Analysis
-
max time kernel
118s -
max time network
146s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
03-12-2021 17:30
General
-
Target
a486e98ea8d025f3510f79b22f56e344f18c29a64a21b15cd1b3caa2721bf554.exe
-
Size
5.4MB
-
MD5
6313fcca4988a89b15e1e68b7c9ee96e
-
SHA1
a53ce6d8455d9f0cea51c0863425532f96d3250d
-
SHA256
a486e98ea8d025f3510f79b22f56e344f18c29a64a21b15cd1b3caa2721bf554
-
SHA512
c13536c79b25b0b048fa255f7dffccb10b1d4c9515c303095d1787021fc51c37464dadddaf30f5c6d01859316447ff874e114a8025e4389237cf704dcb616398
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Blocklisted process makes network request 1 IoCs
-
Executes dropped EXE 3 IoCs
-
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL 1 IoCs
-
Themida packer 18 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled 1 TTPs 3 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a486e98ea8d025f3510f79b22f56e344f18c29a64a21b15cd1b3caa2721bf554.exe"C:\Users\Admin\AppData\Local\Temp\a486e98ea8d025f3510f79b22f56e344f18c29a64a21b15cd1b3caa2721bf554.exe"1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\shovel\orchic.exe"C:\Users\Admin\AppData\Local\Temp\shovel\orchic.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\shovel\quothavp.exe"C:\Users\Admin\AppData\Local\Temp\shovel\quothavp.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\wbknjiwxk.vbs"3⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dgawkeqh.vbs"3⤵
- Blocklisted process makes network request
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751MD5
54e9306f95f32e50ccd58af19753d929
SHA1eab9457321f34d4dcf7d4a0ac83edc9131bf7c57
SHA25645f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72
SHA5128711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751MD5
f0372e420e6d21d3620c211b2d2c5d56
SHA15c1465d45edaffcd012a45a70cfd01330c057a7a
SHA2560d5938975936f8247c9f19e821ea16fb459bbfd52fc70345ef09d34303baf284
SHA512c3028a89ec2f1c0425385757705ba7a6fbbb8fe4a4762afe7240e95e098ee5ca88e36beeb847c58eb54e92ffc43d6a9c5ebfebfdf4cfe41986801f36a648dec9
-
C:\Users\Admin\AppData\Local\Temp\dgawkeqh.vbsMD5
39d1eab75da77fc2dc0d1cc6558f6c08
SHA1afe1594554d4da1a43b3c5c464b94d426fdaa4be
SHA2563f2a8a88e91b158edfe1df12149b654fc6e38092835521d5533eeb88c1c1b4b6
SHA512c0e8349bccabb58d5c49ac8ccc321acff5e99f29400bf88657cac56031efc134aae39e8a86391283a76f29675f469e1a2cb3d90f2f2f42161cc4c97b30d1df15
-
C:\Users\Admin\AppData\Local\Temp\shovel\orchic.exeMD5
2eb04ff3566639089f24cb4e87b1c789
SHA11ae976819149068108dcf192b1bfab6e248e5927
SHA2567dba73da4149fdda472df8f67f779589e77a8d65a3d6ec30b673a3f3d8608d08
SHA512f0d36e0533678cfac027a085b45e9f8ea87246fe34be9ab52586ec560edc2333ca5d5b4642051512785a5028e21e9254292fce7d0c16f9de753729a2fe40416b
-
C:\Users\Admin\AppData\Local\Temp\shovel\orchic.exeMD5
2eb04ff3566639089f24cb4e87b1c789
SHA11ae976819149068108dcf192b1bfab6e248e5927
SHA2567dba73da4149fdda472df8f67f779589e77a8d65a3d6ec30b673a3f3d8608d08
SHA512f0d36e0533678cfac027a085b45e9f8ea87246fe34be9ab52586ec560edc2333ca5d5b4642051512785a5028e21e9254292fce7d0c16f9de753729a2fe40416b
-
C:\Users\Admin\AppData\Local\Temp\shovel\quothavp.exeMD5
745ba11a8c55465bd8f91325543fe28a
SHA125c57c81189f6763615c45735402f5a7a221289e
SHA256f2cf231fdb42806b43ccaee4e123cf74012b860411e56b534c59bb860852ff37
SHA51236bdd6297510d789b704183dc83a9d041e29a96fe654f25875bba21319dd09855f40d2e9c72f6e83f868b10dca833add11d73bfa4e0186fdb935aaa9159d04ce
-
C:\Users\Admin\AppData\Local\Temp\shovel\quothavp.exeMD5
745ba11a8c55465bd8f91325543fe28a
SHA125c57c81189f6763615c45735402f5a7a221289e
SHA256f2cf231fdb42806b43ccaee4e123cf74012b860411e56b534c59bb860852ff37
SHA51236bdd6297510d789b704183dc83a9d041e29a96fe654f25875bba21319dd09855f40d2e9c72f6e83f868b10dca833add11d73bfa4e0186fdb935aaa9159d04ce
-
C:\Users\Admin\AppData\Local\Temp\wbknjiwxk.vbsMD5
8c7d757b34952cea6bd7321080947188
SHA181e0d17c74a962030cc8759cba931a8342307abc
SHA256c5bf5562e44b63c5f0c374e5de3f66a568df84658a6026259c801984f98e600a
SHA512b9b688c6007306d3bb9a9ca38356a320812545230ae52e85ab03b139d61f1a758c30d6ea6f8c28e989410798deb383b5e2012029fb27538fac16c3fd0abfb868
-
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exeMD5
2eb04ff3566639089f24cb4e87b1c789
SHA11ae976819149068108dcf192b1bfab6e248e5927
SHA2567dba73da4149fdda472df8f67f779589e77a8d65a3d6ec30b673a3f3d8608d08
SHA512f0d36e0533678cfac027a085b45e9f8ea87246fe34be9ab52586ec560edc2333ca5d5b4642051512785a5028e21e9254292fce7d0c16f9de753729a2fe40416b
-
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exeMD5
2eb04ff3566639089f24cb4e87b1c789
SHA11ae976819149068108dcf192b1bfab6e248e5927
SHA2567dba73da4149fdda472df8f67f779589e77a8d65a3d6ec30b673a3f3d8608d08
SHA512f0d36e0533678cfac027a085b45e9f8ea87246fe34be9ab52586ec560edc2333ca5d5b4642051512785a5028e21e9254292fce7d0c16f9de753729a2fe40416b
-
\Users\Admin\AppData\Local\Temp\nsjB3B2.tmp\UAC.dllMD5
adb29e6b186daa765dc750128649b63d
SHA1160cbdc4cb0ac2c142d361df138c537aa7e708c9
SHA2562f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
SHA512b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada
-
memory/1252-132-0x0000000000000000-mapping.dmp
-
memory/1696-142-0x0000000000000000-mapping.dmp
-
memory/2244-122-0x0000000001130000-0x000000000181A000-memory.dmpFilesize
6.9MB
-
memory/2244-124-0x00000000774C0000-0x000000007764E000-memory.dmpFilesize
1.6MB
-
memory/2244-127-0x0000000001130000-0x000000000181A000-memory.dmpFilesize
6.9MB
-
memory/2244-116-0x0000000000000000-mapping.dmp
-
memory/2244-126-0x0000000001130000-0x000000000181A000-memory.dmpFilesize
6.9MB
-
memory/2244-123-0x0000000001130000-0x000000000181A000-memory.dmpFilesize
6.9MB
-
memory/2412-130-0x0000000000B30000-0x000000000120E000-memory.dmpFilesize
6.9MB
-
memory/2412-131-0x0000000000B30000-0x000000000120E000-memory.dmpFilesize
6.9MB
-
memory/2412-128-0x0000000000B30000-0x000000000120E000-memory.dmpFilesize
6.9MB
-
memory/2412-125-0x00000000774C0000-0x000000007764E000-memory.dmpFilesize
1.6MB
-
memory/2412-129-0x0000000000B30000-0x000000000120E000-memory.dmpFilesize
6.9MB
-
memory/2412-119-0x0000000000000000-mapping.dmp
-
memory/4044-137-0x0000000000080000-0x000000000076A000-memory.dmpFilesize
6.9MB
-
memory/4044-141-0x00000000774C0000-0x000000007764E000-memory.dmpFilesize
1.6MB
-
memory/4044-140-0x0000000000080000-0x000000000076A000-memory.dmpFilesize
6.9MB
-
memory/4044-139-0x0000000000080000-0x000000000076A000-memory.dmpFilesize
6.9MB
-
memory/4044-138-0x0000000000080000-0x000000000076A000-memory.dmpFilesize
6.9MB
-
memory/4044-134-0x0000000000000000-mapping.dmp