Analysis
- max time kernel: 122s
- max time network: 137s
- platform: windows10_x64
- resource: win10-en-20211104
- submitted: 06-12-2021 17:31
Static task
- static1
General
- Target: 1fa23960d2dce1bbad5ab761d0b65f62d9a71d20d7e180f73b0b374398a6296e.exe
- Size: 5.6MB
- MD5: db4cebbdab4486e191a77c10bc58ae27
- SHA1: 918a3696511f9da24da0fe022ac9b3190fe87fda
- SHA256: 1fa23960d2dce1bbad5ab761d0b65f62d9a71d20d7e180f73b0b374398a6296e
- SHA512: 9fa26bad15faae4c656861691f32dae88e2793dd154da1e1fb29c0e55234c4b444a4d3af767e6ec541c5bb050808213c9859eb6779d2adc73db8f769968a4210
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
- Blocklisted process makes network request 1 IoCs
  Processes:
    flow | pid | process
    30 | 592 | WScript.exe
- Executes dropped EXE 3 IoCs
  Processes:
    pid | process
    4036 | noahic.exe
    4012 | pikingvp.exe
    752 | DpEditor.exe
- Checks BIOS information in registry 2 TTPs 6 IoCs
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | pikingvp.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | pikingvp.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | DpEditor.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | DpEditor.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | noahic.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | noahic.exe
- Loads dropped DLL 1 IoCs
  Processes:
    pid | process
    4208 | 1fa23960d2dce1bbad5ab761d0b65f62d9a71d20d7e180f73b0b374398a6296e.exe
- Processes (YARA rule hits):
    resource | yara_rule
    C:\Users\Admin\AppData\Local\Temp\rheumy\noahic.exe | themida
    C:\Users\Admin\AppData\Local\Temp\rheumy\noahic.exe | themida
    C:\Users\Admin\AppData\Local\Temp\rheumy\pikingvp.exe | themida
    C:\Users\Admin\AppData\Local\Temp\rheumy\pikingvp.exe | themida
    behavioral1/memory/4036-125-0x0000000000830000-0x0000000000F67000-memory.dmp | themida
    behavioral1/memory/4036-127-0x0000000000830000-0x0000000000F67000-memory.dmp | themida
    behavioral1/memory/4036-128-0x0000000000830000-0x0000000000F67000-memory.dmp | themida
    behavioral1/memory/4012-130-0x0000000000370000-0x0000000000A51000-memory.dmp | themida
    behavioral1/memory/4036-129-0x0000000000830000-0x0000000000F67000-memory.dmp | themida
    behavioral1/memory/4012-131-0x0000000000370000-0x0000000000A51000-memory.dmp | themida
    behavioral1/memory/4012-132-0x0000000000370000-0x0000000000A51000-memory.dmp | themida
    behavioral1/memory/4012-133-0x0000000000370000-0x0000000000A51000-memory.dmp | themida
    C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe | themida
    C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe | themida
    behavioral1/memory/752-140-0x0000000000290000-0x00000000009C7000-memory.dmp | themida
    behavioral1/memory/752-141-0x0000000000290000-0x00000000009C7000-memory.dmp | themida
    behavioral1/memory/752-142-0x0000000000290000-0x00000000009C7000-memory.dmp | themida
    behavioral1/memory/752-143-0x0000000000290000-0x00000000009C7000-memory.dmp | themida
- Checks whether UAC is enabled
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | DpEditor.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | noahic.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | pikingvp.exe
- Legitimate hosting services abused for malware hosting/C2 1 TTPs
- Looks up external IP address via web service 1 IoCs
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow | ioc
    10 | ip-api.com
- Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
  Processes:
    pid | process
    4036 | noahic.exe
    4012 | pikingvp.exe
    752 | DpEditor.exe
- Drops file in Program Files directory 3 IoCs
  Processes:
    description | ioc | process
    File created | C:\Program Files (x86)\foler\olader\acledit.dll | 1fa23960d2dce1bbad5ab761d0b65f62d9a71d20d7e180f73b0b374398a6296e.exe
    File created | C:\Program Files (x86)\foler\olader\acppage.dll | 1fa23960d2dce1bbad5ab761d0b65f62d9a71d20d7e180f73b0b374398a6296e.exe
    File created | C:\Program Files (x86)\foler\olader\adprovider.dll | 1fa23960d2dce1bbad5ab761d0b65f62d9a71d20d7e180f73b0b374398a6296e.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry 2 TTPs 2 IoCs
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | pikingvp.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | pikingvp.exe
- Modifies registry class 1 IoCs
  Processes:
    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings | pikingvp.exe
- Suspicious behavior: AddClipboardFormatListener 1 IoCs
  Processes:
    pid | process
    752 | DpEditor.exe
- Suspicious behavior: EnumeratesProcesses 6 IoCs
  Processes:
    pid | process
    4036 | noahic.exe
    4036 | noahic.exe
    4012 | pikingvp.exe
    4012 | pikingvp.exe
    752 | DpEditor.exe
    752 | DpEditor.exe
- Suspicious use of WriteProcessMemory 15 IoCs
  Processes:
    description | pid | process | target process
    PID 4208 wrote to memory of 4036 | 4208 | 1fa23960d2dce1bbad5ab761d0b65f62d9a71d20d7e180f73b0b374398a6296e.exe | noahic.exe
    PID 4208 wrote to memory of 4036 | 4208 | 1fa23960d2dce1bbad5ab761d0b65f62d9a71d20d7e180f73b0b374398a6296e.exe | noahic.exe
    PID 4208 wrote to memory of 4036 | 4208 | 1fa23960d2dce1bbad5ab761d0b65f62d9a71d20d7e180f73b0b374398a6296e.exe | noahic.exe
    PID 4208 wrote to memory of 4012 | 4208 | 1fa23960d2dce1bbad5ab761d0b65f62d9a71d20d7e180f73b0b374398a6296e.exe | pikingvp.exe
    PID 4208 wrote to memory of 4012 | 4208 | 1fa23960d2dce1bbad5ab761d0b65f62d9a71d20d7e180f73b0b374398a6296e.exe | pikingvp.exe
    PID 4208 wrote to memory of 4012 | 4208 | 1fa23960d2dce1bbad5ab761d0b65f62d9a71d20d7e180f73b0b374398a6296e.exe | pikingvp.exe
    PID 4012 wrote to memory of 4500 | 4012 | pikingvp.exe | WScript.exe
    PID 4012 wrote to memory of 4500 | 4012 | pikingvp.exe | WScript.exe
    PID 4012 wrote to memory of 4500 | 4012 | pikingvp.exe | WScript.exe
    PID 4036 wrote to memory of 752 | 4036 | noahic.exe | DpEditor.exe
    PID 4036 wrote to memory of 752 | 4036 | noahic.exe | DpEditor.exe
    PID 4036 wrote to memory of 752 | 4036 | noahic.exe | DpEditor.exe
    PID 4012 wrote to memory of 592 | 4012 | pikingvp.exe | WScript.exe
    PID 4012 wrote to memory of 592 | 4012 | pikingvp.exe | WScript.exe
    PID 4012 wrote to memory of 592 | 4012 | pikingvp.exe | WScript.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\1fa23960d2dce1bbad5ab761d0b65f62d9a71d20d7e180f73b0b374398a6296e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1fa23960d2dce1bbad5ab761d0b65f62d9a71d20d7e180f73b0b374398a6296e.exe"
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\rheumy\noahic.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\rheumy\noahic.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
      Command line: "C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious behavior: EnumeratesProcesses
  - C:\Users\Admin\AppData\Local\Temp\rheumy\pikingvp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\rheumy\pikingvp.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dtvkvqaashlb.vbs"
    - C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\uniprjejik.vbs"
      - Blocklisted process makes network request
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads