Analysis
max time kernel: 118s
max time network: 146s
platform: windows10_x64
resource: win10-en-20211014
submitted: 03-12-2021 17:30
Static task: static1
General
Target: a486e98ea8d025f3510f79b22f56e344f18c29a64a21b15cd1b3caa2721bf554.exe
Size: 5.4MB
MD5: 6313fcca4988a89b15e1e68b7c9ee96e
SHA1: a53ce6d8455d9f0cea51c0863425532f96d3250d
SHA256: a486e98ea8d025f3510f79b22f56e344f18c29a64a21b15cd1b3caa2721bf554
SHA512: c13536c79b25b0b048fa255f7dffccb10b1d4c9515c303095d1787021fc51c37464dadddaf30f5c6d01859316447ff874e114a8025e4389237cf704dcb616398
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Blocklisted process makes network request 1 IoCs
Processes:
flow | pid | process
30 | 1696 | WScript.exe
-
Executes dropped EXE 3 IoCs
Processes:
pid | process
2244 | orchic.exe
2412 | quothavp.exe
4044 | DpEditor.exe
-
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | quothavp.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | quothavp.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | DpEditor.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | DpEditor.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | orchic.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | orchic.exe
-
Loads dropped DLL 1 IoCs
Processes:
pid | process
3768 | a486e98ea8d025f3510f79b22f56e344f18c29a64a21b15cd1b3caa2721bf554.exe
-
Processes (YARA rule matches):
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\shovel\orchic.exe | themida
C:\Users\Admin\AppData\Local\Temp\shovel\orchic.exe | themida
C:\Users\Admin\AppData\Local\Temp\shovel\quothavp.exe | themida
C:\Users\Admin\AppData\Local\Temp\shovel\quothavp.exe | themida
behavioral1/memory/2244-122-0x0000000001130000-0x000000000181A000-memory.dmp | themida
behavioral1/memory/2244-123-0x0000000001130000-0x000000000181A000-memory.dmp | themida
behavioral1/memory/2244-126-0x0000000001130000-0x000000000181A000-memory.dmp | themida
behavioral1/memory/2412-128-0x0000000000B30000-0x000000000120E000-memory.dmp | themida
behavioral1/memory/2244-127-0x0000000001130000-0x000000000181A000-memory.dmp | themida
behavioral1/memory/2412-129-0x0000000000B30000-0x000000000120E000-memory.dmp | themida
behavioral1/memory/2412-130-0x0000000000B30000-0x000000000120E000-memory.dmp | themida
behavioral1/memory/2412-131-0x0000000000B30000-0x000000000120E000-memory.dmp | themida
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe | themida
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe | themida
behavioral1/memory/4044-137-0x0000000000080000-0x000000000076A000-memory.dmp | themida
behavioral1/memory/4044-138-0x0000000000080000-0x000000000076A000-memory.dmp | themida
behavioral1/memory/4044-139-0x0000000000080000-0x000000000076A000-memory.dmp | themida
behavioral1/memory/4044-140-0x0000000000080000-0x000000000076A000-memory.dmp | themida
-
Checks whether UAC is enabled
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | DpEditor.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | orchic.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | quothavp.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
11 | ip-api.com
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
Processes:
pid | process
2244 | orchic.exe
2412 | quothavp.exe
4044 | DpEditor.exe
-
Drops file in Program Files directory 3 IoCs
Processes:
description | ioc | process
File created | C:\Program Files (x86)\foler\olader\acppage.dll | a486e98ea8d025f3510f79b22f56e344f18c29a64a21b15cd1b3caa2721bf554.exe
File created | C:\Program Files (x86)\foler\olader\adprovider.dll | a486e98ea8d025f3510f79b22f56e344f18c29a64a21b15cd1b3caa2721bf554.exe
File created | C:\Program Files (x86)\foler\olader\acledit.dll | a486e98ea8d025f3510f79b22f56e344f18c29a64a21b15cd1b3caa2721bf554.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | quothavp.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | quothavp.exe
-
Modifies registry class 1 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings | quothavp.exe
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid | process
4044 | DpEditor.exe
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
pid | process
2244 | orchic.exe
2244 | orchic.exe
2412 | quothavp.exe
2412 | quothavp.exe
4044 | DpEditor.exe
4044 | DpEditor.exe
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
description | pid | process | target process
PID 3768 wrote to memory of 2244 | 3768 | a486e98ea8d025f3510f79b22f56e344f18c29a64a21b15cd1b3caa2721bf554.exe | orchic.exe
PID 3768 wrote to memory of 2244 | 3768 | a486e98ea8d025f3510f79b22f56e344f18c29a64a21b15cd1b3caa2721bf554.exe | orchic.exe
PID 3768 wrote to memory of 2244 | 3768 | a486e98ea8d025f3510f79b22f56e344f18c29a64a21b15cd1b3caa2721bf554.exe | orchic.exe
PID 3768 wrote to memory of 2412 | 3768 | a486e98ea8d025f3510f79b22f56e344f18c29a64a21b15cd1b3caa2721bf554.exe | quothavp.exe
PID 3768 wrote to memory of 2412 | 3768 | a486e98ea8d025f3510f79b22f56e344f18c29a64a21b15cd1b3caa2721bf554.exe | quothavp.exe
PID 3768 wrote to memory of 2412 | 3768 | a486e98ea8d025f3510f79b22f56e344f18c29a64a21b15cd1b3caa2721bf554.exe | quothavp.exe
PID 2412 wrote to memory of 1252 | 2412 | quothavp.exe | WScript.exe
PID 2412 wrote to memory of 1252 | 2412 | quothavp.exe | WScript.exe
PID 2412 wrote to memory of 1252 | 2412 | quothavp.exe | WScript.exe
PID 2244 wrote to memory of 4044 | 2244 | orchic.exe | DpEditor.exe
PID 2244 wrote to memory of 4044 | 2244 | orchic.exe | DpEditor.exe
PID 2244 wrote to memory of 4044 | 2244 | orchic.exe | DpEditor.exe
PID 2412 wrote to memory of 1696 | 2412 | quothavp.exe | WScript.exe
PID 2412 wrote to memory of 1696 | 2412 | quothavp.exe | WScript.exe
PID 2412 wrote to memory of 1696 | 2412 | quothavp.exe | WScript.exe
Processes
Process tree (indented by parent/child depth):
-
C:\Users\Admin\AppData\Local\Temp\a486e98ea8d025f3510f79b22f56e344f18c29a64a21b15cd1b3caa2721bf554.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\a486e98ea8d025f3510f79b22f56e344f18c29a64a21b15cd1b3caa2721bf554.exe"
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID: 3768
  C:\Users\Admin\AppData\Local\Temp\shovel\orchic.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\shovel\orchic.exe"
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2244
    C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
    Command line: "C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    PID: 4044
  C:\Users\Admin\AppData\Local\Temp\shovel\quothavp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\shovel\quothavp.exe"
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2412
    C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\wbknjiwxk.vbs"
    PID: 1252
    C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dgawkeqh.vbs"
    - Blocklisted process makes network request
    PID: 1696
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
MD5 54e9306f95f32e50ccd58af19753d929
SHA1 eab9457321f34d4dcf7d4a0ac83edc9131bf7c57
SHA256 45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72
SHA512 8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
MD5 f0372e420e6d21d3620c211b2d2c5d56
SHA1 5c1465d45edaffcd012a45a70cfd01330c057a7a
SHA256 0d5938975936f8247c9f19e821ea16fb459bbfd52fc70345ef09d34303baf284
SHA512 c3028a89ec2f1c0425385757705ba7a6fbbb8fe4a4762afe7240e95e098ee5ca88e36beeb847c58eb54e92ffc43d6a9c5ebfebfdf4cfe41986801f36a648dec9
-
C:\Users\Admin\AppData\Local\Temp\dgawkeqh.vbs
MD5 39d1eab75da77fc2dc0d1cc6558f6c08
SHA1 afe1594554d4da1a43b3c5c464b94d426fdaa4be
SHA256 3f2a8a88e91b158edfe1df12149b654fc6e38092835521d5533eeb88c1c1b4b6
SHA512 c0e8349bccabb58d5c49ac8ccc321acff5e99f29400bf88657cac56031efc134aae39e8a86391283a76f29675f469e1a2cb3d90f2f2f42161cc4c97b30d1df15
-
C:\Users\Admin\AppData\Local\Temp\shovel\orchic.exe
MD5 2eb04ff3566639089f24cb4e87b1c789
SHA1 1ae976819149068108dcf192b1bfab6e248e5927
SHA256 7dba73da4149fdda472df8f67f779589e77a8d65a3d6ec30b673a3f3d8608d08
SHA512 f0d36e0533678cfac027a085b45e9f8ea87246fe34be9ab52586ec560edc2333ca5d5b4642051512785a5028e21e9254292fce7d0c16f9de753729a2fe40416b
-
C:\Users\Admin\AppData\Local\Temp\shovel\quothavp.exe
MD5 745ba11a8c55465bd8f91325543fe28a
SHA1 25c57c81189f6763615c45735402f5a7a221289e
SHA256 f2cf231fdb42806b43ccaee4e123cf74012b860411e56b534c59bb860852ff37
SHA512 36bdd6297510d789b704183dc83a9d041e29a96fe654f25875bba21319dd09855f40d2e9c72f6e83f868b10dca833add11d73bfa4e0186fdb935aaa9159d04ce
-
C:\Users\Admin\AppData\Local\Temp\wbknjiwxk.vbs
MD5 8c7d757b34952cea6bd7321080947188
SHA1 81e0d17c74a962030cc8759cba931a8342307abc
SHA256 c5bf5562e44b63c5f0c374e5de3f66a568df84658a6026259c801984f98e600a
SHA512 b9b688c6007306d3bb9a9ca38356a320812545230ae52e85ab03b139d61f1a758c30d6ea6f8c28e989410798deb383b5e2012029fb27538fac16c3fd0abfb868
-
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
MD5 2eb04ff3566639089f24cb4e87b1c789
SHA1 1ae976819149068108dcf192b1bfab6e248e5927
SHA256 7dba73da4149fdda472df8f67f779589e77a8d65a3d6ec30b673a3f3d8608d08
SHA512 f0d36e0533678cfac027a085b45e9f8ea87246fe34be9ab52586ec560edc2333ca5d5b4642051512785a5028e21e9254292fce7d0c16f9de753729a2fe40416b
-
\Users\Admin\AppData\Local\Temp\nsjB3B2.tmp\UAC.dll
MD5 adb29e6b186daa765dc750128649b63d
SHA1 160cbdc4cb0ac2c142d361df138c537aa7e708c9
SHA256 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
SHA512 b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada
-
memory/1252-132-0x0000000000000000-mapping.dmp
-
memory/1696-142-0x0000000000000000-mapping.dmp
-
memory/2244-122-0x0000000001130000-0x000000000181A000-memory.dmp
Filesize 6.9MB
-
memory/2244-124-0x00000000774C0000-0x000000007764E000-memory.dmp
Filesize 1.6MB
-
memory/2244-127-0x0000000001130000-0x000000000181A000-memory.dmp
Filesize 6.9MB
-
memory/2244-116-0x0000000000000000-mapping.dmp
-
memory/2244-126-0x0000000001130000-0x000000000181A000-memory.dmp
Filesize 6.9MB
-
memory/2244-123-0x0000000001130000-0x000000000181A000-memory.dmp
Filesize 6.9MB
-
memory/2412-130-0x0000000000B30000-0x000000000120E000-memory.dmp
Filesize 6.9MB
-
memory/2412-131-0x0000000000B30000-0x000000000120E000-memory.dmp
Filesize 6.9MB
-
memory/2412-128-0x0000000000B30000-0x000000000120E000-memory.dmp
Filesize 6.9MB
-
memory/2412-125-0x00000000774C0000-0x000000007764E000-memory.dmp
Filesize 1.6MB
-
memory/2412-129-0x0000000000B30000-0x000000000120E000-memory.dmp
Filesize 6.9MB
-
memory/2412-119-0x0000000000000000-mapping.dmp
-
memory/4044-137-0x0000000000080000-0x000000000076A000-memory.dmp
Filesize 6.9MB
-
memory/4044-141-0x00000000774C0000-0x000000007764E000-memory.dmp
Filesize 1.6MB
-
memory/4044-140-0x0000000000080000-0x000000000076A000-memory.dmp
Filesize 6.9MB
-
memory/4044-139-0x0000000000080000-0x000000000076A000-memory.dmp
Filesize 6.9MB
-
memory/4044-138-0x0000000000080000-0x000000000076A000-memory.dmp
Filesize 6.9MB
-
memory/4044-134-0x0000000000000000-mapping.dmp