Windows Analysis Report
download

Overview

General Information

Sample Name:download
Analysis ID:580248
MD5:4842e206e4cfff2954901467ad54169e
SHA1:80c9820ff2efe8aa3d361df7011ae6eee35ec4f0
SHA256:2acab1228e8935d5dfdd1756b8a19698b6c8b786c90f87993ce9799a67a96e4e

Detection

Score:1
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Found detection on Joe Sandbox Cloud Basic

Classification

  • System is start
  • WaaSMedicAgent.exe (PID: 7852 cmdline: C:\Windows\System32\WaaSMedicAgent.exe 355dc96661d9005cd453302c33619d95 IggQ2QzsV0Si9oeB.0.0.0 MD5: F9414EA5636ABD325993E280C181955F)
    • conhost.exe (PID: 7828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
  • cleanup
No yara matches
No Sigma rule has matched

There are no malicious signatures.

  • Source: download | Joe Sandbox Cloud Basic: Detection: suspicious, Score: 22
  • Source: C:\Windows\System32\WaaSMedicAgent.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B91D5831-B1BD-4608-8198-D72E155020F7}\InProcServer32
  • Source: C:\Windows\System32\WaaSMedicAgent.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MUI\Settings
  • Source: classification engine | Classification label: clean1.win@2/0@0/0
  • Source: unknown | Process created: C:\Windows\System32\WaaSMedicAgent.exe C:\Windows\System32\WaaSMedicAgent.exe 355dc96661d9005cd453302c33619d95 IggQ2QzsV0Si9oeB.0.0.0
  • Source: C:\Windows\System32\WaaSMedicAgent.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  • Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
  • Source: C:\Windows\System32\WaaSMedicAgent.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package041021~31bf3856ad364e35~amd64~~10.0.18362.418.cat VolumeInformation
  • Source: C:\Windows\System32\WaaSMedicAgent.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Mitre Att&ck Matrix

  • Initial Access: Valid Accounts
  • Execution: Windows Management Instrumentation
  • Persistence: Path Interception
  • Privilege Escalation: Process Injection (1)
  • Defense Evasion: Process Injection (1)
  • Credential Access: OS Credential Dumping
  • Discovery: System Information Discovery (12)
  • Lateral Movement: Remote Services
  • Collection: Data from Local System
  • Exfiltration: Exfiltration Over Other Network Medium
  • Command and Control: Data Obfuscation
  • Network Effects: Eavesdrop on Insecure Network Communication
  • Remote Service Effects: Remotely Track Device Without Authorization
  • Impact: Modify System Partition

  • Source: download | Detection: 0% | Scanner: Virustotal
  • Source: download | Detection: 0% | Scanner: Metadefender
  • Source: download | Detection: 0% | Scanner: ReversingLabs
No Antivirus matches
No contacted domains info
No contacted IP info
Joe Sandbox Version:34.0.0 Boulder Opal
Analysis ID:580248
Start date:01.03.2022
Start time:00:38:46
Joe Sandbox Product:CloudBasic
Hypervisor based Inspection enabled:false
Report type:light
Sample file name:download
Cookbook file name:defaultwindowsinteractivecookbook.jbs
Number of new started processes analysed:18
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • EGA enabled
Analysis Mode:stream
Analysis stop reason:Timeout
Detection:CLEAN
Classification:clean1.win@2/0@0/0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Exclude process from analysis (whitelisted): SIHClient.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): login.live.com, slscr.update.microsoft.com, nexusrules.officeapps.live.com
  • Not all processes were analyzed; the report is missing behavior information
  • Report size getting too big, too many NtOpenKeyEx calls found.
No created / dropped files found
File type:data
Entropy (8bit):1.9219280948873623
TrID:
    File name:download
    File size:5
    MD5:4842e206e4cfff2954901467ad54169e
    SHA1:80c9820ff2efe8aa3d361df7011ae6eee35ec4f0
    SHA256:2acab1228e8935d5dfdd1756b8a19698b6c8b786c90f87993ce9799a67a96e4e
    SHA512:ff537b1808fcb03cfb52f768fbd7e7bd66baf6a8558ee5b8f2a02f629e021aa88a1df7a8750bae1f04f3b9d86da56f0bdcba2fdbc81d366da6c97eb76ecb6cba
    SSDEEP:3:w:w
    File Content Preview:0....
    Icon Hash:74f0e4e4e4e4e0e4