8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-10-2024 01:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
Size

15.3MB
MD5

9240aca1f525f6e95cda49f229c524a9
SHA1

2e8c54593b569fe814e1832b9178458a1a29502b
SHA256

8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d
SHA512

235c9e34a23f494de891d2aee96aec631990ef6bef810e3ef0e7aa45cb67f575451bf052d465dd61293193728bec43084d94a03ab1cf0abf1c1025ce23e3a334
SSDEEP

393216:1ZNVjchuWAR4qmA0ME5py3stm+VtSLuosYc4/sOG5PE:XNVjchuWARCVdA3sto6oT/sOG9E

Score

7^/10

bootkit discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1108	EasePaint.exe

Loads dropped DLL 16 IoCs

pid	Process
2344	MsiExec.exe
2344	MsiExec.exe
2344	MsiExec.exe
2344	MsiExec.exe
2604	MsiExec.exe
2604	MsiExec.exe
2604	MsiExec.exe
2604	MsiExec.exe
2604	MsiExec.exe
2604	MsiExec.exe
2604	MsiExec.exe
1108	EasePaint.exe
1108	EasePaint.exe
1108	EasePaint.exe
1108	EasePaint.exe
1108	EasePaint.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
File opened (read-only)	\??\E:	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
File opened (read-only)	\??\W:	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\L:	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
File opened (read-only)	\??\S:	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
File opened (read-only)	\??\X:	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Z:	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
File opened (read-only)	\??\U:	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
File opened (read-only)	\??\W:	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
File opened (read-only)	\??\O:	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
File opened (read-only)	\??\U:	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
File opened (read-only)	\??\K:	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
File opened (read-only)	\??\V:	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\M:	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
File opened (read-only)	\??\N:	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
File opened (read-only)	\??\R:	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
File opened (read-only)	\??\R:	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
File opened (read-only)	\??\M:	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
File opened (read-only)	\??\P:	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
File opened (read-only)	\??\Y:	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
File opened (read-only)	\??\Z:	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\J:	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
File opened (read-only)	\??\K:	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\I:	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
File opened (read-only)	\??\Y:	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
File opened (read-only)	\??\P:	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
File opened (read-only)	\??\S:	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
File opened (read-only)	\??\H:	msiexec.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	EasePaint.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSICCCC.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{94275635-E0AE-4349-A33D-518E4EB578B6}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID1FD.tmp	msiexec.exe
File created	C:\Windows\Installer\e57cb3f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57cb3f.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICBAC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICC8B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICCAB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICBEC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICC5A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICC6B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4512	1108	WerFault.exe	88

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EasePaint.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4388	msiexec.exe
4388	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	4388	msiexec.exe
Token: SeCreateTokenPrivilege	3108	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
Token: SeAssignPrimaryTokenPrivilege	3108	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
Token: SeLockMemoryPrivilege	3108	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
Token: SeIncreaseQuotaPrivilege	3108	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
Token: SeMachineAccountPrivilege	3108	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
Token: SeTcbPrivilege	3108	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
Token: SeSecurityPrivilege	3108	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
Token: SeTakeOwnershipPrivilege	3108	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
Token: SeLoadDriverPrivilege	3108	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
Token: SeSystemProfilePrivilege	3108	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
Token: SeSystemtimePrivilege	3108	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
Token: SeProfSingleProcessPrivilege	3108	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
Token: SeIncBasePriorityPrivilege	3108	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
Token: SeCreatePagefilePrivilege	3108	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
Token: SeCreatePermanentPrivilege	3108	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
Token: SeBackupPrivilege	3108	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
Token: SeRestorePrivilege	3108	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
Token: SeShutdownPrivilege	3108	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
Token: SeDebugPrivilege	3108	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
Token: SeAuditPrivilege	3108	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
Token: SeSystemEnvironmentPrivilege	3108	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
Token: SeChangeNotifyPrivilege	3108	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
Token: SeRemoteShutdownPrivilege	3108	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
Token: SeUndockPrivilege	3108	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
Token: SeSyncAgentPrivilege	3108	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
Token: SeEnableDelegationPrivilege	3108	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
Token: SeManageVolumePrivilege	3108	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
Token: SeImpersonatePrivilege	3108	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
Token: SeCreateGlobalPrivilege	3108	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
Token: SeCreateTokenPrivilege	3108	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
Token: SeAssignPrimaryTokenPrivilege	3108	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
Token: SeLockMemoryPrivilege	3108	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
Token: SeIncreaseQuotaPrivilege	3108	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
Token: SeMachineAccountPrivilege	3108	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
Token: SeTcbPrivilege	3108	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
Token: SeSecurityPrivilege	3108	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
Token: SeTakeOwnershipPrivilege	3108	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
Token: SeLoadDriverPrivilege	3108	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
Token: SeSystemProfilePrivilege	3108	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
Token: SeSystemtimePrivilege	3108	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
Token: SeProfSingleProcessPrivilege	3108	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
Token: SeIncBasePriorityPrivilege	3108	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
Token: SeCreatePagefilePrivilege	3108	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
Token: SeCreatePermanentPrivilege	3108	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
Token: SeBackupPrivilege	3108	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
Token: SeRestorePrivilege	3108	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
Token: SeShutdownPrivilege	3108	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
Token: SeDebugPrivilege	3108	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
Token: SeAuditPrivilege	3108	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
Token: SeSystemEnvironmentPrivilege	3108	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
Token: SeChangeNotifyPrivilege	3108	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
Token: SeRemoteShutdownPrivilege	3108	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
Token: SeUndockPrivilege	3108	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
Token: SeSyncAgentPrivilege	3108	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
Token: SeEnableDelegationPrivilege	3108	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
Token: SeManageVolumePrivilege	3108	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
Token: SeImpersonatePrivilege	3108	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
Token: SeCreateGlobalPrivilege	3108	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
Token: SeCreateTokenPrivilege	3108	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
Token: SeAssignPrimaryTokenPrivilege	3108	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
Token: SeLockMemoryPrivilege	3108	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
Token: SeIncreaseQuotaPrivilege	3108	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
Token: SeMachineAccountPrivilege	3108	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2676	msiexec.exe
2676	msiexec.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4388 wrote to memory of 2344	4388	msiexec.exe	84
PID 4388 wrote to memory of 2344	4388	msiexec.exe	84
PID 4388 wrote to memory of 2344	4388	msiexec.exe	84
PID 3108 wrote to memory of 1268	3108	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe	85
PID 3108 wrote to memory of 1268	3108	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe	85
PID 3108 wrote to memory of 1268	3108	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe	85
PID 1268 wrote to memory of 2676	1268	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe	86
PID 1268 wrote to memory of 2676	1268	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe	86
PID 1268 wrote to memory of 2676	1268	8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe	86
PID 4388 wrote to memory of 2604	4388	msiexec.exe	87
PID 4388 wrote to memory of 2604	4388	msiexec.exe	87
PID 4388 wrote to memory of 2604	4388	msiexec.exe	87
PID 4388 wrote to memory of 1108	4388	msiexec.exe	88
PID 4388 wrote to memory of 1108	4388	msiexec.exe	88
PID 4388 wrote to memory of 1108	4388	msiexec.exe	88

C:\Users\Admin\AppData\Local\Temp\8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
"C:\Users\Admin\AppData\Local\Temp\8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe"
1⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3108
- C:\Users\Admin\AppData\Local\Temp\8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe
  C:\Users\Admin\AppData\Local\Temp\8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe /i "C:\Users\Admin\AppData\Roaming\Xiamen Baishengtong Software Technology Co. Ltd\Ease Paint Solutions 2.2.0.0\install\EB578B6\adv.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ "EXE_CMD_LINE=/exenoupdates /forcecleanup /wintime 1727591659 " CLIENTPROCESSID=3108 CHAINERUIPROCESSID=3108Chainer
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1268
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Xiamen Baishengtong Software Technology Co. Ltd\Ease Paint Solutions 2.2.0.0\install\EB578B6\adv.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1727591659 " CLIENTPROCESSID=3108 CHAINERUIPROCESSID=3108Chainer AI_EUIMSI=""
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    PID:2676

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4388
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 00EE11F9CADE4EAD00DE0AAC4E865678 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2344
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 5A9C1916029AB606951218BDF1B19058
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2604
- C:\Users\Admin\AppData\Local\Xiamen Baishengtong Software Technology Co. Ltd\Ease Paint Solutions\EasePaint.exe
  "C:\Users\Admin\AppData\Local\Xiamen Baishengtong Software Technology Co. Ltd\Ease Paint Solutions\EasePaint.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  PID:1108
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 680
    3⤵
    - Program crash
    PID:4512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1108 -ip 1108
1⤵
PID:4472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57cb42.rbs

Filesize
3KB

MD5
dcd4a34eb46146fb04d3ec03b86d3e6e

SHA1
290d334c3f6c7c9b0d25ea08eb2611433516ffb8

SHA256
55ac8a8c643edea1cd87d8b6cad3a07fa38165f391466781d0e7b1316ebedd45

SHA512
8ab121e78d362912c6d84af49fe7bd59ba4307c670d2a426e81bcd38445f465e6ac6366e9ae7122369f8b19498f0e1edec0e9e3688d95b0ea94b0183f6a66248

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIC6FA.tmp

Filesize
904KB

MD5
421643ee7bb89e6df092bc4b18a40ff8

SHA1
e801582a6dd358060a699c9c5cde31cd07ee49ab

SHA256
d6b89fd5a95071e7b144d8bedcb09b694e9cd14bfbfafb782b17cf8413eac6da

SHA512
d59c4ec7690e535da84f94bef2be7f94d6bfd0b2908fa9a67d0897abe8a2825fd52354c495ea1a7f133f727c2ee356869cc80bacf5557864d535a72d8c396023

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIC874.tmp

Filesize
1.1MB

MD5
e612b2f3c68a7d5c34592c88778766b2

SHA1
e18329c9f763f923682408032b7b35a4e62fdf81

SHA256
403869ed494bcbc3e535b492f2ebfad95748049e203ff7c31ac1afb38d8909ed

SHA512
753c8d4600595c0b83f1a5bca9da637d56d7778ffd74a90942ee243e6b998c113e372b35cde4aa90b4a11152176812e354a6c0761b169243ecf5d3a9c793b543

Download Submit
C:\Users\Admin\AppData\Local\Temp\shiCA35.tmp

Filesize
4.8MB

MD5
77d6c08c6448071b47f02b41fa18ed37

SHA1
e7fdb62abdb6d4131c00398f92bc72a3b9b34668

SHA256
047e2df9ccf0ce298508ee7f0db0abcb2ff9cff9916b6e8a1fbd806b7a9d064b

SHA512
e1aeb8e8b441d755a119f45a465ca5660678f4131984322252bfb6d2cec52e7ee54d65a64b98429b23915eb5707b04b5cd62a85446c60de8842314130a926dbd

Download Submit
C:\Users\Admin\AppData\Roaming\Xiamen Baishengtong Software Technology Co. Ltd\Ease Paint Solutions 2.2.0.0\install\EB578B6\EasePaint.exe

Filesize
2.3MB

MD5
95d5fac09d8df14a4890fb72e6ba046e

SHA1
c04bd301260b8229e2929ad21b1a2eb5dcaade5c

SHA256
6e2de2230a751ec89bb757595c466b846b5ac6efb8f17c67e5af78c98b60b798

SHA512
2d2414a67facb92e0317b67cec12413db7d46d08de490ca21aca897cab6f7e17dc26ed758a394d741fa5885f0092f7924e36ab5b130f6482b4154c0c7f71fdc4

Download Submit
C:\Users\Admin\AppData\Roaming\Xiamen Baishengtong Software Technology Co. Ltd\Ease Paint Solutions 2.2.0.0\install\EB578B6\FilesystemDialogsCOM.dll

Filesize
1.0MB

MD5
b3d2f2c1b613083271e85148e8c0df5b

SHA1
77d24cef6c2b2118dcade8e6e5145599ba96f9cf

SHA256
bb841e22ff485ea6f79808a554baa8fb13f8971a4549f09bc6665efa19115f37

SHA512
d0ca04a63fe75f2faddb3e4aaeb7969a817157568112af2f152aa88bbc99ec5607f76b75ce4b4104a1cd1fd5a8a3cf8240031db427d83bdbc993ae88f99815a9

Download Submit
C:\Users\Admin\AppData\Roaming\Xiamen Baishengtong Software Technology Co. Ltd\Ease Paint Solutions 2.2.0.0\install\EB578B6\NTFSSecSuiteSupport.dll

Filesize
1.3MB

MD5
8c4a6fb92591c4cf3cfb533e596a70e1

SHA1
520fcbdaef0758a63778991c1b61cfc84e114129

SHA256
c4842e933afdd6564203ad0233c66977191491d6ad157f3abf7912fe0ed098f1

SHA512
2f33b68814e5fb01c3096126a1b34af233c2809496474799b1334e77e12ec345e75909ad145d25f98dd13085461b6966edd798b672ad07ca859a6d754bd97b52

Download Submit
C:\Users\Admin\AppData\Roaming\Xiamen Baishengtong Software Technology Co. Ltd\Ease Paint Solutions 2.2.0.0\install\EB578B6\Patch.db

Filesize
5.5MB

MD5
72a339407ed3bf90b30d376aafe133c0

SHA1
9c76926f2537130ce78c511402542ecd7674c179

SHA256
409d0cff7bd83cdfad50af1eed3e73d49fe086a4ed4e5145e8df6ee900287f45

SHA512
2262a8e7bfc2958a55801a97b4c14b63af3808a0edec8b4bb4f8553a2d58225bf8574a20610bd664e887565c5b73ea2d8cdb388fa81a6854e543028df37338e8

Download Submit
C:\Users\Admin\AppData\Roaming\Xiamen Baishengtong Software Technology Co. Ltd\Ease Paint Solutions 2.2.0.0\install\EB578B6\Updates\Pricing.wav

Filesize
3.1MB

MD5
fbf440a7ec6cd8461cf157c2b806ca96

SHA1
34a724a22c8068ba5a8623aa53db5fb78d6a8818

SHA256
07501ab76061b9bf07f33107b979545188e4109cad2a36b1827a72f0816dd416

SHA512
1b745482d630911fd865ce1c680547bfa1db2b186e8e6fed29a6ea29032bc3b9bc3fa4a53a18d4abc89d7650a49f66179851526f726378be596011e62b81a18f

Download Submit
C:\Users\Admin\AppData\Roaming\Xiamen Baishengtong Software Technology Co. Ltd\Ease Paint Solutions 2.2.0.0\install\EB578B6\adv.msi

Filesize
3.2MB

MD5
d52c61e64e634a68f843764e434a0b90

SHA1
a634063b053b3027cf6a501c6cfc407532a7f480

SHA256
2f0573d8ba3795907e2789d90fc2deccb97538f580524c1442a87a0cf76374ad

SHA512
7b7cdc88def71da54202b3e0a3cff6a063ea3d51fa83e07910dc2cdf92b3647913febe16aa6da29012485e15fa9e6ce0360e136e8918d9ed8943ca577b5eb7de

Download Submit
C:\Users\Admin\AppData\Roaming\Xiamen Baishengtong Software Technology Co. Ltd\Ease Paint Solutions 2.2.0.0\install\EB578B6\libcurl.dll

Filesize
471KB

MD5
457dc112a88076c71724dc22a3f4d90f

SHA1
7d69fd4f50b3b50b4954b1c5fcc2fd40ceccccaa

SHA256
b2204979fdcfbede97ac011416d65685edf4bf8c4f93345d249fda5a45027553

SHA512
d30abe00d5c4cd488651aeb835f207bea05a13e0c44fd51c506a337241967a59daa7c8658c1df0b07ec4e028ce4c3d7207754b2072af3cfc48bb887046c4d3eb

Download Submit
C:\Users\Admin\AppData\Roaming\Xiamen Baishengtong Software Technology Co. Ltd\Ease Paint Solutions 2.2.0.0\install\EB578B6\update2.dll

Filesize
5.2MB

MD5
f70248b277670a991bbe4332ea9f660a

SHA1
dec54ac94560f091c3b4f09bd582cf4042ccb7ab

SHA256
7363d5bb29384e79a98b385b7e515116f8833e9942abdb08c51f7f4a6a2c1c1a

SHA512
1fd8ded29df31fc88f63012f6664742148313f4296981544eb70e2f19937c728729a0093a993af1263448d1bf8ce39a32be4bdddae03701cc0a2a15fb2de205d

Download Submit
C:\Users\Admin\AppData\Roaming\Xiamen Baishengtong Software Technology Co. Ltd\Ease Paint Solutions 2.2.0.0\install\EB578B6\ycomuiu.dll

Filesize
2.9MB

MD5
6f51d7ba61e94a929c55f687d8ac4350

SHA1
c26a486c56f18bb467a7fdce4e63f3357c593f52

SHA256
fdc3c749eb7f8436675f93ca51e409aa8824b0d9232d1fd4d2514563493e40e9

SHA512
dc47a863fa1727d855068461059726ac8715de760ba9306dc44260f3aea41b01e470e49264dd3a8f8e73a493c547f17f18560e3ab92122131c6b6f8cee4b7eb4

Download Submit
C:\Windows\Installer\MSICCCC.tmp

Filesize
877KB

MD5
a67acb81551a030e01cda17fa4732580

SHA1
9f6b54919ee967fddf20e74714049b8c13640083

SHA256
107fd7ee1eaf17c27b4ed25990acace2cb51f8d39f4dfc8ef5a3df03d02e1d34

SHA512
30cc0870797220e23af40d5f50a9ce823c1120fba821ff15e057587c2a91c7247058e9a8479088047b9dc908c5176793e6f3ccd066da30bd80e1179649b2f346

Download Submit
memory/1108-122-0x0000000071740000-0x0000000071852000-memory.dmp

Filesize
1.1MB

Download
memory/1108-126-0x0000000006210000-0x0000000006369000-memory.dmp

Filesize
1.3MB

Download
memory/1108-131-0x0000000071740000-0x0000000071852000-memory.dmp

Filesize
1.1MB

Download