Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
20240416-703661.txt

Overview

General Information

Sample name:20240416-703661.txt
Analysis ID:1426999
MD5:6857980d3dbef74db1ce7f7520880e8f
SHA1:73fc54f77a2d27bbe2344f5fa6e869718c390cd5
SHA256:a5bfaca7bba4ed9e25bdb77b4ec61c796136b9de39580bb7736c3ac3ffa7b48c
Infos:

Detection

Score:0
Range:0 - 100
Whitelisted:false
Confidence:80%

Signatures

Queries the volume information (name, serial number etc) of a device

Classification

Process Tree

  • System is w10x64_ra
  • notepad.exe (PID: 380 cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\Desktop\20240416-703661.txt MD5: 27F71B12CB585541885A31BE22F61C83)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

No Sigma rule has matched

Snort Signatures

No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: classification engineClassification label: clean0.winTXT@1/0@0/0
Source: C:\Windows\System32\notepad.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Windows\System32\notepad.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\notepad.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\notepad.exeSection loaded: mrmcorer.dllJump to behavior
Source: C:\Windows\System32\notepad.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\notepad.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\notepad.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Windows\System32\notepad.exeSection loaded: efswrt.dllJump to behavior
Source: C:\Windows\System32\notepad.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\System32\notepad.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\notepad.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Windows\System32\notepad.exeSection loaded: oleacc.dllJump to behavior
Source: C:\Windows\System32\notepad.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Windows\System32\notepad.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Windows\System32\notepad.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\System32\notepad.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\notepad.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\System32\notepad.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\notepad.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\notepad.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\notepad.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\notepad.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\notepad.exeSection loaded: policymanager.dllJump to behavior
Source: C:\Windows\System32\notepad.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Windows\System32\notepad.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32Jump to behavior
Source: 20240416-703661.txtStatic file information: File size 3142991 > 1048576
Source: C:\Windows\System32\notepad.exeQueries volume information: C:\Users\user\Desktop\20240416-703661.txt VolumeInformationJump to behavior

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
DLL Side-Loading		1
DLL Side-Loading		1
DLL Side-Loading		OS Credential Dumping11
System Information Discovery		Remote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
20240416-703661.txt8%ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

World Map of Contacted IPs

No contacted IP infos

General Information

Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1426999
Start date and time:2024-04-16 21:29:34 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 3m 39s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultwindowsinteractivecookbook.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:15
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:20240416-703661.txt
Detection:CLEAN
Classification:clean0.winTXT@1/0@0/0
EGA Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .txt

Warnings

  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, backgroundTaskHost.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, slscr.update.microsoft.com, evoke-windowsservices-tas.msedge.net, fe3cr.delivery.mp.microsoft.com
  • Not all processes where analyzed, report is missing behavior information
  • VT rate limit hit for: 20240416-703661.txt

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASNs

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type:Unicode text, UTF-8 text, with very long lines (1379), with CRLF line terminators
Entropy (8bit):4.945485228086505
TrID:
    File name:20240416-703661.txt
    File size:3'142'991 bytes
    MD5:6857980d3dbef74db1ce7f7520880e8f
    SHA1:73fc54f77a2d27bbe2344f5fa6e869718c390cd5
    SHA256:a5bfaca7bba4ed9e25bdb77b4ec61c796136b9de39580bb7736c3ac3ffa7b48c
    SHA512:7455ab81d3b100abfabcd316a99ca29bce2df562f05df6219ac13f872b98eb8757b16a41795665e005b79f9e93717b9f8e4bad3d58882543db038768fee6aa96
    SSDEEP:49152:cKJoIaQL+/ajFUrA8WdvqevMWz3WRKj40kyyi2WlWSIbc:d
    TLSH:F7E553931DAD05862725337B8B4BEADD063FCC365BD12ECCC8C10AAC5C1B75B2954BA9
    File Content Preview:@%.............. %e%..................%c%.... ..%h%............%o%.............. ..% %....%o%.............. ....%f% ....%f%............%..C%.. ..........%:%....%\%........%\%......%W%...... .. ..%i%...... ..%n% ............%d%..................%o%......

    File Icon

    Icon Hash:72eaa2aaa2a2a292

    Network Behavior

    No network behavior found

    Statistics

    CPU Usage

    Click to jump to process

    Memory Usage

    Click to jump to process

    High Level Behavior Distribution

    Click to dive into process behavior distribution

    System Behavior

    General

    Target ID:0
    Start time:21:30:03
    Start date:16/04/2024
    Path:C:\Windows\System32\notepad.exe
    Wow64 process (32bit):false
    Commandline:"C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\Desktop\20240416-703661.txt
    Imagebase:0x7ff79f750000
    File size:201'216 bytes
    MD5 hash:27F71B12CB585541885A31BE22F61C83
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:moderate
    Has exited:false

    Disassembly

    No disassembly