a1610aadbe46ecc5edaab820bb734e3a3e96a69fe143777e7a03d7543fa99b19

Analysis

max time kernel
31s
max time network
35s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
31-05-2023 12:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

paint.net.5.0.6.install.anycpu.web.exe
Size

1.1MB
MD5

ad52908c0129162b12c9ac3497032e7c
SHA1

11c2912e94b15c9fc28ce462a62bbbd2bb63fd54
SHA256

39211d308d7b2cf9a73f2fd86a3c6b0bddfb4aa1e07e91760bb1d34e045572b5
SHA512

bc3958687a6b9639bbddb07ea8c684dc2ccd210d7c04bed600c8598d1c3d2d3fdad2e23e9f51ec550224b1b9ecf08c48ae637feab5f23638d8a48d76a3230388
SSDEEP

24576:KcYYYYkKmCi9OVPcxWoxdIC0BuDgocCX65T:KcYYYYksi9OVPQhSDjok5T

Score

4^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

SetupShim.exe

pid process

2020 SetupShim.exe

pid	process
2020	SetupShim.exe

Loads dropped DLL 4 IoCs

Processes:

paint.net.5.0.6.install.anycpu.web.exe

pid	process
1048	paint.net.5.0.6.install.anycpu.web.exe
1048	paint.net.5.0.6.install.anycpu.web.exe
1048	paint.net.5.0.6.install.anycpu.web.exe
1048	paint.net.5.0.6.install.anycpu.web.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

paint.net.5.0.6.install.anycpu.web.exe

description	pid	process	target process
PID 1048 wrote to memory of 2020	1048	paint.net.5.0.6.install.anycpu.web.exe	SetupShim.exe
PID 1048 wrote to memory of 2020	1048	paint.net.5.0.6.install.anycpu.web.exe	SetupShim.exe
PID 1048 wrote to memory of 2020	1048	paint.net.5.0.6.install.anycpu.web.exe	SetupShim.exe
PID 1048 wrote to memory of 2020	1048	paint.net.5.0.6.install.anycpu.web.exe	SetupShim.exe
PID 1048 wrote to memory of 2020	1048	paint.net.5.0.6.install.anycpu.web.exe	SetupShim.exe
PID 1048 wrote to memory of 2020	1048	paint.net.5.0.6.install.anycpu.web.exe	SetupShim.exe
PID 1048 wrote to memory of 2020	1048	paint.net.5.0.6.install.anycpu.web.exe	SetupShim.exe

C:\Users\Admin\AppData\Local\Temp\paint.net.5.0.6.install.anycpu.web.exe
"C:\Users\Admin\AppData\Local\Temp\paint.net.5.0.6.install.anycpu.web.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1048

C:\Users\Admin\AppData\Local\Temp\7zS8141E56C\SetupShim.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8141E56C\SetupShim.exe" /suppressReboot
2⤵
- Executes dropped EXE
PID:2020

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS8141E56C\SetupShim.exe
Filesize
137KB

MD5
583f2dbfc70e9d21bac97ee8c2cd2f9c

SHA1
1ab837e3da7cec7ee167e313c868715a60c32b68

SHA256
d4487ae1b8e5e1d0dbcbf833dfa93a33dc6fcf9451def518ed8c42e4ec3a18b5

SHA512
9ecfdc5518ff5bbb5e6afc995b65247c39caafadae0a7f3fe73fa0102c43e88b0095b58918e2df806c1f071c3d000f5fbfbea398d4046a2f50005f8761d56a8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8141E56C\SetupShim.exe
Filesize
137KB

MD5
583f2dbfc70e9d21bac97ee8c2cd2f9c

SHA1
1ab837e3da7cec7ee167e313c868715a60c32b68

SHA256
d4487ae1b8e5e1d0dbcbf833dfa93a33dc6fcf9451def518ed8c42e4ec3a18b5

SHA512
9ecfdc5518ff5bbb5e6afc995b65247c39caafadae0a7f3fe73fa0102c43e88b0095b58918e2df806c1f071c3d000f5fbfbea398d4046a2f50005f8761d56a8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pdnSetupShim.log
Filesize
291B

MD5
a08ed8f2fa650064c89e9a14a6376445

SHA1
a862264c32f9ada366dd2fc7af96a8af07b843b2

SHA256
caccdae3fd834042000005396b190e369b26e40ca3bac433fd2c554a9b294ebe

SHA512
00e91f36e555fa8c298a7ddf9f64541a878cb985002efdb31f727343bfa3667c1ae3f4ece28aa835b2c7681922ab04ac95cd7a6bfeee3dd1f374481ccb8a9f8e

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8141E56C\SetupShim.exe
Filesize
137KB

MD5
583f2dbfc70e9d21bac97ee8c2cd2f9c

SHA1
1ab837e3da7cec7ee167e313c868715a60c32b68

SHA256
d4487ae1b8e5e1d0dbcbf833dfa93a33dc6fcf9451def518ed8c42e4ec3a18b5

SHA512
9ecfdc5518ff5bbb5e6afc995b65247c39caafadae0a7f3fe73fa0102c43e88b0095b58918e2df806c1f071c3d000f5fbfbea398d4046a2f50005f8761d56a8c

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8141E56C\SetupShim.exe
Filesize
137KB

MD5
583f2dbfc70e9d21bac97ee8c2cd2f9c

SHA1
1ab837e3da7cec7ee167e313c868715a60c32b68

SHA256
d4487ae1b8e5e1d0dbcbf833dfa93a33dc6fcf9451def518ed8c42e4ec3a18b5

SHA512
9ecfdc5518ff5bbb5e6afc995b65247c39caafadae0a7f3fe73fa0102c43e88b0095b58918e2df806c1f071c3d000f5fbfbea398d4046a2f50005f8761d56a8c

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8141E56C\SetupShim.exe
Filesize
137KB

MD5
583f2dbfc70e9d21bac97ee8c2cd2f9c

SHA1
1ab837e3da7cec7ee167e313c868715a60c32b68

SHA256
d4487ae1b8e5e1d0dbcbf833dfa93a33dc6fcf9451def518ed8c42e4ec3a18b5

SHA512
9ecfdc5518ff5bbb5e6afc995b65247c39caafadae0a7f3fe73fa0102c43e88b0095b58918e2df806c1f071c3d000f5fbfbea398d4046a2f50005f8761d56a8c

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8141E56C\SetupShim.exe
Filesize
137KB

MD5
583f2dbfc70e9d21bac97ee8c2cd2f9c

SHA1
1ab837e3da7cec7ee167e313c868715a60c32b68

SHA256
d4487ae1b8e5e1d0dbcbf833dfa93a33dc6fcf9451def518ed8c42e4ec3a18b5

SHA512
9ecfdc5518ff5bbb5e6afc995b65247c39caafadae0a7f3fe73fa0102c43e88b0095b58918e2df806c1f071c3d000f5fbfbea398d4046a2f50005f8761d56a8c

Download Submit