79ba9f22e360abcd48c0c806213f6a2ec29a8830fd20e2a185f9218e239fd874

Analysis

max time kernel
21s
max time network
19s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
20-07-2023 14:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

paint.net.5.0.7.install.x64.exe
Size

62.3MB
MD5

6f86aae6d0ae5f9528dbb3f0e79c6b18
SHA1

b08e7584742aa1bfb0b4392137a5f5d5054c0407
SHA256

66699c704e29cddea138939d15975d148c5579921d2644436e6288fd1ed952d6
SHA512

e8188e775c6983c1486b0fbf12c816a8d0782ced4e28d2a6b70335998485a28689bbbe2fc0bb9a9f90f9b7c3607cadaaf54cd8e5fb2325ad99bb38a6be7e20eb
SSDEEP

1572864:mXR4eDZdsOA4k35+yJ+Tmz9OXBVUp3W/Zl8D:mB1e4q1JZzZp8Zl8D

Score

4^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

SetupShim.exe

pid process

2340 SetupShim.exe

pid	process
2340	SetupShim.exe

Loads dropped DLL 4 IoCs

Processes:

paint.net.5.0.7.install.x64.exe

pid	process
1732	paint.net.5.0.7.install.x64.exe
1732	paint.net.5.0.7.install.x64.exe
1732	paint.net.5.0.7.install.x64.exe
1732	paint.net.5.0.7.install.x64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

paint.net.5.0.7.install.x64.exe

description	pid	process	target process
PID 1732 wrote to memory of 2340	1732	paint.net.5.0.7.install.x64.exe	SetupShim.exe
PID 1732 wrote to memory of 2340	1732	paint.net.5.0.7.install.x64.exe	SetupShim.exe
PID 1732 wrote to memory of 2340	1732	paint.net.5.0.7.install.x64.exe	SetupShim.exe
PID 1732 wrote to memory of 2340	1732	paint.net.5.0.7.install.x64.exe	SetupShim.exe
PID 1732 wrote to memory of 2340	1732	paint.net.5.0.7.install.x64.exe	SetupShim.exe
PID 1732 wrote to memory of 2340	1732	paint.net.5.0.7.install.x64.exe	SetupShim.exe
PID 1732 wrote to memory of 2340	1732	paint.net.5.0.7.install.x64.exe	SetupShim.exe

C:\Users\Admin\AppData\Local\Temp\paint.net.5.0.7.install.x64.exe
"C:\Users\Admin\AppData\Local\Temp\paint.net.5.0.7.install.x64.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1732

C:\Users\Admin\AppData\Local\Temp\7zS4C65D3C6\SetupShim.exe
"C:\Users\Admin\AppData\Local\Temp\7zS4C65D3C6\SetupShim.exe" /suppressReboot
2⤵
- Executes dropped EXE
PID:2340

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS4C65D3C6\SetupShim.exe
Filesize
137KB

MD5
c418df22a5b498845690f5e1b85af0ef

SHA1
70172d659ebc32aa9542f880df73e25b5e22a2eb

SHA256
3f480d7ad95c97fb742647a4adb89574ffce2de793b4f0ab06354a87bc9717ee

SHA512
27745774d2cf8c21d833c57d58858e27213dfa58726fa2c2436e0e56fe55006f8f43f63646c8f0e22e7c16a4717cebc3fc364342b096c6267af30615173b6b46

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C65D3C6\SetupShim.exe
Filesize
137KB

MD5
c418df22a5b498845690f5e1b85af0ef

SHA1
70172d659ebc32aa9542f880df73e25b5e22a2eb

SHA256
3f480d7ad95c97fb742647a4adb89574ffce2de793b4f0ab06354a87bc9717ee

SHA512
27745774d2cf8c21d833c57d58858e27213dfa58726fa2c2436e0e56fe55006f8f43f63646c8f0e22e7c16a4717cebc3fc364342b096c6267af30615173b6b46

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C65D3C6\x64\PaintDotNet.Strings.3.co.resources
Filesize
178KB

MD5
75323dd2cf1cb773371b45f8df4c1d8b

SHA1
958760f83c75ba6cc61bd7e76e39052709057e53

SHA256
b7d22d4279550225e72d542c1df8c4b2549b17a079cdadb964fb6c1f3b3ca002

SHA512
f0663bdfef779ae992fc8d6ebd9913380cfc4eb4220962408accee095558a0b4c4501174ab3720763290097b999c17cce1bb566a05a32b9ed0ecd494e72d3cd1

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4C65D3C6\SetupShim.exe
Filesize
137KB

MD5
c418df22a5b498845690f5e1b85af0ef

SHA1
70172d659ebc32aa9542f880df73e25b5e22a2eb

SHA256
3f480d7ad95c97fb742647a4adb89574ffce2de793b4f0ab06354a87bc9717ee

SHA512
27745774d2cf8c21d833c57d58858e27213dfa58726fa2c2436e0e56fe55006f8f43f63646c8f0e22e7c16a4717cebc3fc364342b096c6267af30615173b6b46

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4C65D3C6\SetupShim.exe
Filesize
137KB

MD5
c418df22a5b498845690f5e1b85af0ef

SHA1
70172d659ebc32aa9542f880df73e25b5e22a2eb

SHA256
3f480d7ad95c97fb742647a4adb89574ffce2de793b4f0ab06354a87bc9717ee

SHA512
27745774d2cf8c21d833c57d58858e27213dfa58726fa2c2436e0e56fe55006f8f43f63646c8f0e22e7c16a4717cebc3fc364342b096c6267af30615173b6b46

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4C65D3C6\SetupShim.exe
Filesize
137KB

MD5
c418df22a5b498845690f5e1b85af0ef

SHA1
70172d659ebc32aa9542f880df73e25b5e22a2eb

SHA256
3f480d7ad95c97fb742647a4adb89574ffce2de793b4f0ab06354a87bc9717ee

SHA512
27745774d2cf8c21d833c57d58858e27213dfa58726fa2c2436e0e56fe55006f8f43f63646c8f0e22e7c16a4717cebc3fc364342b096c6267af30615173b6b46

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4C65D3C6\SetupShim.exe
Filesize
137KB

MD5
c418df22a5b498845690f5e1b85af0ef

SHA1
70172d659ebc32aa9542f880df73e25b5e22a2eb

SHA256
3f480d7ad95c97fb742647a4adb89574ffce2de793b4f0ab06354a87bc9717ee

SHA512
27745774d2cf8c21d833c57d58858e27213dfa58726fa2c2436e0e56fe55006f8f43f63646c8f0e22e7c16a4717cebc3fc364342b096c6267af30615173b6b46

Download Submit