c4cdaa6cfc97a3ba8c70fe676cbcf5fa2280a616aad83b51f587d57f1764e7e0

Analysis

max time kernel
142s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15-03-2024 20:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PaintDotNet_x64.msi
Size

56.2MB
MD5

b8ddb9faed245ef388db48364cab8fe7
SHA1

515a8742c7d9163e717d4588a2654896923012fb
SHA256

aa0b8df129122d767a7f711a0bd7a5fc838d2acad09f6890dcd209cf875973be
SHA512

8324fcc465be44f47fa4bffece7195b31af45c19df30c57c4e0387841ef351ceb3dba06e6aa0ba66872cbd5bc06431512f7ffdad5b366e47b5261b95df96a621
SSDEEP

393216:d7wMnozGuRlM7PZiKXOqCdALhOhuo6km1YvjcMpE9BiS+mFESSbQSnHtDTLu5ZWE:d79MnIiKH8nu63pbH4OO

Score

6^/10

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

Processes:

msiexec.exe

flow pid process

23 4936 msiexec.exe
27 4936 msiexec.exe
29 4936 msiexec.exe
33 4936 msiexec.exe

flow	pid	process
23	4936	msiexec.exe
27	4936	msiexec.exe
29	4936	msiexec.exe
33	4936	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe

Drops file in Windows directory 5 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSIA4CC.tmp	msiexec.exe
File created	C:\Windows\Installer\e57a1be.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57a1be.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA2C8.tmp	msiexec.exe

Loads dropped DLL 2 IoCs

Processes:

MsiExec.exe

pid process

2064 MsiExec.exe
2064 MsiExec.exe

pid	process
2064	MsiExec.exe
2064	MsiExec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000007667065a040ee7130000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800007667065a0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809007667065a000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d7667065a000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000007667065a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exesrtasks.exe

description	pid	process
Token: SeShutdownPrivilege	4936	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4936	msiexec.exe
Token: SeSecurityPrivilege	2508	msiexec.exe
Token: SeCreateTokenPrivilege	4936	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4936	msiexec.exe
Token: SeLockMemoryPrivilege	4936	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4936	msiexec.exe
Token: SeMachineAccountPrivilege	4936	msiexec.exe
Token: SeTcbPrivilege	4936	msiexec.exe
Token: SeSecurityPrivilege	4936	msiexec.exe
Token: SeTakeOwnershipPrivilege	4936	msiexec.exe
Token: SeLoadDriverPrivilege	4936	msiexec.exe
Token: SeSystemProfilePrivilege	4936	msiexec.exe
Token: SeSystemtimePrivilege	4936	msiexec.exe
Token: SeProfSingleProcessPrivilege	4936	msiexec.exe
Token: SeIncBasePriorityPrivilege	4936	msiexec.exe
Token: SeCreatePagefilePrivilege	4936	msiexec.exe
Token: SeCreatePermanentPrivilege	4936	msiexec.exe
Token: SeBackupPrivilege	4936	msiexec.exe
Token: SeRestorePrivilege	4936	msiexec.exe
Token: SeShutdownPrivilege	4936	msiexec.exe
Token: SeDebugPrivilege	4936	msiexec.exe
Token: SeAuditPrivilege	4936	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4936	msiexec.exe
Token: SeChangeNotifyPrivilege	4936	msiexec.exe
Token: SeRemoteShutdownPrivilege	4936	msiexec.exe
Token: SeUndockPrivilege	4936	msiexec.exe
Token: SeSyncAgentPrivilege	4936	msiexec.exe
Token: SeEnableDelegationPrivilege	4936	msiexec.exe
Token: SeManageVolumePrivilege	4936	msiexec.exe
Token: SeImpersonatePrivilege	4936	msiexec.exe
Token: SeCreateGlobalPrivilege	4936	msiexec.exe
Token: SeBackupPrivilege	2816	vssvc.exe
Token: SeRestorePrivilege	2816	vssvc.exe
Token: SeAuditPrivilege	2816	vssvc.exe
Token: SeBackupPrivilege	2508	msiexec.exe
Token: SeRestorePrivilege	2508	msiexec.exe
Token: SeRestorePrivilege	2508	msiexec.exe
Token: SeTakeOwnershipPrivilege	2508	msiexec.exe
Token: SeRestorePrivilege	2508	msiexec.exe
Token: SeTakeOwnershipPrivilege	2508	msiexec.exe
Token: SeRestorePrivilege	2508	msiexec.exe
Token: SeTakeOwnershipPrivilege	2508	msiexec.exe
Token: SeBackupPrivilege	3052	srtasks.exe
Token: SeRestorePrivilege	3052	srtasks.exe
Token: SeSecurityPrivilege	3052	srtasks.exe
Token: SeTakeOwnershipPrivilege	3052	srtasks.exe
Token: SeBackupPrivilege	3052	srtasks.exe
Token: SeRestorePrivilege	3052	srtasks.exe
Token: SeSecurityPrivilege	3052	srtasks.exe
Token: SeTakeOwnershipPrivilege	3052	srtasks.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

4936 msiexec.exe
4936 msiexec.exe

pid	process
4936	msiexec.exe
4936	msiexec.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

msiexec.exe

description	pid	process	target process
PID 2508 wrote to memory of 3052	2508	msiexec.exe	srtasks.exe
PID 2508 wrote to memory of 3052	2508	msiexec.exe	srtasks.exe
PID 2508 wrote to memory of 2064	2508	msiexec.exe	MsiExec.exe
PID 2508 wrote to memory of 2064	2508	msiexec.exe	MsiExec.exe
PID 2508 wrote to memory of 2064	2508	msiexec.exe	MsiExec.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\PaintDotNet_x64.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4936

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2508

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3052

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 2BE9D3DC9C9665D6C08D40C1AD954C44
2⤵
- Loads dropped DLL
PID:2064

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2816

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_E6095CD2AECC9011BCD0D7B421356B17
Filesize
2KB

MD5
7f304f88a9ec859c3ec129d4d1e5f12c

SHA1
3bc010dc12415bb2668f775b9c7cfb780a244e07

SHA256
20019ca117478f5a78d4d28d39c454fc9f5d577780edba0499e752cd0fcd041d

SHA512
95ba947677eb171fa8af549f4452f5467153e4c727af43d2e73685b88f0b9038a3e3ee3a960501a39b39e88bc9a6fe1ae8e0d29acb4a118576eb606568e39bfa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
1KB

MD5
169257ee1dae792fa516b7ee24fdbf6d

SHA1
749debd32071e052889110b6e2672ed0f7a0239f

SHA256
5c2d0b615f51c090e6afa909d6612573b902d06582db619452d6443463e9ab45

SHA512
ee0e15925c925452250c6d3a3a06c330257411d12708c98ed7ecee74792e977bb103f3572e1e585648fdd57865ef0718e601d63a70d8605fafecf1f4d4c2a16b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D7833C286363AD25C70511661A83D581_0074F282EF1707B4127B4440C07CA094
Filesize
510B

MD5
75bfab5db99d3a568718a5579d2ff770

SHA1
57e820ba6726f9b2b6c7967e6d4ca9e10e29995e

SHA256
028d247d354834f0802009e505ff0dc6a0b5d768ab0a9cea73508c0a0854bf7a

SHA512
45c4fa4d31f697a67fc8695ca802a3ac6880240e4c70a08fc1c01bae8c80dfd6037cc2e7546d2eeb3e44233de2b598a213b62ada64bfa157f78dfb65ec3aa04e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_E6095CD2AECC9011BCD0D7B421356B17
Filesize
488B

MD5
79cb442e0db59474868530fe590fc756

SHA1
72f439e8f83efd76a612abc9452d6f75046a9939

SHA256
b788e384936bf211a0cf0f4f5e676473b8b5763b3597d1178a7e60e4a461b23b

SHA512
b4d47f466d876614a21d0c6a896955ecb983fbfb0e082a499d4b56869c58e809c2547b0c9b4b9c9f76802aab62d808a10f0a2159e402e4bb7e8f9dec7cc3fe47

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
482B

MD5
709c9e3f9ed517a86ca7073b84fe7684

SHA1
096b9bd2810001ede22303b5b83b93e6947dc6d8

SHA256
9ab12c2063aa860b0b280fe618e430fe2a184958ffb34f907081edcea4c3e4d4

SHA512
89f706399d069e7ef8a23a6ce5dc88149e778de6628e797351f74444fae5ae9eb8e6667aa869340fd6ab8f338972465befb1e376a228961357016d64c0ef4960

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D7833C286363AD25C70511661A83D581_0074F282EF1707B4127B4440C07CA094
Filesize
484B

MD5
671561bae44b1cba295de683910056a7

SHA1
0ca84de24cd38d75aee3725a3694af25f9db23a3

SHA256
15a874ff2d480953f6eaa9250822182c79ab9835491be61678d13d6a29d4204a

SHA512
987b022c07c46c2b10773a1b86ad8d618829d0495facc04db9b8aee89749274de85600f8cd1532b8dbc82d97ac3e6ff10ca6e6149fc4580db6561a1e44497cbb

Download Submit
C:\Windows\Installer\MSIA2C8.tmp
Filesize
298KB

MD5
373e46a1e858b6a10432d589de09732f

SHA1
26e71b5373999a23eb6e2a282de3683dd9d698b5

SHA256
0357b1185454d1a7d0c72de5af8e82a2185c0f1e52fb2d21b53e149d0a688041

SHA512
9b83f10f5e1cbe8ff97a5ead0ca02fce5f58e6e573077d2293f5c34e8d894836dd8e2a6b1dcdfa6c98f156704208f85e8595046527adab3fbe831236c71aaef8

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
Filesize
23.7MB

MD5
23a5838fd46ca9f6ed0e6567d8cb3521

SHA1
0a0202fa92984e170c623ab8eaaee63bd79a9b0f

SHA256
ab96d879ee26220deb62486216788ca64f15820e154eefb900ee9411575a8241

SHA512
2e4a6714dd9f6352d419fd36637f5a27e2dd65dec58473fa3cdfa566cd300faf9b3a953f48ce34d988614b438d38375565fc8af1474a7d28a59d7ca25639d6e0

Download Submit
\??\Volume{5a066776-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{cd8ad20f-fa7e-4568-997d-b0d23b80f3af}_OnDiskSnapshotProp
Filesize
6KB

MD5
9f4b1f89fd14bed5542c9fbda67a7235

SHA1
5facfe59c5509f931ea292a0f5de274902ece63e

SHA256
d79a3063263df84df25b67a1641dc306f37bab61d3430850e009ba762a1e83d6

SHA512
1ecf23be4e7f8e974120cc481dd321f15f0d6f5cff8ced8d11ffeb318c4daca579422cade7a9f5c7b206ca7ded383bda54813b786fb6f4f31660afd01c0210e3

Download Submit