Analysis
- max time kernel: 119s
- max time network: 123s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 18-12-2021 21:40
Static task: static1
Behavioral task: behavioral1
  Sample: b56b7a27fd509d39ce2185e0f7c94bca.exe
  Resource: win7-en-20211208
General
- Target: b56b7a27fd509d39ce2185e0f7c94bca.exe
- Size: 2.7MB
- MD5: b56b7a27fd509d39ce2185e0f7c94bca
- SHA1: af0d4a3a03fed4ab66c756fbe32099136e0c5577
- SHA256: 4f4368e357e407f79326cb4e2f46ee8c264b5fd1b8647ff46a453fae39631f53
- SHA512: c0895ee55e0b8b1d00a682608780369f0bc5ae9e7731b055091a7dcd6d94f126803be42a1c1ce9fa87cfec7fff63f90892b69471cba6f0ae5b2f7dad34bbe1b5
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
    656  DpEditor.exe
- Checks BIOS information in registry (2 TTPs, 4 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes (description / ioc / process):
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  b56b7a27fd509d39ce2185e0f7c94bca.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   b56b7a27fd509d39ce2185e0f7c94bca.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  DpEditor.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   DpEditor.exe
- Loads dropped DLL (1 IoC)
  Processes (pid / process):
    844  b56b7a27fd509d39ce2185e0f7c94bca.exe
- YARA rule matches (resource / yara_rule):
    behavioral1/memory/844-54-0x0000000000340000-0x0000000000A2D000-memory.dmp  themida
    behavioral1/memory/844-55-0x0000000000340000-0x0000000000A2D000-memory.dmp  themida
    behavioral1/memory/844-56-0x0000000000340000-0x0000000000A2D000-memory.dmp  themida
    behavioral1/memory/844-57-0x0000000000340000-0x0000000000A2D000-memory.dmp  themida
    \Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe                themida
    C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe              themida
    behavioral1/memory/656-62-0x0000000000250000-0x000000000093D000-memory.dmp  themida
    behavioral1/memory/656-63-0x0000000000250000-0x000000000093D000-memory.dmp  themida
    behavioral1/memory/656-64-0x0000000000250000-0x000000000093D000-memory.dmp  themida
    behavioral1/memory/656-65-0x0000000000250000-0x000000000093D000-memory.dmp  themida
- Checks whether UAC is enabled (2 IoCs)
  Processes (description / ioc / process):
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  b56b7a27fd509d39ce2185e0f7c94bca.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  DpEditor.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes (pid / process):
    844  b56b7a27fd509d39ce2185e0f7c94bca.exe
    656  DpEditor.exe
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes (pid / process):
    656  DpEditor.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid / process):
    844  b56b7a27fd509d39ce2185e0f7c94bca.exe
    656  DpEditor.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description / pid / process / target process):
    PID 844 wrote to memory of 656  844  b56b7a27fd509d39ce2185e0f7c94bca.exe  DpEditor.exe
    PID 844 wrote to memory of 656  844  b56b7a27fd509d39ce2185e0f7c94bca.exe  DpEditor.exe
    PID 844 wrote to memory of 656  844  b56b7a27fd509d39ce2185e0f7c94bca.exe  DpEditor.exe
    PID 844 wrote to memory of 656  844  b56b7a27fd509d39ce2185e0f7c94bca.exe  DpEditor.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\b56b7a27fd509d39ce2185e0f7c94bca.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b56b7a27fd509d39ce2185e0f7c94bca.exe"
  PID: 844
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
    Command line: "C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"
    PID: 656
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe (hashes match the submitted sample)
  MD5: b56b7a27fd509d39ce2185e0f7c94bca
  SHA1: af0d4a3a03fed4ab66c756fbe32099136e0c5577
  SHA256: 4f4368e357e407f79326cb4e2f46ee8c264b5fd1b8647ff46a453fae39631f53
  SHA512: c0895ee55e0b8b1d00a682608780369f0bc5ae9e7731b055091a7dcd6d94f126803be42a1c1ce9fa87cfec7fff63f90892b69471cba6f0ae5b2f7dad34bbe1b5
- \Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe (hashes match the submitted sample)
  MD5: b56b7a27fd509d39ce2185e0f7c94bca
  SHA1: af0d4a3a03fed4ab66c756fbe32099136e0c5577
  SHA256: 4f4368e357e407f79326cb4e2f46ee8c264b5fd1b8647ff46a453fae39631f53
  SHA512: c0895ee55e0b8b1d00a682608780369f0bc5ae9e7731b055091a7dcd6d94f126803be42a1c1ce9fa87cfec7fff63f90892b69471cba6f0ae5b2f7dad34bbe1b5
- memory/656-59-0x0000000000000000-mapping.dmp
- memory/656-62-0x0000000000250000-0x000000000093D000-memory.dmp (Filesize: 6.9MB)
- memory/656-63-0x0000000000250000-0x000000000093D000-memory.dmp (Filesize: 6.9MB)
- memory/656-64-0x0000000000250000-0x000000000093D000-memory.dmp (Filesize: 6.9MB)
- memory/656-65-0x0000000000250000-0x000000000093D000-memory.dmp (Filesize: 6.9MB)
- memory/844-53-0x0000000076151000-0x0000000076153000-memory.dmp (Filesize: 8KB)
- memory/844-54-0x0000000000340000-0x0000000000A2D000-memory.dmp (Filesize: 6.9MB)
- memory/844-55-0x0000000000340000-0x0000000000A2D000-memory.dmp (Filesize: 6.9MB)
- memory/844-56-0x0000000000340000-0x0000000000A2D000-memory.dmp (Filesize: 6.9MB)
- memory/844-57-0x0000000000340000-0x0000000000A2D000-memory.dmp (Filesize: 6.9MB)