Analysis
- max time kernel: 121s
- max time network: 139s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 09-12-2021 15:39
Static task: static1
Behavioral task: behavioral1
- Sample: 5096680c111700a7343cac14d166ce90.exe
- Resource: win7-en-20211208
Note: the behavioural results below come from a second task (its artifacts are named behavioral2/...) run on the windows10_x64 / win10-en-20211208 image listed above, not from the win7 task.
General
- Target: 5096680c111700a7343cac14d166ce90.exe
- Size: 5.4MB
- MD5: 5096680c111700a7343cac14d166ce90
- SHA1: 8277b38de8b62abbd9c1722c1a512741622e928c
- SHA256: 02b1c52fbed352a5a52090d0ee09b1e39a15f2218186a94b97e5ca1ef3de73c2
- SHA512: 2c37d448de62be7b9b616b29c0633cc1af4ff083e8213df6efe090a761ae39d17fa670a2fb700c149c02fa61b4cda20d661f45bc3cc10e82dcdc990f909e8d50
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) [2 TTPs]
- Blocklisted process makes network request [1 IoC]
  Process: WScript.exe (pid 612), network flow 35
- Executes dropped EXE [3 IoCs]
  Processes: sacque.exe (pid 2676), tilmusvp.exe (pid 3548), DpEditor.exe (pid 700)
- Checks BIOS information in registry [2 TTPs, 6 IoCs]
  BIOS information is often read in order to detect sandboxing environments; evasion code typically searches these strings for hypervisor markers such as VBOX, VMWARE, QEMU or BOCHS.
  Key value queried:
    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion by sacque.exe, tilmusvp.exe, DpEditor.exe
    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion by sacque.exe, tilmusvp.exe, DpEditor.exe
- Loads dropped DLL [1 IoC]
  Process: 5096680c111700a7343cac14d166ce90.exe (pid 2584)
- Matches YARA rule themida (Themida protector) [18 IoCs]
  Files (each matched twice):
    C:\Users\Admin\AppData\Local\Temp\tongan\sacque.exe
    C:\Users\Admin\AppData\Local\Temp\tongan\tilmusvp.exe
    C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
  Memory dumps:
    behavioral2/memory/2676-{122,124,126,128}-0x0000000000D30000-0x0000000001425000-memory.dmp
    behavioral2/memory/3548-{123,125,127,129}-0x0000000000D90000-0x0000000001458000-memory.dmp
    behavioral2/memory/700-{135,136,137,138}-0x00000000012F0000-0x00000000019E5000-memory.dmp
- Checks whether UAC is enabled [3 IoCs]
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by tilmusvp.exe, sacque.exe, DpEditor.exe
  EnableLUA = 0 means UAC is switched off; a loader reads it to decide whether elevation will prompt the user.
- Legitimate hosting services abused for malware hosting/C2 [1 TTPs]
- Looks up external IP address via web service [1 IoC]
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Network flow 11: ip-api.com
- Suspicious use of NtSetInformationThreadHideFromDebugger [3 IoCs]
  Processes: sacque.exe (pid 2676), tilmusvp.exe (pid 3548), DpEditor.exe (pid 700)
  ThreadHideFromDebugger stops the kernel from delivering debug events for the calling thread, a standard anti-debugging measure; it appears on the same three processes that match the themida YARA rule.
- Drops file in Program Files directory [3 IoCs]
  Files created by 5096680c111700a7343cac14d166ce90.exe:
    C:\Program Files (x86)\foler\olader\acppage.dll
    C:\Program Files (x86)\foler\olader\adprovider.dll
    C:\Program Files (x86)\foler\olader\acledit.dll
- Enumerates physical storage devices [1 TTPs]
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour (this is the sandbox's generic description for the signature; nothing else in this report shows file encryption, and no IoC is listed).
- Checks processor information in registry [2 TTPs, 2 IoCs]
  Processor information is often read in order to detect sandboxing environments.
  tilmusvp.exe:
    Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
    Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
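The BIOS, processor and EnableLUA reads above are one behaviour seen from three angles: a protected binary deciding whether it is being watched before it does anything. The script below, an added example and not Triage's own code, classifies such report lines per process and flags images that touch more than one evasion category. The event lines are constructed from this report's IoCs; the category labels and the two-category threshold are the example's own, and the HARDWARE\ACPI prefix is an assumed path for the VirtualBox ACPI signature, which lists no IoC here.

```python
"""Classify the registry reads listed in a sandbox report into evasion categories.
Added example, not Triage's own code. Event lines are constructed from this report
("Key value queried <key> <image>"); category labels are this example's own."""
import re
from collections import defaultdict

# Registry paths (case-insensitive prefix match) read by packers and loaders to
# fingerprint VMs/sandboxes or to learn whether UAC is on. The ACPI entry is an
# assumed path for the VirtualBox ACPI check; the report lists no IoC for it.
EVASION_KEYS = {
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion": "bios_fingerprint",
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion": "bios_fingerprint",
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor": "cpu_fingerprint",
    r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA": "uac_check",
    r"\REGISTRY\MACHINE\HARDWARE\ACPI": "acpi_vm_check",
}

# "Key value queried <path> <image>", "Key opened ...", "Key created ...". The image
# is the last whitespace-delimited token, so key paths may contain spaces.
EVENT_RE = re.compile(
    r"^Key (?P<op>value queried|opened|created)\s+(?P<key>.+?)\s+(?P<proc>\S+\.exe)$", re.I
)


def classify_key(key):
    """Evasion category for a registry path, or None if the path is not of interest."""
    k = key.lower()
    for prefix, category in EVASION_KEYS.items():
        if k.startswith(prefix.lower()):
            return category
    return None


def summarize(lines):
    """{image: {category: count}} over the events whose key is of interest."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        category = classify_key(m["key"])
        if category:
            counts[m["proc"]][category] += 1
    return {proc: dict(cats) for proc, cats in counts.items()}


def verdict(summary, min_categories=2):
    """Images that touched at least min_categories distinct evasion categories, sorted."""
    return sorted(proc for proc, cats in summary.items() if len(cats) >= min_categories)


# Constructed from this report's BIOS, processor, EnableLUA and registry-class IoCs.
SAMPLE_EVENTS = r"""
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion sacque.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion sacque.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion tilmusvp.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion tilmusvp.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion DpEditor.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion DpEditor.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA tilmusvp.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA sacque.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA DpEditor.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 tilmusvp.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString tilmusvp.exe
Key created \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings tilmusvp.exe
"""

if __name__ == "__main__":
    summary = summarize(SAMPLE_EVENTS.splitlines())
    for proc, cats in sorted(summary.items()):
        print(proc, cats)
    print("evasive:", verdict(summary))
```

On this report's events all three dropped executables cross the two-category threshold, and tilmusvp.exe alone adds the processor check; the "Key created" line is parsed but ignored because it is not an evasion read.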
- Modifies registry class [1 IoC]
  Key created \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings by tilmusvp.exe
- Suspicious behavior: AddClipboardFormatListener [1 IoC]
  Process: DpEditor.exe (pid 700)
- Suspicious behavior: EnumeratesProcesses [6 IoCs]
  Processes: sacque.exe (pid 2676, x2), tilmusvp.exe (pid 3548, x2), DpEditor.exe (pid 700, x2)
- Suspicious use of WriteProcessMemory [15 IoCs]
  Each parent/child pair of the process tree is recorded three times:
    PID 2584 (5096680c111700a7343cac14d166ce90.exe) wrote to memory of 2676 (sacque.exe), x3
    PID 2584 (5096680c111700a7343cac14d166ce90.exe) wrote to memory of 3548 (tilmusvp.exe), x3
    PID 2676 (sacque.exe) wrote to memory of 700 (DpEditor.exe), x3
    PID 3548 (tilmusvp.exe) wrote to memory of 2752 (WScript.exe), x3
    PID 3548 (tilmusvp.exe) wrote to memory of 612 (WScript.exe), x3
Processes
C:\Users\Admin\AppData\Local\Temp\5096680c111700a7343cac14d166ce90.exe (pid 2584)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5096680c111700a7343cac14d166ce90.exe"
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\tongan\sacque.exe (pid 2676)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tongan\sacque.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe (pid 700)
      Command line: "C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious behavior: EnumeratesProcesses
  C:\Users\Admin\AppData\Local\Temp\tongan\tilmusvp.exe (pid 3548)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tongan\tilmusvp.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WScript.exe (pid 2752)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\wuupafvaydb.vbs"
    C:\Windows\SysWOW64\WScript.exe (pid 612)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aukiplqv.vbs"
      - Blocklisted process makes network request
PIDs are taken from the WriteProcessMemory and signature tables; pid 612 is the WScript.exe instance that the blocklisted-network-request signature names, so it is the aukiplqv.vbs host. The two script hosts resolve to C:\Windows\SysWOW64\WScript.exe although the command line names System32: tilmusvp.exe is a 32-bit process, so WOW64 file-system redirection hands it the 32-bit script host.
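The process tree above is reconstructable from the WriteProcessMemory events alone, which is useful when a report arrives as a flat event list. The script below, an added example and not Triage's own code, collapses the triplicated "wrote to memory of" events into edges, renders the tree, and flags script hosts whose ancestor runs from a drop directory. The events and image paths are constructed from this report; the script-host list and the drop-directory patterns are the example's own assumptions.

```python
"""Rebuild a process tree from "PID A wrote to memory of B" events and flag script
hosts launched beneath dropped binaries. Added example, not Triage's own code; the
events and paths below are constructed from this report. Each parent/child pair is
logged three times in the report, so edges are collapsed into a set."""
import re
from collections import defaultdict

WPM_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)\s+\d+\s+(?P<src_img>\S+)\s+(?P<dst_img>\S+)$"
)
# Assumed lists for this example: interpreters worth tracing, and directories a
# loader typically drops into (matched case-insensitively as path substrings).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
DROP_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\")


def parse_edges(lines):
    """De-duplicated set of (src_pid, dst_pid, src_image, dst_image)."""
    edges = set()
    for line in lines:
        m = WPM_RE.match(line.strip())
        if m:
            edges.add((int(m["src"]), int(m["dst"]), m["src_img"], m["dst_img"]))
    return edges


def build_tree(edges):
    """Return (roots, children, image, parent); children lists are in pid order."""
    children, image, parent = defaultdict(list), {}, {}
    for src, dst, src_img, dst_img in sorted(edges):
        image[src], image[dst] = src_img, dst_img
        parent[dst] = src
        children[src].append(dst)
    roots = sorted(pid for pid in image if pid not in parent)
    return roots, children, image, parent


def render(pids, children, image, depth=0):
    """Indented 'image (pid)' lines, depth-first."""
    lines = []
    for pid in pids:
        lines.append("  " * depth + f"{image[pid]} ({pid})")
        lines.extend(render(children.get(pid, []), children, image, depth + 1))
    return lines


def script_hosts_under_dropped(parent, image, paths):
    """(host_pid, ancestor_pid) for each script host that has an ancestor whose image
    lives in a drop directory: a signed interpreter is only as trustworthy as its parent."""
    hits = []
    for pid, img in image.items():
        if img.lower() not in SCRIPT_HOSTS:
            continue
        ancestor = parent.get(pid)
        while ancestor is not None:
            path = paths.get(ancestor, "").lower()
            if any(d in path for d in DROP_DIRS):
                hits.append((pid, ancestor))
                break
            ancestor = parent.get(ancestor)
    return sorted(hits)


# Constructed from this report's 15 WriteProcessMemory IoCs (three per launch).
SAMPLE_EVENTS = """
PID 2584 wrote to memory of 2676 2584 5096680c111700a7343cac14d166ce90.exe sacque.exe
PID 2584 wrote to memory of 2676 2584 5096680c111700a7343cac14d166ce90.exe sacque.exe
PID 2584 wrote to memory of 2676 2584 5096680c111700a7343cac14d166ce90.exe sacque.exe
PID 2584 wrote to memory of 3548 2584 5096680c111700a7343cac14d166ce90.exe tilmusvp.exe
PID 2584 wrote to memory of 3548 2584 5096680c111700a7343cac14d166ce90.exe tilmusvp.exe
PID 2584 wrote to memory of 3548 2584 5096680c111700a7343cac14d166ce90.exe tilmusvp.exe
PID 2676 wrote to memory of 700 2676 sacque.exe DpEditor.exe
PID 2676 wrote to memory of 700 2676 sacque.exe DpEditor.exe
PID 2676 wrote to memory of 700 2676 sacque.exe DpEditor.exe
PID 3548 wrote to memory of 2752 3548 tilmusvp.exe WScript.exe
PID 3548 wrote to memory of 2752 3548 tilmusvp.exe WScript.exe
PID 3548 wrote to memory of 2752 3548 tilmusvp.exe WScript.exe
PID 3548 wrote to memory of 612 3548 tilmusvp.exe WScript.exe
PID 3548 wrote to memory of 612 3548 tilmusvp.exe WScript.exe
PID 3548 wrote to memory of 612 3548 tilmusvp.exe WScript.exe
"""

# Image paths from the report's process tree, keyed by pid.
PATHS = {
    2584: r"C:\Users\Admin\AppData\Local\Temp\5096680c111700a7343cac14d166ce90.exe",
    2676: r"C:\Users\Admin\AppData\Local\Temp\tongan\sacque.exe",
    3548: r"C:\Users\Admin\AppData\Local\Temp\tongan\tilmusvp.exe",
    700: r"C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe",
    2752: r"C:\Windows\SysWOW64\WScript.exe",
    612: r"C:\Windows\SysWOW64\WScript.exe",
}

if __name__ == "__main__":
    roots, children, image, parent = build_tree(parse_edges(SAMPLE_EVENTS.splitlines()))
    print("\n".join(render(roots, children, image)))
    print("script hosts under dropped binaries:", script_hosts_under_dropped(parent, image, PATHS))
```

The five surviving edges reproduce the tree shown above with 2584 as the only root, and both WScript.exe instances are flagged because their parent tilmusvp.exe runs from AppData\Local\Temp.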
Network
Flows referenced by the signatures: flow 11 to ip-api.com (external IP lookup) and flow 35 from WScript.exe (pid 612, blocklisted process makes network request).
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
  MD5: 54e9306f95f32e50ccd58af19753d929
  SHA1: eab9457321f34d4dcf7d4a0ac83edc9131bf7c57
  SHA256: 45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72
  SHA512: 8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
  MD5: 2b99f94d27a0eb96679d846fd7495d1a
  SHA1: ab66191956b6624fc063a4350e9e6aae9670f2a1
  SHA256: f3e56c705ed3fa82f51b7ca58f19eb20389b8acab7b532b5ba2b36d921e83883
  SHA512: 141ed26f9a4a6b23d831332a33b517430eae41c9dfc606f5cc4122ca3939a093b5a2dcb48fd906e0456306e35db5daa447028e18d203156e3a8ba8a624e321c0
  CryptnetUrlCache entries are written by Windows CryptoAPI when it fetches certificate, CRL or OCSP data; treat them as a side effect of the run, not as payloads.
- C:\Users\Admin\AppData\Local\Temp\aukiplqv.vbs
  MD5: 82c8b38f4979e618f15cd47ad98606d9
  SHA1: 077786bf3b4b46266471a95845d65a2ae87a7d7b
  SHA256: 10cc5f98eaec3c2ef31d36536c7c5b0eb660c2e55ab25f327215b45d5178315d
  SHA512: ff12699cdb8c48423e9b288520e2cfeab4804cb3c91feb44075d13cff03ec56539f3d7e2cb2d030d58feee3f3c0bc7bb4af9c3766ea03329a3f52f6e8b42e5cb
- C:\Users\Admin\AppData\Local\Temp\tongan\sacque.exe
  MD5: 6aee0a1a73ed85b554aed2cbfc722e0c
  SHA1: 09a1571a20ad5712731d5f39ab62d5dd91bbc651
  SHA256: a27fb1f7596e8c2d97aec81b107f7d65790b0e6a43c7da63832620ca2d8f3926
  SHA512: 6511e5c280b7000f100d2640a26edb6315ec41634066713782423c149c2abd9afd4074fd2eaa1622b4b7e10ddf596d14a69c79168cec70cac0549a648fa06c2c
- C:\Users\Admin\AppData\Local\Temp\tongan\tilmusvp.exe
  MD5: 355a4152b826bac3bb7ff5ffd95ec7ed
  SHA1: f49b68263295852e2c2aa08fb475b6f999545289
  SHA256: 68502d30f4d6ede5a62c4306ebc796bd1f9e7f1ae34eac34b9f21d78d200cb8c
  SHA512: c73c45ef0a8052160c4f1a62e4b2a500a410ae33ca277ed40d49c38bd6cbabc0b20c74acc116308790038648e070d95768e5a50f60a2eb73891afbb49d7d40ba
- C:\Users\Admin\AppData\Local\Temp\wuupafvaydb.vbs
  MD5: 3514425222dbe1dac75d0a594fe81386
  SHA1: 62cbeb661e1c4c074ed30a3bfef8e566e534401d
  SHA256: 327657e5f36f40f6074d947ab16fae53523d278ec47527919d654a2f93843317
  SHA512: 203a2827f710c7918c5aca312a37be477640e785fd5279474ea0e550383b01d8b52f9d68637ff31d9f6ea2e10d12d4304404cf966aefa6d7896d81dae8af392b
- C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
  MD5: 6aee0a1a73ed85b554aed2cbfc722e0c
  SHA1: 09a1571a20ad5712731d5f39ab62d5dd91bbc651
  SHA256: a27fb1f7596e8c2d97aec81b107f7d65790b0e6a43c7da63832620ca2d8f3926
  SHA512: 6511e5c280b7000f100d2640a26edb6315ec41634066713782423c149c2abd9afd4074fd2eaa1622b4b7e10ddf596d14a69c79168cec70cac0549a648fa06c2c
  All four hashes are identical to sacque.exe: this is the same binary copied under a legitimate-looking vendor path, so a hash-based block on sacque.exe covers it too.
- \Users\Admin\AppData\Local\Temp\nsjC1EA.tmp\UAC.dll
  MD5: adb29e6b186daa765dc750128649b63d
  SHA1: 160cbdc4cb0ac2c142d361df138c537aa7e708c9
  SHA256: 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
  SHA512: b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada
  A plugin DLL in an ns<hex>.tmp directory is the layout NSIS installers use for their plugins, consistent with the parent sample being an NSIS-built dropper and with the "Loads dropped DLL" signature on pid 2584.
The sacque.exe, tilmusvp.exe and DpEditor.exe entries each appeared twice on the original page with identical hashes; the duplicates are omitted here.
Memory dumps
- memory/612-142-0x0000000000000000-mapping.dmp
- memory/700-132-0x0000000000000000-mapping.dmp
- memory/700-{135,136,137,138}-0x00000000012F0000-0x00000000019E5000-memory.dmp (7.0MB each; the same image region dumped at four points in the run)
- memory/700-139-0x0000000077710000-0x000000007789E000-memory.dmp (1.6MB)
- memory/2676-116-0x0000000000000000-mapping.dmp
- memory/2676-{122,124,126,128}-0x0000000000D30000-0x0000000001425000-memory.dmp (7.0MB each)
- memory/2676-131-0x0000000077710000-0x000000007789E000-memory.dmp (1.6MB)
- memory/2752-140-0x0000000000000000-mapping.dmp
- memory/3548-119-0x0000000000000000-mapping.dmp
- memory/3548-{123,125,127,129}-0x0000000000D90000-0x0000000001458000-memory.dmp (6.8MB each)
- memory/3548-130-0x0000000077710000-0x000000007789E000-memory.dmp (1.6MB)
The 7.0MB regions for pid 2676 (sacque.exe) and pid 700 (DpEditor.exe) span the same 0x6F5000 bytes at different bases, as expected for two instances of the same Themida-protected file.