7805fe3ed51586271c54f625091f394625e087a4157e3ad45e0222786772de8c

Analysis

max time kernel
123s
max time network
129s
platform
windows10_x64
resource
win10-en-20211104
submitted
06-12-2021 17:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d19ad5fbe2455393c8b4bf7203754461.exe
Size

5.4MB
MD5

d19ad5fbe2455393c8b4bf7203754461
SHA1

db97f0945094fb160c3f7154d230ed268842a6e8
SHA256

7805fe3ed51586271c54f625091f394625e087a4157e3ad45e0222786772de8c
SHA512

43ee8f5e9b15a6736eff2179e46b8b68c7a968a3b12032356c7b98e3bbff8ccd4fcaf9a62ceba3f8fd0e244de635d90044825b5877e842a6a828fd5bedc1b921

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Blocklisted process makes network request 1 IoCs

Processes:

WScript.exe

flow pid process

29 3900 WScript.exe
Executes dropped EXE 3 IoCs

Processes:

noahic.exepikingvp.exeDpEditor.exe

pid process

4052 noahic.exe
3948 pikingvp.exe
752 DpEditor.exe

flow	pid	process
29	3900	WScript.exe

pid	process
4052	noahic.exe
3948	pikingvp.exe
752	DpEditor.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

noahic.exepikingvp.exeDpEditor.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	noahic.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	noahic.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	pikingvp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	pikingvp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	DpEditor.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	DpEditor.exe

Loads dropped DLL 1 IoCs

Processes:

d19ad5fbe2455393c8b4bf7203754461.exe

pid process

3032 d19ad5fbe2455393c8b4bf7203754461.exe

pid	process
3032	d19ad5fbe2455393c8b4bf7203754461.exe

Themida packer 18 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\rheumy\noahic.exe	themida
C:\Users\Admin\AppData\Local\Temp\rheumy\noahic.exe	themida
C:\Users\Admin\AppData\Local\Temp\rheumy\pikingvp.exe	themida
C:\Users\Admin\AppData\Local\Temp\rheumy\pikingvp.exe	themida
behavioral2/memory/4052-126-0x00000000009F0000-0x000000000113C000-memory.dmp	themida
behavioral2/memory/4052-128-0x00000000009F0000-0x000000000113C000-memory.dmp	themida
behavioral2/memory/3948-127-0x0000000000A00000-0x000000000106B000-memory.dmp	themida
behavioral2/memory/3948-129-0x0000000000A00000-0x000000000106B000-memory.dmp	themida
behavioral2/memory/4052-130-0x00000000009F0000-0x000000000113C000-memory.dmp	themida
behavioral2/memory/3948-131-0x0000000000A00000-0x000000000106B000-memory.dmp	themida
behavioral2/memory/3948-133-0x0000000000A00000-0x000000000106B000-memory.dmp	themida
behavioral2/memory/4052-132-0x00000000009F0000-0x000000000113C000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe	themida
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe	themida
behavioral2/memory/752-140-0x00000000000D0000-0x000000000081C000-memory.dmp	themida
behavioral2/memory/752-141-0x00000000000D0000-0x000000000081C000-memory.dmp	themida
behavioral2/memory/752-142-0x00000000000D0000-0x000000000081C000-memory.dmp	themida
behavioral2/memory/752-143-0x00000000000D0000-0x000000000081C000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

noahic.exepikingvp.exeDpEditor.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	noahic.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	pikingvp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DpEditor.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

10 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

noahic.exepikingvp.exeDpEditor.exe

pid process

4052 noahic.exe
3948 pikingvp.exe
752 DpEditor.exe

flow	ioc
10	ip-api.com

pid	process
4052	noahic.exe
3948	pikingvp.exe
752	DpEditor.exe

Drops file in Program Files directory 3 IoCs

Processes:

d19ad5fbe2455393c8b4bf7203754461.exe

description	ioc	process
File created	C:\Program Files (x86)\foler\olader\adprovider.dll	d19ad5fbe2455393c8b4bf7203754461.exe
File created	C:\Program Files (x86)\foler\olader\acledit.dll	d19ad5fbe2455393c8b4bf7203754461.exe
File created	C:\Program Files (x86)\foler\olader\acppage.dll	d19ad5fbe2455393c8b4bf7203754461.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

pikingvp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	pikingvp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	pikingvp.exe

Modifies registry class 1 IoCs

Processes:

pikingvp.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings pikingvp.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

DpEditor.exe

pid process

752 DpEditor.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

noahic.exepikingvp.exeDpEditor.exe

pid process

4052 noahic.exe
4052 noahic.exe
3948 pikingvp.exe
3948 pikingvp.exe
752 DpEditor.exe
752 DpEditor.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings	pikingvp.exe

pid	process
752	DpEditor.exe

pid	process
4052	noahic.exe
4052	noahic.exe
3948	pikingvp.exe
3948	pikingvp.exe
752	DpEditor.exe
752	DpEditor.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

d19ad5fbe2455393c8b4bf7203754461.exepikingvp.exenoahic.exe

description	pid	process	target process
PID 3032 wrote to memory of 4052	3032	d19ad5fbe2455393c8b4bf7203754461.exe	noahic.exe
PID 3032 wrote to memory of 4052	3032	d19ad5fbe2455393c8b4bf7203754461.exe	noahic.exe
PID 3032 wrote to memory of 4052	3032	d19ad5fbe2455393c8b4bf7203754461.exe	noahic.exe
PID 3032 wrote to memory of 3948	3032	d19ad5fbe2455393c8b4bf7203754461.exe	pikingvp.exe
PID 3032 wrote to memory of 3948	3032	d19ad5fbe2455393c8b4bf7203754461.exe	pikingvp.exe
PID 3032 wrote to memory of 3948	3032	d19ad5fbe2455393c8b4bf7203754461.exe	pikingvp.exe
PID 3948 wrote to memory of 4500	3948	pikingvp.exe	WScript.exe
PID 3948 wrote to memory of 4500	3948	pikingvp.exe	WScript.exe
PID 3948 wrote to memory of 4500	3948	pikingvp.exe	WScript.exe
PID 4052 wrote to memory of 752	4052	noahic.exe	DpEditor.exe
PID 4052 wrote to memory of 752	4052	noahic.exe	DpEditor.exe
PID 4052 wrote to memory of 752	4052	noahic.exe	DpEditor.exe
PID 3948 wrote to memory of 3900	3948	pikingvp.exe	WScript.exe
PID 3948 wrote to memory of 3900	3948	pikingvp.exe	WScript.exe
PID 3948 wrote to memory of 3900	3948	pikingvp.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\d19ad5fbe2455393c8b4bf7203754461.exe
"C:\Users\Admin\AppData\Local\Temp\d19ad5fbe2455393c8b4bf7203754461.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3032

C:\Users\Admin\AppData\Local\Temp\rheumy\noahic.exe
"C:\Users\Admin\AppData\Local\Temp\rheumy\noahic.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4052

C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
"C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
PID:752

C:\Users\Admin\AppData\Local\Temp\rheumy\pikingvp.exe
"C:\Users\Admin\AppData\Local\Temp\rheumy\pikingvp.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3948

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\nrutgkjag.vbs"
3⤵
PID:4500

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vtopuyn.vbs"
3⤵
- Blocklisted process makes network request
PID:3900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
MD5
4ce2d390213f5c1b104daaecf40d105e

SHA1
bf447faabe486a5e4d3e41d44cad62f5e27a284e

SHA256
085067e3a5c6d8dae455ffcb9f01f3868997c577d6605f0dac09243de8ac30d1

SHA512
8de06e931e070901debf375c43a4e765817d7f966b9e684248aa73a6cd7bda8c95e58bc972f5d033bfe671a0a71e4d73e6c402def8767c215ce27f97188b14b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nrutgkjag.vbs
MD5
7430840fb0424e9cdf2b7f2782e7f7fe

SHA1
251f61b5ea970ba33b2380995105ec212fe637e7

SHA256
81f49bcda694d07e32d503003de448e9ab3bbdbe90895f004d2cac1c3b7eb00e

SHA512
8e927c8dee2f9dca6ca2d67e65dd93732d43e4df902256f9c0406539fdec4dd8ec24cce76fc659887a07aa6d4a1ade3d5167d9c855872c899b6a552f0c5a745a

Download Submit
C:\Users\Admin\AppData\Local\Temp\rheumy\noahic.exe
MD5
bea267e61710103a9c4fb93e293fce83

SHA1
33aeb83f904c289d3dc1469981ce3739d4357879

SHA256
afbe8f04f6dfc3b33aeb9fb669d0abd43770ccd7f71cc70f74bb99935bd46ba3

SHA512
c8cfc57b8bae2ac59edc395cb3f2c96ddfaaf2424ee6e2891f62a5e03535adcff628c70d49c41ef0693dae4e55f9fabe41d1b0b39453c51189dbdc4b94346512

Download Submit
C:\Users\Admin\AppData\Local\Temp\rheumy\noahic.exe
MD5
bea267e61710103a9c4fb93e293fce83

SHA1
33aeb83f904c289d3dc1469981ce3739d4357879

SHA256
afbe8f04f6dfc3b33aeb9fb669d0abd43770ccd7f71cc70f74bb99935bd46ba3

SHA512
c8cfc57b8bae2ac59edc395cb3f2c96ddfaaf2424ee6e2891f62a5e03535adcff628c70d49c41ef0693dae4e55f9fabe41d1b0b39453c51189dbdc4b94346512

Download Submit
C:\Users\Admin\AppData\Local\Temp\rheumy\pikingvp.exe
MD5
e0fdcfe02625d8a48acd00ce606b0341

SHA1
f4899424cf6774bf6fab063313343e760b66bb85

SHA256
d0d82aa1c76ee04abc3e80afd330ab7b68f74f45fd658b3f0813fca153d8bf84

SHA512
b6f3a8b2b9fbc50163c2a6224958aecafe72349a71942c7031aa2be65c8d4de2c3cdfabac88a4981047690ae71af0e2e9f111e7fbca0e26f9e488054168ec33b

Download Submit
C:\Users\Admin\AppData\Local\Temp\rheumy\pikingvp.exe
MD5
e0fdcfe02625d8a48acd00ce606b0341

SHA1
f4899424cf6774bf6fab063313343e760b66bb85

SHA256
d0d82aa1c76ee04abc3e80afd330ab7b68f74f45fd658b3f0813fca153d8bf84

SHA512
b6f3a8b2b9fbc50163c2a6224958aecafe72349a71942c7031aa2be65c8d4de2c3cdfabac88a4981047690ae71af0e2e9f111e7fbca0e26f9e488054168ec33b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vtopuyn.vbs
MD5
41ff7d36846b7b52df7bc3cbd9028f56

SHA1
817b7c166295fcfbe629c147c7a0eed94eec3788

SHA256
e67e3be40cd6c933f131a08b3ef9b39d0c1acdbc573a5596c38b3c9cdc8dac4a

SHA512
f8ae64958af75697fcee2003d9c834f80d5d4b802d80e1b76f415f641abb4618a235a88ed1fc44aa1399fe352a1598b587d0d9133c1827459bab8216a82d0016

Download Submit
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
MD5
bea267e61710103a9c4fb93e293fce83

SHA1
33aeb83f904c289d3dc1469981ce3739d4357879

SHA256
afbe8f04f6dfc3b33aeb9fb669d0abd43770ccd7f71cc70f74bb99935bd46ba3

SHA512
c8cfc57b8bae2ac59edc395cb3f2c96ddfaaf2424ee6e2891f62a5e03535adcff628c70d49c41ef0693dae4e55f9fabe41d1b0b39453c51189dbdc4b94346512

Download Submit
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
MD5
bea267e61710103a9c4fb93e293fce83

SHA1
33aeb83f904c289d3dc1469981ce3739d4357879

SHA256
afbe8f04f6dfc3b33aeb9fb669d0abd43770ccd7f71cc70f74bb99935bd46ba3

SHA512
c8cfc57b8bae2ac59edc395cb3f2c96ddfaaf2424ee6e2891f62a5e03535adcff628c70d49c41ef0693dae4e55f9fabe41d1b0b39453c51189dbdc4b94346512

Download Submit
\Users\Admin\AppData\Local\Temp\nsu9B77.tmp\UAC.dll
MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
memory/752-141-0x00000000000D0000-0x000000000081C000-memory.dmp

Filesize
7.3MB

Download
memory/752-142-0x00000000000D0000-0x000000000081C000-memory.dmp

Filesize
7.3MB

Download
memory/752-140-0x00000000000D0000-0x000000000081C000-memory.dmp

Filesize
7.3MB

Download
memory/752-143-0x00000000000D0000-0x000000000081C000-memory.dmp

Filesize
7.3MB

Download
memory/752-144-0x00000000777C0000-0x000000007794E000-memory.dmp

Filesize
1.6MB

Download
memory/752-137-0x0000000000000000-mapping.dmp

Download
memory/3900-145-0x0000000000000000-mapping.dmp

Download
memory/3948-133-0x0000000000A00000-0x000000000106B000-memory.dmp

Filesize
6.4MB

Download
memory/3948-134-0x00000000777C0000-0x000000007794E000-memory.dmp

Filesize
1.6MB

Download
memory/3948-131-0x0000000000A00000-0x000000000106B000-memory.dmp

Filesize
6.4MB

Download
memory/3948-129-0x0000000000A00000-0x000000000106B000-memory.dmp

Filesize
6.4MB

Download
memory/3948-127-0x0000000000A00000-0x000000000106B000-memory.dmp

Filesize
6.4MB

Download
memory/3948-122-0x0000000000000000-mapping.dmp

Download
memory/4052-132-0x00000000009F0000-0x000000000113C000-memory.dmp

Filesize
7.3MB

Download
memory/4052-130-0x00000000009F0000-0x000000000113C000-memory.dmp

Filesize
7.3MB

Download
memory/4052-128-0x00000000009F0000-0x000000000113C000-memory.dmp

Filesize
7.3MB

Download
memory/4052-126-0x00000000009F0000-0x000000000113C000-memory.dmp

Filesize
7.3MB

Download
memory/4052-125-0x00000000777C0000-0x000000007794E000-memory.dmp

Filesize
1.6MB

Download
memory/4052-119-0x0000000000000000-mapping.dmp

Download
memory/4500-135-0x0000000000000000-mapping.dmp

Download