Analysis
-
max time kernel
120s -
max time network
124s -
platform
windows10_x64 -
resource
win10-en-20211104 -
submitted
03-12-2021 00:31
General
-
Target
9e7838d0ec3add8fde66e4fee5d19b41.exe
-
Size
2.7MB
-
MD5
9e7838d0ec3add8fde66e4fee5d19b41
-
SHA1
e37263969a2b47bf21afb51a4b6c23d95de61eed
-
SHA256
41159a4fa73969a811b4490345ca4a7d1cb0fa7ccca12f14d67cf7a74b05e147
-
SHA512
77970c54dd5601227b66710503c7367a6cd15fcf6502ac316d0fd8c0dba1182b1890c04de93b969e76b80d03f7c7ffbb16873e28f2bd5b44945949983389980a
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Executes dropped EXE 1 IoCs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Themida packer 10 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\9e7838d0ec3add8fde66e4fee5d19b41.exe"C:\Users\Admin\AppData\Local\Temp\9e7838d0ec3add8fde66e4fee5d19b41.exe"1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exeMD5
9e7838d0ec3add8fde66e4fee5d19b41
SHA1e37263969a2b47bf21afb51a4b6c23d95de61eed
SHA25641159a4fa73969a811b4490345ca4a7d1cb0fa7ccca12f14d67cf7a74b05e147
SHA51277970c54dd5601227b66710503c7367a6cd15fcf6502ac316d0fd8c0dba1182b1890c04de93b969e76b80d03f7c7ffbb16873e28f2bd5b44945949983389980a
-
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exeMD5
9e7838d0ec3add8fde66e4fee5d19b41
SHA1e37263969a2b47bf21afb51a4b6c23d95de61eed
SHA25641159a4fa73969a811b4490345ca4a7d1cb0fa7ccca12f14d67cf7a74b05e147
SHA51277970c54dd5601227b66710503c7367a6cd15fcf6502ac316d0fd8c0dba1182b1890c04de93b969e76b80d03f7c7ffbb16873e28f2bd5b44945949983389980a
-
memory/3624-121-0x00000000010C0000-0x00000000017B8000-memory.dmpFilesize
7.0MB
-
memory/3624-118-0x00000000010C0000-0x00000000017B8000-memory.dmpFilesize
7.0MB
-
memory/3624-122-0x00000000010C0000-0x00000000017B8000-memory.dmpFilesize
7.0MB
-
memory/3624-120-0x00000000778E0000-0x0000000077A6E000-memory.dmpFilesize
1.6MB
-
memory/3624-119-0x00000000010C0000-0x00000000017B8000-memory.dmpFilesize
7.0MB
-
memory/4036-123-0x0000000000000000-mapping.dmp
-
memory/4036-127-0x00000000013C0000-0x0000000001AB8000-memory.dmpFilesize
7.0MB
-
memory/4036-126-0x00000000778E0000-0x0000000077A6E000-memory.dmpFilesize
1.6MB
-
memory/4036-128-0x00000000013C0000-0x0000000001AB8000-memory.dmpFilesize
7.0MB
-
memory/4036-129-0x00000000013C0000-0x0000000001AB8000-memory.dmpFilesize
7.0MB
-
memory/4036-130-0x00000000013C0000-0x0000000001AB8000-memory.dmpFilesize
7.0MB