Analysis
-
max time kernel
110s -
max time network
121s -
platform
windows10_x64 -
resource
win10-en-20211104 -
submitted
03-12-2021 17:12
Static task
static1
General
-
Target
f1625b7d5fbc31ce741aeaa3af8d20d7cc7d07d6652b3b873b26a6a81e70e32a.exe
-
Size
2.8MB
-
MD5
b0bfa71857896435455b4384a4904dd2
-
SHA1
8336a87ff18d396c1bda1f59d0e5c9cd0c7e996f
-
SHA256
f1625b7d5fbc31ce741aeaa3af8d20d7cc7d07d6652b3b873b26a6a81e70e32a
-
SHA512
a330ef0ae0f2d48bc5a06202bf2b0c1aac672873dc9c6643a5215748a502302c063ef32357279fc65f16c8342e3f5810795475177cdf7e46bae30207da9b15fb
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Executes dropped EXE 1 IoCs
Processes:
DpEditor.exepid process 1296 DpEditor.exe -
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
f1625b7d5fbc31ce741aeaa3af8d20d7cc7d07d6652b3b873b26a6a81e70e32a.exeDpEditor.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion f1625b7d5fbc31ce741aeaa3af8d20d7cc7d07d6652b3b873b26a6a81e70e32a.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion DpEditor.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion DpEditor.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion f1625b7d5fbc31ce741aeaa3af8d20d7cc7d07d6652b3b873b26a6a81e70e32a.exe -
Processes:
resource yara_rule behavioral1/memory/2696-118-0x00000000013E0000-0x0000000001B29000-memory.dmp themida behavioral1/memory/2696-119-0x00000000013E0000-0x0000000001B29000-memory.dmp themida behavioral1/memory/2696-120-0x00000000013E0000-0x0000000001B29000-memory.dmp themida behavioral1/memory/2696-121-0x00000000013E0000-0x0000000001B29000-memory.dmp themida C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe themida C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe themida behavioral1/memory/1296-126-0x00000000009B0000-0x00000000010F9000-memory.dmp themida behavioral1/memory/1296-127-0x00000000009B0000-0x00000000010F9000-memory.dmp themida behavioral1/memory/1296-129-0x00000000009B0000-0x00000000010F9000-memory.dmp themida behavioral1/memory/1296-130-0x00000000009B0000-0x00000000010F9000-memory.dmp themida -
Processes:
DpEditor.exef1625b7d5fbc31ce741aeaa3af8d20d7cc7d07d6652b3b873b26a6a81e70e32a.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA DpEditor.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA f1625b7d5fbc31ce741aeaa3af8d20d7cc7d07d6652b3b873b26a6a81e70e32a.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
f1625b7d5fbc31ce741aeaa3af8d20d7cc7d07d6652b3b873b26a6a81e70e32a.exeDpEditor.exepid process 2696 f1625b7d5fbc31ce741aeaa3af8d20d7cc7d07d6652b3b873b26a6a81e70e32a.exe 1296 DpEditor.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
DpEditor.exepid process 1296 DpEditor.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
f1625b7d5fbc31ce741aeaa3af8d20d7cc7d07d6652b3b873b26a6a81e70e32a.exeDpEditor.exepid process 2696 f1625b7d5fbc31ce741aeaa3af8d20d7cc7d07d6652b3b873b26a6a81e70e32a.exe 2696 f1625b7d5fbc31ce741aeaa3af8d20d7cc7d07d6652b3b873b26a6a81e70e32a.exe 1296 DpEditor.exe 1296 DpEditor.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
f1625b7d5fbc31ce741aeaa3af8d20d7cc7d07d6652b3b873b26a6a81e70e32a.exedescription pid process target process PID 2696 wrote to memory of 1296 2696 f1625b7d5fbc31ce741aeaa3af8d20d7cc7d07d6652b3b873b26a6a81e70e32a.exe DpEditor.exe PID 2696 wrote to memory of 1296 2696 f1625b7d5fbc31ce741aeaa3af8d20d7cc7d07d6652b3b873b26a6a81e70e32a.exe DpEditor.exe PID 2696 wrote to memory of 1296 2696 f1625b7d5fbc31ce741aeaa3af8d20d7cc7d07d6652b3b873b26a6a81e70e32a.exe DpEditor.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\f1625b7d5fbc31ce741aeaa3af8d20d7cc7d07d6652b3b873b26a6a81e70e32a.exe"C:\Users\Admin\AppData\Local\Temp\f1625b7d5fbc31ce741aeaa3af8d20d7cc7d07d6652b3b873b26a6a81e70e32a.exe"1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exeMD5
b0bfa71857896435455b4384a4904dd2
SHA18336a87ff18d396c1bda1f59d0e5c9cd0c7e996f
SHA256f1625b7d5fbc31ce741aeaa3af8d20d7cc7d07d6652b3b873b26a6a81e70e32a
SHA512a330ef0ae0f2d48bc5a06202bf2b0c1aac672873dc9c6643a5215748a502302c063ef32357279fc65f16c8342e3f5810795475177cdf7e46bae30207da9b15fb
-
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exeMD5
b0bfa71857896435455b4384a4904dd2
SHA18336a87ff18d396c1bda1f59d0e5c9cd0c7e996f
SHA256f1625b7d5fbc31ce741aeaa3af8d20d7cc7d07d6652b3b873b26a6a81e70e32a
SHA512a330ef0ae0f2d48bc5a06202bf2b0c1aac672873dc9c6643a5215748a502302c063ef32357279fc65f16c8342e3f5810795475177cdf7e46bae30207da9b15fb
-
memory/1296-127-0x00000000009B0000-0x00000000010F9000-memory.dmpFilesize
7.3MB
-
memory/1296-123-0x0000000000000000-mapping.dmp
-
memory/1296-126-0x00000000009B0000-0x00000000010F9000-memory.dmpFilesize
7.3MB
-
memory/1296-128-0x0000000077250000-0x00000000773DE000-memory.dmpFilesize
1.6MB
-
memory/1296-129-0x00000000009B0000-0x00000000010F9000-memory.dmpFilesize
7.3MB
-
memory/1296-130-0x00000000009B0000-0x00000000010F9000-memory.dmpFilesize
7.3MB
-
memory/2696-121-0x00000000013E0000-0x0000000001B29000-memory.dmpFilesize
7.3MB
-
memory/2696-122-0x0000000077250000-0x00000000773DE000-memory.dmpFilesize
1.6MB
-
memory/2696-120-0x00000000013E0000-0x0000000001B29000-memory.dmpFilesize
7.3MB
-
memory/2696-119-0x00000000013E0000-0x0000000001B29000-memory.dmpFilesize
7.3MB
-
memory/2696-118-0x00000000013E0000-0x0000000001B29000-memory.dmpFilesize
7.3MB