Triage | Malware sandboxing report by Hatching Triage

Sharing

General

Target

paint.net.5.0.1.install.anycpu.web.exe
Size

1MB
Sample

230212-sqettaec31
MD5

29d86c3800325e8db85d559a126958b0
SHA1

6a06773bd7b76103c231dad8bb751d5db157c2e7
SHA256

de7659f337aa53a731d4c89f5a331869327280325a52c80db11a5829686c09d0
SHA512

5b9053151acfbf7584438fb1436fbbbc7ea07701c5d20e3ae9bac488252b0896cb18e9d5d4f5762a6282f60810400c5bc734598af0151f1594ad307cf95b2521
SSDEEP

24576:HrYYYYkWYCzwLhA29pQyIbsIC0BuDgRtIyxwNJ:HrYYYYkvLhA29pmZDj0yxOJ

Score

9^/10

coreentity discovery

Malware Config

Targets

- Target
  
  paint.net.5.0.1.install.anycpu.web.exe
- Size
  
  1MB
- MD5
  
  29d86c3800325e8db85d559a126958b0
- SHA1
  
  6a06773bd7b76103c231dad8bb751d5db157c2e7
- SHA256
  
  de7659f337aa53a731d4c89f5a331869327280325a52c80db11a5829686c09d0
- SHA512
  
  5b9053151acfbf7584438fb1436fbbbc7ea07701c5d20e3ae9bac488252b0896cb18e9d5d4f5762a6282f60810400c5bc734598af0151f1594ad307cf95b2521
- SSDEEP
  
  24576:HrYYYYkWYCzwLhA29pQyIbsIC0BuDgRtIyxwNJ:HrYYYYkvLhA29pmZDj0yxOJ
Score

9^/10

coreentity discovery
- CoreEntity .NET Packer
  A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
  coreentity
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral1 behavioral2

MITRE ATT&CK Matrix

Collection

Command and Control

Credential Access

Defense Evasion

Modify Registry

T1112

Install Root Certificate

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

Tasks

static1

behavioral1

behavioral2

coreentitydiscovery