Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
image001.png

Overview

General Information

Sample name:image001.png
Analysis ID:1417119
MD5:4962f1d18c649283bfd53bd2b9eac568
SHA1:ed00430ab49c10396c920c7a1d40913451526f9a
SHA256:bfd05e5f58160dd3c0ed6d9aedd94066de23ff9f9402ae35e688ab6e270b2cee

Detection

Score:1
Range:0 - 100
Whitelisted:false
Confidence:40%

Signatures

Creates files inside the system directory
Queries the volume information (name, serial number etc) of a device
Tries to load missing DLLs

Classification

Analysis Advice

Sample is a picture (JPEG, PNG, GIF etc), nothing to analyze
Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Process Tree

  • System is w10x64
  • mspaint.exe (PID: 6768 cmdline: mspaint.exe "C:\Users\user\Desktop\image001.png" MD5: 986A191E95952C9E3FE6BE112FB92026)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

No Sigma rule has matched

Snort Signatures

No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: C:\Windows\SysWOW64\mspaint.exeFile created: C:\Windows\Debug\WIAJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeFile created: C:\Windows\Debug\WIA\wiatrace.logJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: mfc42u.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: winmm.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: msftedit.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: uiribbon.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: xmllite.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: efswrt.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: sti.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: wiatrace.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: atlthunk.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: dwmapi.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: windowscodecs.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: oleacc.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: photometadatahandler.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: coremessaging.dllJump to behavior
Source: classification engineClassification label: clean1.winPNG@1/1@0/0
Source: C:\Windows\SysWOW64\mspaint.exeFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeFile opened: C:\Windows\SysWOW64\MSFTEDIT.DLLJump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\mspaint.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeQueries volume information: C:\Users\user\Desktop\image001.png VolumeInformationJump to behavior

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
DLL Side-Loading		1
DLL Side-Loading		1
Masquerading		OS Credential Dumping1
Process Discovery		Remote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
DLL Side-Loading		LSASS Memory1
File and Directory Discovery		Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)Obfuscated Files or InformationSecurity Account Manager11
System Information Discovery		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

World Map of Contacted IPs

No contacted IP infos

General Information

Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1417119
Start date and time:2024-03-28 16:17:38 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 1s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:6
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:image001.png
Detection:CLEAN
Classification:clean1.winPNG@1/1@0/0
EGA Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0

Warnings

  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

TimeTypeDescription
16:18:53API Interceptor499x Sleep call for process: mspaint.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASNs

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Windows\debug\WIA\wiatrace.log

Download File
Process:C:\Windows\SysWOW64\mspaint.exe
File Type:ASCII text, with CRLF, LF line terminators
Category:dropped
Size (bytes):1515
Entropy (8bit):5.277035225743721
Encrypted:false
SSDEEP:24:0uZtXDF02k9YXCCXDF0qGXTF0kuqSF0w3OEXDF0HXd/bXE349XMXd/Tz9X+gNYxG:0uZ9DSmXVDSNTSku7Sw3jDS3RzE34NWv
MD5:AFD7DA9F799AA313C501B222DEFCD22F
SHA1:AAAF1FDF4C749105EE1AE68E703D1D8206A7C0CD
SHA-256:4A0824AFF26ED01F3A9AB272C8CE1BDD216D366E397E296DB1003B65B656781F
SHA-512:3F2CC89AFF674B7DA2DE0B7473EB7FCFFC4B77E4362468E0210D66988C16021ADD42A0335C9CA86D649141FBE4FFCFEBA44C79DFE33EB2F12BF706C9A60258A4
Malicious:false
Reputation:low
Preview:..**************** Started trace for Module: [sti.dll] in Executable [mspaint.exe] ProcessID: [6768] at 2024/03/28 16:18:32:642 ****************..WIA: 6768.6976 0 0 0 [sti.dll] AsyncRPCEventTransport::OpenConnectionToServer, AsyncRPC Connection established to server..WIA: 6768.6976 0 0 0 [sti.dll] AsyncRPCEventTransport::OpenConnectionToServer, Got my context 033B4BD0 from server...WIA: 6768.6976 0 0 0 [sti.dll] WiaEventReceiver::Start, WiaEventReceiver Started.....WIA: 6768.3816 0 0 0 [sti.dll] AsyncRPCEventTransport::CloseNotificationChannel, Closing the async notification channel.....WIA: 6768.3816 0 0 0 [sti.dll] AsyncRPCEventTransport::OpenNotificationChannel, Opening the async notification channel.....WIA: 6768.6976 0 0 0 [sti.dll] AsyncRPCEventTransport::SendRegisterUnregisterInfo, Sent RPC Register/Unregister information...WIA: 6768.6976 0 0 0 [sti.dll] WiaEventReceiver::SendRegisterUnregisterInfo, Added new registration:..WIA: 6768.6976 0 0 0 [sti.dll] EventRegistrationInfo::D

Static File Info

General

File type:PNG image data, 231 x 77, 8-bit/color RGBA, non-interlaced
Entropy (8bit):7.937821249566292
TrID:
  • Portable Network Graphics (16016/1) 100.00%
File name:image001.png
File size:3'644 bytes
MD5:4962f1d18c649283bfd53bd2b9eac568
SHA1:ed00430ab49c10396c920c7a1d40913451526f9a
SHA256:bfd05e5f58160dd3c0ed6d9aedd94066de23ff9f9402ae35e688ab6e270b2cee
SHA512:77c3e42f323f6ce4b81a0426331186fe2266188142bd298dba362bfcbf92ee5d073b2d235d7f3096025045b0b20e636539afd969f263d1daafd95cbf483c6989
SSDEEP:96:Od1RbgxQ5T9/EypY/rfSwcTUMCJei8H8OB+Sn:W1N5T9/EyoztcaelcOBp
TLSH:A7716EBB0B946FF534A46F43888E8D2017F358F5693A318B6CF4761879795AC5100563
File Content Preview:.PNG........IHDR.......M.....]ss.....pHYs...........~.....IDATx..._hdW..OK...IQ..Y....,.......[.(L..sH..O.M.D..N..>..._............N.?..M .Z..(>..f.D.!.]....9....;.................|.........m2....P}.rW.w.....>..W.).B..[g..~...........[.0..c...c.....Wv#^.)

Network Behavior

No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

General

Target ID:0
Start time:16:18:31
Start date:28/03/2024
Path:C:\Windows\SysWOW64\mspaint.exe
Wow64 process (32bit):true
Commandline:mspaint.exe "C:\Users\user\Desktop\image001.png"
Imagebase:0x200000
File size:743'424 bytes
MD5 hash:986A191E95952C9E3FE6BE112FB92026
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:false

Disassembly

No disassembly