Analysis
- max time kernel: 122s
- max time network: 126s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 11-12-2021 15:38
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 47278765c8eb8758d13014ef6171f9e6.exe
  - Resource: win7-en-20211208
General
- Target: 47278765c8eb8758d13014ef6171f9e6.exe
- Size: 2.6MB
- MD5: 47278765c8eb8758d13014ef6171f9e6
- SHA1: 6b99a2281579c632667a40c11c8c4a054c66fab3
- SHA256: af350797dd1ba1459256609ef7a6971149602a3ea7cde8f05ff65010963b98b0
- SHA512: dbc1db103e20f0f264e48ca02222fdb0c4fd1d2c805c28feba71ccbad909e20a9b288dd59e799f2db28d5b4ff955f5e2356aee203e66fc9ca1bdc74258ffe8a3
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
- Executes dropped EXE 1 IoCs
  Processes:
  pid | process
  1156 | DpEditor.exe
- Checks BIOS information in registry 2 TTPs 4 IoCs
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 47278765c8eb8758d13014ef6171f9e6.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 47278765c8eb8758d13014ef6171f9e6.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | DpEditor.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | DpEditor.exe
- Processes:
  resource | yara_rule
  behavioral2/memory/2860-115-0x0000000000DD0000-0x00000000014B2000-memory.dmp | themida
  behavioral2/memory/2860-116-0x0000000000DD0000-0x00000000014B2000-memory.dmp | themida
  behavioral2/memory/2860-118-0x0000000000DD0000-0x00000000014B2000-memory.dmp | themida
  behavioral2/memory/2860-119-0x0000000000DD0000-0x00000000014B2000-memory.dmp | themida
  C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe | themida
  C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe | themida
  behavioral2/memory/1156-123-0x0000000000F10000-0x00000000015F2000-memory.dmp | themida
  behavioral2/memory/1156-124-0x0000000000F10000-0x00000000015F2000-memory.dmp | themida
  behavioral2/memory/1156-125-0x0000000000F10000-0x00000000015F2000-memory.dmp | themida
  behavioral2/memory/1156-127-0x0000000000F10000-0x00000000015F2000-memory.dmp | themida
- Checks whether UAC is enabled 2 IoCs
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 47278765c8eb8758d13014ef6171f9e6.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | DpEditor.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  Processes:
  pid | process
  2860 | 47278765c8eb8758d13014ef6171f9e6.exe
  1156 | DpEditor.exe
- Suspicious behavior: AddClipboardFormatListener 1 IoCs
  Processes:
  pid | process
  1156 | DpEditor.exe
- Suspicious behavior: EnumeratesProcesses 4 IoCs
  Processes:
  pid | process
  2860 | 47278765c8eb8758d13014ef6171f9e6.exe
  2860 | 47278765c8eb8758d13014ef6171f9e6.exe
  1156 | DpEditor.exe
  1156 | DpEditor.exe
- Suspicious use of WriteProcessMemory 3 IoCs
  Processes:
  description | pid | process | target process
  PID 2860 wrote to memory of 1156 | 2860 | 47278765c8eb8758d13014ef6171f9e6.exe | DpEditor.exe
  PID 2860 wrote to memory of 1156 | 2860 | 47278765c8eb8758d13014ef6171f9e6.exe | DpEditor.exe
  PID 2860 wrote to memory of 1156 | 2860 | 47278765c8eb8758d13014ef6171f9e6.exe | DpEditor.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\47278765c8eb8758d13014ef6171f9e6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\47278765c8eb8758d13014ef6171f9e6.exe"
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
  Command line: "C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
  MD5: 47278765c8eb8758d13014ef6171f9e6
  SHA1: 6b99a2281579c632667a40c11c8c4a054c66fab3
  SHA256: af350797dd1ba1459256609ef7a6971149602a3ea7cde8f05ff65010963b98b0
  SHA512: dbc1db103e20f0f264e48ca02222fdb0c4fd1d2c805c28feba71ccbad909e20a9b288dd59e799f2db28d5b4ff955f5e2356aee203e66fc9ca1bdc74258ffe8a3
- memory/1156-124-0x0000000000F10000-0x00000000015F2000-memory.dmp (Filesize: 6.9MB)
- memory/1156-120-0x0000000000000000-mapping.dmp
- memory/1156-123-0x0000000000F10000-0x00000000015F2000-memory.dmp (Filesize: 6.9MB)
- memory/1156-126-0x0000000076F90000-0x000000007711E000-memory.dmp (Filesize: 1.6MB)
- memory/1156-125-0x0000000000F10000-0x00000000015F2000-memory.dmp (Filesize: 6.9MB)
- memory/1156-127-0x0000000000F10000-0x00000000015F2000-memory.dmp (Filesize: 6.9MB)
- memory/2860-118-0x0000000000DD0000-0x00000000014B2000-memory.dmp (Filesize: 6.9MB)
- memory/2860-119-0x0000000000DD0000-0x00000000014B2000-memory.dmp (Filesize: 6.9MB)
- memory/2860-117-0x0000000076F90000-0x000000007711E000-memory.dmp (Filesize: 1.6MB)
- memory/2860-116-0x0000000000DD0000-0x00000000014B2000-memory.dmp (Filesize: 6.9MB)
- memory/2860-115-0x0000000000DD0000-0x00000000014B2000-memory.dmp (Filesize: 6.9MB)