Overview

overview

10

Static

static

10

cc552bed96...e1.exe

windows7-x64

10

cc552bed96...e1.exe

windows10-2004-x64

10

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

PaintDotNet.Base.dll

windows7-x64

1

PaintDotNet.Base.dll

windows10-2004-x64

1

PaintDotNet.Core.dll

windows7-x64

1

PaintDotNet.Core.dll

windows10-2004-x64

1

PaintDotNet.Data.dll

windows7-x64

1

PaintDotNet.Data.dll

windows10-2004-x64

1

PaintDotNe...rk.dll

windows7-x64

1

PaintDotNe...rk.dll

windows10-2004-x64

1

PaintDotNe...es.dll

windows7-x64

1

PaintDotNe...es.dll

windows10-2004-x64

1

PaintDotNe...er.dll

windows7-x64

1

PaintDotNe...er.dll

windows10-2004-x64

1

PaintDotNet.exe

windows7-x64

1

PaintDotNet.exe

windows10-2004-x64

1

PaintDotNet_x64.msi

windows7-x64

6

PaintDotNet_x64.msi

windows10-2004-x64

6

PaintDotNet_x86.msi

windows7-x64

6

PaintDotNet_x86.msi

windows10-2004-x64

6

SetupFrontEnd.exe

windows7-x64

1

SetupFrontEnd.exe

windows10-2004-x64

1

SetupShim.exe

windows7-x64

1

SetupShim.exe

windows10-2004-x64

1

System.Buffers.dll

windows7-x64

1

System.Buffers.dll

windows10-2004-x64

1

System.Col...le.dll

windows7-x64

1

System.Col...le.dll

windows10-2004-x64

1

System.Memory.dll

windows7-x64

1

System.Memory.dll

windows10-2004-x64

1

Analysis

  • max time kernel
    119s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    15-03-2024 20:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PaintDotNet_x64.msi

  • Size

    56.2MB

  • MD5

    b8ddb9faed245ef388db48364cab8fe7

  • SHA1

    515a8742c7d9163e717d4588a2654896923012fb

  • SHA256

    aa0b8df129122d767a7f711a0bd7a5fc838d2acad09f6890dcd209cf875973be

  • SHA512

    8324fcc465be44f47fa4bffece7195b31af45c19df30c57c4e0387841ef351ceb3dba06e6aa0ba66872cbd5bc06431512f7ffdad5b366e47b5261b95df96a621

  • SSDEEP

    393216:d7wMnozGuRlM7PZiKXOqCdALhOhuo6km1YvjcMpE9BiS+mFESSbQSnHtDTLu5ZWE:d79MnIiKH8nu63pbH4OO

Score
6/10

Malware Config

Signatures

  • Blocklisted process makes network request 5 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 7 IoCs
  • Loads dropped DLL 2 IoCs
  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious use of AdjustPrivilegeToken 55 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\PaintDotNet_x64.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1880
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2452
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding C15203D9BA38D081398EBB2EB6C75E74
      2⤵
      • Loads dropped DLL
      PID:2664
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2796
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000578" "00000000000005B0"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:1936

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_E6095CD2AECC9011BCD0D7B421356B17
    Filesize

    2KB

    MD5

    7f304f88a9ec859c3ec129d4d1e5f12c

    SHA1

    3bc010dc12415bb2668f775b9c7cfb780a244e07

    SHA256

    20019ca117478f5a78d4d28d39c454fc9f5d577780edba0499e752cd0fcd041d

    SHA512

    95ba947677eb171fa8af549f4452f5467153e4c727af43d2e73685b88f0b9038a3e3ee3a960501a39b39e88bc9a6fe1ae8e0d29acb4a118576eb606568e39bfa

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    67KB

    MD5

    753df6889fd7410a2e9fe333da83a429

    SHA1

    3c425f16e8267186061dd48ac1c77c122962456e

    SHA256

    b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

    SHA512

    9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
    Filesize

    1KB

    MD5

    169257ee1dae792fa516b7ee24fdbf6d

    SHA1

    749debd32071e052889110b6e2672ed0f7a0239f

    SHA256

    5c2d0b615f51c090e6afa909d6612573b902d06582db619452d6443463e9ab45

    SHA512

    ee0e15925c925452250c6d3a3a06c330257411d12708c98ed7ecee74792e977bb103f3572e1e585648fdd57865ef0718e601d63a70d8605fafecf1f4d4c2a16b

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D7833C286363AD25C70511661A83D581_0074F282EF1707B4127B4440C07CA094
    Filesize

    510B

    MD5

    75bfab5db99d3a568718a5579d2ff770

    SHA1

    57e820ba6726f9b2b6c7967e6d4ca9e10e29995e

    SHA256

    028d247d354834f0802009e505ff0dc6a0b5d768ab0a9cea73508c0a0854bf7a

    SHA512

    45c4fa4d31f697a67fc8695ca802a3ac6880240e4c70a08fc1c01bae8c80dfd6037cc2e7546d2eeb3e44233de2b598a213b62ada64bfa157f78dfb65ec3aa04e

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
    Filesize

    1KB

    MD5

    a266bb7dcc38a562631361bbf61dd11b

    SHA1

    3b1efd3a66ea28b16697394703a72ca340a05bd5

    SHA256

    df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

    SHA512

    0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_E6095CD2AECC9011BCD0D7B421356B17
    Filesize

    488B

    MD5

    ae4eb7a37652a3a003013c84a3257e33

    SHA1

    d3901e8cf9001e13c1a303e02ad6f56c58c51fee

    SHA256

    3e211e761b799f34d98f4845a30b46018597545bbcbcc86ccc829d75f3b4c748

    SHA512

    49586926716fa4d4a8c3d0ba94fc0b24ffcb51b1dc5ea90ff45086297320bc4e82e276676ece2277b3c7eface6d2b730fa723496c3297b44ae7ce026dfe684c6

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    edcd5c7c1e073dc70baf07d2f5fa696f

    SHA1

    45f2e773ec9f47b24af7c9f2973527c59677a04b

    SHA256

    0c6583e9cdf6a8c8f461d65ac6ab8a34e8464d74ab0ce8cfe96c3bb1e22358dc

    SHA512

    dd0206bd2b4e5966dc04f1ba50e110f8a21dc3d3c5f936a1158fc369af86d6634245bc66512208e80530ab5c202e467395496bec11f40ae944f449b0e5d54330

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
    Filesize

    482B

    MD5

    ab39a0bdab098c92da2f88f4fbca6bf7

    SHA1

    bf31ddbc569ccfac8f2ebd20145a591483e698c9

    SHA256

    7531e36197b33c9f79a1f4e5f493a9446d0b5624bb6aaceb2e0e763b52f29d75

    SHA512

    4181b35ef2510bca269287c524b0004bd25133984c08ec1dd6bd7b6030f54fbd560f285b38ebe19deaf41d748da44b40d00540145449343d7ab2176cec79958a

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D7833C286363AD25C70511661A83D581_0074F282EF1707B4127B4440C07CA094
    Filesize

    484B

    MD5

    97e39a0e6191198a42f40a094b0ebbe1

    SHA1

    9496c1557bc68665bf9f23aaf204ba9e7b5f4704

    SHA256

    e2ada3da0133b26875b54e26ff3bd5962b2b54be6da831b677b0b6fbab817d0a

    SHA512

    d84de9f03aef20c855eeb85272e0a94d3a1a14e7f475f0730f7dd228a37b097d7c7c46451b6e91ce9b4e4ea4dc9fe48270562906f515920f56fcd22ca1a2e688

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
    Filesize

    242B

    MD5

    c5afd381f1ef9d13b53c27d7b3a36b3c

    SHA1

    fe9400c8a6b77342b04d9637cbb8c2e4eb0ce3e9

    SHA256

    65c5f0996db246e77e3c5fb13677285388b99145821a7912c50daedcffe75f19

    SHA512

    96ab54fd7cf993a16173e9c72d7cfb2c08b6ac6f2bce7eadc126f5a1ff4f9e2b85adbc5db0fa5151e6a95456bfc7b58707682a5ec656969de927a0b18b6ea88f

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Tar2541.tmp
    Filesize

    175KB

    MD5

    dd73cead4b93366cf3465c8cd32e2796

    SHA1

    74546226dfe9ceb8184651e920d1dbfb432b314e

    SHA256

    a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

    SHA512

    ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

    Download Submit
  • C:\Windows\Installer\MSI454C.tmp
    Filesize

    298KB

    MD5

    373e46a1e858b6a10432d589de09732f

    SHA1

    26e71b5373999a23eb6e2a282de3683dd9d698b5

    SHA256

    0357b1185454d1a7d0c72de5af8e82a2185c0f1e52fb2d21b53e149d0a688041

    SHA512

    9b83f10f5e1cbe8ff97a5ead0ca02fce5f58e6e573077d2293f5c34e8d894836dd8e2a6b1dcdfa6c98f156704208f85e8595046527adab3fbe831236c71aaef8

    Download Submit