Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
aq8KdAdkQV.jpg

Overview

General Information

Sample name:aq8KdAdkQV.jpg
(renamed file extension from none to jpg, renamed because original name is a hash value)
Original sample name:24c5c3f13742c6393e1a37dba9e6d2e9ac465746
Analysis ID:1541187
MD5:cc1b4fd106aa2dc7de74845755f6fdc5
SHA1:24c5c3f13742c6393e1a37dba9e6d2e9ac465746
SHA256:c47e9403674a0193477804ce140364f9916abeb10eee27e5309771362e56c532

Detection

Score:1
Range:0 - 100
Whitelisted:false
Confidence:40%

Signatures

Creates files inside the system directory
Queries the volume information (name, serial number etc) of a device

Classification

Process Tree

  • System is w10x64
  • mspaint.exe (PID: 5048 cmdline: mspaint.exe "C:\Users\user\Desktop\aq8KdAdkQV.jpg" MD5: 986A191E95952C9E3FE6BE112FB92026)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

No Sigma rule has matched

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: C:\Windows\SysWOW64\mspaint.exeFile created: C:\Windows\Debug\WIAJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeFile created: C:\Windows\Debug\WIA\wiatrace.logJump to behavior
Source: classification engineClassification label: clean1.winJPG@1/1@0/0
Source: C:\Windows\SysWOW64\mspaint.exeFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: mfc42u.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: winmm.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: msftedit.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: uiribbon.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: xmllite.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: efswrt.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: sti.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: wiatrace.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: atlthunk.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: dwmapi.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: windowscodecs.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: oleacc.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: photometadatahandler.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeFile opened: C:\Windows\SysWOW64\MSFTEDIT.DLLJump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\mspaint.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeQueries volume information: C:\Users\user\Desktop\aq8KdAdkQV.jpg VolumeInformationJump to behavior

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
DLL Side-Loading		1
DLL Side-Loading		1
Masquerading		OS Credential Dumping1
Process Discovery		Remote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
DLL Side-Loading		LSASS Memory1
File and Directory Discovery		Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)Obfuscated Files or InformationSecurity Account Manager11
System Information Discovery		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

World Map of Contacted IPs

No contacted IP infos

General Information

Joe Sandbox version:41.0.0 Charoite
Analysis ID:1541187
Start date and time:2024-10-24 15:03:27 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 0s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:5
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:aq8KdAdkQV.jpg
(renamed file extension from none to jpg, renamed because original name is a hash value)
Original Sample Name:24c5c3f13742c6393e1a37dba9e6d2e9ac465746
Detection:CLEAN
Classification:clean1.winJPG@1/1@0/0
EGA Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0

Warnings

  • Exclude process from analysis (whitelisted): WMIADAP.exe, SIHClient.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • VT rate limit hit for: aq8KdAdkQV.jpg

Simulations

Behavior and APIs

TimeTypeDescription
09:05:28API Interceptor8x Sleep call for process: mspaint.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASNs

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Windows\debug\WIA\wiatrace.log

Download File
Process:C:\Windows\SysWOW64\mspaint.exe
File Type:ASCII text, with CRLF, LF line terminators
Category:dropped
Size (bytes):1515
Entropy (8bit):5.231915497003024
Encrypted:false
SSDEEP:24:0uVyF02k9YXCXF0qDF0HXd/bXE34vXd/Tz1gNYxee7KF0kuquF0w3O5F0HXd/bXI:0uVySmXuSsS3RzE34PRTzQ0eSkuLSw3G
MD5:8AE65AF37FEF7D1C985145F1250DEC87
SHA1:1DC5C697FA0EEF5A183F288D935D3AC842755422
SHA-256:881CF37E8E6FA6D2EE1CEB4C1E5D9C52D504E44608BA97EB18348097C6B5046F
SHA-512:F1DB317A1C498687E57646F0943B05E4F039E3F1C655C11F4FE3ABEA070D77CF1C2322FFBA39AAAF98018ED3C0306991CDCC32E276FDC8B1A135AF11E563E7F4
Malicious:false
Reputation:low
Preview:..**************** Started trace for Module: [sti.dll] in Executable [mspaint.exe] ProcessID: [5048] at 2024/10/24 09:04:30:238 ****************..WIA: 5048.5020 0 0 0 [sti.dll] AsyncRPCEventTransport::OpenConnectionToServer, AsyncRPC Connection established to server..WIA: 5048.5020 0 0 0 [sti.dll] AsyncRPCEventTransport::OpenConnectionToServer, Got my context 02B04670 from server...WIA: 5048.5020 0 0 0 [sti.dll] WiaEventReceiver::Start, WiaEventReceiver Started.....WIA: 5048.5020 0 0 0 [sti.dll] AsyncRPCEventTransport::SendRegisterUnregisterInfo, Sent RPC Register/Unregister information...WIA: 5048.5020 0 0 0 [sti.dll] WiaEventReceiver::SendRegisterUnregisterInfo, Added new registration:..WIA: 5048.5020 0 0 0 [sti.dll] EventRegistrationInfo::Dump, dwFlags: 0x00000000, guidEvent: {A28BBADE-64B6-11D2-A231-00C04FA31809}, bstrDeviceID: *, callback: 0x047C8210..WIA: 5048.3504 0 0 0 [sti.dll] AsyncRPCEventTransport::CloseNotificationChannel, Closing the async notification channel.....WIA: 50

Static File Info

General

File type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 120x120, segment length 16, baseline, precision 8, 775x317, components 3
Entropy (8bit):7.893290865974184
TrID:
  • JFIF JPEG Bitmap (4007/3) 50.02%
  • JPEG Bitmap (3003/1) 37.49%
  • MP3 audio (1001/1) 12.50%
File name:aq8KdAdkQV.jpg
File size:32'425 bytes
MD5:cc1b4fd106aa2dc7de74845755f6fdc5
SHA1:24c5c3f13742c6393e1a37dba9e6d2e9ac465746
SHA256:c47e9403674a0193477804ce140364f9916abeb10eee27e5309771362e56c532
SHA512:cfb0b808d42656a3b8d4ac97323833f25c544f0d78e8a5ce83939497f771c889e8a3b4e85d07f1fb1484934cdccead24c5449f0644fb34a45b322aa7affd962b
SSDEEP:768:17jKWZ998888888888GMopv248ajTTw8lzR4vTHYlgnvbvZek1og:17jTKMQv248a3TwAzQYlwv7w8og
TLSH:5AE29E038E048693B55C55E9FD132EAE7F0D061CC6273FFF10A58FAA76262259C461BB
File Content Preview:......JFIF.....x.x.....C...........................$ &%# #"(-90(*6+"#2D26;=@@@&0FKE>J9?@=...C...........=)#)==================================================......=...."............................................................}........!1A..Qa."q.2....

Network Behavior

No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

General

Target ID:0
Start time:09:04:28
Start date:24/10/2024
Path:C:\Windows\SysWOW64\mspaint.exe
Wow64 process (32bit):true
Commandline:mspaint.exe "C:\Users\user\Desktop\aq8KdAdkQV.jpg"
Imagebase:0x460000
File size:743'424 bytes
MD5 hash:986A191E95952C9E3FE6BE112FB92026
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:false

Disassembly

No disassembly