Windows Analysis Report
autorun.inf

Overview

General Information

Sample Name:autorun.inf
Analysis ID:612089
MD5:05b84abc08bda0f18e44fd5e526752f1
SHA1:7c12e7193fdf6c2f1d6305a5d7010ad1403dad81
SHA256:d409d2c95ffd569d2205797915057d6289048ffa3543014aaff39f5a3f72b7a9

Detection

Score:1
Range:0 - 100
Whitelisted:false
Confidence:80%

Signatures

Queries the volume information (name, serial number etc) of a device
May infect USB drives

Classification

  • System is w10x64
  • notepad.exe (PID: 6204 cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\Desktop\autorun.inf MD5: BB9A06B8F2DD9D24C77F389D7B2B58D2)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

There are no malicious signatures.

Source: autorun.inf, Binary or memory string: [autorun]
Source: C:\Windows\System32\notepad.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32
Source: C:\Windows\System32\notepad.exe, Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: classification engine, Classification label: clean1.winINF@1/0@0/0
Source: autorun.inf, Joe Sandbox Cloud Basic: Detection: clean Score: 2
Source: C:\Windows\System32\notepad.exe, Queries volume information: C:\Users\user\Desktop\autorun.inf VolumeInformation
Initial Access: 1 Replication Through Removable Media; Default Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job
Persistence: Path Interception; Boot or Logon Initialization Scripts
Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts
Defense Evasion: Direct Volume Access; Rootkit
Credential Access: OS Credential Dumping; LSASS Memory
Discovery: 1 Peripheral Device Discovery; 11 System Information Discovery
Lateral Movement: 1 Replication Through Removable Media; Remote Desktop Protocol
Collection: Data from Local System; Data from Removable Media
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
Command and Control: Data Obfuscation; Junk Data
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization
Impact: Modify System Partition; Device Lockout

Source: autorun.inf, Detection: 0%, Scanner: Virustotal
Source: autorun.inf, Detection: 0%, Scanner: Metadefender
Source: autorun.inf, Detection: 0%, Scanner: ReversingLabs
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox Version:34.0.0 Boulder Opal
Analysis ID:612089
Start date and time: 20/04/2022 15:01:51 (2022-04-20 15:01:51 +02:00)
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 4m 36s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:autorun.inf
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:26
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • GSI enabled (Javascript)
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:CLEAN
Classification:clean1.winINF@1/0@0/0
EGA Information:Failed
HDC Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .inf
  • Adjust boot time
  • Enable AMSI
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
  • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com, query.prod.cms.rt.microsoft.com
  • Not all processes were analyzed, report is missing behavior information
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
No simulations
No context
No created / dropped files found
File type:ASCII text, with CRLF line terminators
Entropy (8bit):3.9559627259379075
TrID:
    File name:autorun.inf
    File size:47
    MD5:05b84abc08bda0f18e44fd5e526752f1
    SHA1:7c12e7193fdf6c2f1d6305a5d7010ad1403dad81
    SHA256:d409d2c95ffd569d2205797915057d6289048ffa3543014aaff39f5a3f72b7a9
    SHA512:7fc363cd2d3200baec07ff7c4f968e42c81c99ac9862798b11ac885337856e98739a72ffc1adb7a99e01ee38eca1b0201c1c3509e76d94e97aafcbda50ce868a
    SSDEEP:3:tPt1qVudVL4C7A2VL40:tPt1qwXL4CEyL40
    TLSH:
    File Content Preview:..[autorun]..Open=setup.exe..Icon=setup.exe....
    Icon Hash:74f0e4e0e2e5e2ec
    No network behavior found

    Target ID:1
    Start time:15:03:04
    Start date:20/04/2022
    Path:C:\Windows\System32\notepad.exe
    Wow64 process (32bit):false
    Commandline:"C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\Desktop\autorun.inf
    Imagebase:0x7ff601e30000
    File size:245760 bytes
    MD5 hash:BB9A06B8F2DD9D24C77F389D7B2B58D2
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high

    No disassembly