Analysis
- max time kernel: 120s
- max time network: 124s
- platform: windows10_x64
- resource: win10-en-20211104
- submitted: 03-12-2021 00:31
Static task: static1
Behavioral task: behavioral1
  Sample: 9e7838d0ec3add8fde66e4fee5d19b41.exe
  Resource: win7-en-20211014
General
- Target: 9e7838d0ec3add8fde66e4fee5d19b41.exe
- Size: 2.7MB
- MD5: 9e7838d0ec3add8fde66e4fee5d19b41
- SHA1: e37263969a2b47bf21afb51a4b6c23d95de61eed
- SHA256: 41159a4fa73969a811b4490345ca4a7d1cb0fa7ccca12f14d67cf7a74b05e147
- SHA512: 77970c54dd5601227b66710503c7367a6cd15fcf6502ac316d0fd8c0dba1182b1890c04de93b969e76b80d03f7c7ffbb16873e28f2bd5b44945949983389980a
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
  (no IoC rows recorded for this signature)
- Executes dropped EXE 1 IoCs
  Processes:
    pid   process
    4036  DpEditor.exe
- Checks BIOS information in registry 2 TTPs 4 IoCs
  These values hold the system and video BIOS vendor/version strings. On a virtual machine they are the hypervisor's defaults (VirtualBox, VMware and QEMU/Bochs all ship recognisable ones), so a sample that reads them is fingerprinting its environment before deciding whether to run. Both the original process and the dropped copy perform the check.
  Processes:
    description        ioc                                                               process
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   9e7838d0ec3add8fde66e4fee5d19b41.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    9e7838d0ec3add8fde66e4fee5d19b41.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   DpEditor.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    DpEditor.exe
- Themida packer 10 IoCs
  The YARA rule themida matches the main image of both processes and the dropped file. The matched region is 7.0MB in memory against 2.7MB on disk, which is consistent with a protected image unpacking in place; static analysis of the file will not show the real code.
  Processes:
    resource                                                                        yara_rule
    behavioral2/memory/3624-118-0x00000000010C0000-0x00000000017B8000-memory.dmp    themida
    behavioral2/memory/3624-119-0x00000000010C0000-0x00000000017B8000-memory.dmp    themida
    behavioral2/memory/3624-121-0x00000000010C0000-0x00000000017B8000-memory.dmp    themida
    behavioral2/memory/3624-122-0x00000000010C0000-0x00000000017B8000-memory.dmp    themida
    C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe                themida
    C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe                themida
    behavioral2/memory/4036-127-0x00000000013C0000-0x0000000001AB8000-memory.dmp    themida
    behavioral2/memory/4036-128-0x00000000013C0000-0x0000000001AB8000-memory.dmp    themida
    behavioral2/memory/4036-129-0x00000000013C0000-0x0000000001AB8000-memory.dmp    themida
    behavioral2/memory/4036-130-0x00000000013C0000-0x0000000001AB8000-memory.dmp    themida
- Checks whether UAC is enabled 2 IoCs
  EnableLUA is the policy value that turns UAC on or off; reading it tells the sample whether an elevation prompt stands between it and administrative rights.
  Processes:
    description        ioc                                                                                  process
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  9e7838d0ec3add8fde66e4fee5d19b41.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  DpEditor.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  Processes:
    pid   process
    3624  9e7838d0ec3add8fde66e4fee5d19b41.exe
    4036  DpEditor.exe
- Suspicious behavior: AddClipboardFormatListener 1 IoCs
  Processes:
    pid   process
    4036  DpEditor.exe
- Suspicious behavior: EnumeratesProcesses 4 IoCs
  Processes:
    pid   process
    3624  9e7838d0ec3add8fde66e4fee5d19b41.exe
    3624  9e7838d0ec3add8fde66e4fee5d19b41.exe
    4036  DpEditor.exe
    4036  DpEditor.exe
- Suspicious use of WriteProcessMemory 3 IoCs
  All three writes target the dropped copy that the parent itself launched (PID 4036), not an unrelated process.
  Processes:
    description                        pid   process                               target process
    PID 3624 wrote to memory of 4036   3624  9e7838d0ec3add8fde66e4fee5d19b41.exe  DpEditor.exe
    PID 3624 wrote to memory of 4036   3624  9e7838d0ec3add8fde66e4fee5d19b41.exe  DpEditor.exe
    PID 3624 wrote to memory of 4036   3624  9e7838d0ec3add8fde66e4fee5d19b41.exe  DpEditor.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\9e7838d0ec3add8fde66e4fee5d19b41.exe  (PID 3624)
  Command line: "C:\Users\Admin\AppData\Local\Temp\9e7838d0ec3add8fde66e4fee5d19b41.exe"
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe  (PID 4036, child of 3624)
    Command line: "C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
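The signatures and process tree above read naturally as a set of correlations, so here they are as a small triage script. This is an added example written for this page; it is not Tria.ge code and not anything recovered from the sample. It replays the report's IoCs as hand-constructed event records (the event schema, kind / pid / value and so on, is an assumption made for the example and not any sandbox's real export format), correlates the registry reads and the HideFromDebugger calls per PID, confirms by hash that the dropped EXE is a self-copy, ties the WriteProcessMemory calls to the child the parent launched, and recomputes the memory-dump sizes from the region boundaries in the dump names so they can be checked against the Filesize column.

```python
"""Triage of the signatures above as code.

Added example for this page, not Tria.ge code and not part of the sample's
analysis. EVENTS is constructed by hand from the report's IoC tables; the
event schema (kind / pid / value / ...) is an assumption for the example,
not any sandbox's real export format.
"""
import re
from collections import defaultdict

SAMPLE_SHA256 = "41159a4fa73969a811b4490345ca4a7d1cb0fa7ccca12f14d67cf7a74b05e147"
DROPPED = r"C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"
HW = r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System"
POL = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Registry values a drawing editor has no reason to read, and what reading
# them tells the malware.
SUSPICIOUS_VALUES = {
    HW + r"\SystemBiosVersion": "VM/sandbox fingerprint (system BIOS string)",
    HW + r"\VideoBiosVersion": "VM/sandbox fingerprint (video BIOS string)",
    POL + r"\EnableLUA": "UAC state (decides how privilege is escalated)",
}

EVENTS = [  # constructed from the report's IoC tables
    {"kind": "regquery", "pid": 3624, "value": HW + r"\SystemBiosVersion"},
    {"kind": "regquery", "pid": 3624, "value": HW + r"\VideoBiosVersion"},
    {"kind": "regquery", "pid": 3624, "value": POL + r"\EnableLUA"},
    {"kind": "hide_from_debugger", "pid": 3624},
    {"kind": "drop", "pid": 3624, "path": DROPPED, "sha256": SAMPLE_SHA256},
    {"kind": "exec", "pid": 4036, "ppid": 3624, "image": DROPPED},
    {"kind": "hide_from_debugger", "pid": 4036},
    {"kind": "regquery", "pid": 4036, "value": HW + r"\SystemBiosVersion"},
    {"kind": "regquery", "pid": 4036, "value": HW + r"\VideoBiosVersion"},
    {"kind": "regquery", "pid": 4036, "value": POL + r"\EnableLUA"},
] + [{"kind": "wpm", "pid": 3624, "target": 4036}] * 3


def anti_analysis_by_pid(events):
    """pid -> sorted list of anti-analysis indicators seen for that process."""
    found = defaultdict(set)
    for e in events:
        if e["kind"] == "regquery" and e["value"] in SUSPICIOUS_VALUES:
            found[e["pid"]].add(SUSPICIOUS_VALUES[e["value"]])
        elif e["kind"] == "hide_from_debugger":
            found[e["pid"]].add("ThreadHideFromDebugger set (anti-debug)")
    return {pid: sorted(v) for pid, v in found.items()}


def self_copies(events, sample_sha256):
    """Dropped files that hash to the submitted sample: the 'dropped EXE' is
    the sample relocated, not a second-stage payload."""
    return [e["path"] for e in events
            if e["kind"] == "drop" and e["sha256"] == sample_sha256]


def writes_into_own_children(events):
    """[(parent, child, writes)] for WriteProcessMemory aimed at a process
    the writer itself launched, as opposed to injection into a foreign one."""
    children = {(e["ppid"], e["pid"]) for e in events if e["kind"] == "exec"}
    counts = defaultdict(int)
    for e in events:
        if e["kind"] == "wpm" and (e["pid"], e["target"]) in children:
            counts[(e["pid"], e["target"])] += 1
    return [(p, c, n) for (p, c), n in sorted(counts.items())]


DUMP_RE = re.compile(
    r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")


def region_size_bytes(dump_name):
    """Byte length of a dumped region, taken from the start/end in its name."""
    m = DUMP_RE.fullmatch(dump_name)
    if m is None:
        raise ValueError("not a memory-region dump name: %s" % dump_name)
    return int(m.group(3), 16) - int(m.group(2), 16)


def region_size_mb(dump_name):
    """Same, rounded the way the report's Filesize column prints it."""
    return round(region_size_bytes(dump_name) / 2**20, 1)


def inflation_ratio(dump_name, file_size_bytes):
    """In-memory image size over on-disk size. Well above 1 next to a Themida
    YARA hit is consistent with a protected image that unpacks in place."""
    return region_size_bytes(dump_name) / file_size_bytes


if __name__ == "__main__":
    main_image = "memory/3624-118-0x00000000010C0000-0x00000000017B8000-memory.dmp"
    print(anti_analysis_by_pid(EVENTS))
    print(self_copies(EVENTS, SAMPLE_SHA256))
    print(writes_into_own_children(EVENTS))
    print(region_size_mb(main_image), "MB;",
          "%.1fx the 2.7MB file" % inflation_ratio(main_image, int(2.7 * 2**20)))
```

The per-PID view is the useful one: both processes show the same four indicators, which together with the identical hashes says the second process is the same code re-run from its persistence location, not a distinct stage. The mapping dump (`4036-123-0x0000000000000000-mapping.dmp`) carries no region bounds and is deliberately rejected by `region_size_bytes`.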
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
  MD5: 9e7838d0ec3add8fde66e4fee5d19b41
  SHA1: e37263969a2b47bf21afb51a4b6c23d95de61eed
  SHA256: 41159a4fa73969a811b4490345ca4a7d1cb0fa7ccca12f14d67cf7a74b05e147
  SHA512: 77970c54dd5601227b66710503c7367a6cd15fcf6502ac316d0fd8c0dba1182b1890c04de93b969e76b80d03f7c7ffbb16873e28f2bd5b44945949983389980a
  Every hash matches the submitted sample: the "dropped EXE" is a byte-identical copy of the sample written to a per-user directory named after a legitimate product (NCH Software DrawPad) and executed from there.
- Memory dumps
  resource                                                            Filesize
  memory/3624-118-0x00000000010C0000-0x00000000017B8000-memory.dmp    7.0MB
  memory/3624-119-0x00000000010C0000-0x00000000017B8000-memory.dmp    7.0MB
  memory/3624-120-0x00000000778E0000-0x0000000077A6E000-memory.dmp    1.6MB
  memory/3624-121-0x00000000010C0000-0x00000000017B8000-memory.dmp    7.0MB
  memory/3624-122-0x00000000010C0000-0x00000000017B8000-memory.dmp    7.0MB
  memory/4036-123-0x0000000000000000-mapping.dmp                      (mapping, no size)
  memory/4036-126-0x00000000778E0000-0x0000000077A6E000-memory.dmp    1.6MB
  memory/4036-127-0x00000000013C0000-0x0000000001AB8000-memory.dmp    7.0MB
  memory/4036-128-0x00000000013C0000-0x0000000001AB8000-memory.dmp    7.0MB
  memory/4036-129-0x00000000013C0000-0x0000000001AB8000-memory.dmp    7.0MB
  memory/4036-130-0x00000000013C0000-0x0000000001AB8000-memory.dmp    7.0MB
  The 7.0MB regions (0x6F8000 bytes) are the main image of each process, dumped repeatedly as it unpacked; these are the regions the Themida rule hit. The 1.6MB region at 0x778E0000 appears at the same address and size in both processes, which is consistent with a system DLL mapped at a shared address rather than sample code, so it is the less interesting dump to start from.