Edit tour

Windows Analysis Report
hdI44WsQzp

Overview

General Information

Sample name:	hdI44WsQzp renamed because original name is a hash value
Original sample name:	ba8ab5a0280b953aa97435ff8946cbcbb2755a27
Analysis ID:	1544568
MD5:	81051bcc2cf1bedf378224b0a93e2877
SHA1:	ba8ab5a0280b953aa97435ff8946cbcbb2755a27
SHA256:	7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6
Infos:

Detection

Score:	0
Range:	0 - 100
Whitelisted:	true
Confidence:	100%

Signatures

Monitors registry run keys for changes

Contains capabilities to detect virtual machines

Queries the volume information (name, serial number etc) of a device

Classification

Process Tree

System is w10x64_ra

Taskmgr.exe (PID: 3816 cmdline: "C:\Windows\system32\taskmgr.exe" /4 MD5: 58D5BC7895F7F32EE308E34F06F25DD5)

Taskmgr.exe (PID: 7012 cmdline: "C:\Windows\system32\taskmgr.exe" /4 MD5: 58D5BC7895F7F32EE308E34F06F25DD5)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: classification engine

Classification label: clean21.win@2/1@0/0

Source: C:\Windows\System32\Taskmgr.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\TM.750ce7b0-e5fd-454f-9fad-2f66513dfa1b

Source: C:\Windows\System32\Taskmgr.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\Taskmgr.exe "C:\Windows\system32\taskmgr.exe" /4
Source: unknown	Process created: C:\Windows\System32\Taskmgr.exe "C:\Windows\system32\taskmgr.exe" /4

Source: C:\Windows\System32\Taskmgr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{09c5dd34-009d-40fa-bcb9-0165ad0c15d4}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\Taskmgr.exe

Window found: window name: SysTabControl32

Jump to behavior

Boot Survival

Monitors registry run keys for changes

Source: C:\Windows\System32\Taskmgr.exe	Registry key monitored: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Registry key monitored: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	Jump to behavior

Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\Taskmgr.exe

File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: Taskmgr.exe, 0000000B.00000002.2100145614.000001B5DA540000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Logical Processorui
Source: Taskmgr.exe, 0000000B.00000002.2102211850.000001B5DA994000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000000B.00000002.2102211850.000001B5DA870000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Dynamic Memory Integration Service
Source: Taskmgr.exe, 0000000B.00000002.2102211850.000001B5DA994000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000000B.00000002.2100145614.000001B5DA540000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Root Virtual Processor
Source: Taskmgr.exe, 0000000B.00000002.2102211850.000001B5DA994000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rkflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle
Source: Taskmgr.exe, 0000000B.00000002.2102211850.000001B5DA870000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 2Hyper-V Heartbeat ServiceD
Source: Taskmgr.exe, 0000000B.00000002.2102211850.000001B5DA870000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HHyper-V Volume Shadow Copy Requestord
Source: Taskmgr.exe, 0000000B.00000003.1877323378.000001B5DA60B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &Hyper-V Hypervisorb
Source: Taskmgr.exe, 0000000B.00000002.2102211850.000001B5DA870000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: THyper-V Hypervisor Root Virtual Processor
Source: Taskmgr.exe, 0000000B.00000002.2102211850.000001B5DA994000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Virtual Machine Bus PipesZ
Source: Taskmgr.exe, 0000000B.00000002.2102211850.000001B5DA870000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware Virtual disk SCSI Disk Device0
Source: Taskmgr.exe, 0000000B.00000003.1877323378.000001B5DA60B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &Hyper-V Hypervisorui
Source: Taskmgr.exe, 0000000B.00000003.1876737109.000001B5DAA5E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: (100 ns)3184Compacted Container Fill Ratio (%)3188Compactions failed due to ineligible container3190Compactions failed due to max fragmentation3192Container Move Retry Count3194Container moves failed due to ineligible container3196Compaction Failure Count3198Container Move Failure Count3200Dirty metadata pages3202Dirty table list entries3204Delete Queue entries9698Storage Management WSP Spaces Runtime9700Runtime Count 4ms9702Runtime Count 16ms9704Runtime Count 64ms9706Runtime Count 256ms9708Runtime Count 1s9710Runtime Count 4s9712Runtime Count 16s9714Runtime Count 1min9716Runtime Count Infinite3094Hyper-V Virtual Machine Bus Pipes3096Reads/sec3098Writes/sec3100Bytes Read/sec3102Bytes Written/sec9616SMB Direct Connection9618Stalls (Send Credit)/sec9620Stalls (Send Queue)/sec9622Stalls (RDMA Registrations)/sec9624Sends/sec9626Remote Invalidations/sec9628Memory Regions9630Bytes Received/sec9632Bytes Sent/sec9634Bytes RDMA Read/sec9636Bytes RDMA Written/sec9638Stalls (RDMA Read)/sec9640Receives/sec9642RDMA Registrations/sec96
Source: Taskmgr.exe, 0000000B.00000002.2102211850.000001B5DA994000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: JHyper-V Hypervisor Logical Processor
Source: Taskmgr.exe, 0000000B.00000002.2102211850.000001B5DA870000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: >Hyper-V Guest Service Interface
Source: Taskmgr.exe, 0000000B.00000002.2102211850.000001B5DA994000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sWDHyper-V Hypervisor Root PartitionF
Source: Taskmgr.exe, 0000000B.00000002.2102211850.000001B5DA994000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: THyper-V Hypervisor Root Virtual Processorb
Source: Taskmgr.exe, 0000000B.00000002.2102211850.000001B5DA994000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VHyper-V Dynamic Memory Integration Service:
Source: Taskmgr.exe, 0000000B.00000002.2102211850.000001B5DA870000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: :Hyper-V Data Exchange Service
Source: Taskmgr.exe, 0000000B.00000002.2102211850.000001B5DA994000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DHyper-V Virtual Machine Bus Pipes
Source: Taskmgr.exe, 0000000B.00000003.1877323378.000001B5DA60B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Virtual Machine Bus Pipes C
Source: Taskmgr.exe, 0000000B.00000002.2102211850.000001B5DA994000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Logical Processorlr
Source: Taskmgr.exe, 0000000B.00000002.2102211850.000001B5DA870000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: BHyper-V PowerShell Direct Service
Source: Taskmgr.exe, 0000000B.00000003.1877323378.000001B5DA60B000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000000B.00000003.1879476729.000001B5DA62A000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000000B.00000002.2100145614.000001B5DA629000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V VM Vid PartitionlHO
Source: Taskmgr.exe, 0000000B.00000003.1877323378.000001B5DA60B000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000000B.00000003.1879476729.000001B5DA62A000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000000B.00000002.2100145614.000001B5DA629000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V VM Vid Partition
Source: Taskmgr.exe, 0000000B.00000002.2100145614.000001B5DA554000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V jxtdneswtnmcldt Bus
Source: Taskmgr.exe, 0000000B.00000003.1877323378.000001B5DA60B000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000000B.00000002.2102211850.000001B5DA994000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Root Partition
Source: Taskmgr.exe, 0000000B.00000003.1876714557.000001B5DAABF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ota Statistics3434Total Requests/Second3436User Quota Violations/Second3438System Quota Violations/Second3440Active Shells3442Active Operations3444Active Users3446Process ID1914Hyper-V VM Vid Partition1916Physical Pages Allocated1918Preferred NUMA Node Index1920Remote Physical Pages1922ClientHandles1924CompressPackTimeInUs1926CompressUnpackTimeInUs1928CompressPackInputSizeInBytes1930CompressUnpackInputSizeInBytes1932CompressPackOutputSizeInBytes1934CompressUnpackOutputSizeInBytes1936CompressUnpackUncompressedInputSizeInBytes1938CompressPackDiscardedSizeInBytes1940CompressWorkspaceSizeInBytes1942CompressScratchPoolSizeInBytes1944CryptPackTimeInUs1946CryptUnpackTimeInUs1948CryptPackInputSizeInBytes1950CryptUnpackInputSizeInBytes1952CryptPackOutputSizeInBytes1954CryptUnpackOutputSizeInBytes1956CryptScratchPoolSizeInBytesgg
Source: Taskmgr.exe, 0000000B.00000002.2102211850.000001B5DA870000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VHyper-V Dynamic Memory Integration Service
Source: Taskmgr.exe, 0000000B.00000003.1876737109.000001B5DAA5E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: on the server3336Errors - Receive errors on the server3338In - Total packets received3340Out - Total packets sent3342Sessions - Total sessions3230Teredo Server3232In - Teredo Server Total Packets: Success + Error3234In - Teredo Server Success Packets: Total3236In - Teredo Server Success Packets: Bubbles3238In - Teredo Server Success Packets: Echo3240In - Teredo Server Success Packets: RS-Primary3242In - Teredo Server Success Packets: RS-Secondary3244In - Teredo Server Error Packets: Total3246In - Teredo Server Error Packets: Header Error3248In - Teredo Server Error Packets: Source Error3250In - Teredo Server Error Packets: Destination Error3252In - Teredo Server Error Packets: Authentication Error3254Out - Teredo Server: RA-Primary3256Out - Teredo Server: RA-Secondary 3258In - Teredo Server Total Packets: Success + Error / sec3206Teredo Client3208In - Teredo Router Advertisement3210In - Teredo Bubble3212In - Teredo Data3214In - Teredo Invalid3216Out - Teredo Router Solicitation3218Out - Teredo Bubble3220Out - Teredo Data3222In - Teredo Data User Mode3224In - Teredo Data Kernel Mode3226Out - Teredo Data User Mode3228Out - Teredo Data Kernel Mode6468Hyper-V Dynamic Memory Integration Service6470Maximum Memory, Mbytes1848Bluetooth Radio1850Classic ACL bytes wr
Source: Taskmgr.exe, 0000000B.00000002.2102211850.000001B5DA870000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HHyper-V Time Synchronization Service$
Source: Taskmgr.exe, 0000000B.00000002.2102211850.000001B5DA870000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}00.png88
Source: Taskmgr.exe, 0000000B.00000002.2102211850.000001B5DA994000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V jxtdneswtnmcldt Bus Pipes
Source: Taskmgr.exe, 0000000B.00000002.2102211850.000001B5DA994000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AlDHyper-V Virtual Machine Bus Pipesd
Source: Taskmgr.exe, 0000000B.00000002.2102211850.000001B5DA870000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmicshutdown
Source: Taskmgr.exe, 0000000B.00000002.2102211850.000001B5DA994000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DHyper-V Hypervisor Root PartitionX
Source: Taskmgr.exe, 0000000B.00000002.2102211850.000001B5DA994000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: JHyper-V Hypervisor Logical Processor
Source: Taskmgr.exe, 0000000B.00000002.2102211850.000001B5DA870000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmicvss
Source: Taskmgr.exe, 0000000B.00000002.2102211850.000001B5DA994000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: X2Hyper-V VM Vid Partition}
Source: Taskmgr.exe, 0000000B.00000003.1877323378.000001B5DA60B000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000000B.00000002.2102211850.000001B5DA994000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor
Source: Taskmgr.exe, 0000000B.00000002.2102211850.000001B5DA994000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 2Hyper-V VM Vid Partition
Source: Taskmgr.exe, 0000000B.00000002.2102211850.000001B5DA870000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ZHyper-V Remote Desktop Virtualization ServiceU
Source: Taskmgr.exe, 0000000B.00000002.2102211850.000001B5DA870000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmicheartbeat
Source: Taskmgr.exe, 0000000B.00000002.2102211850.000001B5DA870000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: <Hyper-V Guest Shutdown ServiceI

Source: C:\Windows\System32\Taskmgr.exe	Queries volume information: C:\ProgramData\Microsoft\User Account Pictures\user.png VolumeInformation	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Queries volume information: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Assets\SmallLogo.scale-100.png VolumeInformation	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Queries volume information: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Assets\Icons\AppListIcon.scale-100.png VolumeInformation	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.scale-100.png VolumeInformation	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Queries volume information: C:\Windows\System32\RuntimeBroker.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Queries volume information: C:\Windows\System32\RuntimeBroker.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Queries volume information: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Assets\Icons\AppListIcon.scale-100.png VolumeInformation	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Queries volume information: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Assets\SquareLogo44x44.scale-100.png VolumeInformation	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Queries volume information: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Assets\SquareLogo44x44.scale-100.png VolumeInformation	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	1 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 Query Registry	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Process Injection	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	11 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
hdI44WsQzp	0%	ReversingLabs

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1544568
Start date and time:	2024-10-29 15:31:39 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	hdI44WsQzp renamed because original name is a hash value
Original Sample Name:	ba8ab5a0280b953aa97435ff8946cbcbb2755a27
Detection:	CLEAN
Classification:	clean21.win@2/1@0/0

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, consent.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: hdI44WsQzp

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Download File

Process:	C:\Windows\System32\Taskmgr.exe
File Type:	ASCII text, with no line terminators
Category:	modified
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:R:R
MD5:	F49655F856ACB8884CC0ACE29216F511
SHA1:	CB0F1F87EC0455EC349AAA950C600475AC7B7B6B
SHA-256:	7852FCE59C67DDF1D6B8B997EAA1ADFAC004A9F3A91C37295DE9223674011FBA
SHA-512:	599E93D25B174524495ED29653052B3590133096404873318F05FD68F4C9A5C9A3B30574551141FBB73D7329D6BE342699A17F3AE84554BAB784776DFDA2D5F8
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	EERF

Static File Info

General

File type:	ASCII text, with CRLF line terminators
Entropy (8bit):	1.0
TrID:
File name:	hdI44WsQzp
File size:	2 bytes
MD5:	81051bcc2cf1bedf378224b0a93e2877
SHA1:	ba8ab5a0280b953aa97435ff8946cbcbb2755a27
SHA256:	7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6
SHA512:	1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d
SSDEEP:	3:y:y
TLSH:
File Content Preview:	..

File Icon


Icon Hash:	72e2a2a292a2a2b2

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: Taskmgr.exePID: 3816, Parent PID: 4380

General

Target ID:	8
Start time:	10:33:10
Start date:	29/10/2024
Path:	C:\Windows\System32\Taskmgr.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\taskmgr.exe" /4
Imagebase:	0x7ff78e410000
File size:	1'213'232 bytes
MD5 hash:	58D5BC7895F7F32EE308E34F06F25DD5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Analysis Process: Taskmgr.exePID: 7012, Parent PID: 4380

General

Target ID:	11
Start time:	10:33:10
Start date:	29/10/2024
Path:	C:\Windows\System32\Taskmgr.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\taskmgr.exe" /4
Imagebase:	0x7ff78e410000
File size:	1'213'232 bytes
MD5 hash:	58D5BC7895F7F32EE308E34F06F25DD5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report hdI44WsQzp

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

System Summary

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Static File Info

General

File Icon

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: Taskmgr.exePID: 3816, Parent PID: 4380

General

Analysis Process: Taskmgr.exePID: 7012, Parent PID: 4380

General

Chronological Activities

Disassembly

Windows Analysis Report
hdI44WsQzp