Analysis
- max time kernel: 44s
- max time network: 49s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64 arch:x86 image:win7-20220901-en locale:en-us os:windows7-x64 system
- submitted: 12-02-2023 15:19
Static task: static1
Behavioral task: behavioral1
  Sample: paint.net.5.0.1.install.anycpu.web.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: paint.net.5.0.1.install.anycpu.web.exe
  Resource: win10v2004-20220812-en
General
- Target: paint.net.5.0.1.install.anycpu.web.exe
- Size: 1MB
- MD5: 29d86c3800325e8db85d559a126958b0
- SHA1: 6a06773bd7b76103c231dad8bb751d5db157c2e7
- SHA256: de7659f337aa53a731d4c89f5a331869327280325a52c80db11a5829686c09d0
- SHA512: 5b9053151acfbf7584438fb1436fbbbc7ea07701c5d20e3ae9bac488252b0896cb18e9d5d4f5762a6282f60810400c5bc734598af0151f1594ad307cf95b2521
- SSDEEP: 24576:HrYYYYkWYCzwLhA29pQyIbsIC0BuDgRtIyxwNJ:HrYYYYkvLhA29pmZDj0yxOJ
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
  2008 SetupShim.exe
- Loads dropped DLL (4 IoCs)
  Processes (pid, process):
  2024 paint.net.5.0.1.install.anycpu.web.exe
  2024 paint.net.5.0.1.install.anycpu.web.exe
  2024 paint.net.5.0.1.install.anycpu.web.exe
  2024 paint.net.5.0.1.install.anycpu.web.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes (description | pid | process | target process):
  PID 2024 wrote to memory of 2008 | 2024 | paint.net.5.0.1.install.anycpu.web.exe | SetupShim.exe
  PID 2024 wrote to memory of 2008 | 2024 | paint.net.5.0.1.install.anycpu.web.exe | SetupShim.exe
  PID 2024 wrote to memory of 2008 | 2024 | paint.net.5.0.1.install.anycpu.web.exe | SetupShim.exe
  PID 2024 wrote to memory of 2008 | 2024 | paint.net.5.0.1.install.anycpu.web.exe | SetupShim.exe
  PID 2024 wrote to memory of 2008 | 2024 | paint.net.5.0.1.install.anycpu.web.exe | SetupShim.exe
  PID 2024 wrote to memory of 2008 | 2024 | paint.net.5.0.1.install.anycpu.web.exe | SetupShim.exe
  PID 2024 wrote to memory of 2008 | 2024 | paint.net.5.0.1.install.anycpu.web.exe | SetupShim.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\paint.net.5.0.1.install.anycpu.web.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\paint.net.5.0.1.install.anycpu.web.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\7zS8E74D81C\SetupShim.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zS8E74D81C\SetupShim.exe" /suppressReboot
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\7zS8E74D81C\SetupShim.exe
  Filesize: 136KB
  MD5: f82afdf72718f01f8224e1741374ac49
  SHA1: 440b52448536d2887cac23de90b0f282291f9d65
  SHA256: 606719ec98b05a8b4d793dd8308513df55bce978562b5c25c497149bcc79ae7e
  SHA512: 98cfb90b18f7bf37e6effe72d7177f394cc65a4d08144f21e96ae7e44047bfb418c4ed3683c49e129a5588b59c1aaef78535c5ee829ec1f399ee68a25c4d254d
- \Users\Admin\AppData\Local\Temp\7zS8E74D81C\SetupShim.exe
  Filesize: 136KB
  MD5: f82afdf72718f01f8224e1741374ac49
  SHA1: 440b52448536d2887cac23de90b0f282291f9d65
  SHA256: 606719ec98b05a8b4d793dd8308513df55bce978562b5c25c497149bcc79ae7e
  SHA512: 98cfb90b18f7bf37e6effe72d7177f394cc65a4d08144f21e96ae7e44047bfb418c4ed3683c49e129a5588b59c1aaef78535c5ee829ec1f399ee68a25c4d254d
- memory/2008-59-0x0000000000000000-mapping.dmp
- memory/2024-54-0x00000000759F1000-0x00000000759F3000-memory.dmp
  Filesize: 8KB