Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Payment Advice for Imax November 23, 2022, 1%3A46%3A16 PM.txt

Overview

General Information

Sample Name:Payment Advice for Imax November 23, 2022, 1%3A46%3A16 PM.txt
Analysis ID:753411
MD5:32c514a2cccc4dc45ead40c3f876d7e7
SHA1:2a626cb812d5add14991989397242070c6584f05
SHA256:4641d4821a3be256f99bfb07cbfc9b2f77670b91af83fac011a55f2c910a9ecc

Detection

Score:0
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Queries the volume information (name, serial number etc) of a device

Classification

  • System is w10x64
  • notepad.exe (PID: 2156 cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\Desktop\Payment Advice for Imax November 23, 2022, 1%3A46%3A16 PM.txt MD5: BB9A06B8F2DD9D24C77F389D7B2B58D2)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: C:\Windows\System32\notepad.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32
Source: C:\Windows\System32\notepad.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: classification engineClassification label: clean0.winTXT@1/0@0/0
Source: C:\Windows\System32\notepad.exeQueries volume information: C:\Users\user\Desktop\Payment Advice for Imax November 23, 2022, 1%3A46%3A16 PM.txt VolumeInformation
Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid AccountsWindows Management InstrumentationPath InterceptionPath InterceptionDirect Volume AccessOS Credential Dumping11
System Information Discovery
Remote ServicesData from Local SystemExfiltration Over Other Network MediumData ObfuscationEavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand
No Antivirus matches
No Antivirus matches
No Antivirus matches
No Antivirus matches
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox Version:36.0.0 Rainbow Opal
Analysis ID:753411
Start date and time:2022-11-24 19:18:55 +01:00
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 4m 4s
Hypervisor based Inspection enabled:false
Report type:light
Sample file name:Payment Advice for Imax November 23, 2022, 1%3A46%3A16 PM.txt
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:12
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:CLEAN
Classification:clean0.winTXT@1/0@0/0
EGA Information:Failed
HDC Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .txt
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): fs.microsoft.com
  • Not all processes where analyzed, report is missing behavior information
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
No simulations
No context
No context
No context
No context
No context
No created / dropped files found
File type:ASCII text, with CRLF line terminators
Entropy (8bit):5.503841975330305
TrID:
    File name:Payment Advice for Imax November 23, 2022, 1%3A46%3A16 PM.txt
    File size:857
    MD5:32c514a2cccc4dc45ead40c3f876d7e7
    SHA1:2a626cb812d5add14991989397242070c6584f05
    SHA256:4641d4821a3be256f99bfb07cbfc9b2f77670b91af83fac011a55f2c910a9ecc
    SHA512:747477d18a9c5399b03d5a56fd8e9a8efcd6b9e3c7b63db47846775f9471f2fe5f667d67553df29ea7920ad22820dfdd884cc788a3bec581bf1599eb37dfa0f2
    SSDEEP:12:DxPy+ifsMfsoWI6/SuWmyo1zI6/SuWQCiahiE5poT+Ay5yPq5q:I+iEWJW3SuWm7V3SuWN3oiAeyiQ
    TLSH:F3111230635E3477A03FE7E137470F60BD51E91000593DCCAED4118A6252DE663AF0B8
    File Content Preview:Information Regarding Attachment 'Payment Advice for Imax November 23, 2022, 1:46:16 PM'....[11/23/2022 16:58:12]....---Reported Message Metadata---....Reported Message Id: $AQMkADBiMzBkZABhNC1hNmE4LTQ1ZmQtYTJhOS0wOTIyATczZjFmZTAARgAABP9Y-43LEkeDMyJV4wOr6
    Icon Hash:74f4e4e4e4e4e4e4
    No network behavior found
    No statistics
    Target ID:0
    Start time:19:19:48
    Start date:24/11/2022
    Path:C:\Windows\System32\notepad.exe
    Wow64 process (32bit):false
    Commandline:"C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\Desktop\Payment Advice for Imax November 23, 2022, 1%3A46%3A16 PM.txt
    Imagebase:0x7ff7296f0000
    File size:245760 bytes
    MD5 hash:BB9A06B8F2DD9D24C77F389D7B2B58D2
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high

    No disassembly