Overview
overview
10Static
static
10cc552bed96...e1.exe
windows7-x64
10cc552bed96...e1.exe
windows10-2004-x64
10$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3PaintDotNet.Base.dll
windows7-x64
1PaintDotNet.Base.dll
windows10-2004-x64
1PaintDotNet.Core.dll
windows7-x64
1PaintDotNet.Core.dll
windows10-2004-x64
1PaintDotNet.Data.dll
windows7-x64
1PaintDotNet.Data.dll
windows10-2004-x64
1PaintDotNe...rk.dll
windows7-x64
1PaintDotNe...rk.dll
windows10-2004-x64
1PaintDotNe...es.dll
windows7-x64
1PaintDotNe...es.dll
windows10-2004-x64
1PaintDotNe...er.dll
windows7-x64
1PaintDotNe...er.dll
windows10-2004-x64
1PaintDotNet.exe
windows7-x64
1PaintDotNet.exe
windows10-2004-x64
1PaintDotNet_x64.msi
windows7-x64
6PaintDotNet_x64.msi
windows10-2004-x64
6PaintDotNet_x86.msi
windows7-x64
6PaintDotNet_x86.msi
windows10-2004-x64
6SetupFrontEnd.exe
windows7-x64
1SetupFrontEnd.exe
windows10-2004-x64
1SetupShim.exe
windows7-x64
1SetupShim.exe
windows10-2004-x64
1System.Buffers.dll
windows7-x64
1System.Buffers.dll
windows10-2004-x64
1System.Col...le.dll
windows7-x64
1System.Col...le.dll
windows10-2004-x64
1System.Memory.dll
windows7-x64
1System.Memory.dll
windows10-2004-x64
1Analysis
-
max time kernel
142s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
15-03-2024 20:16
Behavioral task
behavioral1
Sample
cc552bed9629fe4d9f2d6d60120bc8e1.exe
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral2
Sample
cc552bed9629fe4d9f2d6d60120bc8e1.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
PaintDotNet.Base.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral6
Sample
PaintDotNet.Base.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
PaintDotNet.Core.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral8
Sample
PaintDotNet.Core.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
PaintDotNet.Data.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral10
Sample
PaintDotNet.Data.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
PaintDotNet.Framework.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral12
Sample
PaintDotNet.Framework.dll
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
PaintDotNet.Resources.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral14
Sample
PaintDotNet.Resources.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
PaintDotNet.SystemLayer.dll
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral16
Sample
PaintDotNet.SystemLayer.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
PaintDotNet.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral18
Sample
PaintDotNet.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
PaintDotNet_x64.msi
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral20
Sample
PaintDotNet_x64.msi
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
PaintDotNet_x86.msi
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral22
Sample
PaintDotNet_x86.msi
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
SetupFrontEnd.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral24
Sample
SetupFrontEnd.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
SetupShim.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral26
Sample
SetupShim.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
System.Buffers.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral28
Sample
System.Buffers.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
System.Collections.Immutable.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral30
Sample
System.Collections.Immutable.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
System.Memory.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral32
Sample
System.Memory.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
General
-
Target
PaintDotNet_x64.msi
-
Size
56.2MB
-
MD5
b8ddb9faed245ef388db48364cab8fe7
-
SHA1
515a8742c7d9163e717d4588a2654896923012fb
-
SHA256
aa0b8df129122d767a7f711a0bd7a5fc838d2acad09f6890dcd209cf875973be
-
SHA512
8324fcc465be44f47fa4bffece7195b31af45c19df30c57c4e0387841ef351ceb3dba06e6aa0ba66872cbd5bc06431512f7ffdad5b366e47b5261b95df96a621
-
SSDEEP
393216:d7wMnozGuRlM7PZiKXOqCdALhOhuo6km1YvjcMpE9BiS+mFESSbQSnHtDTLu5ZWE:d79MnIiKH8nu63pbH4OO
Malware Config
Signatures
-
Blocklisted process makes network request 4 IoCs
flow pid Process 23 4936 msiexec.exe 27 4936 msiexec.exe 29 4936 msiexec.exe 33 4936 msiexec.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\K: msiexec.exe -
Drops file in Windows directory 5 IoCs
description ioc Process File opened for modification C:\Windows\Installer\MSIA4CC.tmp msiexec.exe File created C:\Windows\Installer\e57a1be.msi msiexec.exe File opened for modification C:\Windows\Installer\e57a1be.msi msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\MSIA2C8.tmp msiexec.exe -
Loads dropped DLL 2 IoCs
pid Process 2064 MsiExec.exe 2064 MsiExec.exe -
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000007667065a040ee7130000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800007667065a0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809007667065a000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d7667065a000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000007667065a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe -
Suspicious use of AdjustPrivilegeToken 51 IoCs
description pid Process Token: SeShutdownPrivilege 4936 msiexec.exe Token: SeIncreaseQuotaPrivilege 4936 msiexec.exe Token: SeSecurityPrivilege 2508 msiexec.exe Token: SeCreateTokenPrivilege 4936 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 4936 msiexec.exe Token: SeLockMemoryPrivilege 4936 msiexec.exe Token: SeIncreaseQuotaPrivilege 4936 msiexec.exe Token: SeMachineAccountPrivilege 4936 msiexec.exe Token: SeTcbPrivilege 4936 msiexec.exe Token: SeSecurityPrivilege 4936 msiexec.exe Token: SeTakeOwnershipPrivilege 4936 msiexec.exe Token: SeLoadDriverPrivilege 4936 msiexec.exe Token: SeSystemProfilePrivilege 4936 msiexec.exe Token: SeSystemtimePrivilege 4936 msiexec.exe Token: SeProfSingleProcessPrivilege 4936 msiexec.exe Token: SeIncBasePriorityPrivilege 4936 msiexec.exe Token: SeCreatePagefilePrivilege 4936 msiexec.exe Token: SeCreatePermanentPrivilege 4936 msiexec.exe Token: SeBackupPrivilege 4936 msiexec.exe Token: SeRestorePrivilege 4936 msiexec.exe Token: SeShutdownPrivilege 4936 msiexec.exe Token: SeDebugPrivilege 4936 msiexec.exe Token: SeAuditPrivilege 4936 msiexec.exe Token: SeSystemEnvironmentPrivilege 4936 msiexec.exe Token: SeChangeNotifyPrivilege 4936 msiexec.exe Token: SeRemoteShutdownPrivilege 4936 msiexec.exe Token: SeUndockPrivilege 4936 msiexec.exe Token: SeSyncAgentPrivilege 4936 msiexec.exe Token: SeEnableDelegationPrivilege 4936 msiexec.exe Token: SeManageVolumePrivilege 4936 msiexec.exe Token: SeImpersonatePrivilege 4936 msiexec.exe Token: SeCreateGlobalPrivilege 4936 msiexec.exe Token: SeBackupPrivilege 2816 vssvc.exe Token: SeRestorePrivilege 2816 vssvc.exe Token: SeAuditPrivilege 2816 vssvc.exe Token: SeBackupPrivilege 2508 msiexec.exe Token: SeRestorePrivilege 2508 msiexec.exe Token: SeRestorePrivilege 2508 msiexec.exe Token: SeTakeOwnershipPrivilege 2508 msiexec.exe Token: SeRestorePrivilege 2508 msiexec.exe Token: SeTakeOwnershipPrivilege 2508 msiexec.exe Token: SeRestorePrivilege 2508 msiexec.exe Token: SeTakeOwnershipPrivilege 2508 msiexec.exe Token: SeBackupPrivilege 3052 srtasks.exe Token: SeRestorePrivilege 3052 srtasks.exe Token: SeSecurityPrivilege 3052 srtasks.exe Token: SeTakeOwnershipPrivilege 3052 srtasks.exe Token: SeBackupPrivilege 3052 srtasks.exe Token: SeRestorePrivilege 3052 srtasks.exe Token: SeSecurityPrivilege 3052 srtasks.exe Token: SeTakeOwnershipPrivilege 3052 srtasks.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 4936 msiexec.exe 4936 msiexec.exe -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 2508 wrote to memory of 3052 2508 msiexec.exe 101 PID 2508 wrote to memory of 3052 2508 msiexec.exe 101 PID 2508 wrote to memory of 2064 2508 msiexec.exe 103 PID 2508 wrote to memory of 2064 2508 msiexec.exe 103 PID 2508 wrote to memory of 2064 2508 msiexec.exe 103 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\PaintDotNet_x64.msi1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4936
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵
- Suspicious use of AdjustPrivilegeToken
PID:3052
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 2BE9D3DC9C9665D6C08D40C1AD954C442⤵
- Loads dropped DLL
PID:2064
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2816
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_E6095CD2AECC9011BCD0D7B421356B17
Filesize2KB
MD57f304f88a9ec859c3ec129d4d1e5f12c
SHA13bc010dc12415bb2668f775b9c7cfb780a244e07
SHA25620019ca117478f5a78d4d28d39c454fc9f5d577780edba0499e752cd0fcd041d
SHA51295ba947677eb171fa8af549f4452f5467153e4c727af43d2e73685b88f0b9038a3e3ee3a960501a39b39e88bc9a6fe1ae8e0d29acb4a118576eb606568e39bfa
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize1KB
MD5169257ee1dae792fa516b7ee24fdbf6d
SHA1749debd32071e052889110b6e2672ed0f7a0239f
SHA2565c2d0b615f51c090e6afa909d6612573b902d06582db619452d6443463e9ab45
SHA512ee0e15925c925452250c6d3a3a06c330257411d12708c98ed7ecee74792e977bb103f3572e1e585648fdd57865ef0718e601d63a70d8605fafecf1f4d4c2a16b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D7833C286363AD25C70511661A83D581_0074F282EF1707B4127B4440C07CA094
Filesize510B
MD575bfab5db99d3a568718a5579d2ff770
SHA157e820ba6726f9b2b6c7967e6d4ca9e10e29995e
SHA256028d247d354834f0802009e505ff0dc6a0b5d768ab0a9cea73508c0a0854bf7a
SHA51245c4fa4d31f697a67fc8695ca802a3ac6880240e4c70a08fc1c01bae8c80dfd6037cc2e7546d2eeb3e44233de2b598a213b62ada64bfa157f78dfb65ec3aa04e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_E6095CD2AECC9011BCD0D7B421356B17
Filesize488B
MD579cb442e0db59474868530fe590fc756
SHA172f439e8f83efd76a612abc9452d6f75046a9939
SHA256b788e384936bf211a0cf0f4f5e676473b8b5763b3597d1178a7e60e4a461b23b
SHA512b4d47f466d876614a21d0c6a896955ecb983fbfb0e082a499d4b56869c58e809c2547b0c9b4b9c9f76802aab62d808a10f0a2159e402e4bb7e8f9dec7cc3fe47
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize482B
MD5709c9e3f9ed517a86ca7073b84fe7684
SHA1096b9bd2810001ede22303b5b83b93e6947dc6d8
SHA2569ab12c2063aa860b0b280fe618e430fe2a184958ffb34f907081edcea4c3e4d4
SHA51289f706399d069e7ef8a23a6ce5dc88149e778de6628e797351f74444fae5ae9eb8e6667aa869340fd6ab8f338972465befb1e376a228961357016d64c0ef4960
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D7833C286363AD25C70511661A83D581_0074F282EF1707B4127B4440C07CA094
Filesize484B
MD5671561bae44b1cba295de683910056a7
SHA10ca84de24cd38d75aee3725a3694af25f9db23a3
SHA25615a874ff2d480953f6eaa9250822182c79ab9835491be61678d13d6a29d4204a
SHA512987b022c07c46c2b10773a1b86ad8d618829d0495facc04db9b8aee89749274de85600f8cd1532b8dbc82d97ac3e6ff10ca6e6149fc4580db6561a1e44497cbb
-
Filesize
298KB
MD5373e46a1e858b6a10432d589de09732f
SHA126e71b5373999a23eb6e2a282de3683dd9d698b5
SHA2560357b1185454d1a7d0c72de5af8e82a2185c0f1e52fb2d21b53e149d0a688041
SHA5129b83f10f5e1cbe8ff97a5ead0ca02fce5f58e6e573077d2293f5c34e8d894836dd8e2a6b1dcdfa6c98f156704208f85e8595046527adab3fbe831236c71aaef8
-
Filesize
23.7MB
MD523a5838fd46ca9f6ed0e6567d8cb3521
SHA10a0202fa92984e170c623ab8eaaee63bd79a9b0f
SHA256ab96d879ee26220deb62486216788ca64f15820e154eefb900ee9411575a8241
SHA5122e4a6714dd9f6352d419fd36637f5a27e2dd65dec58473fa3cdfa566cd300faf9b3a953f48ce34d988614b438d38375565fc8af1474a7d28a59d7ca25639d6e0
-
\??\Volume{5a066776-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{cd8ad20f-fa7e-4568-997d-b0d23b80f3af}_OnDiskSnapshotProp
Filesize6KB
MD59f4b1f89fd14bed5542c9fbda67a7235
SHA15facfe59c5509f931ea292a0f5de274902ece63e
SHA256d79a3063263df84df25b67a1641dc306f37bab61d3430850e009ba762a1e83d6
SHA5121ecf23be4e7f8e974120cc481dd321f15f0d6f5cff8ced8d11ffeb318c4daca579422cade7a9f5c7b206ca7ded383bda54813b786fb6f4f31660afd01c0210e3