File name: | cancellation.one |
File size: | 159160 |
MD5: | efae5db57b82eb563d9a5e85d51018b9 |
SHA1: | 2a46f65a5092bff8c5a88d84c78c10336129b6e5 |
SHA256: | 52d47370954612dbb7e9bdb740c8241c999415d62f2846b1c710dbf9e18df09a |
SHA512: | af86b779beea3dddab02f0b84eb6b17141bbc0ced79a36e119762a4fd7adc21e592b9c7c122e7739a1de3d635968a6f3936f10ce3ef4f8dfa01b96d3caf2d180 |
SSDEEP: | 1536:YevY6z54EJ+ytgXIeZCXIokE9Kkf2oY7LLw7wDzKiivL4w1jr8TYEo7P2x0R6Zow:PgS2EJbyYeMYkKkyX3DWvLLATijRgow |
TLSH: | 93F3D026B181865ACB2A417909E76F747373BE029591271FDFB62E2C5DF0288CC9468F |
File Content Preview: | .R\{...M..Sx.)..5._....O....7...................?......I........*...*...*...*.......................................................................@...................h...............8f......0....m...............n.....I..&.....7........R..@..N.&..5...... |
Icon Hash: | d4dce0626664606c |