Analysis Report run.txt

Overview

Note on reading this report: the submitted file is named run.txt but is a 32-bit PE DLL (see the Static PE information below). Because of the .txt extension the sandbox opened it in notepad.exe instead of loading it as a library, so every dynamic observation recorded here (registry keys opened and monitored, memory strings, volume queries) comes from notepad.exe and the sample's own code never ran. The "idle" signatures and the score of 52 should be read with that in mind; resubmit the file with a .dll extension to observe what it actually does.

General Information

Sample Name: run.txt
Analysis ID: 373375
MD5: a80859c1cd44daad1450948a1276bc0d
SHA1: 46396892b9cafb2e59b8f667ec7822d0435384bb
SHA256: b270e245132cf6624fc96642532a00c0a16681f59542220ad2c389d45865141f

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: run.txt Virustotal: Detection: 7%
Machine Learning detection for sample
Source: run.txt Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: run.txt Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: Binary string: c:\CompleteStraight\theirTrain\LittleLevel\Blueguide\side.pdb source: notepad.exe, 00000000.00000002.1749343943.000001E4788E0000.00000004.00000001.sdmp
Source: Binary string: c:\CompleteStraight\theirTrain\LittleLevel\Blueguide\side.pdb source: run.txt
The PDB path is built from random-looking English words rather than a project or build-server path; it is still worth recording as a pivot string for hunting related builds. It appears in notepad.exe's memory because notepad.exe read the bytes of run.txt as a document, not because a module with that debug path was loaded into the process.

System Summary:

Uses 32bit PE files
Source: run.txt Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: run.txt Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal52.winTXT@1/0@0/0 (malicious, score 52, Windows, submitted as a TXT file; the trailing counters are consistent with the single process notepad.exe, no dropped files, no DNS queries and no contacted IPs recorded elsewhere in this report)
Source: C:\Windows\System32\notepad.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers (Software Restriction Policy key, opened by notepad.exe, the host process, not by the sample)
Source: run.txt Virustotal: Detection: 7%
Source: C:\Windows\System32\notepad.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32 (COM in-process server lookup by notepad.exe, the host process)
Source: run.txt Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: c:\CompleteStraight\theirTrain\LittleLevel\Blueguide\side.pdb source: notepad.exe, 00000000.00000002.1749343943.000001E4788E0000.00000004.00000001.sdmp
Source: Binary string: c:\CompleteStraight\theirTrain\LittleLevel\Blueguide\side.pdb source: run.txt

Data Obfuscation:

PE file contains an invalid checksum
Source: run.txt Static PE information: real checksum: 0x5a1c1 should be: 0x59624
The IMAGE_OPTIONAL_HEADER.CheckSum field does not match the value recomputed over the file. User-mode loaders do not verify this field, so the mismatch does not stop the DLL from loading, but a non-zero value that is wrong is a sign that the file was altered after the linker wrote the header, for example by a packer or a post-build patch.
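The static lines above (32BIT_MACHINE/EXECUTABLE_IMAGE/DLL, the .text section flags, the IMAGE_DIRECTORY_ENTRY_DEBUG entry and the checksum mismatch) can be re-derived from the raw headers without trusting the sandbox. The following Python is an added example and is not part of the Joe Sandbox report or of the sample: it parses the COFF and optional headers, recomputes CheckSum the way imagehlp's CheckSumMappedFile does (one's-complement sum with the field zeroed, folded to 16 bits, plus the file length), and distinguishes an absent (zero) checksum from an invalid one. Because the sample itself is not available here, the code is exercised on a constructed minimal 32-bit DLL image produced by build_pe32_dll, whose header values and stub code bytes are made up for the demonstration; pass a real file path on the command line to triage run.txt instead.

```python
import struct

# IMAGE_FILE_HEADER.Characteristics bits (winnt.h), in the order the report prints them
FILE_CHARACTERISTICS = [(0x0100, "32BIT_MACHINE"), (0x0002, "EXECUTABLE_IMAGE"), (0x2000, "DLL")]
# IMAGE_SECTION_HEADER.Characteristics bits (winnt.h)
SECTION_CHARACTERISTICS = [
    (0x20000000, "IMAGE_SCN_MEM_EXECUTE"),
    (0x00000020, "IMAGE_SCN_CNT_CODE"),
    (0x40000000, "IMAGE_SCN_MEM_READ"),
    (0x80000000, "IMAGE_SCN_MEM_WRITE"),
]
IMAGE_DIRECTORY_ENTRY_DEBUG = 6
CHECKSUM_FIELD_OFFSET = 0x40   # CheckSum sits at +0x40 in both PE32 and PE32+ optional headers


def _nt_headers_offset(data: bytes) -> int:
    """File offset of the 'PE\\0\\0' signature, after validating the MZ stub."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    return e_lfanew


def _flag_names(value: int, table) -> list:
    return [name for bit, name in table if value & bit]


def pe_checksum(data: bytes) -> int:
    """Recompute IMAGE_OPTIONAL_HEADER.CheckSum as imagehlp!CheckSumMappedFile does:
    one's-complement sum of the file with the CheckSum field taken as zero,
    folded to 16 bits, plus the file length."""
    opt = _nt_headers_offset(data) + 4 + 20          # skip signature and COFF header
    buf = bytearray(data)
    buf[opt + CHECKSUM_FIELD_OFFSET:opt + CHECKSUM_FIELD_OFFSET + 4] = b"\0\0\0\0"
    buf += b"\0" * (-len(buf) % 4)                  # pad to a dword boundary
    total = 0
    for (dword,) in struct.iter_unpack("<I", buf):
        total += dword
        total = (total & 0xFFFFFFFF) + (total >> 32)  # end-around carry
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)


def static_triage(data: bytes) -> dict:
    """Re-derive the report's 'Static PE information' lines from the raw headers."""
    pe = _nt_headers_offset(data)
    machine, nsections, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32: data directories start at +96
        dirs = opt + 96
    elif magic == 0x20B:      # PE32+: data directories start at +112
        dirs = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    n_dirs = struct.unpack_from("<I", data, dirs - 4)[0]   # NumberOfRvaAndSizes
    debug_rva = debug_size = 0
    if n_dirs > IMAGE_DIRECTORY_ENTRY_DEBUG:
        debug_rva, debug_size = struct.unpack_from("<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_DEBUG)
    sections = {}
    for i in range(nsections):
        name, *_, sec_chars = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections[name.rstrip(b"\0").decode("ascii", "replace")] = _flag_names(sec_chars, SECTION_CHARACTERISTICS)
    stored = struct.unpack_from("<I", data, opt + CHECKSUM_FIELD_OFFSET)[0]
    computed = pe_checksum(data)
    # A zero CheckSum is the linker's "not computed" value (user-mode loaders never verify it);
    # only a non-zero value that disagrees with the recomputation counts as invalid.
    state = "absent" if stored == 0 else ("valid" if stored == computed else "invalid")
    return {"machine": machine, "characteristics": _flag_names(chars, FILE_CHARACTERISTICS),
            "sections": sections, "has_debug_directory": debug_rva != 0 and debug_size != 0,
            "stored_checksum": stored, "computed_checksum": computed, "checksum_state": state}


def build_pe32_dll(code: bytes, checksum: int = None) -> bytes:
    """Constructed minimal 32-bit DLL image (not the run.txt sample) used to exercise the
    functions above. checksum=None writes the correct CheckSum; any other value is stored as is."""
    file_align, headers_size, text_rva = 0x200, 0x200, 0x1000
    raw_size = -(-len(code) // file_align) * file_align
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0100 | 0x0002 | 0x2000)
    opt = struct.pack("<HBBIIIIII", 0x10B, 14, 0, raw_size, 0, 0, text_rva, text_rva, text_rva + 0x1000)
    opt += struct.pack("<IIIHHHHHHIIIIHHIIIIII", 0x10000000, 0x1000, file_align,
                       6, 0, 0, 0, 6, 0, 0, 0x2000, headers_size, 0, 2, 0,
                       0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_DEBUG] = (text_rva + 0x80, 28)           # made-up debug directory entry
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    text = struct.pack("<8sIIIIIIHHI", b".text", len(code), text_rva, raw_size, headers_size,
                       0, 0, 0, 0, 0x20000000 | 0x00000020 | 0x40000000)
    image = bytearray((dos + b"PE\0\0" + coff + opt + text).ljust(headers_size, b"\0")
                      + code.ljust(raw_size, b"\0"))
    if checksum is None:
        checksum = pe_checksum(bytes(image))
    struct.pack_into("<I", image, 0x40 + 24 + CHECKSUM_FIELD_OFFSET, checksum)
    return bytes(image)


if __name__ == "__main__":
    import sys
    # Constructed stub code bytes (push ebp / mov ebp,esp / ret) stand in for a real .text section.
    sample = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_pe32_dll(b"\x55\x8b\xec\xc3" * 16)
    for key, value in static_triage(sample).items():
        print("%-20s %s" % (key, hex(value) if key in ("machine", "stored_checksum", "computed_checksum") else value))
```

Running it as `python triage.py run.txt` prints the stored and recomputed checksums so the report's two values can be checked directly; static_triage only reads header fields and never maps or executes the image, so it is safe to run on the live sample.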

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\notepad.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
The monitoring process is notepad.exe, the host the sandbox used to open the .txt submission, so this is notepad.exe's own behaviour and not evidence that the sample protects an autostart entry.

Malware Analysis System Evasion:

Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
The sample was never executed: it was opened as a text document in notepad.exe, so the absence of activity reflects the submission method rather than sandbox evasion by the sample.

Anti Debugging:

Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: notepad.exe, 00000000.00000002.1740697745.000001E474D30000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: notepad.exe, 00000000.00000002.1740697745.000001E474D30000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: notepad.exe, 00000000.00000002.1740697745.000001E474D30000.00000002.00000001.sdmp Binary or memory string: Progman
Source: notepad.exe, 00000000.00000002.1740697745.000001E474D30000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Strings such as Progman and Shell_TrayWnd are window class names of the Windows shell. They were found in a notepad.exe memory region (000001E474D30000) different from the region in which the sample's PDB string was found (000001E4788E0000), so they belong to notepad.exe and are not evidence that the sample enumerates windows to detect a debugger or sandbox.

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\notepad.exe Queries volume information: C:\Users\user\Desktop\run.txt VolumeInformation
This is notepad.exe querying the volume of the document it was asked to open; it says nothing about the sample's own behaviour.

Behavior Graph

Behavior Graph ID: 373375; Sample: run.txt; Start date: 22/03/2021; Architecture: WINDOWS; Score: 52
Signatures: Multi AV Scanner detection for submitted file; Machine Learning detection for sample
Process started: notepad.exe
No contacted IPs (no network activity was observed)