Windows Analysis Report
Harbor Freight Department.png

Overview

General Information

Sample name:	Harbor Freight Department.png
Analysis ID:	1522668
MD5:	eeadcea0a9e132e58ee1f1cafaeb4889
SHA1:	66da94f5b8241db5f310d2ad7b8458809487c58e
SHA256:	b130965087b4af0207c893a68aa5beebe1120816a1ab6d195d74f4c26156b9cc
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Classification

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: Harbor Freight Department.png

Virustotal: Detection: 17%

Perma Link

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Windows\SysWOW64\mspaint.exe

Memory allocated: 770B0000 page execute and read and write

Jump to behavior

Source: classification engine

Classification label: mal48.winPNG@1/0@0/0

Source: C:\Windows\SysWOW64\mspaint.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Harbor Freight Department.png

Virustotal: Detection: 17%

Source: C:\Windows\SysWOW64\mspaint.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mspaint.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mspaint.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mspaint.exe	Section loaded: odbc32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mspaint.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mspaint.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mspaint.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mspaint.exe	Section loaded: msftedit.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mspaint.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mspaint.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mspaint.exe	Section loaded: wiatrace.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mspaint.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mspaint.exe	Section loaded: uiribbonres.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mspaint.exe	Section loaded: bcrypt.dll	Jump to behavior

Source: C:\Windows\SysWOW64\mspaint.exe

File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL

Jump to behavior

Source: C:\Windows\SysWOW64\mspaint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mspaint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mspaint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mspaint.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mspaint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\SysWOW64\mspaint.exe TID: 3484

Thread sleep time: -240000s >= -30000s

Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\SysWOW64\mspaint.exe

Queries volume information: C:\Users\user\Desktop\Harbor Freight Department.png VolumeInformation

Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

ID:	1522668
Product:	CloudBasic
Start time:	15:04:32
Start date:	30.09.2024
Sample:	Harbor Freight Department.png
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	eeadcea0a9e132e58ee1f1cafaeb4889
SHA1:	66da94f5b8241db5f310d2ad7b8458809487c58e
SHA256:	b130965087b4af0207c893a68aa5beebe1120816a1ab6d195d74f4c26156b9cc
Filetype:	Word Microsoft Office Open XML Format document (49504/1) 58.23%

Windows Analysis Report
Harbor Freight Department.png

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Windows Analysis Report Harbor Freight Department.png

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Windows Analysis Report
Harbor Freight Department.png