Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
1_[NOM DE BASE]-[PAGE ACTUELLE]REF-9263GN_DOC01-1 CA.jpg

Overview

General Information

Sample Name:1_[NOM DE BASE]-[PAGE ACTUELLE]REF-9263GN_DOC01-1 CA.jpg
Analysis ID:753424
MD5:1323ef9f42f3b9a3faa0b80406c3ae8e
SHA1:2b41b9f531e1944cca49f2599095251c2bb33d6b
SHA256:b854673b66dc36a8b3c719fde697bb45db3b3c3eae19608d267ad5359631105f

Detection

Score:1
Range:0 - 100
Whitelisted:false
Confidence:60%

Signatures

Queries the volume information (name, serial number etc) of a device
Creates files inside the system directory

Classification

Analysis Advice

Sample is a picture (JPEG, PNG, GIF etc), nothing to analyze
Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior
  • System is w10x64
  • mspaint.exe (PID: 6104 cmdline: mspaint.exe "C:\Users\user\Desktop\1_[NOM DE BASE]-[PAGE ACTUELLE]REF-9263GN_DOC01-1 CA.jpg" MD5: B59CF145BBAE39672321768B33A01CFA)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: C:\Windows\SysWOW64\mspaint.exeFile created: C:\Windows\Debug\WIAJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Windows\SysWOW64\mspaint.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{926749fa-2615-4987-8845-c33e65f2b957}\InProcServer32
Source: C:\Windows\SysWOW64\mspaint.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: classification engineClassification label: clean1.winJPG@1/0@0/0
Source: C:\Windows\SysWOW64\mspaint.exeFile opened: C:\Windows\SysWOW64\MSFTEDIT.DLL
Source: 1_[NOM DE BASE]-[PAGE ACTUELLE]REF-9263GN_DOC01-1 CA.jpgStatic file information: File size 1049884 > 1048576
Source: C:\Windows\SysWOW64\mspaint.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mspaint.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mspaint.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mspaint.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mspaint.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mspaint.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mspaint.exeProcess information queried: ProcessInformation
Source: C:\Windows\SysWOW64\mspaint.exeQueries volume information: C:\Users\user\Desktop\1_[NOM DE BASE]-[PAGE ACTUELLE]REF-9263GN_DOC01-1 CA.jpg VolumeInformation
Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid AccountsWindows Management InstrumentationPath InterceptionPath Interception1
Masquerading
OS Credential Dumping1
Process Discovery
Remote ServicesData from Local SystemExfiltration Over Other Network MediumData ObfuscationEavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS Memory1
File and Directory Discovery
Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or InformationSecurity Account Manager11
System Information Discovery
SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

This section contains all screenshots as thumbnails, including those not shown in the slideshow.