Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
20250606_102141.jpg

Overview

General Information

Sample name:20250606_102141.jpg
Analysis ID:1711314
Has dependencies:false
MD5:2f76138c0dffc0653630006f9e806fb6
SHA1:c6455d7e5070678ba2b73bc5cf20de6131438dc0
SHA256:bb1b3038620a6f9e6fbd36596b03cbfdd1aaf8adb36b2f18b0b27a2c1869fb6f

Detection

Score:1
Range:0 - 100
Confidence:40%

Signatures

Creates files inside the system directory
Queries the volume information (name, serial number etc) of a device

Classification

Process Tree

  • System is w10x64
  • mspaint.exe (PID: 6300 cmdline: mspaint.exe "C:\Users\user\Desktop\20250606_102141.jpg" MD5: 986A191E95952C9E3FE6BE112FB92026)
  • cleanup

AI Reasoning

No reasoning have been found

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

No Sigma rule has matched

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: C:\Windows\SysWOW64\mspaint.exeFile created: C:\Windows\Debug\WIAJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeFile created: C:\Windows\Debug\WIA\wiatrace.logJump to behavior
Source: classification engineClassification label: clean1.winJPG@1/1@0/0
Source: C:\Windows\SysWOW64\mspaint.exeFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: mfc42u.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: winmm.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: msftedit.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: uiribbon.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: xmllite.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: efswrt.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: sti.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: wiatrace.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: atlthunk.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: dwmapi.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: windowscodecs.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: oleacc.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: photometadatahandler.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeFile opened: C:\Windows\SysWOW64\MSFTEDIT.DLLJump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: 20250606_102141.jpgStatic file information: File size 2516383 > 1048576
Source: C:\Windows\SysWOW64\mspaint.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: mspaint.exe, 00000000.00000002.2116209964.0000000002E1D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: mspaint.exe, 00000000.00000002.2116209964.0000000002E1D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: C:\Windows\SysWOW64\mspaint.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeQueries volume information: C:\Users\user\Desktop\20250606_102141.jpg VolumeInformationJump to behavior

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
DLL Side-Loading		1
DLL Side-Loading		1
Masquerading		OS Credential Dumping1
Security Software Discovery		Remote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
DLL Side-Loading		LSASS Memory1
Process Discovery		Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)Obfuscated Files or InformationSecurity Account Manager1
File and Directory Discovery		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin HookBinary PaddingNTDS11
System Information Discovery		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.