Analysis Overview
SHA256
2eee0c75e0fd7644febee9236fe89ae382de3b96e8c86b59fbf111752b62993b
Threat Level: Shows suspicious behavior
The file Easy Paint Tool SAI 1.2.0 (1).zip was found to show suspicious behavior.
Malicious Activity Summary
Writes to the Master Boot Record (MBR)
Enumerates physical storage devices
Program crash
One or more HTTP URLs in qr code identified
Unsigned PE
Command and Scripting Interpreter: PowerShell
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Checks processor information in registry
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer settings
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-26 10:59
Signatures
One or more HTTP URLs in qr code identified
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-26 10:59
Reported
2024-06-26 11:03
Platform
win7-20240221-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\hh.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\hh.exe | N/A |
| N/A | N/A | C:\Windows\hh.exe | N/A |
Processes
C:\Windows\hh.exe
"C:\Windows\hh.exe" "C:\Users\Admin\AppData\Local\Temp\Easy Paint Tool SAI 1.2.0\Paint Tool SAI 1.2.0\help.chm"
Network
Files
memory/2732-22-0x000007FFFFF90000-0x000007FFFFFA0000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-26 10:59
Reported
2024-06-26 11:03
Platform
win7-20240508-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\Easy Paint Tool SAI 1.2.0\Paint Tool SAI 1.2.0\sai.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\2 | C:\Users\Admin\AppData\Local\Temp\Easy Paint Tool SAI 1.2.0\Paint Tool SAI 1.2.0\sai.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Easy Paint Tool SAI 1.2.0\Paint Tool SAI 1.2.0\sai.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\Easy Paint Tool SAI 1.2.0\Paint Tool SAI 1.2.0\sai.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\1 | C:\Users\Admin\AppData\Local\Temp\Easy Paint Tool SAI 1.2.0\Paint Tool SAI 1.2.0\sai.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\Easy Paint Tool SAI 1.2.0\Paint Tool SAI 1.2.0\sai.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Easy Paint Tool SAI 1.2.0\Paint Tool SAI 1.2.0\sai.exe
"C:\Users\Admin\AppData\Local\Temp\Easy Paint Tool SAI 1.2.0\Paint Tool SAI 1.2.0\sai.exe"
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-26 10:59
Reported
2024-06-26 11:01
Platform
win10v2004-20240508-en
Max time kernel
11s
Max time network
13s
Command Line
Signatures
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\Easy Paint Tool SAI 1.2.0\Paint Tool SAI 1.2.0\sai.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\2 | C:\Users\Admin\AppData\Local\Temp\Easy Paint Tool SAI 1.2.0\Paint Tool SAI 1.2.0\sai.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Easy Paint Tool SAI 1.2.0\Paint Tool SAI 1.2.0\sai.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\Easy Paint Tool SAI 1.2.0\Paint Tool SAI 1.2.0\sai.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\1 | C:\Users\Admin\AppData\Local\Temp\Easy Paint Tool SAI 1.2.0\Paint Tool SAI 1.2.0\sai.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\Easy Paint Tool SAI 1.2.0\Paint Tool SAI 1.2.0\sai.exe | N/A |
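The "Writes to the Master Boot Record (MBR)" signature in behavioral5 and behavioral6 is evidenced by a single row: sai.exe opened \??\PhysicalDrive0 for modification. That is a raw-disk handle open, not an observed write; the same handle is what a program needs to read the disk serial or partition table (the accompanying ProcessorNameString queries point the same way, toward hardware fingerprinting). The script below is an added example, not part of the sandbox report or of the SAI software: it captures sector 0 before and after detonation and diffs the boot code, NT disk signature, partition entries and 0x55AA marker, so an analyst can confirm or refute an MBR write instead of trusting the handle-open heuristic. The two 512-byte sectors it runs on are constructed test data, and the rule names are this example's own.

```python
"""Confirm or refute an MBR write from a before/after capture of sector 0.

Added example (not from the sandbox report).  The sandbox flags a raw-disk
handle open as an MBR write; diffing the sector itself is the actual check.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import List

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440      # bytes 0..439: boot code (what a bootkit overwrites)
DISK_SIG_OFF = 440       # bytes 440..443: NT disk signature
PART_TABLE_OFF = 446     # four 16-byte partition entries
MBR_MAGIC = b"\x55\xaa"  # bytes 510..511


@dataclass
class Partition:
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int


@dataclass
class Mbr:
    boot_code_sha256: str
    disk_signature: int
    partitions: List[Partition]
    magic_ok: bool


def parse_mbr(sector: bytes) -> Mbr:
    """Decode a 512-byte sector 0 into the fields an MBR writer would touch."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    boot_code = sector[:BOOT_CODE_LEN]
    (disk_sig,) = struct.unpack_from("<I", sector, DISK_SIG_OFF)
    parts = []
    for i in range(4):
        # status, CHS start, type, CHS end, LBA start, sector count
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack_from(
            "<B3sB3sII", sector, PART_TABLE_OFF + 16 * i)
        parts.append(Partition(status == 0x80, ptype, lba, count))
    return Mbr(hashlib.sha256(boot_code).hexdigest(), disk_sig, parts,
               sector[510:512] == MBR_MAGIC)


def diff_mbr(before: bytes, after: bytes) -> List[str]:
    """Return a list of MBR changes between two captures; empty means untouched."""
    a, b = parse_mbr(before), parse_mbr(after)
    changes = []
    if a.boot_code_sha256 != b.boot_code_sha256:
        changes.append("boot code (bytes 0-439) rewritten: bootkit-style change")
    if a.disk_signature != b.disk_signature:
        changes.append(f"disk signature {a.disk_signature:#010x} -> {b.disk_signature:#010x}")
    for i, (pa, pb) in enumerate(zip(a.partitions, b.partitions)):
        if pa != pb:
            changes.append(f"partition entry {i} changed: {pa} -> {pb}")
    if a.magic_ok != b.magic_ok:
        changes.append("0x55AA boot signature " + ("added" if b.magic_ok else "removed"))
    return changes


def read_sector0_windows(drive: int = 0) -> bytes:
    """Capture sector 0 on the detonation VM (needs Administrator; not run here)."""
    with open(rf"\\.\PhysicalDrive{drive}", "rb") as disk:
        return disk.read(SECTOR_SIZE)


def _build_mbr(boot_code: bytes, disk_sig: int, parts: List[Partition]) -> bytes:
    """Assemble a constructed test sector; this is not real disk content."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, DISK_SIG_OFF, disk_sig)
    for i, p in enumerate(parts):
        struct.pack_into("<B3sB3sII", sector, PART_TABLE_OFF + 16 * i,
                         0x80 if p.bootable else 0x00, b"\x00\x00\x00", p.type_id,
                         b"\x00\x00\x00", p.lba_start, p.sector_count)
    sector[510:512] = MBR_MAGIC
    return bytes(sector)


# Constructed samples: a pre-detonation MBR with one NTFS partition, then a
# post-detonation capture that is unchanged and one whose boot code was replaced.
PARTS = [Partition(True, 0x07, 2048, 204800)]
MBR_BEFORE = _build_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c", 0x12345678, PARTS)
MBR_AFTER_READ_ONLY = MBR_BEFORE
MBR_AFTER_OVERWRITE = _build_mbr(b"\xeb\xfe" * 200, 0x12345678, PARTS)

if __name__ == "__main__":
    for label, after in (("read-only handle open", MBR_AFTER_READ_ONLY),
                         ("boot code overwrite", MBR_AFTER_OVERWRITE)):
        changes = diff_mbr(MBR_BEFORE, after)
        print(label, "->", changes or ["no MBR change; the handle open was not an MBR write"])
```

In practice, take the "before" capture from a clean snapshot of the detonation VM and the "after" from the same VM once the sample has run; if the diff is empty, the signature reflects a read (licensing or hardware-ID lookup is the usual cause) rather than a bootkit-style write.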
Processes
C:\Users\Admin\AppData\Local\Temp\Easy Paint Tool SAI 1.2.0\Paint Tool SAI 1.2.0\sai.exe
"C:\Users\Admin\AppData\Local\Temp\Easy Paint Tool SAI 1.2.0\Paint Tool SAI 1.2.0\sai.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-26 10:59
Reported
2024-06-26 11:03
Platform
win10v2004-20240611-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2824 wrote to memory of 392 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2824 wrote to memory of 392 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2824 wrote to memory of 392 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Easy Paint Tool SAI 1.2.0\Paint Tool SAI 1.2.0\sfl.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Easy Paint Tool SAI 1.2.0\Paint Tool SAI 1.2.0\sfl.dll",#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 392 -ip 392
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 392 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| NL | 23.62.61.171:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.239.69.13.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-26 10:59
Reported
2024-06-26 11:01
Platform
win7-20240221-en
Max time kernel
15s
Max time network
16s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\Easy Paint Tool SAI 1.2.0\Paint Tool SAI 1.2.0\blotmap\Grainy.ps1"
Network
Files
memory/1948-4-0x000007FEF573E000-0x000007FEF573F000-memory.dmp
memory/1948-8-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp
memory/1948-7-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp
memory/1948-9-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp
memory/1948-6-0x0000000002340000-0x0000000002348000-memory.dmp
memory/1948-5-0x000000001B760000-0x000000001BA42000-memory.dmp
memory/1948-10-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp
memory/1948-11-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-26 10:59
Reported
2024-06-26 11:03
Platform
win7-20231129-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2124 wrote to memory of 2256 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2124 wrote to memory of 2256 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2124 wrote to memory of 2256 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2124 wrote to memory of 2256 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2124 wrote to memory of 2256 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2124 wrote to memory of 2256 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2124 wrote to memory of 2256 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Easy Paint Tool SAI 1.2.0\Paint Tool SAI 1.2.0\sfl.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Easy Paint Tool SAI 1.2.0\Paint Tool SAI 1.2.0\sfl.dll",#1
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-26 10:59
Reported
2024-06-26 11:01
Platform
win10v2004-20240611-en
Max time kernel
13s
Max time network
16s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\Easy Paint Tool SAI 1.2.0\Paint Tool SAI 1.2.0\blotmap\Grainy.ps1"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2ec 0x4dc
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.89:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
Files
memory/1128-0-0x00007FF886A63000-0x00007FF886A65000-memory.dmp
memory/1128-1-0x00000235908F0000-0x0000023590912000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_14omkvji.a3p.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1128-11-0x00007FF886A60000-0x00007FF887521000-memory.dmp
memory/1128-12-0x00007FF886A60000-0x00007FF887521000-memory.dmp
memory/1128-15-0x00007FF886A60000-0x00007FF887521000-memory.dmp
memory/1128-16-0x00007FF886A60000-0x00007FF887521000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-26 10:59
Reported
2024-06-26 11:03
Platform
win10v2004-20240611-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\hh.exe | N/A |
| N/A | N/A | C:\Windows\hh.exe | N/A |
Processes
C:\Windows\hh.exe
"C:\Windows\hh.exe" "C:\Users\Admin\AppData\Local\Temp\Easy Paint Tool SAI 1.2.0\Paint Tool SAI 1.2.0\help.chm"
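Across behavioral1/2 (powershell.exe), behavioral7/8 (rundll32.exe) and behavioral3/4 (hh.exe) the sandbox fires one signature per API call (AdjustPrivilegeToken, WriteProcessMemory, SetWindowsHookEx) but says nothing about whether the launcher itself is ordinary. Some of it is: the rows pairing system32\rundll32.exe with SysWOW64\rundll32.exe are consistent with 64-bit rundll32 relaunching its 32-bit copy to host a 32-bit DLL, and WerFault.exe and AUDIODG.EXE are spawned by Windows. What stands out instead is what the extracted archive contains: a .ps1 under a "blotmap" texture folder run with -ExecutionPolicy bypass, a DLL called by ordinal from %TEMP%, and a .chm opened from %TEMP%. The classifier below is an added example, not part of the sandbox report; it scores the command lines shown above on those launcher-level facts and maps each to the ATT&CK technique it corresponds to. The rule names, severities and the "user-writable directory" pattern are this example's own choices, and the sample command lines are copied from the detonations above.

```python
"""Classify sandbox process command lines by what the launcher was asked to run.

Added example (not from the sandbox report).  Rules, severities and the
user-writable-directory pattern are assumptions of this example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Directories a non-admin user (or an extracted archive) can write to.
USER_WRITABLE = re.compile(
    r"\\(AppData\\Local\\Temp|AppData\\Roaming|Downloads|ProgramData|Public)\\", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    technique: str   # MITRE ATT&CK technique ID ("" for OS noise)
    severity: str    # "info" | "medium" | "high"
    detail: str


def _image(cmdline: str) -> str:
    """Lowercase basename of the launched image (first token, quoted or bare)."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', cmdline)
    if not m:
        return ""
    path = m.group(1) or m.group(2)
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _quoted_paths(cmdline: str) -> List[str]:
    return re.findall(r'"([^"]+)"', cmdline)


def classify(cmdline: str) -> List[Finding]:
    """Return launcher-level findings for one process command line."""
    findings: List[Finding] = []
    image = _image(cmdline)
    args = _quoted_paths(cmdline)
    if image == "powershell.exe":
        bypass = re.search(r"-(?:ExecutionPolicy|ep|exec)\s+bypass", cmdline, re.I)
        script = next((p for p in args if p.lower().endswith(".ps1")), None)
        if bypass and script:
            sev = "high" if USER_WRITABLE.search(script) else "medium"
            findings.append(Finding("powershell_execpolicy_bypass", "T1059.001", sev,
                                    f"-ExecutionPolicy bypass running {script}"))
    elif image == "rundll32.exe":
        m = re.search(r'"([^"]+\.dll)"\s*,\s*(#\d+|\w+)', cmdline, re.I)
        if m and USER_WRITABLE.search(m.group(1)):
            findings.append(Finding("rundll32_user_dir_dll", "T1218.011", "medium",
                                    f"{m.group(1)} export {m.group(2)}"))
    elif image == "hh.exe":
        chm = next((p for p in args if p.lower().endswith(".chm")), None)
        if chm and USER_WRITABLE.search(chm):
            findings.append(Finding("hh_chm_user_dir", "T1218.001", "medium",
                                    f"compiled HTML help opened from {chm}"))
    elif image in ("werfault.exe", "audiodg.exe"):
        findings.append(Finding("os_spawned_helper", "", "info",
                                f"{image} is launched by Windows, not by the sample"))
    return findings


# Command lines as they appear in the detonations above.
SAMPLE_CMDLINES: Dict[str, str] = {
    "powershell": r'powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\Easy Paint Tool SAI 1.2.0\Paint Tool SAI 1.2.0\blotmap\Grainy.ps1"',
    "rundll32": r'rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Easy Paint Tool SAI 1.2.0\Paint Tool SAI 1.2.0\sfl.dll",#1',
    "hh": r'"C:\Windows\hh.exe" "C:\Users\Admin\AppData\Local\Temp\Easy Paint Tool SAI 1.2.0\Paint Tool SAI 1.2.0\help.chm"',
    "werfault": r"C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 392 -ip 392",
    "audiodg": r"C:\Windows\system32\AUDIODG.EXE 0x2ec 0x4dc",
}


def triage(cmdlines: Dict[str, str]) -> Dict[str, List[Finding]]:
    """Classify every command line and keep only those with findings."""
    return {name: f for name, f in ((n, classify(c)) for n, c in cmdlines.items()) if f}


if __name__ == "__main__":
    for name, findings in triage(SAMPLE_CMDLINES).items():
        for f in findings:
            print(f"{name:10} {f.severity:6} {f.technique:10} {f.rule}: {f.detail}")
```

The high-severity hit is the PowerShell line: an execution-policy bypass alone is common in installers, but a script sitting in a brush-texture folder of a drawing program is worth pulling out of the archive and reading before anything else on this report.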
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| NL | 23.62.61.72:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 52.111.227.11:443 | | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.65.42.20.in-addr.arpa | udp |