a6b2f32c2116609ca28a1ccbe4a0f7d9c042700b6160885040e6123730ae4043

Analysis

max time kernel
122s
max time network
125s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
21/07/2023, 15:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

paint.net.5.0.7.install.anycpu.web.exe
Size

1.1MB
MD5

f4b2ce7c88db5ee4a2f5a9c7408ddaa3
SHA1

6e81fed3105eb5445fe39b32641b9e9b4bd55944
SHA256

a6b2f32c2116609ca28a1ccbe4a0f7d9c042700b6160885040e6123730ae4043
SHA512

93b91ce18f37e73e39ca17dd47a9666f2b57944394d9b9fb218e0f92893086b3400eb6053ef076347179c13bff41de11f95d6078dfc627700b23b3cc4e091e89
SSDEEP

24576:XcYYYYkKmCi9OVPcxyox8JT6F18UVvCl1q:XcYYYYksi9OVPQ18JTSTorq

Score

4^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1284	SetupShim.exe

Loads dropped DLL 4 IoCs

pid	Process
2032	paint.net.5.0.7.install.anycpu.web.exe
2032	paint.net.5.0.7.install.anycpu.web.exe
2032	paint.net.5.0.7.install.anycpu.web.exe
2032	paint.net.5.0.7.install.anycpu.web.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1284	SetupShim.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 1284	2032	paint.net.5.0.7.install.anycpu.web.exe	28
PID 2032 wrote to memory of 1284	2032	paint.net.5.0.7.install.anycpu.web.exe	28
PID 2032 wrote to memory of 1284	2032	paint.net.5.0.7.install.anycpu.web.exe	28
PID 2032 wrote to memory of 1284	2032	paint.net.5.0.7.install.anycpu.web.exe	28
PID 2032 wrote to memory of 1284	2032	paint.net.5.0.7.install.anycpu.web.exe	28
PID 2032 wrote to memory of 1284	2032	paint.net.5.0.7.install.anycpu.web.exe	28
PID 2032 wrote to memory of 1284	2032	paint.net.5.0.7.install.anycpu.web.exe	28

C:\Users\Admin\AppData\Local\Temp\paint.net.5.0.7.install.anycpu.web.exe
"C:\Users\Admin\AppData\Local\Temp\paint.net.5.0.7.install.anycpu.web.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Users\Admin\AppData\Local\Temp\7zS0F7FA096\SetupShim.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS0F7FA096\SetupShim.exe" /suppressReboot
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS0F7FA096\SetupShim.exe

Filesize
137KB

MD5
c418df22a5b498845690f5e1b85af0ef

SHA1
70172d659ebc32aa9542f880df73e25b5e22a2eb

SHA256
3f480d7ad95c97fb742647a4adb89574ffce2de793b4f0ab06354a87bc9717ee

SHA512
27745774d2cf8c21d833c57d58858e27213dfa58726fa2c2436e0e56fe55006f8f43f63646c8f0e22e7c16a4717cebc3fc364342b096c6267af30615173b6b46

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0F7FA096\SetupShim.exe

Filesize
137KB

MD5
c418df22a5b498845690f5e1b85af0ef

SHA1
70172d659ebc32aa9542f880df73e25b5e22a2eb

SHA256
3f480d7ad95c97fb742647a4adb89574ffce2de793b4f0ab06354a87bc9717ee

SHA512
27745774d2cf8c21d833c57d58858e27213dfa58726fa2c2436e0e56fe55006f8f43f63646c8f0e22e7c16a4717cebc3fc364342b096c6267af30615173b6b46

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0F7FA096\SetupShim.exe

Filesize
137KB

MD5
c418df22a5b498845690f5e1b85af0ef

SHA1
70172d659ebc32aa9542f880df73e25b5e22a2eb

SHA256
3f480d7ad95c97fb742647a4adb89574ffce2de793b4f0ab06354a87bc9717ee

SHA512
27745774d2cf8c21d833c57d58858e27213dfa58726fa2c2436e0e56fe55006f8f43f63646c8f0e22e7c16a4717cebc3fc364342b096c6267af30615173b6b46

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0F7FA096\SetupShim.exe

Filesize
137KB

MD5
c418df22a5b498845690f5e1b85af0ef

SHA1
70172d659ebc32aa9542f880df73e25b5e22a2eb

SHA256
3f480d7ad95c97fb742647a4adb89574ffce2de793b4f0ab06354a87bc9717ee

SHA512
27745774d2cf8c21d833c57d58858e27213dfa58726fa2c2436e0e56fe55006f8f43f63646c8f0e22e7c16a4717cebc3fc364342b096c6267af30615173b6b46

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0F7FA096\SetupShim.exe

Filesize
137KB

MD5
c418df22a5b498845690f5e1b85af0ef

SHA1
70172d659ebc32aa9542f880df73e25b5e22a2eb

SHA256
3f480d7ad95c97fb742647a4adb89574ffce2de793b4f0ab06354a87bc9717ee

SHA512
27745774d2cf8c21d833c57d58858e27213dfa58726fa2c2436e0e56fe55006f8f43f63646c8f0e22e7c16a4717cebc3fc364342b096c6267af30615173b6b46

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0F7FA096\SetupShim.exe

Filesize
137KB

MD5
c418df22a5b498845690f5e1b85af0ef

SHA1
70172d659ebc32aa9542f880df73e25b5e22a2eb

SHA256
3f480d7ad95c97fb742647a4adb89574ffce2de793b4f0ab06354a87bc9717ee

SHA512
27745774d2cf8c21d833c57d58858e27213dfa58726fa2c2436e0e56fe55006f8f43f63646c8f0e22e7c16a4717cebc3fc364342b096c6267af30615173b6b46

Download Submit