Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
1_[NOM DE BASE]-[PAGE ACTUELLE]REF-9263GN_DOC01-1 CA.jpg

Overview

General Information

Sample Name:	1_[NOM DE BASE]-[PAGE ACTUELLE]REF-9263GN_DOC01-1 CA.jpg
Analysis ID:	753424
MD5:	1323ef9f42f3b9a3faa0b80406c3ae8e
SHA1:	2b41b9f531e1944cca49f2599095251c2bb33d6b
SHA256:	b854673b66dc36a8b3c719fde697bb45db3b3c3eae19608d267ad5359631105f

Detection

Score:	1
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

Queries the volume information (name, serial number etc) of a device

Creates files inside the system directory

Classification

×

Analysis Advice

Sample is a picture (JPEG, PNG, GIF etc), nothing to analyze

Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior

Process Tree

System is w10x64

mspaint.exe (PID: 6104 cmdline: mspaint.exe "C:\Users\user\Desktop\1_[NOM DE BASE]-[PAGE ACTUELLE]REF-9263GN_DOC01-1 CA.jpg" MD5: B59CF145BBAE39672321768B33A01CFA)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: C:\Windows\SysWOW64\mspaint.exe

File created: C:\Windows\Debug\WIA

Jump to behavior

Source: C:\Windows\SysWOW64\mspaint.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\mspaint.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{926749fa-2615-4987-8845-c33e65f2b957}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\mspaint.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: classification engine

Classification label: clean1.winJPG@1/0@0/0

Source: C:\Windows\SysWOW64\mspaint.exe

File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL

Jump to behavior

Source: 1_[NOM DE BASE]-[PAGE ACTUELLE]REF-9263GN_DOC01-1 CA.jpg

Static file information: File size 1049884 > 1048576

Source: C:\Windows\SysWOW64\mspaint.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\mspaint.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\mspaint.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\mspaint.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\mspaint.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\mspaint.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Source: C:\Windows\SysWOW64\mspaint.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\mspaint.exe

Queries volume information: C:\Users\user\Desktop\1_[NOM DE BASE]-[PAGE ACTUELLE]REF-9263GN_DOC01-1 CA.jpg VolumeInformation

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 Masquerading	OS Credential Dumping	1 Process Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	11 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.