79ba9f22e360abcd48c0c806213f6a2ec29a8830fd20e2a185f9218e239fd874

Analysis

max time kernel
14s
max time network
21s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
20-07-2023 14:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

paint.net.5.0.7.install.x64.exe
Size

62.3MB
MD5

6f86aae6d0ae5f9528dbb3f0e79c6b18
SHA1

b08e7584742aa1bfb0b4392137a5f5d5054c0407
SHA256

66699c704e29cddea138939d15975d148c5579921d2644436e6288fd1ed952d6
SHA512

e8188e775c6983c1486b0fbf12c816a8d0782ced4e28d2a6b70335998485a28689bbbe2fc0bb9a9f90f9b7c3607cadaaf54cd8e5fb2325ad99bb38a6be7e20eb
SSDEEP

1572864:mXR4eDZdsOA4k35+yJ+Tmz9OXBVUp3W/Zl8D:mB1e4q1JZzZp8Zl8D

Score

4^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

SetupShim.exe

pid process

1832 SetupShim.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

SetupShim.exe

pid process

1832 SetupShim.exe

pid	process
1832	SetupShim.exe

pid	process
1832	SetupShim.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

paint.net.5.0.7.install.x64.exe

description	pid	process	target process
PID 1888 wrote to memory of 1832	1888	paint.net.5.0.7.install.x64.exe	SetupShim.exe
PID 1888 wrote to memory of 1832	1888	paint.net.5.0.7.install.x64.exe	SetupShim.exe
PID 1888 wrote to memory of 1832	1888	paint.net.5.0.7.install.x64.exe	SetupShim.exe

C:\Users\Admin\AppData\Local\Temp\paint.net.5.0.7.install.x64.exe
"C:\Users\Admin\AppData\Local\Temp\paint.net.5.0.7.install.x64.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1888

C:\Users\Admin\AppData\Local\Temp\7zS067839B7\SetupShim.exe
"C:\Users\Admin\AppData\Local\Temp\7zS067839B7\SetupShim.exe" /suppressReboot
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1832

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS067839B7\SetupShim.exe
Filesize
137KB

MD5
c418df22a5b498845690f5e1b85af0ef

SHA1
70172d659ebc32aa9542f880df73e25b5e22a2eb

SHA256
3f480d7ad95c97fb742647a4adb89574ffce2de793b4f0ab06354a87bc9717ee

SHA512
27745774d2cf8c21d833c57d58858e27213dfa58726fa2c2436e0e56fe55006f8f43f63646c8f0e22e7c16a4717cebc3fc364342b096c6267af30615173b6b46

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS067839B7\SetupShim.exe
Filesize
137KB

MD5
c418df22a5b498845690f5e1b85af0ef

SHA1
70172d659ebc32aa9542f880df73e25b5e22a2eb

SHA256
3f480d7ad95c97fb742647a4adb89574ffce2de793b4f0ab06354a87bc9717ee

SHA512
27745774d2cf8c21d833c57d58858e27213dfa58726fa2c2436e0e56fe55006f8f43f63646c8f0e22e7c16a4717cebc3fc364342b096c6267af30615173b6b46

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS067839B7\x64\PaintDotNet.Strings.3.co.resources
Filesize
178KB

MD5
75323dd2cf1cb773371b45f8df4c1d8b

SHA1
958760f83c75ba6cc61bd7e76e39052709057e53

SHA256
b7d22d4279550225e72d542c1df8c4b2549b17a079cdadb964fb6c1f3b3ca002

SHA512
f0663bdfef779ae992fc8d6ebd9913380cfc4eb4220962408accee095558a0b4c4501174ab3720763290097b999c17cce1bb566a05a32b9ed0ecd494e72d3cd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\pdnSetupShim.log
Filesize
291B

MD5
a08ed8f2fa650064c89e9a14a6376445

SHA1
a862264c32f9ada366dd2fc7af96a8af07b843b2

SHA256
caccdae3fd834042000005396b190e369b26e40ca3bac433fd2c554a9b294ebe

SHA512
00e91f36e555fa8c298a7ddf9f64541a878cb985002efdb31f727343bfa3667c1ae3f4ece28aa835b2c7681922ab04ac95cd7a6bfeee3dd1f374481ccb8a9f8e

Download Submit