Edit tour
Windows
Analysis Report
readme.txt
Overview
General Information
| Sample Name: | readme.txt |
| Analysis ID: | 800705 |
| MD5: | 99a47df2646f18b7f94f1d29c236c93a |
| SHA1: | a32553c3ad3abe7fe4431aea637c82539d9d8d3f |
| SHA256: | a7e78fdcad18f8f3be24d4fa4aee23cbf1a138497479469e4e1ad79640330add |
 | |
Detection
| Score: | 0 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Queries the volume information (name, serial number etc) of a device
Classification
- System is w10x64
notepad.exe (PID: 5200 cmdline: "C:\Window s\system32 \NOTEPAD.E XE" C:\Use rs\user\De sktop\read me.txt MD5: BB9A06B8F2DD9D24C77F389D7B2B58D2)
- cleanup
⊘No configs have been found
⊘No yara matches
⊘No Sigma rule has matched
⊘No Snort rule has matched
Click to jump to signature section
Show All Signature Results
There are no malicious signatures, click here to show all signatures.
| Source: | String found in binary or memory: | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Classification label: | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | Windows Management Instrumentation | Path Interception | Path Interception | Direct Volume Access | OS Credential Dumping | 11 System Information Discovery | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | ReversingLabs | |||
| 0% | Virustotal | Browse |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No contacted domains info
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high |
⊘No contacted IP infos
| Joe Sandbox Version: | 36.0.0 Rainbow Opal |
| Analysis ID: | 800705 |
| Start date and time: | 2023-02-07 18:27:05 +01:00 |
| Joe Sandbox Product: | CloudBasic |
| Overall analysis duration: | 0h 4m 46s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
| Number of analysed new started processes analysed: | 7 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample file name: | readme.txt |
| Detection: | CLEAN |
| Classification: | clean0.winTXT@1/0@0/0 |
| EGA Information: | Failed |
| HDC Information: | Failed |
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, HxTsr.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe
- Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, login.live.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtProtectVirtualMemory calls found.
⊘No simulations
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 4.897628741856098 |
| TrID: | |
| File name: | readme.txt |
| File size: | 17399 |
| MD5: | 99a47df2646f18b7f94f1d29c236c93a |
| SHA1: | a32553c3ad3abe7fe4431aea637c82539d9d8d3f |
| SHA256: | a7e78fdcad18f8f3be24d4fa4aee23cbf1a138497479469e4e1ad79640330add |
| SHA512: | e58dc4a5592eb9f80c6d9580d047b34e0e08e257896e4c28afccaca3e14457c3a611e7813928cd3f6ad159f9c204ada1b0126b917cdafb1c60aa6093589d22fc |
| SSDEEP: | 192:WmsnCqMzjGrGkgbbxgZ7eQ6POTTenmfOUj0ySRLSHFYHOf7WL8K6pt9WDaIGec2X:WuqGaeQ6PGTFvjv8Sl0AIG6ewt4NsAS |
| TLSH: | 1A72564BD1AB133211B302A356CD7BC3FB6941699786892474ADD31C2327B4AE3BB4DD |
| File Content Preview: | ......ProduKey v1.90..Copyright (c) 2005 - 2017 Nir Sofer..Web Site: http://www.nirsoft.net/utils/product_cd_key_viewer.html........Description..===========....ProduKey is a small utility that displays the ProductID and the CD-Key of..MS-Office, Windows, |
 | |
| Icon Hash: | 74f4e4e4e4e4e4e4 |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library NodeReport size exceeds maximum size, go to the download page of this report and download PCAP to see all network behavior.
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
| Target ID: | 0 |
| Start time: | 18:28:04 |
| Start date: | 07/02/2023 |
| Path: | C:\Windows\System32\notepad.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6b07c0000 |
| File size: | 245760 bytes |
| MD5 hash: | BB9A06B8F2DD9D24C77F389D7B2B58D2 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
⊘No disassembly