Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
BILL # 965415965285.jpg

Overview

General Information

Sample Name:BILL # 965415965285.jpg
Analysis ID:715099
MD5:4eb6cc54e959e6d6b4f8d5f4723a3e7b
SHA1:49b2179a34025829ea932f56bba5a14c8e9c70f0
SHA256:0e24066d7f4fd81120add0e0833fe89b6adfe66d65187cb69c863f90b092a99b

Detection

Score:1
Range:0 - 100
Whitelisted:false
Confidence:60%

Signatures

Queries the volume information (name, serial number etc) of a device
Creates files inside the system directory

Classification

Analysis Advice

Sample is a picture (JPEG, PNG, GIF etc), nothing to analyze
Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior
  • System is w10x64
  • mspaint.exe (PID: 5632 cmdline: mspaint.exe "C:\Users\user\Desktop\BILL # 965415965285.jpg" MD5: B59CF145BBAE39672321768B33A01CFA)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: C:\Windows\SysWOW64\mspaint.exeFile created: C:\Windows\Debug\WIAJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{926749fa-2615-4987-8845-c33e65f2b957}\InProcServer32Jump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: classification engineClassification label: clean1.winJPG@1/0@0/0
Source: C:\Windows\SysWOW64\mspaint.exeFile opened: C:\Windows\SysWOW64\MSFTEDIT.DLLJump to behavior
Source: BILL # 965415965285.jpgStatic file information: File size 1497856 > 1048576
Source: C:\Windows\SysWOW64\mspaint.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeQueries volume information: C:\Users\user\Desktop\BILL # 965415965285.jpg VolumeInformationJump to behavior
Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid AccountsWindows Management InstrumentationPath InterceptionPath Interception1
Masquerading
OS Credential Dumping1
Process Discovery
Remote ServicesData from Local SystemExfiltration Over Other Network MediumData ObfuscationEavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS Memory1
File and Directory Discovery
Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or InformationSecurity Account Manager11
System Information Discovery
SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

This section contains all screenshots as thumbnails, including those not shown in the slideshow.