Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
krampus.jsc

Overview

General Information

Sample name:krampus.jsc
Analysis ID:1579545
MD5:afcf5542285df8ea719c3ad0a087984f
SHA1:ab67022eaf63f9206d27d6c8becc6fd276ffb613
SHA256:d29e468bee8a4050b5d912de798acc76cbd142098ecd84e8d075092f986e49f1

Detection

Score:1
Range:0 - 100
Whitelisted:false
Confidence:80%

Signatures

Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device

Classification

  • System is w10x64
  • OpenWith.exe (PID: 5944 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: E4A834784FA08C17D47A1E72429C5109)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: classification engineClassification label: clean1.winJSC@1/0@0/0
Source: C:\Windows\System32\OpenWith.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5944:120:WilError_03
Source: C:\Windows\System32\OpenWith.exeFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Windows\System32\OpenWith.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: twinui.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: dwmapi.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: pdh.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: actxprxy.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.ui.appdefaults.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.ui.immersive.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: uiautomationcore.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: dui70.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: duser.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: dwrite.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: bcp47mrm.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: uianimation.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d11.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: dxgi.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: resourcepolicyclient.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: dxcore.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: dcomp.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: oleacc.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: edputil.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.ui.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: windowmanagementapi.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: inputhost.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: windowscodecs.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: thumbcache.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: policymanager.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: slc.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: sppc.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: tiledatarepository.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: staterepository.core.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.staterepository.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: wtsapi32.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.staterepositorycore.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: mrmcorer.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: appxdeploymentclient.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: sxs.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: directmanipulation.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32Jump to behavior
Source: C:\Windows\System32\OpenWith.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\OpenWith.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\OpenWith.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\OpenWith.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\OpenWith.exeQueries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformationJump to behavior
Source: C:\Windows\System32\OpenWith.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
Source: C:\Windows\System32\OpenWith.exeQueries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformationJump to behavior
Source: C:\Windows\System32\OpenWith.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
DLL Side-Loading
1
DLL Side-Loading
1
DLL Side-Loading
OS Credential Dumping1
File and Directory Discovery
Remote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS Memory11
System Information Discovery
Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand
SourceDetectionScannerLabelLink
krampus.jsc0%VirustotalBrowse
No Antivirus matches
No Antivirus matches
No Antivirus matches
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1579545
Start date and time:2024-12-22 23:36:20 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 3m 50s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:5
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:krampus.jsc
Detection:CLEAN
Classification:clean1.winJSC@1/0@0/0
EGA Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 23.218.208.109, 13.107.246.63, 52.149.20.212, 20.12.23.50
  • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
TimeTypeDescription
17:37:15API Interceptor1x Sleep call for process: OpenWith.exe modified
No context
No context
No context
No context
No context
No created / dropped files found
File type:data
Entropy (8bit):5.659027870614106
TrID:
    File name:krampus.jsc
    File size:4'304 bytes
    MD5:afcf5542285df8ea719c3ad0a087984f
    SHA1:ab67022eaf63f9206d27d6c8becc6fd276ffb613
    SHA256:d29e468bee8a4050b5d912de798acc76cbd142098ecd84e8d075092f986e49f1
    SHA512:91dda583d2f47765add45c639d3432f6fb93f4a762ea582b75300f6e0c086a208a1949a3a3c06186f719800d9ccec5a846fac2c123cdffb0166e307cd8a0a072
    SSDEEP:96:n3yi/blez59+O4w04Vus+JWjCZsmn7Q6gKS3IX1:llel4jSmm+I3u1
    TLSH:D291D69EBB145B0BE0A1EB7001E3E1208770B7DE7EF9D72329415A2D1C9F2B43E104A8
    File Content Preview:.....d..U.....4.......-...S. ..`..........L`..........S...`....P....xL`.........tRb.....q....................Qb..] ....createCipheriv....Qb........createDecipheriv..QaJ.!S....fs........Qa..{b....path......Qa...5....key.......Qav.g.....iv........Qb........
    Icon Hash:74f0e4e4e4e4e0e4
    No network behavior found

    Click to jump to process

    Click to jump to process

    Target ID:0
    Start time:17:37:15
    Start date:22/12/2024
    Path:C:\Windows\System32\OpenWith.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\OpenWith.exe -Embedding
    Imagebase:0x7ff61e3b0000
    File size:123'984 bytes
    MD5 hash:E4A834784FA08C17D47A1E72429C5109
    Has elevated privileges:false
    Has administrator privileges:false
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    No disassembly