Analysis
- max time kernel: 42s
- max time network: 44s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 12-09-2022 13:31
Static task: static1
Behavioral task: behavioral1
- Sample: paint.net.4.3.12.install.x64.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: paint.net.4.3.12.install.x64.exe
- Resource: win10v2004-20220812-en
General
- Target: paint.net.4.3.12.install.x64.exe
- Size: 61MB
- MD5: c355a5829ac1552e152310346918af9f
- SHA1: 751e2f9b513dc5489912a4d9ab9e64a7d78eeff4
- SHA256: fc8d19614f448f5f345219f87f947813e14608b61cdd2812b36a4d1bfc4b2fc0
- SHA512: 72190d20b98f854c1b2135d045aad4949c19f0211f6bbfd8f824c6369f9841a5d0c13a48606fe63ce4cf6591780fb59db558c3b46b31118398e380da006980eb
- SSDEEP: 1572864:E1tiSf6SCXKvQK5G4ULJgJsFN82imwmf93lz/iExUI+OM:0t3Qy4MQi6RlcK
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
    1624  SetupShim.exe
    1524  SetupDownloader.exe
- Loads dropped DLL (5 IoCs)
  Processes (pid, process):
    1488  paint.net.4.3.12.install.x64.exe
    1488  paint.net.4.3.12.install.x64.exe
    1488  paint.net.4.3.12.install.x64.exe
    1488  paint.net.4.3.12.install.x64.exe
    1624  SetupShim.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description, pid, process, target process):
    PID 1488 wrote to memory of 1624  1488  paint.net.4.3.12.install.x64.exe  SetupShim.exe
    PID 1488 wrote to memory of 1624  1488  paint.net.4.3.12.install.x64.exe  SetupShim.exe
    PID 1488 wrote to memory of 1624  1488  paint.net.4.3.12.install.x64.exe  SetupShim.exe
    PID 1488 wrote to memory of 1624  1488  paint.net.4.3.12.install.x64.exe  SetupShim.exe
    PID 1488 wrote to memory of 1624  1488  paint.net.4.3.12.install.x64.exe  SetupShim.exe
    PID 1488 wrote to memory of 1624  1488  paint.net.4.3.12.install.x64.exe  SetupShim.exe
    PID 1488 wrote to memory of 1624  1488  paint.net.4.3.12.install.x64.exe  SetupShim.exe
    PID 1624 wrote to memory of 1524  1624  SetupShim.exe  SetupDownloader.exe
    PID 1624 wrote to memory of 1524  1624  SetupShim.exe  SetupDownloader.exe
    PID 1624 wrote to memory of 1524  1624  SetupShim.exe  SetupDownloader.exe
    PID 1624 wrote to memory of 1524  1624  SetupShim.exe  SetupDownloader.exe
Processes
- (depth 1) C:\Users\Admin\AppData\Local\Temp\paint.net.4.3.12.install.x64.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\paint.net.4.3.12.install.x64.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - (depth 2) C:\Users\Admin\AppData\Local\Temp\7zS0D55E54C\SetupShim.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\7zS0D55E54C\SetupShim.exe" /suppressReboot
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - (depth 3) C:\Users\Admin\AppData\Local\Temp\7zS0D55E54C\x64\SetupDownloader\SetupDownloader.exe
      command line: "x64\SetupDownloader\SetupDownloader.exe" /SkipSuccessPrompt "C:\Users\Admin\AppData\Local\Temp\7zS0D55E54C\SetupShim.exe" /suppressReboot
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\7zS0D55E54C\SetupShim.exe
  Filesize: 136KB
  MD5: 2c662cbb7fcd4bcc2f9dab3637f77a97
  SHA1: 3a627070f1d9249a7e864eb45913c93eca573ecf
  SHA256: 4c4acdc57c4e55cfb4215e8f5fe7bd3df685139402d7098a4d331ca76b6fd517
  SHA512: 9452b522f576ba0918b734c870d5cbba6d3b1b8fff06fc8422181389a8a60b009d8d4c79e98f6766cad1f67389e15a39af12ea95d591b8e69202cb7097d63f0d
- C:\Users\Admin\AppData\Local\Temp\7zS0D55E54C\x64\SetupDownloader\AsyncBridge.dll
  Filesize: 23KB
  MD5: 46a3b9624ee066c56d2173019dbf48ac
  SHA1: 5f270fcb98cf07a291ba06ff50bdda8f8b961820
  SHA256: 588b5c20b690b6756f0f2a65146d02fec66058db698a96694c061c10a33a7c9d
  SHA512: 20f6d76605094ba16e460697194c21a7f0cbb49b4074330d7a8698c0fd2a03d0255839870723ba79cb5055ac07ce8c713f3ccf02a7a8b8beb11cb246a7ccb338
- C:\Users\Admin\AppData\Local\Temp\7zS0D55E54C\x64\SetupDownloader\Newtonsoft.Json.dll
  Filesize: 495KB
  MD5: 283544d7f0173e6b5bfbfbc23d1c2fb0
  SHA1: 3e33b2ef50dac60b7411a84779d61bdb0ed9d673
  SHA256: 9165e595b3a0de91ac91a38e742597e12ebb2a5a8fa53058d964a06ceaef7735
  SHA512: 150b45cd43dc5cf191c85524c15dea09fbb48766ad802851270eaacfd73f3d097fef8dcf0ea042184220e7bc71413677d88a206d8bbe60374986e4789054040b
- C:\Users\Admin\AppData\Local\Temp\7zS0D55E54C\x64\SetupDownloader\SetupDownloader.Configuration.json
  Filesize: 136B
  MD5: 2baf5f08f0f9dae45b6b35fb51c507e0
  SHA1: 6570a08aa237acfdfa0d7605a9e29367661ea31e
  SHA256: 4d65d0c09cc8e9a31fad0da411184f15affc3bfffe5d030a5c4e16e09edf4642
  SHA512: cdc74e907458b66d0833933b4e4fd2f3d00ee449eefc0570d04fa49b9a3be54dc44856a7925465b7ccb2ac28022aee70cba5143636802bd95582976448a3c7da
- C:\Users\Admin\AppData\Local\Temp\7zS0D55E54C\x64\SetupDownloader\SetupDownloader.exe
  Filesize: 271KB
  MD5: 27a7a27129de6f3989cdf68e17bb94da
  SHA1: e00af46a1719a924dbfbff9b612f5d203f036e89
  SHA256: 2697f8e203bb29a30f75efd51ea2967f88bb9167dcfe214da177fa0899bbdd78
  SHA512: 19724354eb9a41210473b1d9c09ddceb49cd63ff203485e02f86463690a5d807fe8184cb2cbd08e7dd6ea00166a8d3c1248cfa20ed0afea5feff955bc232b4ec
- C:\Users\Admin\AppData\Local\Temp\7zS0D55E54C\x64\SetupDownloader\SetupDownloader.exe.config
  Filesize: 523B
  MD5: 10feb20cbb33b60ba67c343584ff3385
  SHA1: 5cd23737e5f5aff246efb613b73568a10d146888
  SHA256: 3ddc67ffba50bad291526c9bae9bb45d12a70d6abe87bda4ac357cd73aa5420a
  SHA512: 89e72a5ab80a72d8344af5d3c2bc06e10da60be33ab043cae73cbdb039c6e6da80450f4c92dc07690281eb5a7505fdd39500d03597b5dd393683c9aee635f920
- C:\Users\Admin\AppData\Local\Temp\7zS0D55E54C\x64\SetupDownloader\System.Threading.dll
  Filesize: 130KB
  MD5: a99d956fe2e32a78930c8e9bcea3fbe4
  SHA1: edce5bb617263c87e6ef496afaaaaaa61a7f756e
  SHA256: ef1e1cbcadd43bdf347ddfe10cf62973b9f20be569dd45f5e6ff1cdd0dd1bd81
  SHA512: 1a6f238259b174e27ac1949d27296022511aea3821b7b14c7b4a667114040c99bfa74ce9aaa31013f39a68140de8963bf4c9d4643c51871b780610cb5efb790d
- memory/1488-54: 0x0000000076681000-0x0000000076683000 (memory.dmp), Filesize: 8KB
- memory/1524-68: 0x00000000003C0000-0x00000000003E8000 (memory.dmp), Filesize: 160KB
- memory/1524-70: 0x0000000000450000-0x00000000004D0000 (memory.dmp), Filesize: 512KB
- memory/1524-66: 0x0000000000AF0000-0x0000000000B38000 (memory.dmp), Filesize: 288KB
- memory/1524-72: 0x000007FEFC431000-0x000007FEFC433000 (memory.dmp), Filesize: 8KB
- memory/1524-63: 0x0000000000000000 (mapping.dmp)
- memory/1524-74: 0x0000000000A70000-0x0000000000A7C000 (memory.dmp), Filesize: 48KB
- memory/1524-75: 0x000000001B7A6000-0x000000001B7C5000 (memory.dmp), Filesize: 124KB
- memory/1524-76: 0x000000001B7A6000-0x000000001B7C5000 (memory.dmp), Filesize: 124KB
- memory/1624-59: 0x0000000000000000 (mapping.dmp)