6ee78b18ddb57ebb710f371d9c01b743fc7fb080527360a56d9981c56cdffffb

Analysis

max time kernel
80s
max time network
88s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
21-04-2024 20:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ORPALIS PaperScan Professional Edition 4.0.9 [PeskTop.com]/paperscanpro4.exe
Size

124.9MB
MD5

d964449be90f3d1eabcd4bd4e0f1687b
SHA1

1f58c435655108220a656066933ce05de5a18f64
SHA256

93ec1818f17060773929f735d16343edeb9fab83b35d01f6ae4473c979d33443
SHA512

7a223efd9be3ac244065e387078bfc90704c2bf5665b14a8d9b1a90755f3f56759df88b36e1f9ca85b849728a9eddf48e9e15adf8a2044131a269de25b49dde4
SSDEEP

3145728:kagyVIufss4uvENj3aT32FpHCBRgoDCkD0iUWoMM:QyVI1FCEhqL2Fpirg8j9VoMM

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

paperscanpro4.exemsiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\A:	paperscanpro4.exe
File opened (read-only)	\??\S:	paperscanpro4.exe
File opened (read-only)	\??\W:	paperscanpro4.exe
File opened (read-only)	\??\B:	paperscanpro4.exe
File opened (read-only)	\??\E:	paperscanpro4.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\I:	paperscanpro4.exe
File opened (read-only)	\??\Q:	paperscanpro4.exe
File opened (read-only)	\??\U:	paperscanpro4.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	paperscanpro4.exe
File opened (read-only)	\??\Y:	paperscanpro4.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\K:	paperscanpro4.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\G:	paperscanpro4.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	paperscanpro4.exe
File opened (read-only)	\??\R:	paperscanpro4.exe
File opened (read-only)	\??\T:	paperscanpro4.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	paperscanpro4.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	paperscanpro4.exe
File opened (read-only)	\??\Z:	paperscanpro4.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	paperscanpro4.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\M:	paperscanpro4.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\P:	paperscanpro4.exe

Loads dropped DLL 14 IoCs

Processes:

MsiExec.exeMsiExec.exe

pid	process
3436	MsiExec.exe
3436	MsiExec.exe
3436	MsiExec.exe
3436	MsiExec.exe
3436	MsiExec.exe
660	MsiExec.exe
660	MsiExec.exe
660	MsiExec.exe
660	MsiExec.exe
660	MsiExec.exe
660	MsiExec.exe
660	MsiExec.exe
660	MsiExec.exe
660	MsiExec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exepaperscanpro4.exe

description	pid	process
Token: SeSecurityPrivilege	4856	msiexec.exe
Token: SeCreateTokenPrivilege	1128	paperscanpro4.exe
Token: SeAssignPrimaryTokenPrivilege	1128	paperscanpro4.exe
Token: SeLockMemoryPrivilege	1128	paperscanpro4.exe
Token: SeIncreaseQuotaPrivilege	1128	paperscanpro4.exe
Token: SeMachineAccountPrivilege	1128	paperscanpro4.exe
Token: SeTcbPrivilege	1128	paperscanpro4.exe
Token: SeSecurityPrivilege	1128	paperscanpro4.exe
Token: SeTakeOwnershipPrivilege	1128	paperscanpro4.exe
Token: SeLoadDriverPrivilege	1128	paperscanpro4.exe
Token: SeSystemProfilePrivilege	1128	paperscanpro4.exe
Token: SeSystemtimePrivilege	1128	paperscanpro4.exe
Token: SeProfSingleProcessPrivilege	1128	paperscanpro4.exe
Token: SeIncBasePriorityPrivilege	1128	paperscanpro4.exe
Token: SeCreatePagefilePrivilege	1128	paperscanpro4.exe
Token: SeCreatePermanentPrivilege	1128	paperscanpro4.exe
Token: SeBackupPrivilege	1128	paperscanpro4.exe
Token: SeRestorePrivilege	1128	paperscanpro4.exe
Token: SeShutdownPrivilege	1128	paperscanpro4.exe
Token: SeDebugPrivilege	1128	paperscanpro4.exe
Token: SeAuditPrivilege	1128	paperscanpro4.exe
Token: SeSystemEnvironmentPrivilege	1128	paperscanpro4.exe
Token: SeChangeNotifyPrivilege	1128	paperscanpro4.exe
Token: SeRemoteShutdownPrivilege	1128	paperscanpro4.exe
Token: SeUndockPrivilege	1128	paperscanpro4.exe
Token: SeSyncAgentPrivilege	1128	paperscanpro4.exe
Token: SeEnableDelegationPrivilege	1128	paperscanpro4.exe
Token: SeManageVolumePrivilege	1128	paperscanpro4.exe
Token: SeImpersonatePrivilege	1128	paperscanpro4.exe
Token: SeCreateGlobalPrivilege	1128	paperscanpro4.exe
Token: SeCreateTokenPrivilege	1128	paperscanpro4.exe
Token: SeAssignPrimaryTokenPrivilege	1128	paperscanpro4.exe
Token: SeLockMemoryPrivilege	1128	paperscanpro4.exe
Token: SeIncreaseQuotaPrivilege	1128	paperscanpro4.exe
Token: SeMachineAccountPrivilege	1128	paperscanpro4.exe
Token: SeTcbPrivilege	1128	paperscanpro4.exe
Token: SeSecurityPrivilege	1128	paperscanpro4.exe
Token: SeTakeOwnershipPrivilege	1128	paperscanpro4.exe
Token: SeLoadDriverPrivilege	1128	paperscanpro4.exe
Token: SeSystemProfilePrivilege	1128	paperscanpro4.exe
Token: SeSystemtimePrivilege	1128	paperscanpro4.exe
Token: SeProfSingleProcessPrivilege	1128	paperscanpro4.exe
Token: SeIncBasePriorityPrivilege	1128	paperscanpro4.exe
Token: SeCreatePagefilePrivilege	1128	paperscanpro4.exe
Token: SeCreatePermanentPrivilege	1128	paperscanpro4.exe
Token: SeBackupPrivilege	1128	paperscanpro4.exe
Token: SeRestorePrivilege	1128	paperscanpro4.exe
Token: SeShutdownPrivilege	1128	paperscanpro4.exe
Token: SeDebugPrivilege	1128	paperscanpro4.exe
Token: SeAuditPrivilege	1128	paperscanpro4.exe
Token: SeSystemEnvironmentPrivilege	1128	paperscanpro4.exe
Token: SeChangeNotifyPrivilege	1128	paperscanpro4.exe
Token: SeRemoteShutdownPrivilege	1128	paperscanpro4.exe
Token: SeUndockPrivilege	1128	paperscanpro4.exe
Token: SeSyncAgentPrivilege	1128	paperscanpro4.exe
Token: SeEnableDelegationPrivilege	1128	paperscanpro4.exe
Token: SeManageVolumePrivilege	1128	paperscanpro4.exe
Token: SeImpersonatePrivilege	1128	paperscanpro4.exe
Token: SeCreateGlobalPrivilege	1128	paperscanpro4.exe
Token: SeCreateTokenPrivilege	1128	paperscanpro4.exe
Token: SeAssignPrimaryTokenPrivilege	1128	paperscanpro4.exe
Token: SeLockMemoryPrivilege	1128	paperscanpro4.exe
Token: SeIncreaseQuotaPrivilege	1128	paperscanpro4.exe
Token: SeMachineAccountPrivilege	1128	paperscanpro4.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

paperscanpro4.exemsiexec.exe

pid process

1128 paperscanpro4.exe
1040 msiexec.exe

pid	process
1128	paperscanpro4.exe
1040	msiexec.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

msiexec.exepaperscanpro4.exe

description	pid	process	target process
PID 4856 wrote to memory of 3436	4856	msiexec.exe	MsiExec.exe
PID 4856 wrote to memory of 3436	4856	msiexec.exe	MsiExec.exe
PID 4856 wrote to memory of 3436	4856	msiexec.exe	MsiExec.exe
PID 1128 wrote to memory of 1040	1128	paperscanpro4.exe	msiexec.exe
PID 1128 wrote to memory of 1040	1128	paperscanpro4.exe	msiexec.exe
PID 1128 wrote to memory of 1040	1128	paperscanpro4.exe	msiexec.exe
PID 4856 wrote to memory of 660	4856	msiexec.exe	MsiExec.exe
PID 4856 wrote to memory of 660	4856	msiexec.exe	MsiExec.exe
PID 4856 wrote to memory of 660	4856	msiexec.exe	MsiExec.exe

C:\Users\Admin\AppData\Local\Temp\ORPALIS PaperScan Professional Edition 4.0.9 [PeskTop.com]\paperscanpro4.exe
"C:\Users\Admin\AppData\Local\Temp\ORPALIS PaperScan Professional Edition 4.0.9 [PeskTop.com]\paperscanpro4.exe"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1128
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\ORPALIS\PaperScan 4 Professional Edition 4.0.9\install\4FF14CA\PaperScanPro-4.0.9.msi" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\ORPALIS PaperScan Professional Edition 4.0.9 [PeskTop.com]\paperscanpro4.exe" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\ORPALIS PaperScan Professional Edition 4.0.9 [PeskTop.com]\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1713491114 "
  2⤵
  - Enumerates connected drives
  - Suspicious use of FindShellTrayWindow
  PID:1040

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4856
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C2BAA9F37F915119C6F5629941F97203 C
  2⤵
  - Loads dropped DLL
  PID:3436
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 8AD01FA56E330A11BA68C1F3C56A0D36 C
  2⤵
  - Loads dropped DLL
  PID:660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
471B

MD5
eeece5e919a33d267b92b22e8c2e08e3

SHA1
5ab76b001333e3999c3d1c7dd928c9940bfed114

SHA256
1e3ca69a2e6ee930e91c55183acc8001f0390f56870660482a67b6d928c827af

SHA512
4052591db3f8243da47915192caf029ab08534bb9bdd0ba90de344fd81db284c8d5c3e8e2100320b52bf5fb4c8cfa0b14be3cef1fcdfb693ef8865b7bd77fc9c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_A360CD1C7D600F0FA52FD1B49B3E1637

Filesize
727B

MD5
eee4c7065430328a936943b8a4cc64c1

SHA1
8d965baa8203acf507dc01147ccf011ad65fadf3

SHA256
d6c086aaba2ac573829148dbceff5a0c290b74ea7722c07dff03d412b62853da

SHA512
6569255a29a42256ef099b2ee98cb1481803ea9d1669daf0cf4e00569b5cc8fe70c4eadb183dc43bfa1304d562a97e8286d97ee2f9d4c67d65dba4cbe2a9ae0d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
cc6848d9ac77e31dfeadf8c1ab347bd7

SHA1
6bbab79a405666cb63f2e321330e10f4fabca6b4

SHA256
1bfe4a31c943532b6f000d26e721022f250f5555ef2f0bf12605c35ec606a338

SHA512
74214efdbe65e264e9b63506b4d74fd520d7322f03153a6f50dbf4236b36848fdd5b1b42431c600e8c75e4119c912b10a9a0d213043aa7102177ac95134d5966

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
400B

MD5
68fec2dcb8451ef8fa597c1839d019f1

SHA1
eb11fc84a70db7b8445489d016179f8e1fa5968a

SHA256
3ec19aa78266e57135aabbbd57bcd5d90337f69a4da4ce835c276411e52bfb54

SHA512
54fddf8cfee855e1ca85a4967b9019b8e7de5e4b5e0dc8df2c2abb5524887ec00ca5086040333eeb285f623934e5e66c99434025a37479e8a3d747a62f1601c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_A360CD1C7D600F0FA52FD1B49B3E1637

Filesize
408B

MD5
36c53edfac4185c486a0977d59c3839d

SHA1
af427a9fcb607696bd968317f7536ce16f32a8a6

SHA256
fcfad66878c65713e0feb1f855f59bdc29d908e6fa6e71af47e623e4310ab665

SHA512
4c71d3bf9f7f831665ba6c4da66233a27ebe449f94e575662146342cea6b40b4a64b6826b92b1df593718779277855a196bc3792f8e0e2cdd49b95e6c58f3268

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
412B

MD5
9e7019fe65ff4893af80f4eabbd246b5

SHA1
8a5d41b6bf09fe904b55dfd1b031b3a99fa24100

SHA256
f9c90e4bc6417daa79251bb22dab196f4a6cc0c647e05549ab4dd6bc1e8b034a

SHA512
f04bbeac712b6ad14099799b0e4cd448801add6e7f570bcad63ffc0038ab5192fb0af8dd658b2a1a438d9a8ccc028ed89cb65c60d76a06ffdea9f57aa86d4037

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1128\welcome.jpg

Filesize
14KB

MD5
a19eb2269d8449012cf8cf3693e9698a

SHA1
7be34d8186407ede94e068874417ddaf3bf3012e

SHA256
478f1e9f4cbcbc6062e3a609362a60e8c78e38507e60ba5a6b9db7d219e66a14

SHA512
86d71a7087d8597b06d822dab99d9cad5208fff612fa20c95db2ee712be61003d40a494dfe6c3836627592a9963d5729bc5ce4d7b4bbeb24fa6b613bf0d6631e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI7D7E.tmp

Filesize
584KB

MD5
8e565fd81ca10a65cc02e7901a78c95b

SHA1
1bca3979c233321ae527d4508cfe9b3ba825dbd3

SHA256
7b64112c2c534203bb59ce1a9b7d5390448c045dda424fb3cfd5878edb262016

SHA512
144bde89eba469b32b59f30e7f4d451329c541ed7b556bc60d118c9e2e5cdf148c2275cca51c4b9355686aefa16a4b86a26d4c8fe0dd2cf318b979863109592e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI7EA9.tmp

Filesize
1.1MB

MD5
afc6287898cc2f4e11e7ecca5ba67979

SHA1
00417961dd06817ad989aff7d6832f854a4e81b8

SHA256
65449b7ef921a26b22c2f5ba6bb8d22ced0a337313587c805bb165808346c402

SHA512
11bf538fd8c9330d6554e06e65b094aac27c657a0450ee6dd0891fb35644505d65e968395902b1d115f64d8c9a30f3d81e3db301705d82c084f7b028b8bd616c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI7FA4.tmp

Filesize
709KB

MD5
130a4e28b3349aff8a444f6fcebbac91

SHA1
fee5efe0a1b9aea337e607f417bb091c3017537b

SHA256
750bf3e65d692ff255620c5b8d7c951d93d3deb65586ebb5a3e3b7ba2de10e39

SHA512
1564306e22db0000a78076e6811f0e4f9ca31c7fea95e1070a6ce422c408863810a2f55376b8db1aec2512e23d926d5d61ac280d4babc31c52dd645440ef510a

Download Submit
C:\Users\Admin\AppData\Roaming\ORPALIS\PaperScan 4 Professional Edition 4.0.9\install\4FF14CA\PaperScanPro-4.0.9.msi

Filesize
3.7MB

MD5
91feee7a5212ab8244ab5915a443d92d

SHA1
243c5f38314a4fb8c8412868bb131853929d95bf

SHA256
a59241ac480779e9e3d09cb5952ee2bf26daf9277714751442f257c0d1ca1a80

SHA512
e4367b4e922c443c652767b45ad4bf82fefded07b78c2a891f382b2d3ad3a49aa834e8a35816e87d52cf3dc805e403aa346810d71acd2820f17b3c65baf4fe49

Download Submit