
Windows Analysis Report
OpenHardwareMonitorLib.sys

Overview

General Information

Sample name: OpenHardwareMonitorLib.sys
Analysis ID: 1629927
MD5: 0c0195c48b6b8582fa6f6373032118da
SHA1: d25340ae8e92a6d29f599fef426a2bc1b5217299
SHA256: 11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5
Errors
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: unsuccessful

Detection

Score: 0
Range: 0 - 100
Confidence: 100%

Signatures

Sample file is different than original file name gathered from version info

Classification

No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

There are no malicious signatures.

  • Source: OpenHardwareMonitorLib.sys | Static PE information: certificate valid
  • Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb | source: OpenHardwareMonitorLib.sys
  • Source: OpenHardwareMonitorLib.sys | String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
  • Source: OpenHardwareMonitorLib.sys | String found in binary or memory: http://crl.globalsign.net/Root.crl0
  • Source: OpenHardwareMonitorLib.sys | String found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
  • Source: OpenHardwareMonitorLib.sys | String found in binary or memory: http://crl.globalsign.net/primobject.crl0
  • Source: OpenHardwareMonitorLib.sys | Binary or memory string: OriginalFilenameWinRing0.sys2 vs OpenHardwareMonitorLib.sys
  • Source: OpenHardwareMonitorLib.sys | Binary string: \Device\WinRing0_1_2_0
  • Source: classification engine | Classification label: unknown0.winSYS@0/0@0/0
  • Source: OpenHardwareMonitorLib.sys | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
No Mitre Att&ck techniques found

Source                      | Detection | Scanner       | Label
OpenHardwareMonitorLib.sys  | 5%        | ReversingLabs |
OpenHardwareMonitorLib.sys  | 4%        | Virustotal    |
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1629927
Start date and time: 2025-03-05 10:05:24 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 1m 28s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 0
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: OpenHardwareMonitorLib.sys
Detection: UNKNOWN
Classification: unknown0.winSYS@0/0@0/0
Cookbook Comments:
  • Found application associated with file extension: .sys
  • Unable to launch sample, stop analysis
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: unsuccessful
No simulations
No context
No created / dropped files found
File type: PE32+ executable (native) x86-64, for MS Windows
Entropy (8bit): 6.2660301556221185
TrID:
  • Win64 Device Driver (generic) (12004/3) 74.95%
  • Generic Win/DOS Executable (2004/3) 12.51%
  • DOS Executable Generic (2002/1) 12.50%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name: OpenHardwareMonitorLib.sys
File size: 14'544 bytes
MD5: 0c0195c48b6b8582fa6f6373032118da
SHA1: d25340ae8e92a6d29f599fef426a2bc1b5217299
SHA256: 11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5
SHA512: ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d
SSDEEP: 192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
TLSH: 096218874B7E1906FB969F7592E9C7936D34F6C0CFA825CF421299982C413E0AF2861C
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:n.q[..q[..q[..q[..}[..V.{.t[..V.}.p[..V.m.r[..V.q.p[..V.|.p[..V.x.p[..Richq[..................PE..d....&.H.........."........
Icon Hash: 7ae282899bbab082
Entrypoint: 0x15008
Entrypoint Section: INIT
Digitally signed: true
Imagebase: 0x10000
Subsystem: native
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:
Time Stamp: 0x488B26C1 [Sat Jul 26 13:29:37 2008 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: d41fa95d4642dc981f10de36f4dc8cd7
Signature Valid: true
Signature Issuer: CN=GlobalSign ObjectSign CA, OU=ObjectSign CA, O=GlobalSign nv-sa, C=BE
Signature Validation Error: The operation completed successfully
Error Number: 0
Not Before, Not After
  • 24/09/2007 11:50:55 24/09/2008 11:50:55
Subject Chain
  • E=hiyohiyo@crystalmark.info, CN=Noriyuki MIYAZAKI, C=JP
Version: 3
Thumbprint MD5: 61EADF0DF84EEDC335550AE8944B77C4
Thumbprint SHA-1: CDA98AC4019456095593902E4B4A87AC283ED54A
Thumbprint SHA-256: 2AD31BFCB4B28F2051767A3812DA4913336A95CF614A9AF79DB439A278EA8F50
Serial: 01000000000115372421A8
Entrypoint Preview (Instruction)
dec eax
mov eax, dword ptr [FFFFE0F1h]
dec ecx
mov ecx, 2DDFA232h
cdq
sub eax, dword ptr [eax]
add byte ptr [eax-7Bh], cl
sal byte ptr [ebp+eax+49h], 0000003Bh
sal dword ptr [ebp+2Fh], 4Ch
lea eax, dword ptr [FFFFE0D6h]
dec eax
mov eax, 00000320h
xor bh, FFFFFFFFh
dec dword ptr [eax-75h]
add byte ptr [ecx+33h], cl
ror byte ptr [ecx-48h], FFFFFFFFh
Programming Language:
  • [IMP] VS2005 build 50727
  • [ASM] VS2005 build 50727
  • [ C ] VS2005 build 50727
  • [RES] VS2005 build 50727
  • [LNK] VS2005 build 50727
Name                                 | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IMPORT         | 0x5064          | 0x3c         | INIT
IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0x6000          | 0x3c0        | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x4000          | 0x60         | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x1a00          | 0x1ed0       |
IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x2070          | 0x1c         | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IAT            | 0x2000          | 0x70         | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |
Name   | Virtual Address | Virtual Size | Raw Size | MD5                              | Xored PE | ZLIB Complexity | File Type | Entropy             | Characteristics
.text  | 0x1000          | 0x6c6        | 0x800    | 1c3d5bb2285dafcf3b7746bf717c1a51 | False    | 0.55810546875   | data      | 5.391022592524746   | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x2000          | 0x17c        | 0x200    | 08362d1269d5a5ef4e7560cab993590d | False    | 0.4921875       | data      | 3.2845065466422056  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ
.data  | 0x3000          | 0x114        | 0x200    | 043c46095689123e1f5be96c109c2f46 | False    | 0.072265625     | data      | 0.30140680731160896 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x4000          | 0x60         | 0x200    | 077af14197899077aa36d2c72ba1773f | False    | 0.1640625       | data      | 0.8576227162916705  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ
INIT   | 0x5000          | 0x222        | 0x400    | ba375d2de342e7d7a93487a35ea5d36d | False    | 0.3583984375    | data      | 3.0572080503988466  | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc  | 0x6000          | 0x3c0        | 0x400    | 5459c1fdb222b651d36692c4ca5df895 | False    | 0.421875        | data      | 3.1267280965534163  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name       | RVA    | Size  | Type | Language | Country       | ZLIB Complexity
RT_VERSION | 0x6060 | 0x35c | data | English  | United States | 0.4604651162790698

DLL          | Import
ntoskrnl.exe | IoDeleteSymbolicLink, RtlInitUnicodeString, IoDeleteDevice, IoCreateDevice, MmMapIoSpace, KeBugCheckEx, IoCreateSymbolicLink, MmUnmapIoSpace, IofCompleteRequest, __C_specific_handler
HAL.dll      | HalSetBusDataByOffset, HalGetBusDataByOffset

Description      | Data
Comments         | The modified BSD license
CompanyName      | OpenLibSys.org
FileDescription  | WinRing0
FileVersion      | 1.2.0.5
InternalName     | WinRing0.sys
LegalCopyright   | Copyright (C) 2007-2008 OpenLibSys.org. All rights reserved.
OriginalFilename | WinRing0.sys
ProductName      | WinRing0
ProductVersion   | 1.2.0.5
Translation      | 0x0411 0x04b0

Language of compilation system | Country where language is spoken
English                        | United States
No network behavior found
No statistics
No system behavior
No disassembly