Behavioral Report

Analysis

max time kernel
125s
max time network
31s
platform
windows7_x64
resource
win7-20230220-es
resource tags

arch:x64arch:x86image:win7-20230220-eslocale:es-esos:windows7-x64systemwindows
submitted
28-02-2023 20:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

paint.net.5.0.2.install.anycpu.web.exe
Size

1MB
MD5

6a5e8c6eec9ab6ed7088bc35739e52d5
SHA1

be77e05970628d62c65b0bd609ef7ab5bb705c8f
SHA256

9d3edf7ade8ce94aaa6038e894562229e002a86840835e573caf1116e7b928a5
SHA512

e56e5356bee8d6d942f1bee7acd0a31fa03f51a7614df6f7bcdec89ec26cc3e7ea686892325938e7156f23c78814e0a9f04eeff255853939b157004ed6c12ed0
SSDEEP

24576:7rYYYYkWYCzwLhA29pQCo7jIC0BuDgwf0z:7rYYYYkvLhA29piUDjwe

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

SetupShim.exe

pid process

572 SetupShim.exe

pid	process
572	SetupShim.exe

Loads dropped DLL 4 IoCs

Processes:

paint.net.5.0.2.install.anycpu.web.exe

pid	process
1164	paint.net.5.0.2.install.anycpu.web.exe
1164	paint.net.5.0.2.install.anycpu.web.exe
1164	paint.net.5.0.2.install.anycpu.web.exe
1164	paint.net.5.0.2.install.anycpu.web.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

SetupShim.exe

pid process

572 SetupShim.exe

pid	process
572	SetupShim.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

paint.net.5.0.2.install.anycpu.web.exe

description	pid	process	target process
PID 1164 wrote to memory of 572	1164	paint.net.5.0.2.install.anycpu.web.exe	SetupShim.exe
PID 1164 wrote to memory of 572	1164	paint.net.5.0.2.install.anycpu.web.exe	SetupShim.exe
PID 1164 wrote to memory of 572	1164	paint.net.5.0.2.install.anycpu.web.exe	SetupShim.exe
PID 1164 wrote to memory of 572	1164	paint.net.5.0.2.install.anycpu.web.exe	SetupShim.exe
PID 1164 wrote to memory of 572	1164	paint.net.5.0.2.install.anycpu.web.exe	SetupShim.exe
PID 1164 wrote to memory of 572	1164	paint.net.5.0.2.install.anycpu.web.exe	SetupShim.exe
PID 1164 wrote to memory of 572	1164	paint.net.5.0.2.install.anycpu.web.exe	SetupShim.exe

C:\Users\Admin\AppData\Local\Temp\paint.net.5.0.2.install.anycpu.web.exe
"C:\Users\Admin\AppData\Local\Temp\paint.net.5.0.2.install.anycpu.web.exe"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1164

C:\Users\Admin\AppData\Local\Temp\7zSC8497F2C\SetupShim.exe
"C:\Users\Admin\AppData\Local\Temp\7zSC8497F2C\SetupShim.exe" /suppressReboot
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
PID:572

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

00:00 00:00

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSC8497F2C\SetupShim.exe
Filesize
136KB

MD5
db51c903838632898319669eb2271114

SHA1
25fa7935e834e56f7757321da7f84aad8d587eee

SHA256
babcd035c2f920004fcc922aa23c4fc55949b335b5e920bcec215a51c1e036d4

SHA512
a42fd32040317d351f98bf53e0832e1c9dfd7e1b45c5aba44dfbc79f25f88cc19dcb762410840cfa5cd63e8531496dfe25d63937af8758d712d06102e626fdbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC8497F2C\SetupShim.exe
Filesize
136KB

MD5
db51c903838632898319669eb2271114

SHA1
25fa7935e834e56f7757321da7f84aad8d587eee

SHA256
babcd035c2f920004fcc922aa23c4fc55949b335b5e920bcec215a51c1e036d4

SHA512
a42fd32040317d351f98bf53e0832e1c9dfd7e1b45c5aba44dfbc79f25f88cc19dcb762410840cfa5cd63e8531496dfe25d63937af8758d712d06102e626fdbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\pdnSetupShim.log
Filesize
291B

MD5
a08ed8f2fa650064c89e9a14a6376445

SHA1
a862264c32f9ada366dd2fc7af96a8af07b843b2

SHA256
caccdae3fd834042000005396b190e369b26e40ca3bac433fd2c554a9b294ebe

SHA512
00e91f36e555fa8c298a7ddf9f64541a878cb985002efdb31f727343bfa3667c1ae3f4ece28aa835b2c7681922ab04ac95cd7a6bfeee3dd1f374481ccb8a9f8e

Download Submit
\Users\Admin\AppData\Local\Temp\7zSC8497F2C\SetupShim.exe
Filesize
136KB

MD5
db51c903838632898319669eb2271114

SHA1
25fa7935e834e56f7757321da7f84aad8d587eee

SHA256
babcd035c2f920004fcc922aa23c4fc55949b335b5e920bcec215a51c1e036d4

SHA512
a42fd32040317d351f98bf53e0832e1c9dfd7e1b45c5aba44dfbc79f25f88cc19dcb762410840cfa5cd63e8531496dfe25d63937af8758d712d06102e626fdbb

Download Submit
\Users\Admin\AppData\Local\Temp\7zSC8497F2C\SetupShim.exe
Filesize
136KB

MD5
db51c903838632898319669eb2271114

SHA1
25fa7935e834e56f7757321da7f84aad8d587eee

SHA256
babcd035c2f920004fcc922aa23c4fc55949b335b5e920bcec215a51c1e036d4

SHA512
a42fd32040317d351f98bf53e0832e1c9dfd7e1b45c5aba44dfbc79f25f88cc19dcb762410840cfa5cd63e8531496dfe25d63937af8758d712d06102e626fdbb

Download Submit
\Users\Admin\AppData\Local\Temp\7zSC8497F2C\SetupShim.exe
Filesize
136KB

MD5
db51c903838632898319669eb2271114

SHA1
25fa7935e834e56f7757321da7f84aad8d587eee

SHA256
babcd035c2f920004fcc922aa23c4fc55949b335b5e920bcec215a51c1e036d4

SHA512
a42fd32040317d351f98bf53e0832e1c9dfd7e1b45c5aba44dfbc79f25f88cc19dcb762410840cfa5cd63e8531496dfe25d63937af8758d712d06102e626fdbb

Download Submit
\Users\Admin\AppData\Local\Temp\7zSC8497F2C\SetupShim.exe
Filesize
136KB

MD5
db51c903838632898319669eb2271114

SHA1
25fa7935e834e56f7757321da7f84aad8d587eee

SHA256
babcd035c2f920004fcc922aa23c4fc55949b335b5e920bcec215a51c1e036d4

SHA512
a42fd32040317d351f98bf53e0832e1c9dfd7e1b45c5aba44dfbc79f25f88cc19dcb762410840cfa5cd63e8531496dfe25d63937af8758d712d06102e626fdbb

Download Submit