Analysis
- max time kernel: 122s
- max time network: 125s
- platform: windows7_x64
- resource: win7-en-20211104
- submitted: 07-12-2021 21:32

Static task: static1
Behavioral task: behavioral1
- Sample: af1a95797963e51df6f8348883dd83e1.exe
- Resource: win7-en-20211104
General
- Target: af1a95797963e51df6f8348883dd83e1.exe
- Size: 2.5MB
- MD5: af1a95797963e51df6f8348883dd83e1
- SHA1: ad7383cc8576ff1ba2652a755d7dd9b585d44f8a
- SHA256: 0e9d7dd7f56cf707f449e9c046499f2b0a4a953794af5e7a15d3a6d5971594ef
- SHA512: ff4739579e66bd383872ed82016727c812cfc512f6eb198586030143988c810d42cb25fcaa230671b229d3e71ff02050f0f876d2d55440fb9e5e7d4e08b0e6ad
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
- Executes dropped EXE (1 IoC)
  Processes:
    pid   process
    684   DpEditor.exe
- Checks BIOS information in registry (2 TTPs, 4 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: af1a95797963e51df6f8348883dd83e1.exe, DpEditor.exe
    description         ioc                                                              process
    Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  af1a95797963e51df6f8348883dd83e1.exe
    Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   af1a95797963e51df6f8348883dd83e1.exe
    Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  DpEditor.exe
    Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   DpEditor.exe
- Loads dropped DLL (1 IoC)
  Processes:
    pid   process
    532   af1a95797963e51df6f8348883dd83e1.exe
- YARA rule matches
  Processes:
    resource                                                                      yara_rule
    behavioral1/memory/532-56-0x0000000000180000-0x0000000000813000-memory.dmp   themida
    behavioral1/memory/532-57-0x0000000000180000-0x0000000000813000-memory.dmp   themida
    behavioral1/memory/532-59-0x0000000000180000-0x0000000000813000-memory.dmp   themida
    behavioral1/memory/532-58-0x0000000000180000-0x0000000000813000-memory.dmp   themida
    \Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe                themida
    C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe              themida
    behavioral1/memory/684-64-0x0000000000B60000-0x00000000011F3000-memory.dmp   themida
    behavioral1/memory/684-65-0x0000000000B60000-0x00000000011F3000-memory.dmp   themida
    behavioral1/memory/684-66-0x0000000000B60000-0x00000000011F3000-memory.dmp   themida
    behavioral1/memory/684-67-0x0000000000B60000-0x00000000011F3000-memory.dmp   themida
- Checks whether UAC is enabled
  Processes: af1a95797963e51df6f8348883dd83e1.exe, DpEditor.exe
    description         ioc                                                                          process
    Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   af1a95797963e51df6f8348883dd83e1.exe
    Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   DpEditor.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes:
    pid   process
    532   af1a95797963e51df6f8348883dd83e1.exe
    684   DpEditor.exe
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes:
    pid   process
    684   DpEditor.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    532   af1a95797963e51df6f8348883dd83e1.exe
    684   DpEditor.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    description                        pid   process                                target process
    PID 532 wrote to memory of 684     532   af1a95797963e51df6f8348883dd83e1.exe   DpEditor.exe
    PID 532 wrote to memory of 684     532   af1a95797963e51df6f8348883dd83e1.exe   DpEditor.exe
    PID 532 wrote to memory of 684     532   af1a95797963e51df6f8348883dd83e1.exe   DpEditor.exe
    PID 532 wrote to memory of 684     532   af1a95797963e51df6f8348883dd83e1.exe   DpEditor.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\af1a95797963e51df6f8348883dd83e1.exe (PID 532)
  Command line: "C:\Users\Admin\AppData\Local\Temp\af1a95797963e51df6f8348883dd83e1.exe"
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe (PID 684)
    Command line: "C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
  MD5: af1a95797963e51df6f8348883dd83e1
  SHA1: ad7383cc8576ff1ba2652a755d7dd9b585d44f8a
  SHA256: 0e9d7dd7f56cf707f449e9c046499f2b0a4a953794af5e7a15d3a6d5971594ef
  SHA512: ff4739579e66bd383872ed82016727c812cfc512f6eb198586030143988c810d42cb25fcaa230671b229d3e71ff02050f0f876d2d55440fb9e5e7d4e08b0e6ad
- \Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
  MD5: af1a95797963e51df6f8348883dd83e1
  SHA1: ad7383cc8576ff1ba2652a755d7dd9b585d44f8a
  SHA256: 0e9d7dd7f56cf707f449e9c046499f2b0a4a953794af5e7a15d3a6d5971594ef
  SHA512: ff4739579e66bd383872ed82016727c812cfc512f6eb198586030143988c810d42cb25fcaa230671b229d3e71ff02050f0f876d2d55440fb9e5e7d4e08b0e6ad
- memory/532-55-0x0000000075C51000-0x0000000075C53000-memory.dmp
  Filesize: 8KB
- memory/532-56-0x0000000000180000-0x0000000000813000-memory.dmp
  Filesize: 6.6MB
- memory/532-57-0x0000000000180000-0x0000000000813000-memory.dmp
  Filesize: 6.6MB
- memory/532-59-0x0000000000180000-0x0000000000813000-memory.dmp
  Filesize: 6.6MB
- memory/532-58-0x0000000000180000-0x0000000000813000-memory.dmp
  Filesize: 6.6MB
- memory/684-61-0x0000000000000000-mapping.dmp
- memory/684-64-0x0000000000B60000-0x00000000011F3000-memory.dmp
  Filesize: 6.6MB
- memory/684-65-0x0000000000B60000-0x00000000011F3000-memory.dmp
  Filesize: 6.6MB
- memory/684-66-0x0000000000B60000-0x00000000011F3000-memory.dmp
  Filesize: 6.6MB
- memory/684-67-0x0000000000B60000-0x00000000011F3000-memory.dmp
  Filesize: 6.6MB