Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Download

Overview

General Information

Sample Name:Download
Analysis ID:621062
MD5:4842e206e4cfff2954901467ad54169e
SHA1:80c9820ff2efe8aa3d361df7011ae6eee35ec4f0
SHA256:2acab1228e8935d5dfdd1756b8a19698b6c8b786c90f87993ce9799a67a96e4e
Errors
  • Corrupt sample or wrongly selected analyzer. Details: 80010108

Detection

Score:0
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Program does not show much activity (idle)

Classification

  • System is w10x64
  • OpenWith.exe (PID: 6192 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: D179D03728E95E040A889F760C1FC402)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: C:\Windows\System32\OpenWith.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32Jump to behavior
Source: C:\Windows\System32\OpenWith.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: classification engineClassification label: unknown0.win@1/0@0/0
Source: DownloadJoe Sandbox Cloud Basic: Detection: clean Score: 2Perma Link
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid AccountsWindows Management InstrumentationPath InterceptionPath InterceptionDirect Volume AccessOS Credential Dumping1
System Information Discovery
Remote ServicesData from Local SystemExfiltration Over Other Network MediumData ObfuscationEavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
SourceDetectionScannerLabelLink
Download0%VirustotalBrowse
Download0%MetadefenderBrowse
Download0%ReversingLabs
No Antivirus matches
No Antivirus matches
No Antivirus matches
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox Version:34.0.0 Boulder Opal
Analysis ID:621062
Start date and time: 05/05/202216:23:052022-05-05 16:23:05 +02:00
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 2m 17s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:Download
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:1
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:UNKNOWN
Classification:unknown0.win@1/0@0/0
EGA Information:Failed
HDC Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Unable to launch sample, stop analysis
  • Corrupt sample or wrongly selected analyzer. Details: 80010108
  • Excluded IPs from analysis (whitelisted): 20.82.210.154
  • Excluded domains from analysis (whitelisted): store-images.s-microsoft.com, arc.trafficmanager.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, arc.msn.com
TimeTypeDescription
16:24:17API Interceptor1x Sleep call for process: OpenWith.exe modified
No context
No context
No context
No context
No context
No created / dropped files found
File type:data
Entropy (8bit):1.9219280948873623
TrID:
    File name:Download
    File size:5
    MD5:4842e206e4cfff2954901467ad54169e
    SHA1:80c9820ff2efe8aa3d361df7011ae6eee35ec4f0
    SHA256:2acab1228e8935d5dfdd1756b8a19698b6c8b786c90f87993ce9799a67a96e4e
    SHA512:ff537b1808fcb03cfb52f768fbd7e7bd66baf6a8558ee5b8f2a02f629e021aa88a1df7a8750bae1f04f3b9d86da56f0bdcba2fdbc81d366da6c97eb76ecb6cba
    SSDEEP:3:w:w
    TLSH:
    File Content Preview:0....
    Icon Hash:74f0e4e4e4e4e0e4
    No network behavior found

    Click to jump to process

    Click to jump to process

    Target ID:0
    Start time:16:24:16
    Start date:05/05/2022
    Path:C:\Windows\System32\OpenWith.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\OpenWith.exe -Embedding
    Imagebase:0x7ff620710000
    File size:111120 bytes
    MD5 hash:D179D03728E95E040A889F760C1FC402
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high

    No disassembly