General
-
Target
paint.net.5.0.2.install.anycpu.web.zip
-
Size
734KB
-
Sample
230312-cxtcsaed4t
-
MD5
e89beda41843c048e1ac4272433daa6c
-
SHA1
24137615dd6eaa6b465aae19966622f1c6be85c2
-
SHA256
ed96caac4a2ea5f3c8a295008cde2cafa667820254ae80a1cd87a9a494f0c739
-
SHA512
30b2c62cf1468afeb8ee8578dc7ccdf5413443bb1a010fec1813c576678a178349e66e4d6a0d00c209102ab460f33e7bb031e0ff1d686a77bc05dde6be2efb51
-
SSDEEP
12288:kR9mWOYb51N5r+pA9bvWlJ20xg7HWlAq3MCYLuiye+sCC2IcxM8uIcxff:kuYb51v+kzMJOYAqMCYLu7U6lyf
Malware Config
Targets
-
-
Target
paint.net.5.0.2.install.anycpu.web.exe
-
Size
1MB
-
MD5
6a5e8c6eec9ab6ed7088bc35739e52d5
-
SHA1
be77e05970628d62c65b0bd609ef7ab5bb705c8f
-
SHA256
9d3edf7ade8ce94aaa6038e894562229e002a86840835e573caf1116e7b928a5
-
SHA512
e56e5356bee8d6d942f1bee7acd0a31fa03f51a7614df6f7bcdec89ec26cc3e7ea686892325938e7156f23c78814e0a9f04eeff255853939b157004ed6c12ed0
-
SSDEEP
24576:7rYYYYkWYCzwLhA29pQCo7jIC0BuDgwf0z:7rYYYYkvLhA29piUDjwe
Score9/10-
CoreEntity .NET Packer
A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Registers COM server for autorun
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Discovery
Query Registry
4System Information Discovery
5Peripheral Device Discovery
2Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Registry Run Keys / Startup Folder
1Privilege Escalation