Analysis
-
max time kernel
27s -
max time network
31s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted
26-02-2023 01:42
Static task
static1
Behavioral task
behavioral1
Sample
paint.net.5.0.2.install.anycpu.web.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
paint.net.5.0.2.install.anycpu.web.exe
Resource
win10v2004-20230220-en
General
-
Target
paint.net.5.0.2.install.anycpu.web.exe
-
Size
1.1MB
-
MD5
6a5e8c6eec9ab6ed7088bc35739e52d5
-
SHA1
be77e05970628d62c65b0bd609ef7ab5bb705c8f
-
SHA256
9d3edf7ade8ce94aaa6038e894562229e002a86840835e573caf1116e7b928a5
-
SHA512
e56e5356bee8d6d942f1bee7acd0a31fa03f51a7614df6f7bcdec89ec26cc3e7ea686892325938e7156f23c78814e0a9f04eeff255853939b157004ed6c12ed0
-
SSDEEP
24576:7rYYYYkWYCzwLhA29pQCo7jIC0BuDgwf0z:7rYYYYkvLhA29piUDjwe
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
pid   process
768   SetupShim.exe
Loads dropped DLL 4 IoCs
Processes:
pid    process
1760   paint.net.5.0.2.install.anycpu.web.exe (4 dropped-DLL load events from this pid)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox labels this "likely ransomware behaviour", but the signature is a generic heuristic: installers routinely enumerate volumes to choose an install location and check free space, so on its own it is weak evidence for a sample like this one.
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
description                  pid    process                                   target pid   target process
PID 1760 wrote to memory of 768   1760   paint.net.5.0.2.install.anycpu.web.exe   768          SetupShim.exe   (7 identical events)
All seven writes go from the parent into the child it has just spawned. A parent that launches a child via CreateProcess writes the new process's parameters into the child's address space, which sandboxes log as a handful of WriteProcessMemory calls, so a small number of parent-to-direct-child writes is expected and is not by itself evidence of code injection. Writes into a process the sample did not spawn would be the thing to chase.
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\paint.net.5.0.2.install.anycpu.web.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\paint.net.5.0.2.install.anycpu.web.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\7zS0E6DEA1C\SetupShim.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\7zS0E6DEA1C\SetupShim.exe" /suppressReboot
      - Executes dropped EXE
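The two signatures above are worth reading together: a 7-Zip SFX stub unpacks into %TEMP%\7zS<hex>\, runs the dropped SetupShim.exe, and in doing so produces a burst of parent-to-child WriteProcessMemory events. The following is an added example, not part of the sandbox report or of paint.net: it parses the report's run-together IoC lines into events and applies two analyst heuristics, labelling processes dropped from a 7zS temp directory and separating parent-to-direct-child writes (ordinary process creation) from writes into processes the sample never spawned. The event and process-tree strings are copied from this report and re-split by hand; the 7zS path pattern and the write budget are the example's own assumptions.

```python
"""Triage helpers for flattened sandbox IoC lines (added example, not report output)."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed input: the report prints these seven events as one run-together
# line; here they are split into one string per event.
WPM_LINES = [
    "PID 1760 wrote to memory of 768 1760 paint.net.5.0.2.install.anycpu.web.exe SetupShim.exe"
] * 7

# (pid, parent pid, image path, arguments) transcribed from the Processes section.
PROCESS_TREE = [
    (1760, None, r"C:\Users\Admin\AppData\Local\Temp\paint.net.5.0.2.install.anycpu.web.exe", ""),
    (768, 1760, r"C:\Users\Admin\AppData\Local\Temp\7zS0E6DEA1C\SetupShim.exe", "/suppressReboot"),
]

# Assumption: CreateProcess makes the parent write the child's process parameters
# into the new address space, which a sandbox logs as a few WriteProcessMemory
# calls. The budget below is the example author's choice, not a sandbox rule.
MAX_SPAWN_WRITES = 10

WPM_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \d+ (?P<src_name>\S+) (?P<dst_name>\S+)$"
)
# Assumption inferred from this report's path: 7-Zip SFX stubs unpack to
# %TEMP%\7zS<8 hex digits>\ . Not a documented 7-Zip contract.
SFX_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\7zS[0-9A-F]{8}\\", re.IGNORECASE)


@dataclass(frozen=True)
class WpmEvent:
    src_pid: int
    dst_pid: int
    src_name: str
    dst_name: str


def parse_wpm(lines):
    """Turn 'PID A wrote to memory of B A a.exe b.exe' lines into WpmEvent records."""
    events = []
    for line in lines:
        m = WPM_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable WriteProcessMemory line: {line!r}")
        events.append(WpmEvent(int(m["src"]), int(m["dst"]), m["src_name"], m["dst_name"]))
    return events


def classify_process(path, parent_pid):
    """Label a tree entry: the submitted sample, an SFX-dropped payload, or other child."""
    if parent_pid is None:
        return "root sample"
    if SFX_TEMP_RE.search(path):
        return "dropped from 7-Zip SFX temp dir"
    return "child process"


def classify_writes(events, parent_of):
    """Group writes by (source, target) pid and decide whether each pair looks like
    plain process creation or a write into a process the source did not spawn."""
    counts = Counter((e.src_pid, e.dst_pid) for e in events)
    verdicts = {}
    for (src, dst), n in counts.items():
        if parent_of.get(dst) == src and n <= MAX_SPAWN_WRITES:
            verdicts[(src, dst)] = "expected: parent writing into child during spawn"
        elif parent_of.get(dst) == src:
            verdicts[(src, dst)] = "review: more writes to child than spawn accounts for"
        else:
            verdicts[(src, dst)] = "suspicious: write into a process it did not spawn"
    return verdicts


def triage(wpm_lines=WPM_LINES, tree=PROCESS_TREE):
    """Run both heuristics over the parsed report and return the verdicts."""
    parent_of = {pid: ppid for pid, ppid, _, _ in tree}
    procs = {pid: classify_process(path, ppid) for pid, ppid, path, _ in tree}
    writes = classify_writes(parse_wpm(wpm_lines), parent_of)
    return {"processes": procs, "writes": writes}


if __name__ == "__main__":
    for section, verdict in triage().items():
        print(section, verdict)
```

Run against the lines from this report, the script labels pid 768 as an SFX-dropped payload and the seven 1760 -> 768 writes as expected spawn traffic; feed it a write aimed at a pid outside the tree and that pair comes back as suspicious, which is the case worth escalating.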
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\7zS0E6DEA1C\SetupShim.exe
Filesize
136KB
MD5
db51c903838632898319669eb2271114
SHA1
25fa7935e834e56f7757321da7f84aad8d587eee
SHA256
babcd035c2f920004fcc922aa23c4fc55949b335b5e920bcec215a51c1e036d4
SHA512
a42fd32040317d351f98bf53e0832e1c9dfd7e1b45c5aba44dfbc79f25f88cc19dcb762410840cfa5cd63e8531496dfe25d63937af8758d712d06102e626fdbb