Analysis
-
max time kernel
122s -
max time network
125s -
platform
windows7_x64 -
resource
win7-en-20211104 -
submitted
07-12-2021 21:32
General
-
Target
af1a95797963e51df6f8348883dd83e1.exe
-
Size
2.5MB
-
MD5
af1a95797963e51df6f8348883dd83e1
-
SHA1
ad7383cc8576ff1ba2652a755d7dd9b585d44f8a
-
SHA256
0e9d7dd7f56cf707f449e9c046499f2b0a4a953794af5e7a15d3a6d5971594ef
-
SHA512
ff4739579e66bd383872ed82016727c812cfc512f6eb198586030143988c810d42cb25fcaa230671b229d3e71ff02050f0f876d2d55440fb9e5e7d4e08b0e6ad
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Executes dropped EXE 1 IoCs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL 1 IoCs
-
Themida packer 10 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\af1a95797963e51df6f8348883dd83e1.exe"C:\Users\Admin\AppData\Local\Temp\af1a95797963e51df6f8348883dd83e1.exe"1⤵
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exeMD5
af1a95797963e51df6f8348883dd83e1
SHA1ad7383cc8576ff1ba2652a755d7dd9b585d44f8a
SHA2560e9d7dd7f56cf707f449e9c046499f2b0a4a953794af5e7a15d3a6d5971594ef
SHA512ff4739579e66bd383872ed82016727c812cfc512f6eb198586030143988c810d42cb25fcaa230671b229d3e71ff02050f0f876d2d55440fb9e5e7d4e08b0e6ad
-
\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exeMD5
af1a95797963e51df6f8348883dd83e1
SHA1ad7383cc8576ff1ba2652a755d7dd9b585d44f8a
SHA2560e9d7dd7f56cf707f449e9c046499f2b0a4a953794af5e7a15d3a6d5971594ef
SHA512ff4739579e66bd383872ed82016727c812cfc512f6eb198586030143988c810d42cb25fcaa230671b229d3e71ff02050f0f876d2d55440fb9e5e7d4e08b0e6ad
-
memory/532-55-0x0000000075C51000-0x0000000075C53000-memory.dmpFilesize
8KB
-
memory/532-56-0x0000000000180000-0x0000000000813000-memory.dmpFilesize
6.6MB
-
memory/532-57-0x0000000000180000-0x0000000000813000-memory.dmpFilesize
6.6MB
-
memory/532-59-0x0000000000180000-0x0000000000813000-memory.dmpFilesize
6.6MB
-
memory/532-58-0x0000000000180000-0x0000000000813000-memory.dmpFilesize
6.6MB
-
memory/684-61-0x0000000000000000-mapping.dmp
-
memory/684-64-0x0000000000B60000-0x00000000011F3000-memory.dmpFilesize
6.6MB
-
memory/684-65-0x0000000000B60000-0x00000000011F3000-memory.dmpFilesize
6.6MB
-
memory/684-66-0x0000000000B60000-0x00000000011F3000-memory.dmpFilesize
6.6MB
-
memory/684-67-0x0000000000B60000-0x00000000011F3000-memory.dmpFilesize
6.6MB