Analysis
- max time kernel: 110s
- max time network: 125s
- platform: windows10_x64
- resource: win10-en-20211104
- submitted: 07-12-2021 21:32
Static task: static1
Behavioral task: behavioral1
Sample: af1a95797963e51df6f8348883dd83e1.exe
Resource: win7-en-20211104
General
- Target: af1a95797963e51df6f8348883dd83e1.exe
- Size: 2.5MB
- MD5: af1a95797963e51df6f8348883dd83e1
- SHA1: ad7383cc8576ff1ba2652a755d7dd9b585d44f8a
- SHA256: 0e9d7dd7f56cf707f449e9c046499f2b0a4a953794af5e7a15d3a6d5971594ef
- SHA512: ff4739579e66bd383872ed82016727c812cfc512f6eb198586030143988c810d42cb25fcaa230671b229d3e71ff02050f0f876d2d55440fb9e5e7d4e08b0e6ad
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
- Executes dropped EXE 1 IoCs
  Processes:
    pid   process
    2288  DpEditor.exe
- Checks BIOS information in registry 2 TTPs 4 IoCs
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
    description        ioc                                                              process
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  af1a95797963e51df6f8348883dd83e1.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   af1a95797963e51df6f8348883dd83e1.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  DpEditor.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   DpEditor.exe
- Processes:
    resource                                                                       yara_rule
    behavioral2/memory/3460-118-0x0000000000380000-0x0000000000A13000-memory.dmp  themida
    behavioral2/memory/3460-120-0x0000000000380000-0x0000000000A13000-memory.dmp  themida
    behavioral2/memory/3460-121-0x0000000000380000-0x0000000000A13000-memory.dmp  themida
    behavioral2/memory/3460-122-0x0000000000380000-0x0000000000A13000-memory.dmp  themida
    C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe               themida
    C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe               themida
    behavioral2/memory/2288-126-0x0000000000A00000-0x0000000001093000-memory.dmp  themida
    behavioral2/memory/2288-127-0x0000000000A00000-0x0000000001093000-memory.dmp  themida
    behavioral2/memory/2288-128-0x0000000000A00000-0x0000000001093000-memory.dmp  themida
    behavioral2/memory/2288-130-0x0000000000A00000-0x0000000001093000-memory.dmp  themida
- Checks whether UAC is enabled 2 IoCs
  Processes:
    description        ioc                                                                             process
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  af1a95797963e51df6f8348883dd83e1.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  DpEditor.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  Processes:
    pid   process
    3460  af1a95797963e51df6f8348883dd83e1.exe
    2288  DpEditor.exe
- Suspicious behavior: AddClipboardFormatListener 1 IoCs
  Processes:
    pid   process
    2288  DpEditor.exe
- Suspicious behavior: EnumeratesProcesses 4 IoCs
  Processes:
    pid   process
    3460  af1a95797963e51df6f8348883dd83e1.exe
    3460  af1a95797963e51df6f8348883dd83e1.exe
    2288  DpEditor.exe
    2288  DpEditor.exe
- Suspicious use of WriteProcessMemory 3 IoCs
  Processes:
    description                       pid   process                               target process
    PID 3460 wrote to memory of 2288  3460  af1a95797963e51df6f8348883dd83e1.exe  DpEditor.exe
    PID 3460 wrote to memory of 2288  3460  af1a95797963e51df6f8348883dd83e1.exe  DpEditor.exe
    PID 3460 wrote to memory of 2288  3460  af1a95797963e51df6f8348883dd83e1.exe  DpEditor.exe
Processes
- 1⤵ C:\Users\Admin\AppData\Local\Temp\af1a95797963e51df6f8348883dd83e1.exe
  "C:\Users\Admin\AppData\Local\Temp\af1a95797963e51df6f8348883dd83e1.exe"
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - 2⤵ C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
    "C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
  MD5: af1a95797963e51df6f8348883dd83e1
  SHA1: ad7383cc8576ff1ba2652a755d7dd9b585d44f8a
  SHA256: 0e9d7dd7f56cf707f449e9c046499f2b0a4a953794af5e7a15d3a6d5971594ef
  SHA512: ff4739579e66bd383872ed82016727c812cfc512f6eb198586030143988c810d42cb25fcaa230671b229d3e71ff02050f0f876d2d55440fb9e5e7d4e08b0e6ad
- memory/2288-127-0x0000000000A00000-0x0000000001093000-memory.dmp
  Filesize: 6.6MB
- memory/2288-123-0x0000000000000000-mapping.dmp
- memory/2288-126-0x0000000000A00000-0x0000000001093000-memory.dmp
  Filesize: 6.6MB
- memory/2288-128-0x0000000000A00000-0x0000000001093000-memory.dmp
  Filesize: 6.6MB
- memory/2288-129-0x0000000077D10000-0x0000000077E9E000-memory.dmp
  Filesize: 1.6MB
- memory/2288-130-0x0000000000A00000-0x0000000001093000-memory.dmp
  Filesize: 6.6MB
- memory/3460-121-0x0000000000380000-0x0000000000A13000-memory.dmp
  Filesize: 6.6MB
- memory/3460-122-0x0000000000380000-0x0000000000A13000-memory.dmp
  Filesize: 6.6MB
- memory/3460-120-0x0000000000380000-0x0000000000A13000-memory.dmp
  Filesize: 6.6MB
- memory/3460-118-0x0000000000380000-0x0000000000A13000-memory.dmp
  Filesize: 6.6MB
- memory/3460-119-0x0000000077D10000-0x0000000077E9E000-memory.dmp
  Filesize: 1.6MB