Static task: static1
Behavioral task: behavioral1 (Sample: mspaint.exe; Resource: win7-20230220-en)
Behavioral task: behavioral2 (Sample: mspaint.exe; Resource: win10v2004-20230220-en)
General
Target: mspaint.exe
Size: 965KB
MD5: f221a4ccafec690101c59f726c95b646
SHA1: 2098e4b62eaab213cbee73ba40fe4f1b8901a782
SHA256: 94aa32a2c9c1d2db78318d9c68262c2f834abe26b6e9a661700324b55fdd5709
SHA512: 8e3f4e4f68565ef09f5e762d6bb41b160711bbacac9dfcbe33edea9885fd042e6ce9a248bfcc62f9cffdb8e6bbe1b04c89bd41fcd9a373a5c8bc7bbff96dceaf
SSDEEP: 12288:+iwNLXXh3V1mkVYCsOfxBmMQsriL+iOLr5EFUSWJs0kApWWFO3T+pVol0A64lG6i:bwNzn7Z9QCiyiOZE6eGp0+pml/lN9
Malware Config
Signatures
Files
mspaint.exe.exe windows x64
d90e4d192f94e7240c400da8fc2154d7
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
Imports
advapi32
RegCreateKeyExW
RegQueryValueExW
RegCloseKey
RegSetValueExW
EncryptFileW
DecryptFileW
EventWriteTransfer
DuplicateEncryptionInfoFile
EventUnregister
EventRegister
RegOpenKeyExW
GetNamedSecurityInfoW
SetNamedSecurityInfoW
RegDeleteKeyW
kernel32
GetACP
CopyFileW
MoveFileExW
DeleteFileW
GetModuleHandleA
CreateEventW
SetEvent
QueueUserWorkItem
FreeLibrary
LoadLibraryW
HeapSetInformation
VerifyVersionInfoW
VerSetConditionMask
DeleteCriticalSection
GetThreadLocale
QueryFullProcessImageNameW
OpenProcess
GetTempPathW
lstrcmpiW
SetEndOfFile
FindFirstFileW
GetFullPathNameW
GetTickCount
GlobalDeleteAtom
GlobalAddAtomW
SetErrorMode
LocalFree
LocalAlloc
RaiseException
GlobalSize
GetExitCodeThread
GetTimeFormatW
GetDateFormatW
FileTimeToSystemTime
FileTimeToLocalFileTime
GetFileSize
lstrlenW
GetLocaleInfoW
MulDiv
DeviceIoControl
SetFileTime
SetFileAttributesW
GetFileTime
GetFileAttributesW
FindClose
WriteFile
ReadFile
FindNextStreamW
FindFirstStreamW
GlobalReAlloc
GlobalUnlock
GlobalLock
GlobalAlloc
GlobalFree
GetFileSizeEx
CreateFileW
IsDebuggerPresent
DebugBreak
GetModuleHandleW
GetProcessHeap
GetCurrentProcessId
CreateMutexExW
GetProcAddress
HeapAlloc
CloseHandle
GetModuleFileNameA
CreateSemaphoreExW
HeapFree
SetLastError
WaitForSingleObjectEx
ReleaseSemaphore
GetModuleHandleExW
WaitForSingleObject
GetCurrentThreadId
ReleaseMutex
FormatMessageW
GetLastError
OutputDebugStringW
lstrcmpW
ApplicationRecoveryFinished
ApplicationRecoveryInProgress
RegisterApplicationRecoveryCallback
RegisterApplicationRestart
CreateToolhelp32Snapshot
Process32FirstW
Process32NextW
VirtualProtect
LoadLibraryExA
GetSystemInfo
VirtualQuery
OpenSemaphoreW
gdi32
EnumFontFamiliesExW
GetTextFaceW
GdiGradientFill
GetTextMetricsW
Polyline
SetROP2
CreatePolygonRgn
TranslateCharsetInfo
GetTextExtentPoint32W
CreateFontW
StretchDIBits
CreateDCW
CreateFontIndirectW
SetStretchBltMode
GetBrushOrgEx
GetRgnBox
CombineRgn
CreateRectRgn
ExtSelectClipRgn
ExtFloodFill
GetPixel
UnrealizeObject
SetBrushOrgEx
StretchBlt
Polygon
OffsetRgn
SetPixel
LineTo
MoveToEx
CreatePen
SetDIBitsToDevice
GetNearestColor
CreateDIBitmap
GetDIBits
CreateHalftonePalette
CreateDIBSection
Rectangle
SetViewportExtEx
RestoreDC
LPtoDP
SetMapMode
SaveDC
CreatePalette
PlayMetaFile
GdiAlphaBlend
SetTextColor
SetBkColor
GetObjectW
GetCurrentObject
SetDIBColorTable
GetDIBColorTable
CreateRectRgnIndirect
GetStockObject
FillRgn
PatBlt
CreateSolidBrush
CreatePatternBrush
SetPaletteEntries
ResizePalette
GetNearestPaletteIndex
GetPaletteEntries
SetDIBits
CreateBitmap
DeleteObject
GetDeviceCaps
SelectObject
SelectPalette
RealizePalette
CreateCompatibleDC
CreateCompatibleBitmap
BitBlt
DeleteDC
user32
ReleaseDC
NotifyWinEvent
PostMessageW
IsClipboardFormatAvailable
RegisterClipboardFormatW
OffsetRect
FillRect
GetCursorPos
ScreenToClient
UnionRect
IntersectRect
WindowFromPoint
PtInRect
GetCapture
SetRectEmpty
SetTimer
KillTimer
IsRectEmpty
EqualRect
SetCursor
SetCapture
GetAsyncKeyState
SetPropW
CopyRect
InflateRect
GetParent
GetWindowLongW
GetDlgItemInt
GetKeyboardLayout
LoadImageW
BringWindowToTop
GetFocus
MsgWaitForMultipleObjectsEx
GetTouchInputInfo
ShowCursor
CloseTouchInputHandle
GetMessageExtraInfo
ReleaseCapture
ClientToScreen
TrackMouseEvent
GetSystemMenu
RemoveMenu
DestroyWindow
DestroyCursor
SystemParametersInfoW
GetWindowLongPtrW
LoadBitmapW
PeekMessageW
SetWindowTextW
GetKeyState
MessageBoxW
MessageBeep
GetDC
GetWindowDC
EnableScrollBar
GetUpdateRect
IsWindow
InvalidateRect
GetSystemMetrics
GetWindowRect
ValidateRect
SetCursorPos
GetWindowThreadProcessId
DestroyMenu
SetRect
GetClientRect
GetSysColor
DestroyIcon
MonitorFromRect
GetMonitorInfoW
SendMessageW
RegisterWindowMessageW
UpdateWindow
GetClassInfoW
LoadIconW
IsWindowVisible
CheckMenuItem
SetGestureConfig
PostQuitMessage
RegisterTouchWindow
UnregisterTouchWindow
EnableWindow
GetDlgItem
CheckDlgButton
SetDlgItemInt
SendDlgItemMessageW
GetMenu
IsMenu
RedrawWindow
SetWindowLongW
LoadMenuW
SetActiveWindow
SetWindowLongPtrW
GetSubMenu
GetCaretPos
SetClassLongPtrW
LoadStringW
SendInput
LoadCursorW
mfc42u
ord4609
ord1387
ord2138
ord2129
ord2132
ord1029
ord3889
ord1035
ord3894
ord1055
ord650
ord1931
ord613
ord2133
ord6379
ord3639
ord1036
ord1726
ord4589
ord5700
ord4860
ord6216
ord4741
ord3743
ord822
ord408
ord904
ord2105
ord2087
ord311
ord827
ord4295
ord4294
ord312
ord1859
ord1945
ord4554
ord321
ord837
ord1719
ord3748
ord3753
ord4705
ord6050
ord1584
ord5670
ord6162
ord3744
ord4238
ord1353
ord4234
ord2793
ord6540
ord823
ord307
ord4952
ord4436
ord6691
ord1650
ord2449
ord3820
ord2595
ord4544
ord2258
ord6817
ord4612
ord6818
ord6542
ord1562
ord6222
ord938
ord443
ord6887
ord6886
ord620
ord1040
ord626
ord525
ord984
ord3638
ord6455
ord6457
ord286
ord1574
ord4473
ord2629
ord624
ord6102
ord4623
ord5467
ord6632
ord4770
ord4988
ord4371
ord3164
ord4077
ord4083
ord4082
ord3046
ord3166
ord3052
ord3366
ord3231
ord4815
ord3362
ord3243
ord3049
ord5699
ord2140
ord2455
ord5680
ord1736
ord5484
ord3933
ord6814
ord2060
ord2670
ord4789
ord5229
ord4017
ord5701
ord4694
ord6806
ord5586
ord2399
ord5656
ord4749
ord1778
ord4365
ord6440
ord1723
ord1716
ord5506
ord2404
ord4422
ord5838
ord4345
ord4706
ord2535
ord6556
ord2596
ord2408
ord2427
ord3830
ord3790
ord3740
ord1869
ord445
ord940
ord2779
ord1379
ord6880
ord1483
ord5933
ord1463
ord371
ord877
ord1126
ord5986
ord3222
ord3780
ord367
ord5602
ord6762
ord336
ord851
ord1646
ord1647
ord6127
ord2461
ord6135
ord2420
ord1677
ord2676
ord1471
ord4548
ord1566
ord6021
ord1122
ord4602
ord2846
ord1428
ord1838
ord2925
ord1561
ord1425
ord314
ord2516
ord852
ord3742
ord5949
ord337
ord2379
ord2319
ord2381
ord2315
ord2384
ord2311
ord2781
ord2975
ord2979
ord5887
ord4557
ord3177
ord6614
ord5077
ord1787
ord5245
ord3003
ord6767
ord2318
ord2376
ord4344
ord3180
ord1781
ord3761
ord4771
ord2457
ord5683
ord5702
ord6812
ord5663
ord4752
ord1777
ord6437
ord2517
ord5406
ord4721
ord5687
ord6018
ord5730
ord2857
ord5712
ord3535
ord3867
ord1067
ord665
ord996
ord3408
ord2122
ord2898
ord3879
ord2900
ord6559
ord6238
ord2463
ord4127
ord3861
ord2084
ord4375
ord310
ord826
ord4650
ord660
ord1064
ord2906
ord6130
ord6131
ord303
ord6123
ord6609
ord4297
ord6138
ord6511
ord1950
ord4599
ord1537
ord2393
ord6577
ord4187
ord4014
ord6520
ord3936
ord6351
ord3099
ord3647
ord1441
ord2394
ord3440
ord5807
ord1977
ord4565
ord387
ord890
ord2100
ord2903
ord4806
ord4784
ord5468
ord5175
ord4774
ord5674
ord1674
ord2671
ord5704
ord5659
ord4364
ord4461
ord2919
ord2920
ord3536
ord5839
ord1316
ord5420
ord3481
ord4633
ord4817
ord5524
ord5521
ord3141
ord2405
ord2750
ord3920
ord4580
ord540
ord992
ord5232
ord1903
ord4690
ord6474
ord994
ord2802
ord4780
ord5682
ord1734
ord3932
ord5662
ord4405
ord5366
ord5369
ord4879
ord4884
ord4881
ord4899
ord4901
ord4886
ord5282
ord5090
ord4682
ord5496
ord4891
ord5288
ord4712
ord5297
ord4945
ord4946
ord1730
ord5649
ord4867
ord528
ord3862
ord1893
ord4578
ord4979
ord5519
ord4288
ord504
ord977
ord5215
ord5252
ord5362
ord5894
ord5989
ord1753
ord1442
ord6777
ord6078
ord1498
ord2513
ord2801
ord1284
ord5905
ord6465
ord5021
ord1559
ord287
ord2756
ord2754
ord2757
ord506
ord979
ord2272
ord292
ord815
ord1972
ord1992
ord6828
ord1301
ord2015
ord1296
ord5622
ord2417
ord3282
ord3601
ord5431
ord6612
ord4844
ord4982
ord4977
ord4981
ord4777
ord4984
ord3365
ord6586
ord4732
ord4769
ord5666
ord6769
ord3147
ord3142
ord5064
ord3353
ord3994
ord3595
ord1361
ord5956
ord3672
ord5436
ord3556
ord3059
ord4989
ord5871
ord4762
ord5408
ord4964
ord3191
ord5432
ord4841
ord5410
ord5317
ord5001
ord4870
ord2195
ord2448
ord5354
ord3270
ord5216
ord5253
ord5363
ord5047
ord5052
ord4797
ord1536
ord5037
ord4849
ord4124
ord5441
ord5402
ord5269
ord5309
ord4862
ord5582
ord6610
ord4759
ord5093
ord524
ord3675
ord2530
ord6136
ord5068
ord5306
ord4947
ord4703
ord4598
ord4976
ord659
ord1063
ord507
ord3783
ord971
ord1447
ord6510
ord1505
ord598
ord6538
ord1337
ord2036
ord6056
ord6055
ord5870
ord1287
ord2565
ord2752
ord6813
ord4368
ord5065
ord3468
ord1499
ord4970
ord3280
ord3593
ord1264
ord1286
ord4521
ord1388
ord6888
ord2939
ord3916
ord4983
ord6053
msvcrt
cosf
memcmp
atan2f
atan2
__RTDynamicCast
memcpy
memmove
memset
sinf
sqrtf
tanf
___lc_handle_func
__CxxFrameHandler3
??1type_info@@UEAA@XZ
_onexit
__dllonexit
_unlock
_lock
?terminate@@YAXXZ
_commode
_fmode
_wcmdln
_initterm
__setusermatherr
_cexit
_exit
__set_app_type
__wgetmainargs
_amsg_exit
_XcptFilter
isdigit
isalnum
abort
memchr
tolower
isspace
__uncaught_exception
__crtGetStringTypeW
__crtLCMapStringW
__mb_cur_max
__pctype_func
___lc_codepage_func
wcscmp
_errno
___mb_cur_max_func
setlocale
_CxxThrowException
_callnewh
??0exception@@QEAA@AEBQEBDH@Z
malloc
vswprintf_s
exit
wcsncmp
_wsetlocale
_wcsdup
__wargv
__argc
_wcsicmp
__C_specific_handler
rand
_beginthreadex
_wtoi
_wsplitpath_s
strcspn
localeconv
sprintf_s
_strtoi64
_strtoui64
_purecall
free
memmove_s
??0exception@@QEAA@AEBQEBD@Z
?what@exception@@UEBAPEBDXZ
_vsnprintf_s
??0exception@@QEAA@AEBV0@@Z
swprintf_s
wcscpy_s
wcstoul
vsprintf_s
??0exception@@QEAA@XZ
??1exception@@UEAA@XZ
memcpy_s
_vsnwprintf
shlwapi
PathStripPathW
PathFileExistsW
PathFindFileNameW
PathCombineW
ord628
oleaut32
VarR8FromDec
VarDecFromR8
SafeArrayCreateVector
SafeArrayPutElement
SafeArrayDestroy
SafeArrayCopy
VariantInit
SysAllocString
VariantClear
VarDecFromI4
SysFreeString
api-ms-win-core-com-l1-1-0
FreePropVariantArray
PropVariantClear
CoTaskMemAlloc
CoCreateInstance
PropVariantCopy
CoMarshalInterThreadInterfaceInStream
CoReleaseMarshalData
CoGetInterfaceAndReleaseStream
CoWaitForMultipleHandles
CoCreateFreeThreadedMarshaler
CoTaskMemFree
CreateStreamOnHGlobal
CLSIDFromString
CoInitializeEx
CoUninitialize
CoCreateGuid
api-ms-win-core-com-l1-1-1
RoGetAgileReference
api-ms-win-core-winrt-string-l1-1-0
WindowsCreateString
WindowsDeleteString
WindowsGetStringRawBuffer
WindowsCreateStringReference
api-ms-win-core-winrt-l1-1-0
RoGetActivationFactory
api-ms-win-core-winrt-error-l1-1-0
SetRestrictedErrorInfo
api-ms-win-core-winrt-error-l1-1-1
RoGetMatchingRestrictedErrorInfo
rpcrt4
UuidToStringW
RpcStringFreeW
UuidCreate
api-ms-win-core-string-l1-1-0
WideCharToMultiByte
CompareStringOrdinal
MultiByteToWideChar
api-ms-win-core-synch-l1-1-0
AcquireSRWLockExclusive
CreateMutexW
ReleaseSRWLockExclusive
InitializeCriticalSection
LeaveCriticalSection
EnterCriticalSection
CreateEventExW
api-ms-win-core-synch-l1-2-0
Sleep
WakeAllConditionVariable
SleepConditionVariableSRW
api-ms-win-core-processthreads-l1-1-0
GetStartupInfoW
GetCurrentProcess
TerminateProcess
CreateThread
api-ms-win-core-rtlsupport-l1-1-0
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
api-ms-win-core-errorhandling-l1-1-0
SetUnhandledExceptionFilter
UnhandledExceptionFilter
api-ms-win-core-debug-l1-1-0
OutputDebugStringA
api-ms-win-core-profile-l1-1-0
QueryPerformanceCounter
api-ms-win-core-sysinfo-l1-1-0
GetSystemTime
GetSystemTimeAsFileTime
api-ms-win-core-libraryloader-l1-2-0
GetModuleFileNameW
api-ms-win-core-processthreads-l1-1-1
GetProcessMitigationPolicy
api-ms-win-core-localization-l2-1-0
GetNumberFormatEx
api-ms-win-core-localization-l1-2-0
GetLocaleInfoEx
api-ms-win-core-file-l1-1-0
CompareFileTime
GetTempFileNameW
api-ms-win-core-registry-l1-1-0
RegGetValueW
RegQueryInfoKeyW
RegEnumValueW
RegEnumKeyExW
api-ms-win-core-timezone-l1-1-0
SystemTimeToFileTime
api-ms-win-eventing-provider-l1-1-0
EventSetInformation
comctl32
ord381
ord345
ImageList_GetImageCount
ImageList_Remove
ImageList_ReplaceIcon
ImageList_Draw
comdlg32
GetFileTitleW
GetOpenFileNameW
ntdll
WinSqmAddToStream
WinSqmStartSession
WinSqmEndSession
WinSqmIncrementDWORD
WinSqmSetIfMaxDWORD
ole32
ReleaseStgMedium
OleGetClipboard
WriteClassStg
WriteFmtUserTypeStg
CoInitialize
propsys
PropVariantToUInt32
PropVariantToString
PropVariantToStringVectorAlloc
PSGetPropertyDescriptionListFromString
PropVariantToUInt32WithDefault
shell32
SHGetKnownFolderPath
SHCreateItemFromParsingName
ShellAboutW
SHAddToRecentDocs
SHBindToParent
SHCreateShellItem
ord155
ord75
ord165
SHGetSpecialFolderPathW
DragFinish
DragQueryFileW
SHChangeNotify
SHCreateShellItemArrayFromShellItem
SHParseDisplayName
winmm
timeGetTime
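An import listing like the one above is raw material for capability tagging: a triage script checks which groups of APIs are present and reports what the binary is able to do, without saying anything about intent. The following is an added example, not code from the sandbox or from the sample; it applies a handful of hand-written rules (the same idea that tools such as capa implement with far larger rule sets) to a constructed excerpt transcribed from the listing above. Two caveats a practitioner should keep in mind: imports by ordinal (mfc42u's ordNNNN entries) cannot be named without the exporting DLL's export table, so the tagger counts them rather than silently ignoring them; and the .didat section listed below holds delay-load import data, which a tool that reads only the regular import directory will not see at all.

```python
"""Capability tags from a PE import table (added example, stdlib only)."""
import re

# Constructed excerpt, transcribed from the import listing above (not the full table).
IMPORTS = {
    "advapi32": ["RegCreateKeyExW", "RegSetValueExW", "EncryptFileW",
                 "DecryptFileW", "SetNamedSecurityInfoW"],
    "kernel32": ["CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW",
                 "OpenProcess", "QueryFullProcessImageNameW", "VirtualProtect",
                 "LoadLibraryExA", "GetProcAddress", "IsDebuggerPresent",
                 "FindFirstStreamW", "FindNextStreamW"],
    "user32": ["SendInput", "GetAsyncKeyState"],
    "api-ms-win-core-processthreads-l1-1-1": ["GetProcessMitigationPolicy"],
    "mfc42u": ["ord4609", "ord1387"],
}

# tag -> list of requirement groups; at least one member of every group must be
# imported for the tag to fire. Names are written without the A/W charset suffix.
RULES = {
    "enumerate processes (Toolhelp)": [{"CreateToolhelp32Snapshot"},
                                       {"Process32First"}, {"Process32Next"}],
    "open other processes": [{"OpenProcess"}],
    "check for debugger": [{"IsDebuggerPresent"}],
    "change memory protection": [{"VirtualProtect"}],
    "resolve APIs at runtime": [{"LoadLibrary", "LoadLibraryEx"}, {"GetProcAddress"}],
    "EFS encrypt/decrypt files": [{"EncryptFile"}, {"DecryptFile"}],
    "modify object DACLs": [{"SetNamedSecurityInfo"}],
    "write registry values": [{"RegCreateKeyEx", "RegOpenKeyEx"}, {"RegSetValueEx"}],
    "enumerate NTFS alternate data streams": [{"FindFirstStream"}, {"FindNextStream"}],
    "synthesize keyboard/mouse input": [{"SendInput"}],
    "poll asynchronous key state": [{"GetAsyncKeyState"}],
}

_SUFFIX = re.compile(r"(?<=[a-z0-9])[AW]$")


def normalize(api: str) -> str:
    """Drop a trailing A/W charset suffix ('Process32FirstW' -> 'Process32First')."""
    return _SUFFIX.sub("", api)


def ordinal_imports(imports):
    """Count ordinal-only imports per DLL; they are unnamed until resolved against
    that DLL's export table, so they must not be mistaken for 'checked and benign'."""
    return {dll: sum(1 for a in apis if a.startswith("ord"))
            for dll, apis in imports.items()
            if any(a.startswith("ord") for a in apis)}


def tag_imports(imports):
    """Return the sorted list of capability tags whose rule is fully satisfied."""
    seen = {normalize(api) for apis in imports.values()
            for api in apis if not api.startswith("ord")}
    return sorted(tag for tag, groups in RULES.items()
                  if all(seen & group for group in groups))


if __name__ == "__main__":
    for tag in tag_imports(IMPORTS):
        print("capability:", tag)
    print("unresolved ordinal imports:", ordinal_imports(IMPORTS))
```

Every tag the excerpt produces is ordinary for a GUI application; the value of the pass is that it turns a thousand-line listing into a short list a reviewer can compare against what the program is supposed to do.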
Sections
.text Size: 660KB - Virtual size: 660KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 241KB - Virtual size: 240KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 20KB - Virtual size: 33KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 26KB - Virtual size: 26KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.didat Size: 1024B - Virtual size: 864B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 3KB - Virtual size: 3KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 11KB - Virtual size: 10KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ