Analysis Report msinfo32.exe

Overview

General Information

Sample Name: msinfo32.exe
Analysis ID: 324369
MD5: e7c7a26b9d8d528178a23521ea221feb
SHA1: 207cf726862a43473d813bb2c0350e837ac939fd
SHA256: fdf7fddbad7f3cdbb760c2bd96a32848297d6f474d766a84882241db74a8fe0b
Errors
  • Nothing to analyse, Joe Sandbox has not found any analysis process or sample
  • Corrupt sample or wrongly selected analyzer. Details: The image file %1 is valid, but is for a machine type other than the current machine.

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Yara signature match

Classification

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source: msinfo32.exe
Rule: PowerShell_Mal_HackTool_Gen
Description: Detects PowerShell hack tool samples - generic PE loader
Author: Florian Roth
Strings:
  • 0x11aab:$x2: Write-BytesToMemory -Bytes $Shellcode1 -MemoryAddress $GetCommandLineWAddrTemp

Sigma Overview

No Sigma rule has matched

Signature Overview


System Summary:

Malicious sample detected (through community Yara rule)
Source: msinfo32.exe, type: SAMPLE; Matched rule: Detects PowerShell hack tool samples - generic PE loader; Author: Florian Roth
Source: msinfo32.exe, type: SAMPLE; Matched rule: PowerShell_Mal_HackTool_Gen, date = 2017-11-02, hash1 = d442304ca839d75b34e30e49a8b9437b5ab60b74d85ba9005642632ce7038b32, author = Florian Roth, description = Detects PowerShell hack tool samples - generic PE loader, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: classification engine; Classification label: mal48.winEXE@0/0@0/0
Source: msinfo32.exe; String found in binary or memory: $RThreadHandle = Create-RemoteThread -ProcessHandle $RemoteProcHandle -StartAddress $RSCAddr -Win32Functions $Win32Functions
Source: msinfo32.exe; String found in binary or memory: Test-MemoryRangeValid -DebugString "Copy-Sections::MarshalCopy" -PEInfo $PEInfo -StartAddress $SectionDestAddr -Size $SizeOfRawData | Out-Null
Source: msinfo32.exe; String found in binary or memory: Test-MemoryRangeValid -DebugString "Copy-Sections::Memset" -PEInfo $PEInfo -StartAddress $StartAddress -Size $Difference | Out-Null
Source: msinfo32.exe; String found in binary or memory: # .EXTERNALHELP MSFT_MpWDOScan.cdxml-Help.xml
Source: msinfo32.exe; String found in binary or memory: # .EXTERNALHELP MSFT_MpThreat.cdxml-Help.xml
Source: msinfo32.exe; String found in binary or memory: # .EXTERNALHELP MSFT_MpThreatCatalog.cdxml-Help.xml
Source: msinfo32.exe; String found in binary or memory: Test-MemoryRangeValid -DebugString "Update-MemoryProtectionFlags::VirtualProtect" -PEInfo $PEInfo -StartAddress $SectionPtr -Size $SectionSize | Out-Null
Source: msinfo32.exe; String found in binary or memory: $RThreadHandle = Create-RemoteThread -ProcessHandle $RemoteProcHandle -StartAddress $RSCAddr -Win32Functions $Win32Functions
Source: msinfo32.exe; String found in binary or memory: $RThreadHandle = Create-RemoteThread -ProcessHandle $RemoteProcHandle -StartAddress $VoidFuncAddr -Win32Functions $Win32Functions

Mitre Att&ck Matrix

Tactic: Technique (the bracketed numbers are the per-technique counts shown in the report)
  • Initial Access: Valid Accounts
  • Execution: Command and Scripting Interpreter (2)
  • Persistence: Path Interception
  • Privilege Escalation: Path Interception
  • Defense Evasion: Direct Volume Access
  • Credential Access: OS Credential Dumping
  • Discovery: System Information Discovery (1)
  • Lateral Movement: Remote Services
  • Collection: Data from Local System
  • Exfiltration: Exfiltration Over Other Network Medium
  • Command and Control: Data Obfuscation
  • Network Effects: Eavesdrop on Insecure Network Communication
  • Remote Service Effects: Remotely Track Device Without Authorization
  • Impact: Modify System Partition

Behavior Graph


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source: msinfo32.exe
Detection: 7%
Scanner: Virustotal

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 324369
Start date: 29.11.2020
Start time: 18:18:43
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 1m 28s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: msinfo32.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 0
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal48.winEXE@0/0@0/0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
  • Unable to launch sample, stop analysis
Errors:
  • Nothing to analyse, Joe Sandbox has not found any analysis process or sample
  • Corrupt sample or wrongly selected analyzer. Details: The image file %1 is valid, but is for a machine type other than the current machine.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type: data
Entropy (8bit): 4.087665540238668
TrID:
  • MacBinary 2 header (1003/3) 50.00%
  • Adobe PhotoShop Brush (1003/3) 50.00%
File name: msinfo32.exe
File size: 337408
MD5: e7c7a26b9d8d528178a23521ea221feb
SHA1: 207cf726862a43473d813bb2c0350e837ac939fd
SHA256: fdf7fddbad7f3cdbb760c2bd96a32848297d6f474d766a84882241db74a8fe0b
SHA512: f5e58d63d342af5671865605a7dde71a1b2a8419e0a113527851bcb2f914c4b3e545471ad386f61cfb114eceaf4afab6b07f1b37e903906dbf0685f149b2c9e4
SSDEEP: 3072:TbhLBCldvZbMllyAONMjUi7DzqQjdI3aipMxM+E:Tudv1Wy9MHonMS
File Content Preview (non-printable bytes rendered as "."): .E.S.E.R.V.E.,. .$.W.i.n.3.2.C.o.n.s.t.a.n.t.s...P.A.G.E._.R.E.A.D.W.R.I.T.E.).........i.f. .(.$.G.e.t.P.r.o.c.A.d.d.r.e.s.s.R.e.t.M.e.m. .-.e.q. .[.I.n.t.P.t.r.].:.:.Z.e.r.o.).........{...........T.h.r.o.w. .".U.n.a.b.l.e. .t.o. .a.l.l.o.c.a.t.e. .m.e.m.

File Icon

Icon Hash: 00828e8e8686b000

Network Behavior

No network behavior found

Code Manipulations

Statistics

System Behavior

Disassembly