Windows Analysis Report Notepad2.ini

Overview

General Information

Sample Name: Notepad2.ini
Analysis ID: 435318
MD5: a7b5e91557f8d3d23280ac818e9553d6
SHA1: 3253dfc9aa901311ba13e9eddc7b6481c6cf5778
SHA256: 61ad82669e0c260bda5472edca928785b72a0e9ad69d2d821db6bfe1e11df412
Detection

Score: 0
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Queries the volume information (name, serial number etc) of a device

Process Tree

  • System is w10x64
  • notepad.exe (PID: 4556 cmdline: 'C:\Windows\system32\NOTEPAD.EXE' C:\Users\user\Desktop\Notepad2.ini MD5: BB9A06B8F2DD9D24C77F389D7B2B58D2)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

  • Source: classification engine; Classification label: clean0.winINI@1/0@0/0
  • Source: C:\Windows\System32\notepad.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
  • Source: C:\Windows\System32\notepad.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32
  • Source: notepad.exe, 00000000.00000002.467344788.0000019055870000.00000002.00000001.sdmp; Binary or memory string: Program Manager
  • Source: notepad.exe, 00000000.00000002.467344788.0000019055870000.00000002.00000001.sdmp; Binary or memory string: Shell_TrayWnd
  • Source: notepad.exe, 00000000.00000002.467344788.0000019055870000.00000002.00000001.sdmp; Binary or memory string: Progman
  • Source: notepad.exe, 00000000.00000002.467344788.0000019055870000.00000002.00000001.sdmp; Binary or memory string: Progmanlock
  • Source: C:\Windows\System32\notepad.exe; Queries volume information: C:\Users\user\Desktop\Notepad2.ini VolumeInformation

Mitre Att&ck Matrix

  • Initial Access: Valid Accounts; Default Accounts
  • Execution: Windows Management Instrumentation; Scheduled Task/Job
  • Persistence: Path Interception; Boot or Logon Initialization Scripts
  • Privilege Escalation: Process Injection (1); Boot or Logon Initialization Scripts
  • Defense Evasion: Process Injection (1); Rootkit
  • Credential Access: OS Credential Dumping; LSASS Memory
  • Discovery: Process Discovery (1); System Information Discovery (11)
  • Lateral Movement: Remote Services; Remote Desktop Protocol
  • Collection: Data from Local System; Data from Removable Media
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
  • Command and Control: Data Obfuscation; Junk Data
  • Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS
  • Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization
  • Impact: Modify System Partition; Device Lockout

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

  • Notepad2.ini: 0% detection (Virustotal)
  • Notepad2.ini: 0% detection (Metadefender)
  • Notepad2.ini: 0% detection (ReversingLabs)

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 435318
Start date: 16.06.2021
Start time: 12:11:06
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 16s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Notepad2.ini
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 22
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean0.winINI@1/0@0/0
EGA Information: Failed
HDC Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .ini
Warnings:
  • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe
  • Not all processes were analyzed; the report is missing behavior information
  • Report size getting too big, too many NtProtectVirtualMemory calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type: Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Entropy (8bit): 3.6978963641969527
TrID:
  • Text - UTF-16 (LE) encoded (2002/1) 64.44%
  • MP3 audio (1001/1) 32.22%
  • Lumena CEL bitmap (63/63) 2.03%
  • Corel Photo Paint (41/41) 1.32%
File name: Notepad2.ini
File size: 23130
MD5: a7b5e91557f8d3d23280ac818e9553d6
SHA1: 3253dfc9aa901311ba13e9eddc7b6481c6cf5778
SHA256: 61ad82669e0c260bda5472edca928785b72a0e9ad69d2d821db6bfe1e11df412
SHA512: c0e8f169d1af09db7ea9cc0834e4438e4e40aac1677610f16f6db5b21ea46d3668a0b1d1e147ee2b981310b3a2116ad2c2d41f2213246278339dce52a28b9f36
SSDEEP: 384:ufooogxiica9TgqSSZ/LLC5FXRCpXOBWo:uAoogBcyeBWo
File Content Preview: ..[.N.o.t.e.p.a.d.2.].....;.N.o.t.e.p.a.d.2...i.n.i.=.%.W.I.N.D.I.R.%.\.N.o.t.e.p.a.d.2.-.%.U.S.E.R.N.A.M.E.%...i.n.i.....;.N.o.t.e.p.a.d.2...i.n.i.=.%.A.P.P.D.A.T.A.%.\.N.o.t.e.p.a.d.2...i.n.i.....[.S.e.t.t.i.n.g.s.].....S.a.v.e.S.e.t.t.i.n.g.s.=.....S.a

File Icon

Icon Hash: 74f0e4e0e2e5e2ec

Network Behavior

No network behavior found

System Behavior

General

Start time: 12:11:52
Start date: 16/06/2021
Path: C:\Windows\System32\notepad.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\NOTEPAD.EXE' C:\Users\user\Desktop\Notepad2.ini
Imagebase: 0x7ff7977d0000
File size: 245760 bytes
MD5 hash: BB9A06B8F2DD9D24C77F389D7B2B58D2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
