mspaint.pdb
Static task: static1
Behavioral task: behavioral1 (sample mspaint.exe, resource win10-20240404-en)
Behavioral task: behavioral2 (sample mspaint.exe, resource win10v2004-20240802-en)
Behavioral task: behavioral3 (sample mspaint.exe, resource win11-20240802-en)
General
Target: mspaint.exe
Size: 916KB
MD5: b77bbef18ab33c9bf411c461463b1da8
SHA1: ef6f75fe72639f904d2105e3987d4ef4f58911da
SHA256: cad40cfbb57d831206f1f49ad5258ee815052f4694f801d5985b1d86b3ae24ed
SHA512: d7078a838f1190815a0e4aca709cf2743341570c2f1be7424c4b14c2ea46c4cbd9085a3780a342018ec373c1afdeb11e35325371c4816c5cb5b94ae147b3fda6
SSDEEP: 24576:j9lfYPTcMl/+EMIT+AKDdebdMaI0PlLOEfyb:hRSNAITqDkhDlLTyb
Malware Config
Signatures
Unsigned PE (1 IoC): checks for a missing Authenticode signature.
Resource: mspaint.exe
Files
-
mspaint.exe.exe windows:10 windows x64 arch:x64
ad9649a74db256ecab874bd416c46a98
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
PDB Paths
Imports
advapi32
RegCreateKeyExW
RegQueryValueExW
RegCloseKey
RegSetValueExW
EncryptFileW
DecryptFileW
EventWriteTransfer
DuplicateEncryptionInfoFile
EventUnregister
EventRegister
RegOpenKeyExW
GetNamedSecurityInfoW
SetNamedSecurityInfoW
OpenThreadToken
OpenProcessToken
GetSecurityInfo
GetAclInformation
GetAce
GetSidSubAuthorityCount
GetSidSubAuthority
LookupPrivilegeValueW
AdjustTokenPrivileges
InitiateSystemShutdownExW
RegDeleteKeyW
kernel32
GetModuleFileNameW
CompareStringOrdinal
GetCurrentProcess
GetCurrentThread
GetACP
CopyFileW
MoveFileExW
DeleteFileW
GetModuleHandleA
CreateEventW
SetEvent
QueueUserWorkItem
FreeLibrary
LoadLibraryW
HeapSetInformation
GetCommandLineW
VerifyVersionInfoW
VerSetConditionMask
DeleteCriticalSection
GetThreadLocale
QueryFullProcessImageNameW
OpenProcess
GetTempPathW
lstrcmpiW
SetEndOfFile
FindFirstFileW
GetFullPathNameW
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
GetTickCount
GlobalDeleteAtom
GlobalAddAtomW
SetErrorMode
LocalFree
LocalAlloc
RaiseException
GlobalSize
GetExitCodeThread
GetTimeFormatW
GetDateFormatW
FileTimeToSystemTime
FileTimeToLocalFileTime
GetFileSize
lstrlenW
GetLocaleInfoW
MulDiv
DeviceIoControl
SetFileTime
SetFileAttributesW
GetFileTime
GetFileAttributesW
FindClose
WriteFile
ReadFile
FindNextStreamW
FindFirstStreamW
GlobalReAlloc
GlobalUnlock
GlobalLock
GlobalAlloc
GlobalFree
GetFileSizeEx
CreateFileW
IsDebuggerPresent
DebugBreak
GetModuleHandleW
GetModuleFileNameA
CreateSemaphoreExW
HeapFree
SetLastError
GetCurrentProcessId
ReleaseSemaphore
GetModuleHandleExW
WaitForSingleObject
GetCurrentThreadId
ReleaseMutex
FormatMessageW
GetLastError
OutputDebugStringW
WaitForSingleObjectEx
OpenSemaphoreW
CloseHandle
HeapAlloc
GetProcAddress
CreateMutexExW
lstrcmpW
ApplicationRecoveryFinished
ApplicationRecoveryInProgress
RegisterApplicationRecoveryCallback
RegisterApplicationRestart
CreateToolhelp32Snapshot
Process32FirstW
Process32NextW
VirtualProtect
LoadLibraryExA
GetSystemInfo
VirtualQuery
GetProcessHeap
gdi32
EnumFontFamiliesExW
GetTextFaceW
GdiGradientFill
GetTextMetricsW
Polyline
SetROP2
CreatePolygonRgn
TranslateCharsetInfo
GetTextExtentPoint32W
CreateFontW
StretchDIBits
CreateDCW
CreateFontIndirectW
SetStretchBltMode
GetBrushOrgEx
GetRgnBox
CombineRgn
CreateRectRgn
ExtSelectClipRgn
ExtFloodFill
GetPixel
UnrealizeObject
SetBrushOrgEx
StretchBlt
Polygon
OffsetRgn
SetPixel
LineTo
MoveToEx
CreatePen
SetDIBitsToDevice
GetNearestColor
CreateDIBitmap
GetDIBits
CreateHalftonePalette
CreateDIBSection
PlayMetaFile
SetViewportExtEx
RestoreDC
LPtoDP
GetStockObject
SaveDC
CreatePalette
Rectangle
GdiAlphaBlend
SetTextColor
SetBkColor
GetObjectW
GetCurrentObject
SetDIBColorTable
GetDIBColorTable
CreateRectRgnIndirect
SetMapMode
FillRgn
PatBlt
CreateSolidBrush
CreatePatternBrush
SetPaletteEntries
ResizePalette
GetNearestPaletteIndex
GetPaletteEntries
SetDIBits
CreateBitmap
DeleteObject
DeleteDC
BitBlt
CreateCompatibleBitmap
CreateCompatibleDC
RealizePalette
SelectPalette
SelectObject
GetDeviceCaps
user32
ScreenToClient
UnionRect
IntersectRect
WindowFromPoint
PtInRect
GetCapture
SetRectEmpty
SetTimer
KillTimer
IsRectEmpty
EqualRect
SetCursor
SetCapture
GetAsyncKeyState
SetPropW
CopyRect
InflateRect
GetParent
GetWindowLongW
LoadCursorW
GetKeyboardLayout
LoadImageW
BringWindowToTop
GetFocus
SetActiveWindow
GetTouchInputInfo
GetDlgItemInt
ReleaseDC
GetMessageExtraInfo
FillRect
ClientToScreen
TrackMouseEvent
GetSystemMenu
RemoveMenu
DestroyWindow
DestroyCursor
SystemParametersInfoW
GetWindowLongPtrW
GetWindowThreadProcessId
DestroyMenu
MonitorFromRect
GetMonitorInfoW
GetClassInfoW
LoadIconW
LoadBitmapW
GetDC
SetDlgItemInt
SendDlgItemMessageW
SetWindowLongPtrW
MsgWaitForMultipleObjectsEx
SetWindowLongW
IsMenu
GetMenu
UnregisterTouchWindow
RegisterTouchWindow
GetCursorPos
OffsetRect
RegisterClipboardFormatW
IsClipboardFormatAvailable
PostQuitMessage
SetGestureConfig
PostMessageW
PeekMessageW
SetWindowTextW
ReleaseCapture
NotifyWinEvent
GetKeyState
MessageBoxW
MessageBeep
SetRect
EnableWindow
UpdateWindow
IsWindow
InvalidateRect
GetSystemMetrics
GetWindowRect
GetClientRect
GetSysColor
DestroyIcon
SendMessageW
RegisterWindowMessageW
GetDlgItem
CloseTouchInputHandle
CheckDlgButton
GetWindowDC
EnableScrollBar
GetUpdateRect
ValidateRect
CheckMenuItem
RedrawWindow
LoadMenuW
GetSubMenu
GetCaretPos
SetClassLongPtrW
LoadStringW
IsWindowVisible
SendInput
SetCursorPos
ShowCursor
mfc42u
msvcrt
__dllonexit
_unlock
_lock
sqrtf
_onexit
sinf
memcmp
memset
memmove
??1type_info@@UEAA@XZ
tanf
memcpy
?terminate@@YAXXZ
_commode
_fmode
_wcmdln
_initterm
__setusermatherr
_cexit
_exit
__set_app_type
__wgetmainargs
_amsg_exit
_XcptFilter
isdigit
isalnum
abort
memchr
tolower
isspace
__uncaught_exception
__crtGetStringTypeW
__crtLCMapStringW
__mb_cur_max
__pctype_func
___lc_codepage_func
___lc_handle_func
_errno
___mb_cur_max_func
setlocale
_CxxThrowException
_callnewh
??0exception@@QEAA@AEBQEBDH@Z
malloc
vswprintf_s
exit
wcsncmp
_wsetlocale
_wcsdup
__wargv
__argc
_wcsicmp
__C_specific_handler
rand
_beginthreadex
_wtoi
_wsplitpath_s
strcspn
localeconv
sprintf_s
_strtoi64
_strtoui64
_purecall
free
memmove_s
??0exception@@QEAA@AEBQEBD@Z
?what@exception@@UEBAPEBDXZ
_vsnprintf_s
??0exception@@QEAA@AEBV0@@Z
??0exception@@QEAA@XZ
??1exception@@UEAA@XZ
memcpy_s
_vsnwprintf
__CxxFrameHandler3
swprintf_s
wcscpy_s
wcstoul
vsprintf_s
__RTDynamicCast
atan2
atan2f
cosf
wcscmp
oleaut32
SysFreeString
SafeArrayCopy
SafeArrayDestroy
SafeArrayPutElement
SafeArrayCreateVector
VarDecFromR8
VarR8FromDec
VariantClear
VariantInit
VarDecFromI4
SysAllocString
api-ms-win-core-com-l1-1-0
PropVariantCopy
CreateStreamOnHGlobal
CLSIDFromString
CoInitializeEx
CoTaskMemFree
CoUninitialize
CoGetInterfaceAndReleaseStream
CoReleaseMarshalData
CoMarshalInterThreadInterfaceInStream
CoCreateFreeThreadedMarshaler
CoCreateInstance
CoTaskMemAlloc
CoCreateGuid
PropVariantClear
FreePropVariantArray
CoWaitForMultipleHandles
api-ms-win-core-com-l1-1-1
RoGetAgileReference
api-ms-win-core-winrt-string-l1-1-0
WindowsGetStringRawBuffer
WindowsDeleteString
WindowsCreateStringReference
WindowsCreateString
api-ms-win-core-winrt-l1-1-0
RoGetActivationFactory
api-ms-win-core-winrt-error-l1-1-0
SetRestrictedErrorInfo
api-ms-win-core-winrt-error-l1-1-1
RoGetMatchingRestrictedErrorInfo
rpcrt4
UuidToStringW
RpcStringFreeW
UuidCreate
api-ms-win-core-string-l1-1-0
WideCharToMultiByte
MultiByteToWideChar
api-ms-win-core-synch-l1-1-0
CreateEventExW
InitializeCriticalSection
EnterCriticalSection
LeaveCriticalSection
CreateMutexW
api-ms-win-core-synch-l1-2-0
SleepConditionVariableSRW
Sleep
WakeAllConditionVariable
api-ms-win-core-processthreads-l1-1-0
GetStartupInfoW
TerminateProcess
CreateThread
api-ms-win-core-rtlsupport-l1-1-0
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
api-ms-win-core-errorhandling-l1-1-0
SetUnhandledExceptionFilter
UnhandledExceptionFilter
api-ms-win-core-debug-l1-1-0
OutputDebugStringA
api-ms-win-core-profile-l1-1-0
QueryPerformanceCounter
api-ms-win-core-sysinfo-l1-1-0
GetSystemTimeAsFileTime
GetSystemTime
api-ms-win-core-localization-l2-1-0
GetNumberFormatEx
api-ms-win-core-localization-l1-2-0
GetLocaleInfoEx
api-ms-win-core-libraryloader-l1-2-0
FindResourceExW
SizeofResource
LockResource
LoadResource
api-ms-win-core-file-l1-1-0
GetTempFileNameW
CompareFileTime
api-ms-win-core-registry-l1-1-0
RegQueryInfoKeyW
RegGetValueW
RegEnumKeyExW
RegEnumValueW
api-ms-win-core-timezone-l1-1-0
SystemTimeToFileTime
api-ms-win-eventing-provider-l1-1-0
EventSetInformation
comctl32
ord345
ImageList_GetImageCount
ImageList_Remove
ImageList_ReplaceIcon
ImageList_Draw
ord381
comdlg32
GetOpenFileNameW
GetFileTitleW
ole32
WriteClassStg
OleGetClipboard
ReleaseStgMedium
CoInitialize
WriteFmtUserTypeStg
propsys
PropVariantToString
PSGetPropertyDescriptionListFromString
PropVariantToUInt32
PropVariantToUInt32WithDefault
PropVariantToStringVectorAlloc
shell32
SHGetKnownFolderPath
SHCreateItemFromParsingName
SHCreateShellItemArrayFromShellItem
SHBindToParent
SHCreateShellItem
ShellAboutW
ord155
ord75
CommandLineToArgvW
ShellExecuteExW
ord165
SHGetSpecialFolderPathW
SHAddToRecentDocs
DragFinish
DragQueryFileW
SHParseDisplayName
SHChangeNotify
shlwapi
PathFindFileNameW
PathFileExistsW
PathStripPathW
ord12
PathCombineW
winmm
timeGetTime
dismapi
DismOpenSession
DismRemoveCapability
DismCloseSession
DismShutdown
DismInitialize
api-ms-win-core-featurestaging-l1-1-0
RecordFeatureUsage
SubscribeFeatureStateChangeNotification
UnsubscribeFeatureStateChangeNotification
Sections
.text Size: 620KB - Virtual size: 620KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 233KB - Virtual size: 233KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 19KB - Virtual size: 32KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 26KB - Virtual size: 26KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.didat Size: 1024B - Virtual size: 864B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 3KB - Virtual size: 3KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 11KB - Virtual size: 10KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ