ploutus | 165b5a81a861e79f1e333226cb8e120023a4df4ba913e62677fdbb43ca212c02

Analysis

max time kernel
147s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
02-09-2024 04:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Paint.NET_v4.2.10.exe
Size

9.9MB
MD5

29f8c3e869f2396f8640625c913b0b87
SHA1

1b7c0a1b3175ff37296fff1d8c65a25c6232cfdd
SHA256

165b5a81a861e79f1e333226cb8e120023a4df4ba913e62677fdbb43ca212c02
SHA512

34fa3218bc90a759e7975bcc4f3541080628ee3a42085c69d9cfa3aff62fd15e663c0c5936c0e17ab4ee7714e8ef205d2d69bf705ea650f0cfa5735140ef2404
SSDEEP

196608:uoOiJ3jKzTHHzUNl2PJk2g6RHZl22Cysj4Lk9gC4zuqWRZa5:uRi9Qn4OPJk/1h4LAgC4zFt5

Score

10^/10

ploutus atm backdoor discovery

Malware Config

Signatures

Detected Ploutus loader 1 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x000100000002aa91-416.dat	family_ploutus

Ploutus
Ploutus is an ATM malware written in C#.
backdoor atm ploutus

Executes dropped EXE 2 IoCs

Processes:

SetupShim.exeSetupFrontEnd.exe

pid	Process
1200	SetupShim.exe
3188	SetupFrontEnd.exe

Loads dropped DLL 12 IoCs

Processes:

Paint.NET_v4.2.10.exeSetupFrontEnd.exe

pid	Process
4852	Paint.NET_v4.2.10.exe
4852	Paint.NET_v4.2.10.exe
3188	SetupFrontEnd.exe
3188	SetupFrontEnd.exe
3188	SetupFrontEnd.exe
3188	SetupFrontEnd.exe
3188	SetupFrontEnd.exe
3188	SetupFrontEnd.exe
3188	SetupFrontEnd.exe
3188	SetupFrontEnd.exe
3188	SetupFrontEnd.exe
3188	SetupFrontEnd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Paint.NET_v4.2.10.exeSetupShim.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paint.NET_v4.2.10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SetupShim.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

Paint.NET_v4.2.10.exeSetupShim.exe

description	pid	Process	procid_target
PID 4852 wrote to memory of 1200	4852	Paint.NET_v4.2.10.exe	80
PID 4852 wrote to memory of 1200	4852	Paint.NET_v4.2.10.exe	80
PID 4852 wrote to memory of 1200	4852	Paint.NET_v4.2.10.exe	80
PID 1200 wrote to memory of 3188	1200	SetupShim.exe	81
PID 1200 wrote to memory of 3188	1200	SetupShim.exe	81

C:\Users\Admin\AppData\Local\Temp\Paint.NET_v4.2.10.exe
"C:\Users\Admin\AppData\Local\Temp\Paint.NET_v4.2.10.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4852
- C:\Users\Admin\AppData\Local\Temp\PdnSetup\SetupShim.exe
  SetupShim.exe /suppressReboot
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1200
- - C:\Users\Admin\AppData\Local\Temp\PdnSetup\SetupFrontEnd.exe
    "SetupFrontEnd.exe" SetupShim.exe /suppressReboot
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\PdnSetup\PaintDotNet.Base.dll

Filesize
1.9MB

MD5
3e8a50c45bd084e08322ae6ef01b8937

SHA1
d7c9a1a16fd8ee0b1aba43d749c4d1a157549301

SHA256
e1798bc403e34f935b5b1e6a3b1716a1c1c3b806a5bf8bbd6627d70da7c54c6c

SHA512
c2cee0e76d7f1d8975f3f3c55f80ab65e139c01c1d82626c456b23ace2086fa6bc64e0572bf705fe4a8b7ba23e2b26ee57436c1e7286d52b65547037d6cf0c36

Download Submit
C:\Users\Admin\AppData\Local\Temp\PdnSetup\PaintDotNet.Core.dll

Filesize
882KB

MD5
f385235ce158041f9341b15306d15f72

SHA1
e828f3c56dcdd447d262ab6fb31c0d2daa955480

SHA256
6d99d6bcc9bc6a79a36882b94aa74fc3970662ecfc2602581414ba462d6a4abb

SHA512
0fd638ccccb7340480fd78a4cda5c1ca9a1d6aeac04fff0eefbb221859f62603ad902fc3207c8198374e688898b398d0b0cd47970a6f84b6d9aa7a15d7cdb752

Download Submit
C:\Users\Admin\AppData\Local\Temp\PdnSetup\PaintDotNet.Data.dll

Filesize
111KB

MD5
92d79a7aa4d760630b6e95c1f780efcf

SHA1
ee869c44c75ebbb2d212563166a2fb89f1ca5727

SHA256
56ded3f53655fe790615e6e5f3f03f76a7b072175350d1251c56fe307a4565b0

SHA512
4d562e33495494bcde54bb266b93bf6002eef58cfc6588affae309cbc687f15b9d032b499a66e81e0c90e79a2c920b601850c9c86c57708c3837bbe0300c38c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\PdnSetup\PaintDotNet.Framework.dll

Filesize
397KB

MD5
28e38e5795269d3f9a5dcf4c7f697242

SHA1
5bab1bbb4fd066554f238d46d2abfc7f83210f0a

SHA256
71a770fc1c1f517d402f509d49a24431a01ecec718973b8d2a0f5ca4995a7de9

SHA512
6e7f362b3c47cd44e00010fdb065ff729fc9b23265c39508c1140e5e642012f97afd0bdb53a720dfe8320b31a64e9e93a0323a6131bb13c6400b649825e2a7c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\PdnSetup\PaintDotNet.Resources.dll

Filesize
986KB

MD5
b861279d8df142e227fd2b0ff8687937

SHA1
c8d3e01375cd7cd967f62314a8c54bcdbec02c53

SHA256
db45e3b7e361ce9794c1008d34e2980e5f2555a0bc78770bc8dd28f594c7e3f9

SHA512
44dce127677ed5db298c79814827a1bf948a19156a576673e9d0d2f48adfe4aa97d9f5719a810e83d3f422d60ffb3a08a949182f44471bef8df08b0578870a48

Download Submit
C:\Users\Admin\AppData\Local\Temp\PdnSetup\PaintDotNet.Strings.3.KO.resources

Filesize
158KB

MD5
a3d27e1d3ad5ffbfc4010d2e3e1c4ce2

SHA1
2fdfc89a6ab907772b0750a63f0bef4137da6ca1

SHA256
b00231fdf9cff70c03488618354d3f383fb7dc4a9c15c526665664530d793398

SHA512
d5e721e7941ff7a28c5b1e548d769bda104afb672547dacc0f89cfd7f2dc4ab0301daf2362701dd91a999e09950dc154a0513663ce4a1eb8e966c9526d3d2128

Download Submit
C:\Users\Admin\AppData\Local\Temp\PdnSetup\PaintDotNet.Strings.3.resources

Filesize
148KB

MD5
dee7ebb8ad07ac4e2235310d873b0cb7

SHA1
adb33d345fbe509d008b046dcc7b837ee239f58d

SHA256
014683782e81b4d48a55d6583c66ba5ecf4fad9b30acd3d033de2a0382215dff

SHA512
60accde520988e27048e6ada5cd3afa11df172bf4d619f6efbb88e838916c6482d8b3df3fcf6d45112f41f10fa55002305da0b5a0ebb92df13c1891587655c03

Download Submit
C:\Users\Admin\AppData\Local\Temp\PdnSetup\PaintDotNet.SystemLayer.dll

Filesize
587KB

MD5
e6f63db25d665e0c211581312df16797

SHA1
2f48a1be6943625817c06c9b2f7887935bcf2384

SHA256
9c1789a4eee5a7ebcdf9b7d36781cfdda6e64728058fdcd54b5fccb45a7ec827

SHA512
459094186b01b244ae80dee321b7cf59075eeda21db4f989ce71b65031363c3ee2eb2a64da616f7b2c4be5e45654b286e1e7d1122aea338c1bde6e4778422fd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\PdnSetup\PaintDotNet.exe

Filesize
1.9MB

MD5
95e69a189ecfd29573b0546039812cc4

SHA1
fcbdb781ec8f3ae705401bd5cabba6ee0301996d

SHA256
7a26dee46d62fc3cf3e9a736d87391110503b598a3eb9da3b95705b643bf3d60

SHA512
4c3a70dce20f8e7f027dc0ae52230a049f636a0e5e0db9f1a019602838b126678f66322ec6bd3944e4173e13a3aff08ce7b115536010f03f10be7fd7ad5994fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\PdnSetup\PaintDotNet_x64.msi

Filesize
42.1MB

MD5
31eb66f25819d9c80acba3d303e40698

SHA1
16195d7ace6f09041681f2bab2b019efe7512b60

SHA256
9ab5009f9d378785abb19f2e2e5cae5c6605c9309b365bb6e29f9a42e69e1eaf

SHA512
48a3381d666e30c08bd100cd19f1d146ee05c70f4e156582834bdcf429bbb58cca06be89a6efedd91c3567d539b0277cd6d95605578dc2a98ac3c6630bf3244b

Download Submit
C:\Users\Admin\AppData\Local\Temp\PdnSetup\PaintDotNet_x86.msi

Filesize
42.1MB

MD5
350eba85d39c2f5f981bb58e5feaefe1

SHA1
8379eda5a89100a65d84f8c3727538a25c18b3bb

SHA256
b465582fee6edeed44f50d22dc2c59ac5975843333fc0fea16a900e3a5e73cc9

SHA512
f6d814fcc97b329ecaa620e53e13aa9b7217d1e1993e735c73b09b542b8ae16e7ac599021cb4c9660426b0dd0aeb0d1fbc3009bcad09488e6f315c0bb6b9cb59

Download Submit
C:\Users\Admin\AppData\Local\Temp\PdnSetup\SetupFrontEnd.exe

Filesize
87KB

MD5
208fd09a89a4092b4e26a52673c36451

SHA1
d8e202622fd00f8bfa68b218e5cacea357f3b955

SHA256
3172ac0e1876e9ceecdc3b20ee807eb5f50127661e83fcd57df75d5de8e04914

SHA512
dd83ff294b68be5ff1f2718aab580533d719f5e88a36d62c2fbaa4b035446e194196e4500da6b8a70ecad18deb24c763386be55e6340cbe997d726b6f80aa717

Download Submit
C:\Users\Admin\AppData\Local\Temp\PdnSetup\SetupFrontEnd.exe.config

Filesize
1KB

MD5
caea319cc9a0ace3bc4b0148e37f9c73

SHA1
706d6bfe9e69e8e4ff2b1fb74458d8fafadc53e0

SHA256
addd1d295e7f0d28a16cc09ad18acbd52b393e151c994c4bee9d6d6262e42695

SHA512
5429c8b5f46a3ea09b9b1fd770f6f1d6d77c0f6ca62422ef0bf8b8d974059f314bea5a5a31019d908427ad4d5f12458333ed62fdd899e7b7490b14063d699cd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\PdnSetup\SetupShim.exe

Filesize
133KB

MD5
829f3a3164d7e6b1bd72a2412aefd0df

SHA1
2d656d236ea967245cb0b18d48355e4650863612

SHA256
40f630e6f8838fe6070fce2aef769530033d8bd6b8699e9565468a16f0e3f110

SHA512
7ddf8d47e1bb496fc83f865c92ee3f3b1aef7cfc4cacb63307dcdf931a33f700e8f3b2a225ee273412dd074883e3e389e5b94336cae98db0faa1284abbadfea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\PdnSetup\X64\msvcp140_1.dll

Filesize
30KB

MD5
a0b595f95be9cce12bff7ef199f874c4

SHA1
7fc5f91033cd83f11ce03ab2478d9b29036e6535

SHA256
b05f3dfd4e999c3e110219fb59151cbaa322757f4f3ce52b64dddc853e5c105c

SHA512
182a0cc4227afb43228ebe5033977fcfb4c8ebb2f047d2decfab8f33453fd2262e62dd80b2b0f34cded9a8ee784d7449120a000aeb1949642bdf8cc563282b8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\PdnSetup\X64\msvcp140_codecvt_ids.dll

Filesize
26KB

MD5
e42f86965ceb093d95b9c93bd87b179d

SHA1
4184b271261b3eb9c0193e5e6874b8847b18dc22

SHA256
1e56cee876940affe9883aeccee9132280d03fd4282ab6552adf75fbeeed2bac

SHA512
6b355d468fd8214cf50cef7d30a9098c812b60f0215726da937361e0cf2d2b8362ae5bc2b88c5e8dd48298c13b1be1a52d7f68d075c2a8d9c93480354b0e8420

Download Submit
C:\Users\Admin\AppData\Local\Temp\PdnSetup\X64\vcruntime140.dll

Filesize
87KB

MD5
23105a395b807d9335219958b4d0cec1

SHA1
fb60050d82e3bc1be3b10877b9355f5d48e04854

SHA256
61832990e364dca5bfa2c61d930f00acaae6d1aaa3130392403455ae9a1125a5

SHA512
ef91d19e632d0d146fa68d52beb04ffcb9b972079cd9c255f44ea5201637a8b00907ec8e3358c7b5cc37338470e29e43dbaec7ddc0562810b49ab2e8115cc805

Download Submit
C:\Users\Admin\AppData\Local\Temp\PdnSetup\x64\PaintDotNet.SystemLayer.Native.x64.dll

Filesize
1.5MB

MD5
5b47cbd8660e4f41392d06768879d3fb

SHA1
c2b8b6b8b9aaa4ec41d8f3abdc4b0e38c0be6faf

SHA256
1ccd15386f3987d8b89d426918924a8e952b7b7d108cf3575151340b5a6464cb

SHA512
c815eba850c2d732113f1441bfeb30595509ecee415a3d0aca74ca7d16553fd7c20fbf9a81a2bd498428da770b26f674326d8606e7f0cb66291b419e4613a9bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\PdnSetup\x64\msvcp140.dll

Filesize
603KB

MD5
a1d30ef2114e18e26e2bb96555be81bf

SHA1
a5e3e5a5910dd0781caf0a9f58dd7b519de8c927

SHA256
f87819ae8c6f7c90d3237a1abb9809e8cba9dcd0c80ac3f0969a5e68ef652ca4

SHA512
5c5bdae87327b3fb724844087257a0ba0e7ad31c194ab5f632845e8f09633f63982817ca551d1735523b1a65763efa3c2ddc8789b3bf23324d7882456e3aa6f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\PdnSetup\x64\msvcp140_2.dll

Filesize
198KB

MD5
bbcf50b71928edb1c32c969d0533753c

SHA1
faca1db3873d478b17fc6791b94fae651202627a

SHA256
7d5d180c8e41b1964835b2550191e2d9054d8f4beff898ade67b3d5dd25b5101

SHA512
e3890679d21e76a19361cc181eda9323ba31fb1211124e40fa3c9834cb0bfab6f7b3b34cf349ee4d7b3cc10e50813ae728dd01dd254eee098f3971f07679d710

Download Submit
C:\Users\Admin\AppData\Local\Temp\PdnSetup\x64\vcomp140.dll

Filesize
156KB

MD5
5aea86cff3a0fa7625d2bd51fe260568

SHA1
ee1e3ded6d4e9a14a3a2668f8804e3b2bf591c6c

SHA256
bbcb6a4b9d113c46d13762e5687e14d95c599e34da59c3b4c4873b86a6f0653c

SHA512
6d2bb57e82324b7969d4ab1e7f1d4559b08f8407574b4ecd8399f3c950a67eda6d3189774ce95a2ed60c8d81797eb12cd326977f9ad6ca6e7ef4fea5561a8f18

Download Submit
C:\Users\Admin\AppData\Local\Temp\PdnSetup\x64\vcruntime140_1.dll

Filesize
43KB

MD5
9040ed0fdf4ce7558cbffb73d4c17761

SHA1
669c8380959984cc62b05535c18836f815308362

SHA256
6cc4315daceb0522816c60678344466cb452426267f70c7faae925361674e774

SHA512
303143006c781260540e9d0d3739acc33f2d54f884358c7485599dd22b87cce9b81f68d6ad80f0f5bb1798ce54a79677152c1d3600e443e192aecd442ea0a2e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswB066.tmp\System.dll

Filesize
10KB

MD5
56a321bd011112ec5d8a32b2f6fd3231

SHA1
df20e3a35a1636de64df5290ae5e4e7572447f78

SHA256
bb6df93369b498eaa638b0bcdc4bb89f45e9b02ca12d28bcedf4629ea7f5e0f1

SHA512
5354890cbc53ce51081a78c64ba9c4c8c4dc9e01141798c1e916e19c5776dac7c82989fad0f08c73e81aaba332dad81205f90d0663119af45550b97b338b9cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\pdnSetupShim.log

Filesize
592B

MD5
c1212fbe5d0d66b3086f35e3cee5513a

SHA1
b1917ee386e057832ae9439db0e5260dadcffe86

SHA256
16c3fcb05739e3e57652ea396c1c2fc4dcd3316fb6765149f6a98dc183d56942

SHA512
b8f24a4f5e10ed4512affa52e987bb1fb3ba968c3d290231e9c5e1a9dc3879513428e0fcf1566591d3a0d721d6c64f6c1bcc76a854d6dd2055974f647483bbd2

Download Submit
memory/3188-409-0x0000012FD40F0000-0x0000012FD4158000-memory.dmp

Filesize
416KB

Download
memory/3188-434-0x0000012FD2730000-0x0000012FD2731000-memory.dmp

Filesize
4KB

Download
memory/3188-419-0x0000012FED2C0000-0x0000012FED3BC000-memory.dmp

Filesize
1008KB

Download
memory/3188-417-0x0000012FED0D0000-0x0000012FED2BE000-memory.dmp

Filesize
1.9MB

Download
memory/3188-415-0x0000012FECC00000-0x0000012FECC94000-memory.dmp

Filesize
592KB

Download
memory/3188-438-0x0000012FECEE0000-0x0000012FED058000-memory.dmp

Filesize
1.5MB

Download
memory/3188-413-0x0000012FECCF0000-0x0000012FECEDC000-memory.dmp

Filesize
1.9MB

Download
memory/3188-441-0x0000012FD28B0000-0x0000012FD28D0000-memory.dmp

Filesize
128KB

Download
memory/3188-442-0x00007FFB3B210000-0x00007FFB3BCD2000-memory.dmp

Filesize
10.8MB

Download
memory/3188-411-0x0000012FECA20000-0x0000012FECB00000-memory.dmp

Filesize
896KB

Download
memory/3188-445-0x00007FFB3B210000-0x00007FFB3BCD2000-memory.dmp

Filesize
10.8MB

Download
memory/3188-407-0x0000012FD2310000-0x0000012FD232A000-memory.dmp

Filesize
104KB

Download
memory/3188-405-0x00007FFB3B213000-0x00007FFB3B215000-memory.dmp

Filesize
8KB

Download
memory/3188-447-0x00007FFB3B210000-0x00007FFB3BCD2000-memory.dmp

Filesize
10.8MB

Download
memory/3188-449-0x00007FFB3B210000-0x00007FFB3BCD2000-memory.dmp

Filesize
10.8MB

Download