Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
cancellation.one

Overview

General Information

Sample Name:	cancellation.one
Analysis ID:	800683
MD5:	efae5db57b82eb563d9a5e85d51018b9
SHA1:	2a46f65a5092bff8c5a88d84c78c10336129b6e5
SHA256:	52d47370954612dbb7e9bdb740c8241c999415d62f2846b1c710dbf9e18df09a

Detection

Score:	0
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

No high impact signatures.

Classification

×

Process Tree

System is w10x64_ra

ONENOTE.EXE (PID: 3904 cmdline: C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE" "C:\Users\eyup\Desktop\cancellation.one MD5: 40B3448599978A2E151089DB8E6527C7)

cleanup

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE

File read: C:\Program Files\desktop.ini

Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE

File created: C:\Users\eyup\AppData\Local\Temp\{03CC3D92-E54C-467E-9B0B-62F4355CE739} - OProcSessId.dat

Source: classification engine

Classification label: clean0.winONE@1/7@0/22

Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE

File created: C:\Users\eyup\Documents\{655696E5-AF6E-4A78-A631-7119D5842EE9}

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX

Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE

Process information queried: ProcessInformation

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 Masquerading	OS Credential Dumping	1 Process Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	1 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
52.113.194.132	unknown	United States		8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
52.109.13.64	unknown	United States		8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	800683
Start date and time:	2023-02-07 18:06:16 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	light
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 64 bit version 1909 (MS Office 2019, IE 11, Chrome 104, Firefox 88, Adobe Reader DC 21, Java 8 u291, 7-Zip)
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Sample file name:	cancellation.one
Detection:	CLEAN
Classification:	clean0.winONE@1/7@0/22
Cookbook Comments:	Found application associated with file extension: .one

Warnings

Exclude process from analysis (whitelisted): SIHClient.exe, SgrmBroker.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.190.159.64, 20.190.159.2, 40.126.31.73, 20.190.159.71, 40.126.31.67, 20.190.159.68, 20.190.159.4, 20.190.159.0, 52.113.194.132, 52.109.13.64
Excluded domains from analysis (whitelisted): ecs.office.com, prda.aadg.msidentity.com, login.live.com, s-0005.s-msedge.net, ecs.office.trafficmanager.net, s-0005-office.config.skype.com, nexusrules.officeapps.live.com, login.msa.msidentity.com, www.tm.a.prd.aadg.trafficmanager.net, prod.nexusrules.live.com.akadns.net, www.tm.lg.prod.aadmsa.trafficmanager.net, ecs-office.s-0005.s-msedge.net
Report size getting too big, too many NtQueryAttributesFile calls found.

Created / dropped Files

C:\Users\eyup\AppData\Local\Microsoft\Office\16.0\onenote.exe_Rules.xml

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	XML 1.0 document, ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	212831
Entropy (8bit):	5.123296198911506
Encrypted:	false
SSDEEP:
MD5:	5D1E1505BD5216805FC6CD14E0D90986
SHA1:	E7B0BC349EEA8222615174155407932A1E363DA0
SHA-256:	69588BD4887C59630856C985606BEC0096DF05563DADE1A896A79D1DA32B1354
SHA-512:	7DBDEFEA35977376A817304D04D51127940F5550E65AEF33FF40E631376CD08BF2CD8943E0404D1FF0B9AF3C9279848F53C126787DD99269F768659B9C00B6E2
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?><Rules xmlns="urn:Rules"><R Id="1000" V="5" DC="ESM" EN="Office.Telemetry.RuleErrorsAggregated" ATT="f998cc5ba4d448d6a1e8e913ff18be94-dd122e0a-fcf8-4dc5-9dbb-6afac5325183-7405" SP="CriticalBusinessImpact" S="70" DL="A" DCa="PSP PSU" xmlns=""><S><Etw T="1" E="159" G="{02fd33df-f746-4a10-93a0-2bc6273bc8e4}" /><F T="2"><O T="AND"><L><O T="NE"><L><S T="1" F="Warning" /></L><R><V V="37" T="U32" /></R></O></L><R><O T="NE"><L><S T="1" F="Warning" /></L><R><V V="29" T="U32" /></R></O></R></O></F><TI T="3" I="10min" /><A T="4" E="TelemetrySuspend" /><A T="5" E="TelemetryShutdown" /></S><G I="true" R="TriggerOldest"><S T="2"><F N="RuleID" /><F N="RuleVersion" /><F N="Warning" /><F N="Info" /></S></G><C T="U32" I="0" O="false" N="ErrorCount"><C><S T="2" /></C></C><C T="U32" I="1" O="false" N="ErrorRuleId"><S T="2" F="RuleID" /></C><C T="U16" I="2" O="false" N="ErrorRuleVersion"><S T="2" F="RuleVersion" /></C><C T="U8" I="3" O="false" N="WarningInfo"><S T="2"

C:\Users\eyup\AppData\Local\Microsoft\Office\OTele\onenote.exe.db

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	SQLite 3.x database, last written using SQLite version 3023002, writer version 2, read version 2, file counter 2, database pages 1, cookie 0, schema 0, largest root page 1, unknown 0 encoding, version-valid-for 2
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.09216609452072291
Encrypted:	false
SSDEEP:
MD5:	F138A66469C10D5761C6CBB36F2163C3
SHA1:	EEA136206474280549586923B7A4A3C6D5DB1E25
SHA-256:	C712D6C7A60F170A0C6C5EC768D962C58B1F59A2D417E98C7C528A037C427AB6
SHA-512:	9D25F943B6137DD2981EE75D57BAF3A9E0EE27EEA2DF19591D580F02EC8520D837B8E419A8B1EB7197614A3C6D8793C56EBC848C38295ADA23C31273DAA302D9
Malicious:	false
Reputation:	low
Preview:	SQLite format 3......@ .......................................................................... .....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\eyup\AppData\Local\Microsoft\Office\OTele\onenote.exe.db-shm

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.04462234229792196
Encrypted:	false
SSDEEP:
MD5:	37B77A21DAD54031033F0C6792E13D8D
SHA1:	0A098D41BD9787667FA072740A0BDEB0C4EC0CF9
SHA-256:	C678904AD71C2D5E28317FA64DDBF70192CFD4BC09E112FC208641A12FEC591E
SHA-512:	7DAFFC6719DAFEA41ECAA2DD6EDFC9DAA561CD4467F6CA22E164950AE93CAF7B2FF77A1EDF39DD13ACAA9ACCB5E141D99A13C9A48DD789B7C3A5AD56C910420F
Malicious:	false
Reputation:	low
Preview:	..-.....................eW.k.5..s..{.c.X..e...A...-.....................eW.k.5..s..{.c.X..e...A.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\eyup\AppData\Local\Microsoft\Office\OTele\onenote.exe.db-wal

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	45352
Entropy (8bit):	0.3942746620937069
Encrypted:	false
SSDEEP:
MD5:	D5B376F5BB40F906C694232CAD2FFB96
SHA1:	A7238FCE5BB872B478727EEAE1FF265CA95331C6
SHA-256:	CB5BDB2696D5ACFA666836E2D76D5E883D99FA1F729CC86E2537219C40E01EBE
SHA-512:	E689C34FE8BE5D6A3925793C19ED074BF7F9D9E0CE2426D1CDEC93A29B52DD1FA6E957C20365D4C18F393F2E858CEDCF0C44EB412AE5C866926AB97AC8F3C24A
Malicious:	false
Reputation:	low
Preview:	7....-..........s..{.c.XP.!.`~].........s..{.c.X..).w&.SQLite format 3......@ .......................................................................... .............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\eyup\AppData\Local\Microsoft\OneNote\16.0\cache\header

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	Matlab v4 mat-file (little endian) , numeric, rows 1020487318, columns 0
Category:	dropped
Size (bytes):	72
Entropy (8bit):	1.362740278498934
Encrypted:	false
SSDEEP:
MD5:	59C4731B2F05C4C3595AA802FBA3BF00
SHA1:	3B80E7948EB946AE4864B0E031C8DB2E0BD59AD0
SHA-256:	B88CEFB4F768FDCD43F246FEB29F9E2FE2B497EAAD8B8F665F6D3B93975059AA
SHA-512:	96B7B578E6E1D39755AA7B66D518B10CC63C8C6815EC2F91A95A22AD987BE69F668E867EA7D5E684D99BEF40E37250C887CCE0B2EEF5EB2F3160E1552726E973
Malicious:	false
Reputation:	low
Preview:	.....f.<................................................................

C:\Users\eyup\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1bc9bbbe61f14501.customDestinations-ms (copy)

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	3999
Entropy (8bit):	3.5305523742841753
Encrypted:	false
SSDEEP:
MD5:	D967028041EBFB64D53B22EF03286C9E
SHA1:	B45E8465EC9C2AEBD347D2881BD6505D587A3BC1
SHA-256:	582BEE445DC0F2D78A5406FB2A37712CD79EDDDC2F39DD9920F791FA6C19C087
SHA-512:	A6779C40A0AFF744C6CB9DCE21157F6B9C74DF0AABE7D93D41F2668C616A5EE9561C5FD597ABF8749D5ED879392EE7FEFCCFD088E90BDF24FB99A3CA50834F92
Malicious:	false
Reputation:	low
Preview:	...................................FL..................F.@.. ....D.F.S....Y..;...D.F.S..@......................./....P.O. .:i.....+00.../C:\.....................1......UDd..PROGRA~1..t......sN.&GV.....B...............J......pa.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....j.1......R....MICROS~2..R......R..GV...........................@E$.M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e.....N.1......R....root..:......R..GV..............................r.o.o.t.....Z.1......R....Office16..B......R..GV.....t......................c?.O.f.f.i.c.e.1.6.....b.2.@....R\|. .ONENOTE.EXE.H......R\|.GV.....'......................a^.O.N.E.N.O.T.E...E.X.E.......j...............-.......i...........;S.......C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE....(.W.i.n.d.o.w.s. .+. .N.).../.s.i.d.e.n.o.t.e.;.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e.\.R.o.o.t.\.O.f.f.i.c.e.1.6.\.O.N.E.N.O.T.E...E.X.E.........%ProgramFiles%\Microsoft Office\Root\Office16

C:\Users\eyup\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7PWLWPSW8J08303KX079.temp

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	3999
Entropy (8bit):	3.5305523742841753
Encrypted:	false
SSDEEP:
MD5:	D967028041EBFB64D53B22EF03286C9E
SHA1:	B45E8465EC9C2AEBD347D2881BD6505D587A3BC1
SHA-256:	582BEE445DC0F2D78A5406FB2A37712CD79EDDDC2F39DD9920F791FA6C19C087
SHA-512:	A6779C40A0AFF744C6CB9DCE21157F6B9C74DF0AABE7D93D41F2668C616A5EE9561C5FD597ABF8749D5ED879392EE7FEFCCFD088E90BDF24FB99A3CA50834F92
Malicious:	false
Reputation:	low
Preview:	...................................FL..................F.@.. ....D.F.S....Y..;...D.F.S..@......................./....P.O. .:i.....+00.../C:\.....................1......UDd..PROGRA~1..t......sN.&GV.....B...............J......pa.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....j.1......R....MICROS~2..R......R..GV...........................@E$.M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e.....N.1......R....root..:......R..GV..............................r.o.o.t.....Z.1......R....Office16..B......R..GV.....t......................c?.O.f.f.i.c.e.1.6.....b.2.@....R\|. .ONENOTE.EXE.H......R\|.GV.....'......................a^.O.N.E.N.O.T.E...E.X.E.......j...............-.......i...........;S.......C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE....(.W.i.n.d.o.w.s. .+. .N.).../.s.i.d.e.n.o.t.e.;.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e.\.R.o.o.t.\.O.f.f.i.c.e.1.6.\.O.N.E.N.O.T.E...E.X.E.........%ProgramFiles%\Microsoft Office\Root\Office16

Static File Info

General

File type:	data
Entropy (8bit):	5.753064661792213
TrID:	Microsoft OneNote note (16024/2) 100.00%
File name:	cancellation.one
File size:	159160
MD5:	efae5db57b82eb563d9a5e85d51018b9
SHA1:	2a46f65a5092bff8c5a88d84c78c10336129b6e5
SHA256:	52d47370954612dbb7e9bdb740c8241c999415d62f2846b1c710dbf9e18df09a
SHA512:	af86b779beea3dddab02f0b84eb6b17141bbc0ced79a36e119762a4fd7adc21e592b9c7c122e7739a1de3d635968a6f3936f10ce3ef4f8dfa01b96d3caf2d180
SSDEEP:	1536:YevY6z54EJ+ytgXIeZCXIokE9Kkf2oY7LLw7wDzKiivL4w1jr8TYEo7P2x0R6Zow:PgS2EJbyYeMYkKkyX3DWvLLATijRgow
TLSH:	93F3D026B181865ACB2A417909E76F747373BE029591271FDFB62E2C5DF0288CC9468F
File Content Preview:	.R\{...M..Sx.)..5._....O....7...................?......I........................................................................................@...................h...............8f......0....m...............n.....I..&.....7........R..@..N.&..5......

File Icon


Icon Hash:	d4dce0626664606c