Malware Analysis Report

2024-10-18 22:17

Sample ID 240626-m3p8es1gla
Target Easy Paint Tool SAI 1.2.0 (1).zip
SHA256 2eee0c75e0fd7644febee9236fe89ae382de3b96e8c86b59fbf111752b62993b
Tags
bootkit persistence qr link execution
score
6/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
6/10

SHA256

2eee0c75e0fd7644febee9236fe89ae382de3b96e8c86b59fbf111752b62993b

Threat Level: Shows suspicious behavior

The file Easy Paint Tool SAI 1.2.0 (1).zip was found to be: Shows suspicious behavior.

Malicious Activity Summary

bootkit persistence qr link execution

Writes to the Master Boot Record (MBR)

Enumerates physical storage devices

Program crash

One or more HTTP URLs in qr code identified

Unsigned PE

Command and Scripting Interpreter: PowerShell

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-26 10:59

Signatures

One or more HTTP URLs in qr code identified

qr link

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-26 10:59

Reported

2024-06-26 11:03

Platform

win7-20240221-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Windows\hh.exe" "C:\Users\Admin\AppData\Local\Temp\Easy Paint Tool SAI 1.2.0\Paint Tool SAI 1.2.0\help.chm"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\hh.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\hh.exe N/A
N/A N/A C:\Windows\hh.exe N/A

Processes

C:\Windows\hh.exe

"C:\Windows\hh.exe" "C:\Users\Admin\AppData\Local\Temp\Easy Paint Tool SAI 1.2.0\Paint Tool SAI 1.2.0\help.chm"

Network

N/A

Files

memory/2732-22-0x000007FFFFF90000-0x000007FFFFFA0000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-26 10:59

Reported

2024-06-26 11:03

Platform

win7-20240508-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Easy Paint Tool SAI 1.2.0\Paint Tool SAI 1.2.0\sai.exe"

Signatures

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\Easy Paint Tool SAI 1.2.0\Paint Tool SAI 1.2.0\sai.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\2 C:\Users\Admin\AppData\Local\Temp\Easy Paint Tool SAI 1.2.0\Paint Tool SAI 1.2.0\sai.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\Easy Paint Tool SAI 1.2.0\Paint Tool SAI 1.2.0\sai.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\Easy Paint Tool SAI 1.2.0\Paint Tool SAI 1.2.0\sai.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\1 C:\Users\Admin\AppData\Local\Temp\Easy Paint Tool SAI 1.2.0\Paint Tool SAI 1.2.0\sai.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\Easy Paint Tool SAI 1.2.0\Paint Tool SAI 1.2.0\sai.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Easy Paint Tool SAI 1.2.0\Paint Tool SAI 1.2.0\sai.exe

"C:\Users\Admin\AppData\Local\Temp\Easy Paint Tool SAI 1.2.0\Paint Tool SAI 1.2.0\sai.exe"

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-26 10:59

Reported

2024-06-26 11:01

Platform

win10v2004-20240508-en

Max time kernel

11s

Max time network

13s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Easy Paint Tool SAI 1.2.0\Paint Tool SAI 1.2.0\sai.exe"

Signatures

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\Easy Paint Tool SAI 1.2.0\Paint Tool SAI 1.2.0\sai.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\2 C:\Users\Admin\AppData\Local\Temp\Easy Paint Tool SAI 1.2.0\Paint Tool SAI 1.2.0\sai.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\Easy Paint Tool SAI 1.2.0\Paint Tool SAI 1.2.0\sai.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\Easy Paint Tool SAI 1.2.0\Paint Tool SAI 1.2.0\sai.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\1 C:\Users\Admin\AppData\Local\Temp\Easy Paint Tool SAI 1.2.0\Paint Tool SAI 1.2.0\sai.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\Easy Paint Tool SAI 1.2.0\Paint Tool SAI 1.2.0\sai.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Easy Paint Tool SAI 1.2.0\Paint Tool SAI 1.2.0\sai.exe

"C:\Users\Admin\AppData\Local\Temp\Easy Paint Tool SAI 1.2.0\Paint Tool SAI 1.2.0\sai.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-26 10:59

Reported

2024-06-26 11:03

Platform

win10v2004-20240611-en

Max time kernel

148s

Max time network

152s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Easy Paint Tool SAI 1.2.0\Paint Tool SAI 1.2.0\sfl.dll",#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2824 wrote to memory of 392 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2824 wrote to memory of 392 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2824 wrote to memory of 392 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Easy Paint Tool SAI 1.2.0\Paint Tool SAI 1.2.0\sfl.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Easy Paint Tool SAI 1.2.0\Paint Tool SAI 1.2.0\sfl.dll",#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 392 -ip 392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 392 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
NL 23.62.61.171:443 www.bing.com tcp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 171.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 72.239.69.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-26 10:59

Reported

2024-06-26 11:01

Platform

win7-20240221-en

Max time kernel

15s

Max time network

16s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\Easy Paint Tool SAI 1.2.0\Paint Tool SAI 1.2.0\blotmap\Grainy.ps1"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\Easy Paint Tool SAI 1.2.0\Paint Tool SAI 1.2.0\blotmap\Grainy.ps1"

Network

N/A

Files

memory/1948-4-0x000007FEF573E000-0x000007FEF573F000-memory.dmp

memory/1948-8-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

memory/1948-7-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

memory/1948-9-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

memory/1948-6-0x0000000002340000-0x0000000002348000-memory.dmp

memory/1948-5-0x000000001B760000-0x000000001BA42000-memory.dmp

memory/1948-10-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

memory/1948-11-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-26 10:59

Reported

2024-06-26 11:03

Platform

win7-20231129-en

Max time kernel

121s

Max time network

122s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Easy Paint Tool SAI 1.2.0\Paint Tool SAI 1.2.0\sfl.dll",#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2124 wrote to memory of 2256 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2124 wrote to memory of 2256 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2124 wrote to memory of 2256 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2124 wrote to memory of 2256 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2124 wrote to memory of 2256 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2124 wrote to memory of 2256 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2124 wrote to memory of 2256 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Easy Paint Tool SAI 1.2.0\Paint Tool SAI 1.2.0\sfl.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Easy Paint Tool SAI 1.2.0\Paint Tool SAI 1.2.0\sfl.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-26 10:59

Reported

2024-06-26 11:01

Platform

win10v2004-20240611-en

Max time kernel

13s

Max time network

16s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\Easy Paint Tool SAI 1.2.0\Paint Tool SAI 1.2.0\blotmap\Grainy.ps1"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\Easy Paint Tool SAI 1.2.0\Paint Tool SAI 1.2.0\blotmap\Grainy.ps1"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x2ec 0x4dc

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.89:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 89.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp

Files

memory/1128-0-0x00007FF886A63000-0x00007FF886A65000-memory.dmp

memory/1128-1-0x00000235908F0000-0x0000023590912000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_14omkvji.a3p.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1128-11-0x00007FF886A60000-0x00007FF887521000-memory.dmp

memory/1128-12-0x00007FF886A60000-0x00007FF887521000-memory.dmp

memory/1128-15-0x00007FF886A60000-0x00007FF887521000-memory.dmp

memory/1128-16-0x00007FF886A60000-0x00007FF887521000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-26 10:59

Reported

2024-06-26 11:03

Platform

win10v2004-20240611-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Windows\hh.exe" "C:\Users\Admin\AppData\Local\Temp\Easy Paint Tool SAI 1.2.0\Paint Tool SAI 1.2.0\help.chm"

Signatures

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\hh.exe N/A
N/A N/A C:\Windows\hh.exe N/A

Processes

C:\Windows\hh.exe

"C:\Windows\hh.exe" "C:\Users\Admin\AppData\Local\Temp\Easy Paint Tool SAI 1.2.0\Paint Tool SAI 1.2.0\help.chm"

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 52.111.227.11:443 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 85.65.42.20.in-addr.arpa udp

Files

N/A