
Windows Analysis Report
download

Overview

General Information

Sample Name:download
Analysis ID:580248
MD5:4842e206e4cfff2954901467ad54169e
SHA1:80c9820ff2efe8aa3d361df7011ae6eee35ec4f0
SHA256:2acab1228e8935d5dfdd1756b8a19698b6c8b786c90f87993ce9799a67a96e4e

Detection

Score:1
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Found detection on Joe Sandbox Cloud Basic

Classification

  • System is start
  • WaaSMedicAgent.exe (PID: 7852 cmdline: C:\Windows\System32\WaaSMedicAgent.exe 355dc96661d9005cd453302c33619d95 IggQ2QzsV0Si9oeB.0.0.0 MD5: F9414EA5636ABD325993E280C181955F)
    • conhost.exe (PID: 7828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
  • cleanup
No yara matches
No Sigma rule has matched


Source: download | Joe Sandbox Cloud Basic: Detection: suspicious, Score: 22
Source: C:\Windows\System32\WaaSMedicAgent.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B91D5831-B1BD-4608-8198-D72E155020F7}\InProcServer32
Source: C:\Windows\System32\WaaSMedicAgent.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MUI\Settings
Source: classification engine | Classification label: clean1.win@2/0@0/0
Source: unknown | Process created: C:\Windows\System32\WaaSMedicAgent.exe C:\Windows\System32\WaaSMedicAgent.exe 355dc96661d9005cd453302c33619d95 IggQ2QzsV0Si9oeB.0.0.0
Source: C:\Windows\System32\WaaSMedicAgent.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\WaaSMedicAgent.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package041021~31bf3856ad364e35~amd64~~10.0.18362.418.cat VolumeInformation
Source: C:\Windows\System32\WaaSMedicAgent.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
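As an added example (this is not Joe Sandbox code and not part of the report), the Python below parses the behaviour rows listed above, which the page extraction has run together with their Source column (for instance "...WaaSMedicAgent.exeKey value queried: ..."). It re-splits each row on a list of action labels taken from this page (an assumption: other report types carry more labels), groups actions by the originating process, pulls the Cloud Basic score, and checks whether the sample name ever appears as an executed process. On these rows every process-level action is attributed to C:\Windows\System32\WaaSMedicAgent.exe, a Windows Update Medic Service component, and the sample "download" never appears as a created process, which is the practical reading of the "idle" signature: the observed registry and volume queries are background OS activity, not sample behaviour.

```python
import re
from collections import defaultdict

# Behaviour rows copied verbatim from the report above (constructed input for this
# example). The extraction dropped the separator between the Source column and the
# action label, so the parser re-splits on known action labels.
REPORT_LINES = [
    "Source: downloadJoe Sandbox Cloud Basic: Detection: suspicious Score: 22Perma Link",
    r"Source: C:\Windows\System32\WaaSMedicAgent.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B91D5831-B1BD-4608-8198-D72E155020F7}\InProcServer32",
    r"Source: C:\Windows\System32\WaaSMedicAgent.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MUI\Settings",
    "Source: classification engineClassification label: clean1.win@2/0@0/0",
    r"Source: unknownProcess created: C:\Windows\System32\WaaSMedicAgent.exe C:\Windows\System32\WaaSMedicAgent.exe 355dc96661d9005cd453302c33619d95 IggQ2QzsV0Si9oeB.0.0.0",
    r"Source: C:\Windows\System32\WaaSMedicAgent.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
    "Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected",
    r"Source: C:\Windows\System32\WaaSMedicAgent.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package041021~31bf3856ad364e35~amd64~~10.0.18362.418.cat VolumeInformation",
    r"Source: C:\Windows\System32\WaaSMedicAgent.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid",
]

# Action labels seen on this page. Assumption: other Joe Sandbox reports use
# additional labels, which would have to be added here to be recognised.
ACTIONS = [
    "Joe Sandbox Cloud Basic",
    "Key value queried",
    "Key opened",
    "Classification label",
    "Process created",
    "Queries volume information",
    "Thread injection, dropped files, key value created, disk infection and DNS query",
]

# Longest labels first so a shorter label never wins as a prefix of a longer one.
_ROW_RE = re.compile(
    r"^Source: (?P<source>.+?)(?P<action>"
    + "|".join(re.escape(a) for a in sorted(ACTIONS, key=len, reverse=True))
    + r"): ?(?P<detail>.*)$"
)


def parse_line(line):
    """Split one run-together row into source, action and detail; None if unrecognised."""
    m = _ROW_RE.match(line.strip())
    if not m:
        return None
    return {"source": m["source"].strip(), "action": m["action"], "detail": m["detail"].strip()}


def parse_report(lines):
    """Parse all rows, silently skipping lines that are not behaviour rows."""
    return [e for e in (parse_line(l) for l in lines) if e]


def actors(events):
    """Map each Source (process path or engine name) to the set of actions attributed to it."""
    out = defaultdict(set)
    for e in events:
        out[e["source"]].add(e["action"])
    return dict(out)


def system_binary_sources(events):
    """Sources that are binaries under C:\\Windows, i.e. OS components rather than the sample."""
    return {e["source"] for e in events if e["source"].lower().startswith("c:\\windows\\")}


def cloud_score(events):
    """Numeric score from the 'Joe Sandbox Cloud Basic' row, or None if absent."""
    for e in events:
        if e["action"] == "Joe Sandbox Cloud Basic":
            m = re.search(r"Score:\s*(\d+)", e["detail"])
            if m:
                return int(m.group(1))
    return None


def sample_observed(events, sample_name):
    """True if the sample shows up as a created process or as the source of any behaviour row
    (the Cloud Basic lookup row is a file-hash verdict, not observed execution)."""
    sample = sample_name.lower()
    for e in events:
        if e["action"] == "Process created" and sample in e["detail"].lower():
            return True
        if e["source"].lower() == sample and e["action"] != "Joe Sandbox Cloud Basic":
            return True
    return False


if __name__ == "__main__":
    evs = parse_report(REPORT_LINES)
    print(f"{len(evs)} behaviour rows; Cloud Basic score: {cloud_score(evs)}")
    for src, acts in actors(evs).items():
        print(f"  {src}: {', '.join(sorted(acts))}")
    print("OS-binary sources:", system_binary_sources(evs))
    print("sample observed executing:", sample_observed(evs, "download"))
```

The separator-free splitting depends on the action label list, so an unknown row is dropped rather than mis-parsed; check the row count against the report when adapting this to other analyses.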
MITRE ATT&CK matrix (tactic: technique; a number in parentheses is the count shown beside that technique in the report):
  • Initial Access: Valid Accounts
  • Execution: Windows Management Instrumentation
  • Persistence: Path Interception
  • Privilege Escalation: Process Injection (1)
  • Defense Evasion: Process Injection (1)
  • Credential Access: OS Credential Dumping
  • Discovery: System Information Discovery (12)
  • Lateral Movement: Remote Services
  • Collection: Data from Local System
  • Exfiltration: Exfiltration Over Other Network Medium
  • Command and Control: Data Obfuscation
  • Network Effects: Eavesdrop on Insecure Network Communication
  • Remote Service Effects: Remotely Track Device Without Authorization
  • Impact: Modify System Partition
