Analysis
- max time kernel: 123s
- max time network: 129s
- platform: windows10_x64
- resource: win10-en-20211104
- submitted: 06-12-2021 17:37
Static task: static1
Behavioral task: behavioral1
Sample: d19ad5fbe2455393c8b4bf7203754461.exe
Resource: win7-en-20211014
General
- Target: d19ad5fbe2455393c8b4bf7203754461.exe
- Size: 5.4MB
- MD5: d19ad5fbe2455393c8b4bf7203754461
- SHA1: db97f0945094fb160c3f7154d230ed268842a6e8
- SHA256: 7805fe3ed51586271c54f625091f394625e087a4157e3ad45e0222786772de8c
- SHA512: 43ee8f5e9b15a6736eff2179e46b8b68c7a968a3b12032356c7b98e3bbff8ccd4fcaf9a62ceba3f8fd0e244de635d90044825b5877e842a6a828fd5bedc1b921
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
- Blocklisted process makes network request (1 IoC)
  Processes (flow | PID | process):
    29 | 3900 | WScript.exe
- Executes dropped EXE (3 IoCs)
  Processes (PID | process):
    4052 | noahic.exe
    3948 | pikingvp.exe
    752 | DpEditor.exe
- Checks BIOS information in registry (2 TTPs, 6 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | noahic.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | noahic.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | pikingvp.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | pikingvp.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | DpEditor.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | DpEditor.exe
- Loads dropped DLL (1 IoC)
  Processes (PID | process):
    3032 | d19ad5fbe2455393c8b4bf7203754461.exe
- YARA rule matches (resource | yara_rule):
    C:\Users\Admin\AppData\Local\Temp\rheumy\noahic.exe | themida
    C:\Users\Admin\AppData\Local\Temp\rheumy\noahic.exe | themida
    C:\Users\Admin\AppData\Local\Temp\rheumy\pikingvp.exe | themida
    C:\Users\Admin\AppData\Local\Temp\rheumy\pikingvp.exe | themida
    behavioral2/memory/4052-126-0x00000000009F0000-0x000000000113C000-memory.dmp | themida
    behavioral2/memory/4052-128-0x00000000009F0000-0x000000000113C000-memory.dmp | themida
    behavioral2/memory/3948-127-0x0000000000A00000-0x000000000106B000-memory.dmp | themida
    behavioral2/memory/3948-129-0x0000000000A00000-0x000000000106B000-memory.dmp | themida
    behavioral2/memory/4052-130-0x00000000009F0000-0x000000000113C000-memory.dmp | themida
    behavioral2/memory/3948-131-0x0000000000A00000-0x000000000106B000-memory.dmp | themida
    behavioral2/memory/3948-133-0x0000000000A00000-0x000000000106B000-memory.dmp | themida
    behavioral2/memory/4052-132-0x00000000009F0000-0x000000000113C000-memory.dmp | themida
    C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe | themida
    C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe | themida
    behavioral2/memory/752-140-0x00000000000D0000-0x000000000081C000-memory.dmp | themida
    behavioral2/memory/752-141-0x00000000000D0000-0x000000000081C000-memory.dmp | themida
    behavioral2/memory/752-142-0x00000000000D0000-0x000000000081C000-memory.dmp | themida
    behavioral2/memory/752-143-0x00000000000D0000-0x000000000081C000-memory.dmp | themida
- Checks whether UAC is enabled
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | noahic.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | pikingvp.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | DpEditor.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow | ioc):
    10 | ip-api.com
- Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
  Processes (PID | process):
    4052 | noahic.exe
    3948 | pikingvp.exe
    752 | DpEditor.exe
- Drops file in Program Files directory (3 IoCs)
  Processes (description | ioc | process):
    File created | C:\Program Files (x86)\foler\olader\adprovider.dll | d19ad5fbe2455393c8b4bf7203754461.exe
    File created | C:\Program Files (x86)\foler\olader\acledit.dll | d19ad5fbe2455393c8b4bf7203754461.exe
    File created | C:\Program Files (x86)\foler\olader\acppage.dll | d19ad5fbe2455393c8b4bf7203754461.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | pikingvp.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | pikingvp.exe
- Modifies registry class (1 IoC)
  Processes (description | ioc | process):
    Key created | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings | pikingvp.exe
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes (PID | process):
    752 | DpEditor.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes (PID | process):
    4052 | noahic.exe
    4052 | noahic.exe
    3948 | pikingvp.exe
    3948 | pikingvp.exe
    752 | DpEditor.exe
    752 | DpEditor.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes (description | PID | process | target process):
    PID 3032 wrote to memory of 4052 | 3032 | d19ad5fbe2455393c8b4bf7203754461.exe | noahic.exe
    PID 3032 wrote to memory of 4052 | 3032 | d19ad5fbe2455393c8b4bf7203754461.exe | noahic.exe
    PID 3032 wrote to memory of 4052 | 3032 | d19ad5fbe2455393c8b4bf7203754461.exe | noahic.exe
    PID 3032 wrote to memory of 3948 | 3032 | d19ad5fbe2455393c8b4bf7203754461.exe | pikingvp.exe
    PID 3032 wrote to memory of 3948 | 3032 | d19ad5fbe2455393c8b4bf7203754461.exe | pikingvp.exe
    PID 3032 wrote to memory of 3948 | 3032 | d19ad5fbe2455393c8b4bf7203754461.exe | pikingvp.exe
    PID 3948 wrote to memory of 4500 | 3948 | pikingvp.exe | WScript.exe
    PID 3948 wrote to memory of 4500 | 3948 | pikingvp.exe | WScript.exe
    PID 3948 wrote to memory of 4500 | 3948 | pikingvp.exe | WScript.exe
    PID 4052 wrote to memory of 752 | 4052 | noahic.exe | DpEditor.exe
    PID 4052 wrote to memory of 752 | 4052 | noahic.exe | DpEditor.exe
    PID 4052 wrote to memory of 752 | 4052 | noahic.exe | DpEditor.exe
    PID 3948 wrote to memory of 3900 | 3948 | pikingvp.exe | WScript.exe
    PID 3948 wrote to memory of 3900 | 3948 | pikingvp.exe | WScript.exe
    PID 3948 wrote to memory of 3900 | 3948 | pikingvp.exe | WScript.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\d19ad5fbe2455393c8b4bf7203754461.exe (PID 3032)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d19ad5fbe2455393c8b4bf7203754461.exe"
  Signatures: Loads dropped DLL; Drops file in Program Files directory; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\rheumy\noahic.exe (PID 4052)
    Command line: "C:\Users\Admin\AppData\Local\Temp\rheumy\noahic.exe"
    Signatures: Executes dropped EXE; Checks BIOS information in registry; Checks whether UAC is enabled; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe (PID 752)
      Command line: "C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"
      Signatures: Executes dropped EXE; Checks BIOS information in registry; Checks whether UAC is enabled; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious behavior: AddClipboardFormatListener; Suspicious behavior: EnumeratesProcesses
  - C:\Users\Admin\AppData\Local\Temp\rheumy\pikingvp.exe (PID 3948)
    Command line: "C:\Users\Admin\AppData\Local\Temp\rheumy\pikingvp.exe"
    Signatures: Executes dropped EXE; Checks BIOS information in registry; Checks whether UAC is enabled; Suspicious use of NtSetInformationThreadHideFromDebugger; Checks processor information in registry; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WScript.exe (PID 4500)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\nrutgkjag.vbs"
    - C:\Windows\SysWOW64\WScript.exe (PID 3900)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vtopuyn.vbs"
      Signatures: Blocklisted process makes network request
Downloads