Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
_REPORTE POLICIAL.jpg

Overview

General Information

Sample name:_REPORTE POLICIAL.jpg
Analysis ID:1426829
MD5:67854ae2a9e81c4ae5d7d3a6fa557c76
SHA1:1512214a9942b6f83afc382c4ecfa4a9494b1dfc
SHA256:2471538735d173994c438e204ad907ed1cbf3743b97beecb797b4acec20205e3

Detection

Score:1
Range:0 - 100
Whitelisted:false
Confidence:40%

Signatures

Creates files inside the system directory
Queries the volume information (name, serial number etc) of a device

Classification

Analysis Advice

Sample is a picture (JPEG, PNG, GIF etc), nothing to analyze
Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Process Tree

  • System is w10x64
  • mspaint.exe (PID: 3176 cmdline: mspaint.exe "C:\Users\user\Desktop\_REPORTE POLICIAL.jpg" MD5: 986A191E95952C9E3FE6BE112FB92026)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

No Sigma rule has matched

Snort Signatures

No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: C:\Windows\SysWOW64\mspaint.exeFile created: C:\Windows\Debug\WIAJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeFile created: C:\Windows\Debug\WIA\wiatrace.logJump to behavior
Source: classification engineClassification label: clean1.winJPG@1/1@0/0
Source: C:\Windows\SysWOW64\mspaint.exeFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: mfc42u.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: winmm.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: msftedit.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: uiribbon.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: xmllite.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: efswrt.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: sti.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: wiatrace.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: atlthunk.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: dwmapi.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: windowscodecs.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: oleacc.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: photometadatahandler.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeFile opened: C:\Windows\SysWOW64\MSFTEDIT.DLLJump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\mspaint.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeQueries volume information: C:\Users\user\Desktop\_REPORTE POLICIAL.jpg VolumeInformationJump to behavior

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
DLL Side-Loading		1
DLL Side-Loading		1
Masquerading		OS Credential Dumping1
Process Discovery		Remote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
DLL Side-Loading		LSASS Memory1
File and Directory Discovery		Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)Obfuscated Files or InformationSecurity Account Manager11
System Information Discovery		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
_REPORTE POLICIAL.jpg0%VirustotalBrowse
_REPORTE POLICIAL.jpg0%ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

World Map of Contacted IPs

No contacted IP infos

General Information

Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1426829
Start date and time:2024-04-16 17:15:17 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 21s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:4
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:_REPORTE POLICIAL.jpg
Detection:CLEAN
Classification:clean1.winJPG@1/1@0/0
EGA Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0

Warnings

  • Exclude process from analysis (whitelisted): WMIADAP.exe, SIHClient.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASNs

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Windows\debug\WIA\wiatrace.log

Download File
Process:C:\Windows\SysWOW64\mspaint.exe
File Type:ASCII text, with CRLF, LF line terminators
Category:dropped
Size (bytes):1517
Entropy (8bit):5.294087765137221
Encrypted:false
SSDEEP:24:0uxbG0sWF02k9YXCisWF0qXsGUWF0kuqYUWF0w3OYsWF0HXd/bXE34ds/Xd/TzdL:0uxbKWSmX6WSbHWSku4WSw3UWS3RzE3h
MD5:6BED1D7C1BEEF1F6F4B30C090013593E
SHA1:992D36EFE79FC33279362139B171AA275E567EF7
SHA-256:994C9A78FA7476DC6AE3A4D91D3FDD3EF1FE32951A18F7B378D297FDB91BF5B9
SHA-512:432818CBA50CDA40EA1D205C078BF665F007923326BD00F75B0017BB56ACC11D1459A3747D2E788434BDC2D72744491131865FCCC2A28227C4D9E34A72472B8C
Malicious:false
Reputation:low
Preview:..**************** Started trace for Module: [sti.dll] in Executable [mspaint.exe] ProcessID: [3176] at 2024/04/16 17:16:02:952 ****************..WIA: 3176.432 16 0 0 [sti.dll] AsyncRPCEventTransport::OpenConnectionToServer, AsyncRPC Connection established to server..WIA: 3176.432 16 0 0 [sti.dll] AsyncRPCEventTransport::OpenConnectionToServer, Got my context 02E65290 from server...WIA: 3176.432 16 0 0 [sti.dll] WiaEventReceiver::Start, WiaEventReceiver Started.....WIA: 3176.2780 16 0 0 [sti.dll] AsyncRPCEventTransport::CloseNotificationChannel, Closing the async notification channel.....WIA: 3176.2780 16 0 0 [sti.dll] AsyncRPCEventTransport::OpenNotificationChannel, Opening the async notification channel.....WIA: 3176.432 16 0 0 [sti.dll] AsyncRPCEventTransport::SendRegisterUnregisterInfo, Sent RPC Register/Unregister information...WIA: 3176.432 16 0 0 [sti.dll] WiaEventReceiver::SendRegisterUnregisterInfo, Added new registration:..WIA: 3176.432 16 0 0 [sti.dll] EventRegistrationInfo:

Static File Info

General

File type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 2479x3508, components 3
Entropy (8bit):7.805110333041279
TrID:
  • JFIF JPEG Bitmap (4007/3) 50.02%
  • JPEG Bitmap (3003/1) 37.49%
  • MP3 audio (1001/1) 12.50%
File name:_REPORTE POLICIAL.jpg
File size:621'473 bytes
MD5:67854ae2a9e81c4ae5d7d3a6fa557c76
SHA1:1512214a9942b6f83afc382c4ecfa4a9494b1dfc
SHA256:2471538735d173994c438e204ad907ed1cbf3743b97beecb797b4acec20205e3
SHA512:1782223222ee326225e650c63aa71a7a72556a2e262fffef33ad6bc0212ac3efe5ce3f87fbe6d4b2c24239e9e8868a5625e2cb72e8230a52b3cf5037472dfefd
SSDEEP:12288:povG29db/Sv1WnfJfWsi9YTMRMitw5bBmetEnm1tguX:6vGIb/SdWnRPC8bAw
TLSH:C7D44E038D158B87F56883E8FE075EAD1F1A6B1CE5923AFB45624ECB7E101221D9E07D
File Content Preview:......JFIF.....,.,..... ICC_PROFILE...............mntrRGB XYZ ............acspAPPL...................................-....................................................desc.......|cprt...x...(wtpt........bkpt........rXYZ........gXYZ........bXYZ........r

Network Behavior

No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

General

Target ID:0
Start time:17:16:01
Start date:16/04/2024
Path:C:\Windows\SysWOW64\mspaint.exe
Wow64 process (32bit):true
Commandline:mspaint.exe "C:\Users\user\Desktop\_REPORTE POLICIAL.jpg"
Imagebase:0x5b0000
File size:743'424 bytes
MD5 hash:986A191E95952C9E3FE6BE112FB92026
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:false

Disassembly

No disassembly