Analysis

  • max time kernel
    42s
  • max time network
    44s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    12-09-2022 13:31

General

  • Target

    paint.net.4.3.12.install.x64.exe

  • Size

    61MB

  • MD5

    c355a5829ac1552e152310346918af9f

  • SHA1

    751e2f9b513dc5489912a4d9ab9e64a7d78eeff4

  • SHA256

    fc8d19614f448f5f345219f87f947813e14608b61cdd2812b36a4d1bfc4b2fc0

  • SHA512

    72190d20b98f854c1b2135d045aad4949c19f0211f6bbfd8f824c6369f9841a5d0c13a48606fe63ce4cf6591780fb59db558c3b46b31118398e380da006980eb

  • SSDEEP

    1572864:E1tiSf6SCXKvQK5G4ULJgJsFN82imwmf93lz/iExUI+OM:0t3Qy4MQi6RlcK

Score
8/10 (driven entirely by the four generic behavioural signatures below; no network activity and no malware configuration were extracted)

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's signature text rates this as likely ransomware behaviour, but the heuristic is generic: installers routinely enumerate drives to check free space and choose an install volume, so on its own it is not an indicator of compromise.

  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\paint.net.4.3.12.install.x64.exe
    "C:\Users\Admin\AppData\Local\Temp\paint.net.4.3.12.install.x64.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1488
    • C:\Users\Admin\AppData\Local\Temp\7zS0D55E54C\SetupShim.exe
      "C:\Users\Admin\AppData\Local\Temp\7zS0D55E54C\SetupShim.exe" /suppressReboot
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1624
      • C:\Users\Admin\AppData\Local\Temp\7zS0D55E54C\x64\SetupDownloader\SetupDownloader.exe
        "x64\SetupDownloader\SetupDownloader.exe" /SkipSuccessPrompt "C:\Users\Admin\AppData\Local\Temp\7zS0D55E54C\SetupShim.exe" /suppressReboot
        3⤵
        • Executes dropped EXE
        PID:1524
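The process tree above is the usual 7-Zip SFX installer shape: the submitted stub (PID 1488) unpacks into %TEMP%\7zS0D55E54C\ and the dropped SetupShim.exe and SetupDownloader.exe run from there, which is what the "Executes dropped EXE" and "Loads dropped DLL" signatures key on. The following is an added example, not code from the page or from the sandbox vendor, of how a triage script can attribute every process executing out of such a staging directory back to the self-extractor that created it. The event records are constructed from the page's PIDs, paths and command lines; the Sysmon-style field names, the installer's own parent PID (1000) and the unrelated notepad.exe record are assumptions made to exercise the code.

```python
import re
from typing import Optional

# Constructed Sysmon-style process-creation records mirroring the report's
# process tree. PIDs, image paths and command lines are the page's; the dict
# layout, the installer's parent PID (1000) and the notepad.exe record are
# assumptions.
EVENTS = [
    {"pid": 1488, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\paint.net.4.3.12.install.x64.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\paint.net.4.3.12.install.x64.exe"'},
    {"pid": 1624, "ppid": 1488,
     "image": r"C:\Users\Admin\AppData\Local\Temp\7zS0D55E54C\SetupShim.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\7zS0D55E54C\SetupShim.exe" /suppressReboot'},
    {"pid": 1524, "ppid": 1624,
     "image": r"C:\Users\Admin\AppData\Local\Temp\7zS0D55E54C\x64\SetupDownloader\SetupDownloader.exe",
     "cmdline": r'"x64\SetupDownloader\SetupDownloader.exe" /SkipSuccessPrompt "C:\Users\Admin\AppData\Local\Temp\7zS0D55E54C\SetupShim.exe" /suppressReboot'},
    {"pid": 2000, "ppid": 1000,
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]

# The 7-Zip SFX setup module unpacks to %TEMP%\7zS<8 hex digits>\ ; that is the
# staging directory every dropped binary in the report runs from.
SFX_STAGING = re.compile(r"\\AppData\\Local\\Temp\\(7zS[0-9A-F]{8})\\", re.IGNORECASE)


def staging_dir(image: str) -> Optional[str]:
    """Return the 7zS staging directory name an image runs from, or None."""
    m = SFX_STAGING.search(image)
    return m.group(1) if m else None


def find_sfx_chains(events):
    """Attribute every process executing from a 7zS staging directory to the
    self-extractor that created it.

    Returns one finding per staged process: its staging dir, the PID/image of
    the nearest ancestor outside that dir (the SFX stub) and the depth of the
    staged process below that ancestor.
    """
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        sdir = staging_dir(e["image"])
        if sdir is None:
            continue
        cur, depth = e, 1
        # Walk up the parent chain while the parent lives in the same staging dir.
        while cur["ppid"] in by_pid and staging_dir(by_pid[cur["ppid"]]["image"]) == sdir:
            cur = by_pid[cur["ppid"]]
            depth += 1
        root = by_pid.get(cur["ppid"])  # the process that unpacked the archive
        findings.append({
            "pid": e["pid"],
            "image": e["image"].rsplit("\\", 1)[-1],
            "staging_dir": sdir,
            "root_pid": root["pid"] if root else None,
            "root_image": root["image"].rsplit("\\", 1)[-1] if root else None,
            "depth": depth,
        })
    return sorted(findings, key=lambda f: (f["root_pid"] or 0, f["depth"]))


def summarize(findings):
    """Group findings by (root_pid, staging_dir) -> ordered list of dropped images."""
    out = {}
    for f in findings:
        out.setdefault((f["root_pid"], f["staging_dir"]), []).append(f["image"])
    return out


if __name__ == "__main__":
    for f in find_sfx_chains(EVENTS):
        print(f"{f['root_image']} (PID {f['root_pid']}) -> depth {f['depth']}: "
              f"{f['image']} (PID {f['pid']}) from {f['staging_dir']}")
```

Legitimate installers built with the 7-Zip SFX module produce exactly this chain, so treat a hit as context for the "dropped EXE" findings rather than as an alert on its own; the next check is the Authenticode signature of the stub and of each dropped binary, and whether SetupDownloader.exe actually reaches the network (this run recorded none).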

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery: System Information Discovery (T1082), 1 hit

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7zS0D55E54C\SetupShim.exe
    Filesize

    136KB

    MD5

    2c662cbb7fcd4bcc2f9dab3637f77a97

    SHA1

    3a627070f1d9249a7e864eb45913c93eca573ecf

    SHA256

    4c4acdc57c4e55cfb4215e8f5fe7bd3df685139402d7098a4d331ca76b6fd517

    SHA512

    9452b522f576ba0918b734c870d5cbba6d3b1b8fff06fc8422181389a8a60b009d8d4c79e98f6766cad1f67389e15a39af12ea95d591b8e69202cb7097d63f0d

  • C:\Users\Admin\AppData\Local\Temp\7zS0D55E54C\x64\SetupDownloader\AsyncBridge.dll
    Filesize

    23KB

    MD5

    46a3b9624ee066c56d2173019dbf48ac

    SHA1

    5f270fcb98cf07a291ba06ff50bdda8f8b961820

    SHA256

    588b5c20b690b6756f0f2a65146d02fec66058db698a96694c061c10a33a7c9d

    SHA512

    20f6d76605094ba16e460697194c21a7f0cbb49b4074330d7a8698c0fd2a03d0255839870723ba79cb5055ac07ce8c713f3ccf02a7a8b8beb11cb246a7ccb338

  • C:\Users\Admin\AppData\Local\Temp\7zS0D55E54C\x64\SetupDownloader\Newtonsoft.Json.dll
    Filesize

    495KB

    MD5

    283544d7f0173e6b5bfbfbc23d1c2fb0

    SHA1

    3e33b2ef50dac60b7411a84779d61bdb0ed9d673

    SHA256

    9165e595b3a0de91ac91a38e742597e12ebb2a5a8fa53058d964a06ceaef7735

    SHA512

    150b45cd43dc5cf191c85524c15dea09fbb48766ad802851270eaacfd73f3d097fef8dcf0ea042184220e7bc71413677d88a206d8bbe60374986e4789054040b

  • C:\Users\Admin\AppData\Local\Temp\7zS0D55E54C\x64\SetupDownloader\SetupDownloader.Configuration.json
    Filesize

    136B

    MD5

    2baf5f08f0f9dae45b6b35fb51c507e0

    SHA1

    6570a08aa237acfdfa0d7605a9e29367661ea31e

    SHA256

    4d65d0c09cc8e9a31fad0da411184f15affc3bfffe5d030a5c4e16e09edf4642

    SHA512

    cdc74e907458b66d0833933b4e4fd2f3d00ee449eefc0570d04fa49b9a3be54dc44856a7925465b7ccb2ac28022aee70cba5143636802bd95582976448a3c7da

  • C:\Users\Admin\AppData\Local\Temp\7zS0D55E54C\x64\SetupDownloader\SetupDownloader.exe
    Filesize

    271KB

    MD5

    27a7a27129de6f3989cdf68e17bb94da

    SHA1

    e00af46a1719a924dbfbff9b612f5d203f036e89

    SHA256

    2697f8e203bb29a30f75efd51ea2967f88bb9167dcfe214da177fa0899bbdd78

    SHA512

    19724354eb9a41210473b1d9c09ddceb49cd63ff203485e02f86463690a5d807fe8184cb2cbd08e7dd6ea00166a8d3c1248cfa20ed0afea5feff955bc232b4ec

  • C:\Users\Admin\AppData\Local\Temp\7zS0D55E54C\x64\SetupDownloader\SetupDownloader.exe.config
    Filesize

    523B

    MD5

    10feb20cbb33b60ba67c343584ff3385

    SHA1

    5cd23737e5f5aff246efb613b73568a10d146888

    SHA256

    3ddc67ffba50bad291526c9bae9bb45d12a70d6abe87bda4ac357cd73aa5420a

    SHA512

    89e72a5ab80a72d8344af5d3c2bc06e10da60be33ab043cae73cbdb039c6e6da80450f4c92dc07690281eb5a7505fdd39500d03597b5dd393683c9aee635f920

  • C:\Users\Admin\AppData\Local\Temp\7zS0D55E54C\x64\SetupDownloader\System.Threading.dll
    Filesize

    130KB

    MD5

    a99d956fe2e32a78930c8e9bcea3fbe4

    SHA1

    edce5bb617263c87e6ef496afaaaaaa61a7f756e

    SHA256

    ef1e1cbcadd43bdf347ddfe10cf62973b9f20be569dd45f5e6ff1cdd0dd1bd81

    SHA512

    1a6f238259b174e27ac1949d27296022511aea3821b7b14c7b4a667114040c99bfa74ce9aaa31013f39a68140de8963bf4c9d4643c51871b780610cb5efb790d

  • \Users\Admin\AppData\Local\Temp\7zS0D55E54C\SetupShim.exe
    Filesize

    136KB

    MD5

    2c662cbb7fcd4bcc2f9dab3637f77a97

    SHA1

    3a627070f1d9249a7e864eb45913c93eca573ecf

    SHA256

    4c4acdc57c4e55cfb4215e8f5fe7bd3df685139402d7098a4d331ca76b6fd517

    SHA512

    9452b522f576ba0918b734c870d5cbba6d3b1b8fff06fc8422181389a8a60b009d8d4c79e98f6766cad1f67389e15a39af12ea95d591b8e69202cb7097d63f0d

  • \Users\Admin\AppData\Local\Temp\7zS0D55E54C\x64\SetupDownloader\SetupDownloader.exe
    Filesize

    271KB

    MD5

    27a7a27129de6f3989cdf68e17bb94da

    SHA1

    e00af46a1719a924dbfbff9b612f5d203f036e89

    SHA256

    2697f8e203bb29a30f75efd51ea2967f88bb9167dcfe214da177fa0899bbdd78

    SHA512

    19724354eb9a41210473b1d9c09ddceb49cd63ff203485e02f86463690a5d807fe8184cb2cbd08e7dd6ea00166a8d3c1248cfa20ed0afea5feff955bc232b4ec

  • memory/1488-54-0x0000000076681000-0x0000000076683000-memory.dmp
    Filesize

    8KB

  • memory/1524-68-0x00000000003C0000-0x00000000003E8000-memory.dmp
    Filesize

    160KB

  • memory/1524-70-0x0000000000450000-0x00000000004D0000-memory.dmp
    Filesize

    512KB

  • memory/1524-66-0x0000000000AF0000-0x0000000000B38000-memory.dmp
    Filesize

    288KB

  • memory/1524-72-0x000007FEFC431000-0x000007FEFC433000-memory.dmp
    Filesize

    8KB

  • memory/1524-63-0x0000000000000000-mapping.dmp
  • memory/1524-74-0x0000000000A70000-0x0000000000A7C000-memory.dmp
    Filesize

    48KB

  • memory/1524-75-0x000000001B7A6000-0x000000001B7C5000-memory.dmp
    Filesize

    124KB

  • memory/1524-76-0x000000001B7A6000-0x000000001B7C5000-memory.dmp
    Filesize

    124KB

  • memory/1624-59-0x0000000000000000-mapping.dmp
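The inventory above lists the same dropped file under more than one path (SetupShim.exe under both C:\Users\... and \Users\..., each with identical digests). The following is an added example, not code from the page, of collapsing such an inventory to one record per SHA-256, flagging entries whose other digests or size disagree, and checking a file on disk against it with chunked hashing so a 61MB dropper need not be read into memory at once. REPORT_FILES is a constructed subset of the page's entries (SHA-512 omitted for brevity); the record layout and function names are the example's own.

```python
import hashlib

# Constructed subset of the report's dropped-file inventory: paths, sizes and
# digests as printed on the page (SHA-512 omitted). SetupShim.exe appears under
# two path spellings exactly as the report lists it.
REPORT_FILES = [
    {"path": r"C:\Users\Admin\AppData\Local\Temp\7zS0D55E54C\SetupShim.exe",
     "size": "136KB",
     "md5": "2c662cbb7fcd4bcc2f9dab3637f77a97",
     "sha1": "3a627070f1d9249a7e864eb45913c93eca573ecf",
     "sha256": "4c4acdc57c4e55cfb4215e8f5fe7bd3df685139402d7098a4d331ca76b6fd517"},
    {"path": r"\Users\Admin\AppData\Local\Temp\7zS0D55E54C\SetupShim.exe",
     "size": "136KB",
     "md5": "2c662cbb7fcd4bcc2f9dab3637f77a97",
     "sha1": "3a627070f1d9249a7e864eb45913c93eca573ecf",
     "sha256": "4c4acdc57c4e55cfb4215e8f5fe7bd3df685139402d7098a4d331ca76b6fd517"},
    {"path": r"C:\Users\Admin\AppData\Local\Temp\7zS0D55E54C\x64\SetupDownloader\SetupDownloader.exe",
     "size": "271KB",
     "md5": "27a7a27129de6f3989cdf68e17bb94da",
     "sha1": "e00af46a1719a924dbfbff9b612f5d203f036e89",
     "sha256": "2697f8e203bb29a30f75efd51ea2967f88bb9167dcfe214da177fa0899bbdd78"},
]

ALGOS = ("md5", "sha1", "sha256")


class Digests:
    """Incremental multi-algorithm hasher fed in chunks."""

    def __init__(self):
        self.h = {a: hashlib.new(a) for a in ALGOS}

    def update(self, chunk: bytes):
        for h in self.h.values():
            h.update(chunk)
        return self

    def result(self) -> dict:
        return {a: h.hexdigest() for a, h in self.h.items()}


def digest_bytes(data: bytes) -> dict:
    return Digests().update(data).result()


def digest_file(path, chunk_size: int = 1 << 20) -> dict:
    """Hash a file on disk without loading it whole (1 MiB chunks)."""
    d = Digests()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            d.update(chunk)
    return d.result()


def normalize_path(p: str) -> str:
    r"""Fold case and a leading drive letter so C:\Users\... and \Users\... compare equal."""
    p = p.lower()
    if len(p) > 1 and p[1] == ":":
        p = p[2:]
    return p


def unique_artifacts(entries):
    r"""Collapse repeated report entries into one record per SHA-256.

    Returns (artifacts, conflicts): artifacts maps sha256 -> record carrying the
    set of normalized paths it was seen at; conflicts lists sha256 values whose
    md5/sha1/size disagree between entries (a report inconsistency worth a look).
    """
    artifacts, conflicts = {}, []
    for e in entries:
        key = e["sha256"].lower()
        rec = artifacts.get(key)
        if rec is None:
            artifacts[key] = {"md5": e["md5"].lower(), "sha1": e["sha1"].lower(),
                              "size": e["size"], "paths": {normalize_path(e["path"])}}
            continue
        if (rec["md5"], rec["sha1"], rec["size"]) != (e["md5"].lower(), e["sha1"].lower(), e["size"]):
            conflicts.append(key)
        rec["paths"].add(normalize_path(e["path"]))
    return artifacts, conflicts


def match_digests(artifacts, digests):
    """Look a file's digests up in the deduplicated inventory.

    Every algorithm present on both sides must agree, not just SHA-256, so a
    transcription error in the report surfaces as "no match" instead of a hit.
    """
    rec = artifacts.get(digests["sha256"].lower())
    if rec is None:
        return None
    if rec["md5"] != digests["md5"] or rec["sha1"] != digests["sha1"]:
        return None
    return rec


if __name__ == "__main__":
    arts, conflicts = unique_artifacts(REPORT_FILES)
    for sha256, rec in arts.items():
        print(sha256, rec["size"], sorted(rec["paths"]))
    print("conflicts:", conflicts)
```

To check a recovered sample against the report, call match_digests(arts, digest_file("SetupShim.exe")); a None result with a matching SHA-256 but differing MD5/SHA-1 means either a bad transcription or, far less likely, a deliberate collision, and either way the file should not be treated as the report's artifact.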