
ID: 319513 Sample Name: AutoRun.inf Cookbook: default.jbs Time: 11:49:41 Date: 18/11/2020 Version: 31.0.0 Red Diamond

Table of Contents

Table of Contents 2
Analysis Report AutoRun.inf 3
Overview 3
General Information 3
Detection 3
Signatures 3
Classification 3
Startup 3
Malware Configuration 3
Yara Overview 3
Sigma Overview 3
Signature Overview 3
Mitre Att&ck Matrix 4
Behavior Graph 4
Screenshots 5
Thumbnails 5
Antivirus, Machine Learning and Genetic Malware Detection 6
Initial Sample 6
Dropped Files 6
Unpacked PE Files 6
Domains 6
URLs 6
Domains and IPs 6
Contacted Domains 7
Contacted IPs 7
General Information 7
Simulations 7
Behavior and APIs 7
Joe Sandbox View / Context 8
IPs 8
Domains 8
ASN 8
JA3 Fingerprints 8
Dropped Files 8
Created / dropped Files 8
Static File Info 8
General 8
File Icon 8
Network Behavior 8
Code Manipulations 9
Statistics 9
System Behavior 9
Analysis Process: notepad.exe PID: 4548 Parent PID: 5620 9
General 9
File Activities 9
Disassembly 9
Code Analysis 9

Copyright null 2020 Page 2 of 9

Analysis Report AutoRun.inf

Overview

General Information

Sample Name: AutoRun.inf
Analysis ID: 319513
MD5: e61fb75da834380…
SHA1: d684c54f38f9e98…
SHA256: 31b4e54b2babffb…
Most interesting Screenshot:

Detection

Score: 1
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

May infect USB drives
Queries the volume information (nam…

Classification

Scale (chart legend): malicious / suspicious / clean
Categories (chart legend): Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware

Startup

System is w10x64
notepad.exe (PID: 4548 cmdline: 'C:\Windows\system32\NOTEPAD.EXE' C:\Users\user\Desktop\AutoRun.inf MD5: BB9A06B8F2DD9D24C77F389D7B2B58D2)
cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

• Spreading
• System Summary
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection

There are no malicious signatures.

Mitre Att&ck Matrix

Initial Access: Replication Through Removable Media 1; Default Accounts; Domain Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Windows)
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
Privilege Escalation: Process Injection 1; Boot or Logon Initialization Scripts; Logon Script (Windows)
Defense Evasion: Process Injection 1; Rootkit; Obfuscated Files or Information
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
Discovery: Process Discovery 1; Peripheral Device Discovery 1; System Information Discovery 1 1
Lateral Movement: Replication Through Removable Media 1; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Command and Control: Data Obfuscation; Junk Data; Steganography
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data

Behavior Graph

Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, C# or VB.NET, C, C++ or other language, Is malicious, Internet

ID: 319513
Sample: AutoRun.inf
Startdate: 18/11/2020
Architecture: WINDOWS
Score: 1

Graph: notepad.exe (started)

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 319513
Start date: 18.11.2020
Start time: 11:49:41
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 17s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: AutoRun.inf
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 20
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean1.winINF@1/0@0/0
EGA Information: Failed
HDC Information: Failed
HCA Information: Successful, ratio: 100%
Number of executed functions: 0
Number of non-executed functions: 0
Cookbook Comments: Adjust boot time; Enable AMSI; Found application associated with file extension: .inf
Warnings: Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe; Report size getting too big, too many NtProtectVirtualMemory calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type: Windows Autorun file, ASCII text, with CRLF line terminators
Entropy (8bit): 4.502841453316659
TrID: Generic INI configuration (1001/1) 100.00%
File name: AutoRun.inf
File size: 150
MD5: e61fb75da834380f98c744974510e12b
SHA1: d684c54f38f9e9829008e304371a0d9c45b7ffc1
SHA256: 31b4e54b2babffb46e81c1c8aa50ef4a9b5cf997052f1e72048dc6243433d2d9
SHA512: 0957265277406008c7f6e76942d36ade4d5a45a412ca52a4a54d302c461effdfdbc16b309402ecf2b1790759490236a372f258de80fed3c469edb2c3c5305b38
SSDEEP: 3:00u0DqsP58ONDq0TrYMuFDqzmzAJwdVJMKJBL9+dVJMXTrYMuN:CqqsP5jDq0TMMEq6swZv/oZewMa
File Content Preview: [AutoRun]..open=ie.exe..shell\open=Open(&O)..shell\open\Command=ie.exe..shell\open\Default=1..shell\explore=Explorer(&X)..shell\explore\Command=ie.exe

File Icon

Icon Hash: 74f0e4e0e2e5e2ec

Network Behavior

No network behavior found

Code Manipulations

Statistics

System Behavior

Analysis Process: notepad.exe PID: 4548 Parent PID: 5620

General

Start time: 11:50:37
Start date: 18/11/2020
Path: C:\Windows\System32\notepad.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\NOTEPAD.EXE' C:\Users\user\Desktop\AutoRun.inf
Imagebase: 0x7ff60acb0000
File size: 245760 bytes
MD5 hash: BB9A06B8F2DD9D24C77F389D7B2B58D2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

File Activities

Source File Path Offset Length Completion Count Address Symbol

Disassembly

Code Analysis
