Analysis

  • max time kernel
    90s
  • max time network
    126s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    02-09-2024 04:00

General

  • Target

    PaintDotNet_x64.msi

  • Size

    42.1MB

  • MD5

    31eb66f25819d9c80acba3d303e40698

  • SHA1

    16195d7ace6f09041681f2bab2b019efe7512b60

  • SHA256

    9ab5009f9d378785abb19f2e2e5cae5c6605c9309b365bb6e29f9a42e69e1eaf

  • SHA512

    48a3381d666e30c08bd100cd19f1d146ee05c70f4e156582834bdcf429bbb58cca06be89a6efedd91c3567d539b0277cd6d95605578dc2a98ac3c6630bf3244b

  • SSDEEP

    196608:UuSd3334PMCsfg9cQrAbJAkQMlbVPEAG+kaAG0Uf21d3334AX1aTFnD4YQzLMViw:P/MCsecGPM/jGVJ1mFDD9

Malware Config

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 5 IoCs
  • Loads dropped DLL 2 IoCs
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious use of AdjustPrivilegeToken 51 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\PaintDotNet_x64.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4916
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1352
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3824
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 0B89A98FD4480BB9FBCA5DACFD0C7164
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:1740
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:4100

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence
    • Event Triggered Execution (T1546): 1
    • Installer Packages (T1546.016): 1
  • Privilege Escalation
    • Event Triggered Execution (T1546): 1
    • Installer Packages (T1546.016): 1
  • Defense Evasion
    • System Binary Proxy Execution (T1218): 1
    • Msiexec (T1218.007): 1
  • Discovery
    • Query Registry (T1012): 2
    • Peripheral Device Discovery (T1120): 2
    • System Information Discovery (T1082): 2
    • System Location Discovery (T1614): 1
    • System Language Discovery (T1614.001): 1

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5080DC7A65DB6A5960ECD874088F3328_BC00434159DAE8351451CCE9C748F5D7
    Filesize

    2KB

    MD5

    4527a9e282931651682b8c77546c12fd

    SHA1

    4962fa85079940fa68b0868f0f73863acaefe59f

    SHA256

    0ee93741226ca6cbbc44858debb1b29cb0183845e53e2dd5ff88467ddde87b43

    SHA512

    ab1fd0fdf1de913a5cab17d1d6701f5d748cdc99d653d468c14ba27311d15934e5b08ae77ee29bf0cdb39bd92d19d1fdce814831c845055bfd2e411a0fde1e1f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691
    Filesize

    1KB

    MD5

    211adfa29f48f36728d9f888c33eb562

    SHA1

    2d76c056b5efbdfa1ff8bbf0def095e97304d5ea

    SHA256

    54c562fe1e7ade20685ccb421add65043c63dbb424aa976259abc95f6261bdc9

    SHA512

    5a3f78dfa06c748f03b75c5b68373589ef23e4342f51d4b5aa35c349e1a8a64ee0779b52340584889a858f9c440a7a132278e1f6dc838490972529941ed9d05d

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D2B5168CDD0EBF4C0C8EA1C3A1FAE07F_B3A35C2FC4F12D9008DA0464762D9ED7
    Filesize

    510B

    MD5

    edf6a7396d85ecd1e4e9e8290598a9e7

    SHA1

    fe4d9505c4c98db32f8d75ba437594289100b0bd

    SHA256

    9efd62d9d96c176a9430b31f3cb65b2088b9439a5831659c60360f4bab5520b6

    SHA512

    0d17c21c0ec3731dec341d8d88f92c63a74b9215d3ec4e75d34d924b8262f2954088f15c720818bbb2340bcd8f63eb4ab453eb7e40c0d304404968df07752e5e

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_BC00434159DAE8351451CCE9C748F5D7
    Filesize

    490B

    MD5

    c55c6ffa2edda84919e74ae79205d67b

    SHA1

    32fb5873559a1a7fe8eaab3aff37ba991992d9a3

    SHA256

    29ae3fc3dfbcf708b1aa7db94a8aeae153a7f714de0c1ae2ac8fce5755f77aee

    SHA512

    90f8db6e49b32997af0d3aca5a5f399107bca3ff573878da0bf14551bc4d19d571b05e999004c793eb9c003c129829bd7cb9d09cb2f244bd1b54341e99ff75d0

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691
    Filesize

    486B

    MD5

    c98d477cd554afacf075a74b8ac65bd2

    SHA1

    21147cfd227172013d7bce0ecc9e152cd4642911

    SHA256

    2734f7a3f81f9ee6e6e623832427e2344c0b9b5203f8edd29f1a85e832fb679c

    SHA512

    4d08ebf2e211f432c7d4680d1d81582d747536f45bd190112e1cd9cfc58d006377c9f1f8b25234359d2907150a62458059bfc19b92c8c89a1acb7f1b3504c626

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D2B5168CDD0EBF4C0C8EA1C3A1FAE07F_B3A35C2FC4F12D9008DA0464762D9ED7
    Filesize

    490B

    MD5

    4caa09d190f887bed3ba3896d290ffdb

    SHA1

    16305c2e4dfd568d55f8506d21bdbd5d42e20d72

    SHA256

    441fe584a1f7814e66747b60ab23e4b665a14f9e53d212db29c0a38e6893e86a

    SHA512

    d6caa288ddee8f4d8cd537205fac0bc0663410453f0698785f6a70d3c5d8d23db6b4e9ce76551f24834f134c210ea40fec1580702d7de8237830849caf7f43f4

  • C:\Windows\Installer\MSIAC1E.tmp
    Filesize

    294KB

    MD5

    3dad1eaf900ac0d557048901f39c40ec

    SHA1

    d47fcbc48af53bf2435acaeb5390a89bf0a19e33

    SHA256

    ae90445e7c28c72eace289a334d483daa051e654b8f12a95dd1c7a25287c815b

    SHA512

    7886f624736fafcd45ceae44f5964bf6b5d31f2139f6ac628f6f3dd91eb80c740267aac4b2ecd493064aaf88f69ac8c883159d36a119ce81840919661008aa4c

  • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
    Filesize

    12.8MB

    MD5

    bd8c37b4e51440243ba47ec7a40767e9

    SHA1

    41fdb75aab714756474fe6a0b87c05fd74b5ea3f

    SHA256

    729ef5deb5aa3ae5cce967def919ae770ed6d88e937e50b27417451e809d7141

    SHA512

    0259af6f10cc70d77b14a6326104a20b34ceb7ded5fd6ef52ca5746f468142ecc7cca9d1988eeb5702739b51ef58e2658218af86fa66a67434ca72f18fd4cc75

  • \??\Volume{85315c9a-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{99b97cc0-e770-4ab2-8bf0-08c7f1a74441}_OnDiskSnapshotProp
    Filesize

    6KB

    MD5

    4a58d0a269ae060b2ccf4fb81c7f9eb2

    SHA1

    63149b3e240642054c6df2489c6b6f20b5390618

    SHA256

    7816e9c48054bb77d0c33264aa2625b4773bf4a4741d1a9b6667768c48ccd7f1

    SHA512

    fa174b798e82523adbd800f0fb8ed9bec448b43e98dbb53fc0f7c2e5ec815352cc9aacaab2d70c7df24e9b07ec64076d1cc8b4e4042ab0efd522e9c01b903387