Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
image.png

Overview

General Information

Sample name:image.png
Analysis ID:1540395
MD5:f302102b6f1ed9a941004f6434ebdec3
SHA1:f663f0705b438f76d2d3bb8811504c5e0de10c03
SHA256:139af21333f563c8cba64c9a282eb6bacc0c91202c89f0d5cef692db45f93465
Infos:

Detection

Score:1
Range:0 - 100
Whitelisted:false
Confidence:40%

Signatures

Creates files inside the system directory
Queries the volume information (name, serial number etc) of a device

Classification

  • System is w10x64
  • mspaint.exe (PID: 7212 cmdline: mspaint.exe "C:\Users\user\Desktop\image.png" MD5: 986A191E95952C9E3FE6BE112FB92026)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: C:\Windows\SysWOW64\mspaint.exeFile created: C:\Windows\Debug\WIAJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeFile created: C:\Windows\Debug\WIA\wiatrace.logJump to behavior
Source: classification engineClassification label: clean1.winPNG@1/1@0/0
Source: C:\Windows\SysWOW64\mspaint.exeFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: mfc42u.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: winmm.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: msftedit.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: uiribbon.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: xmllite.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: efswrt.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: sti.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: wiatrace.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: atlthunk.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: dwmapi.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: windowscodecs.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: oleacc.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: photometadatahandler.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeFile opened: C:\Windows\SysWOW64\MSFTEDIT.DLLJump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\mspaint.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: mspaint.exe, 00000000.00000002.2891573715.0000000002E5D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}24
Source: C:\Windows\SysWOW64\mspaint.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeQueries volume information: C:\Users\user\Desktop\image.png VolumeInformationJump to behavior
ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
DLL Side-Loading
1
DLL Side-Loading
1
Masquerading
OS Credential Dumping1
Security Software Discovery
Remote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
DLL Side-Loading
LSASS Memory1
Process Discovery
Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)Obfuscated Files or InformationSecurity Account Manager1
File and Directory Discovery
SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin HookBinary PaddingNTDS11
System Information Discovery
Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand
No Antivirus matches
No Antivirus matches
No Antivirus matches
No Antivirus matches
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1540395
Start date and time:2024-10-23 18:13:24 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 3m 46s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:6
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:image.png
Detection:CLEAN
Classification:clean1.winPNG@1/1@0/0
EGA Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, 4.8.2.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0.2.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes where analyzed, report is missing behavior information
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • VT rate limit hit for: image.png
TimeTypeDescription
12:14:34API Interceptor802x Sleep call for process: mspaint.exe modified
No context
No context
No context
No context
No context
Process:C:\Windows\SysWOW64\mspaint.exe
File Type:ASCII text, with CRLF, LF line terminators
Category:dropped
Size (bytes):1526
Entropy (8bit):5.279393088861004
Encrypted:false
SSDEEP:24:0u8bB1uWF02k9YXCM1uWF0qh1u4QWF0kuqaQWF0w3Oa1uWF0HXd/bXE34R1u/Xdc:0u8bB1uWSmXJ1uWSc1u4QWSku3QWSw3w
MD5:1CD19CA5EFA454E1B19EB6C87BDA846C
SHA1:57FC9FE4C8EBB56842C5C0DA7C82C0A3C5FE775F
SHA-256:787131F989661A1933A80ED6CF5DF673FE973A57BA1965E7D064464F52271205
SHA-512:65ACF4856437F17462BCE1737149055BF361673EB256424A46D56961B1021FE3F05900000202325FB649A5510C123799D9DF9D2F22E4B8EB70354A6098B35195
Malicious:false
Reputation:low
Preview:..**************** Started trace for Module: [sti.dll] in Executable [mspaint.exe] ProcessID: [7212] at 2024/10/23 12:14:19:251 ****************..WIA: 7212.7216 16 0 0 [sti.dll] AsyncRPCEventTransport::OpenConnectionToServer, AsyncRPC Connection established to server..WIA: 7212.7216 16 0 0 [sti.dll] AsyncRPCEventTransport::OpenConnectionToServer, Got my context 02E05BE8 from server...WIA: 7212.7216 16 0 0 [sti.dll] WiaEventReceiver::Start, WiaEventReceiver Started.....WIA: 7212.7344 16 0 0 [sti.dll] AsyncRPCEventTransport::CloseNotificationChannel, Closing the async notification channel.....WIA: 7212.7344 16 0 0 [sti.dll] AsyncRPCEventTransport::OpenNotificationChannel, Opening the async notification channel.....WIA: 7212.7216 16 0 0 [sti.dll] AsyncRPCEventTransport::SendRegisterUnregisterInfo, Sent RPC Register/Unregister information...WIA: 7212.7216 16 0 0 [sti.dll] WiaEventReceiver::SendRegisterUnregisterInfo, Added new registration:..WIA: 7212.7216 16 0 0 [sti.dll] EventRegistratio
File type:PNG image data, 798 x 288, 8-bit/color RGBA, non-interlaced
Entropy (8bit):7.50954210618835
TrID:
  • Portable Network Graphics (16016/1) 100.00%
File name:image.png
File size:11'202 bytes
MD5:f302102b6f1ed9a941004f6434ebdec3
SHA1:f663f0705b438f76d2d3bb8811504c5e0de10c03
SHA256:139af21333f563c8cba64c9a282eb6bacc0c91202c89f0d5cef692db45f93465
SHA512:63c9c906ddf4c962f601dffeeaf6e43b130759445a1a733153c58d2770ed4cf53740e43136f6c8863913439e3e32baaaceb7e3f7b4364d0ce9e101ab737ee76d
SSDEEP:192:ps9HJOC4Ca9BBiDiDiDiXS8ETqEw1slyZDm6BI/mxUiDiDiDiDiDiDiDiDiv/La3:pOHJgr9WOOOi88Vw1sQZDhI/2OOOOOOm
TLSH:7E32F948C315CA33715662AB6869888B11100CBFEF89CC5647DBB36E07DBFB56CB1C99
File Content Preview:.PNG........IHDR....... .....:.......sRGB....... .IDATx^.._.e.}..5P+.h.T............t....& .....A4...O!...4yJ:R.B..QLh..XPZ.....2.,J..............0.\.e....9.........0A3..?...7.{...\:;;;... @....... @ ..%.#..... @.......X.......... @..........: @....... @.
TimestampSource PortDest PortSource IPDest IP
Oct 23, 2024 18:15:03.479518890 CEST5358202162.159.36.2192.168.2.4
Oct 23, 2024 18:15:04.149017096 CEST53636691.1.1.1192.168.2.4

Click to jump to process

Click to jump to process

Click to dive into process behavior distribution

Target ID:0
Start time:12:14:17
Start date:23/10/2024
Path:C:\Windows\SysWOW64\mspaint.exe
Wow64 process (32bit):true
Commandline:mspaint.exe "C:\Users\user\Desktop\image.png"
Imagebase:0x670000
File size:743'424 bytes
MD5 hash:986A191E95952C9E3FE6BE112FB92026
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:false

No disassembly