Analysis
- max time kernel: 117s
- max time network: 120s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 18-12-2021 14:26

Static task: static1
Behavioral task: behavioral1
- Sample: 792cef7a7b7a68ccd4348e7b17aae3a7.exe
- Resource: win7-en-20211208
General
- Target: 792cef7a7b7a68ccd4348e7b17aae3a7.exe
- Size: 2.7MB
- MD5: 792cef7a7b7a68ccd4348e7b17aae3a7
- SHA1: 9b90b4f292488b4b8df943f4937d4158f2c3d392
- SHA256: 4d0ebd85da282bb75b2439f9baa30c3ff3788e556c32713e48f786defe408eac
- SHA512: b023222cbece71f806651fdb15ec8140931a605ea2e7c75a3e254fab2b9007274ff5cabd0b03175c9d70dc4c6a078a1989c4a7618d9bf2805ba3cc009e53c620
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)

- Executes dropped EXE (1 IoC)
  Processes: DpEditor.exe
    pid   process
    1916  DpEditor.exe
- Checks BIOS information in registry (2 TTPs, 4 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: 792cef7a7b7a68ccd4348e7b17aae3a7.exe, DpEditor.exe
    description        ioc                                                              process
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  792cef7a7b7a68ccd4348e7b17aae3a7.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   792cef7a7b7a68ccd4348e7b17aae3a7.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  DpEditor.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   DpEditor.exe
- Loads dropped DLL (1 IoC)
  Processes: 792cef7a7b7a68ccd4348e7b17aae3a7.exe
    pid   process
    740   792cef7a7b7a68ccd4348e7b17aae3a7.exe
- (Signature heading missing from the extracted page; all matches are for the YARA rule "themida")
  Processes:
    resource                                                                     yara_rule
    behavioral1/memory/740-55-0x0000000000D60000-0x0000000001450000-memory.dmp   themida
    behavioral1/memory/740-56-0x0000000000D60000-0x0000000001450000-memory.dmp   themida
    behavioral1/memory/740-57-0x0000000000D60000-0x0000000001450000-memory.dmp   themida
    behavioral1/memory/740-58-0x0000000000D60000-0x0000000001450000-memory.dmp   themida
    \Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe               themida
    C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe             themida
    behavioral1/memory/1916-63-0x0000000000D20000-0x0000000001410000-memory.dmp  themida
    behavioral1/memory/1916-64-0x0000000000D20000-0x0000000001410000-memory.dmp  themida
    behavioral1/memory/1916-65-0x0000000000D20000-0x0000000001410000-memory.dmp  themida
    behavioral1/memory/1916-66-0x0000000000D20000-0x0000000001410000-memory.dmp  themida
- Checks whether UAC is enabled (signature heading missing from the extracted page; name taken from the process tree below)
  Processes: 792cef7a7b7a68ccd4348e7b17aae3a7.exe, DpEditor.exe
    description        ioc                                                                           process
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  792cef7a7b7a68ccd4348e7b17aae3a7.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  DpEditor.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes: 792cef7a7b7a68ccd4348e7b17aae3a7.exe, DpEditor.exe
    pid   process
    740   792cef7a7b7a68ccd4348e7b17aae3a7.exe
    1916  DpEditor.exe

- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes: DpEditor.exe
    pid   process
    1916  DpEditor.exe

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: 792cef7a7b7a68ccd4348e7b17aae3a7.exe, DpEditor.exe
    pid   process
    740   792cef7a7b7a68ccd4348e7b17aae3a7.exe
    1916  DpEditor.exe

- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: 792cef7a7b7a68ccd4348e7b17aae3a7.exe
    description                        pid  process                               target process
    PID 740 wrote to memory of 1916    740  792cef7a7b7a68ccd4348e7b17aae3a7.exe  DpEditor.exe
    PID 740 wrote to memory of 1916    740  792cef7a7b7a68ccd4348e7b17aae3a7.exe  DpEditor.exe
    PID 740 wrote to memory of 1916    740  792cef7a7b7a68ccd4348e7b17aae3a7.exe  DpEditor.exe
    PID 740 wrote to memory of 1916    740  792cef7a7b7a68ccd4348e7b17aae3a7.exe  DpEditor.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\792cef7a7b7a68ccd4348e7b17aae3a7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\792cef7a7b7a68ccd4348e7b17aae3a7.exe"
  Tree depth: 1
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
    Command line: "C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"
    Tree depth: 2 (child of the process above)
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
  (hashes identical to the submitted sample, i.e. the sample drops a copy of itself)
  MD5: 792cef7a7b7a68ccd4348e7b17aae3a7
  SHA1: 9b90b4f292488b4b8df943f4937d4158f2c3d392
  SHA256: 4d0ebd85da282bb75b2439f9baa30c3ff3788e556c32713e48f786defe408eac
  SHA512: b023222cbece71f806651fdb15ec8140931a605ea2e7c75a3e254fab2b9007274ff5cabd0b03175c9d70dc4c6a078a1989c4a7618d9bf2805ba3cc009e53c620

- \Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
  MD5: 792cef7a7b7a68ccd4348e7b17aae3a7
  SHA1: 9b90b4f292488b4b8df943f4937d4158f2c3d392
  SHA256: 4d0ebd85da282bb75b2439f9baa30c3ff3788e556c32713e48f786defe408eac
  SHA512: b023222cbece71f806651fdb15ec8140931a605ea2e7c75a3e254fab2b9007274ff5cabd0b03175c9d70dc4c6a078a1989c4a7618d9bf2805ba3cc009e53c620

- memory/740-54-0x0000000075321000-0x0000000075323000-memory.dmp
  Filesize: 8KB

- memory/740-55-0x0000000000D60000-0x0000000001450000-memory.dmp
  Filesize: 6.9MB

- memory/740-56-0x0000000000D60000-0x0000000001450000-memory.dmp
  Filesize: 6.9MB

- memory/740-57-0x0000000000D60000-0x0000000001450000-memory.dmp
  Filesize: 6.9MB

- memory/740-58-0x0000000000D60000-0x0000000001450000-memory.dmp
  Filesize: 6.9MB

- memory/1916-60-0x0000000000000000-mapping.dmp

- memory/1916-63-0x0000000000D20000-0x0000000001410000-memory.dmp
  Filesize: 6.9MB

- memory/1916-64-0x0000000000D20000-0x0000000001410000-memory.dmp
  Filesize: 6.9MB

- memory/1916-65-0x0000000000D20000-0x0000000001410000-memory.dmp
  Filesize: 6.9MB

- memory/1916-66-0x0000000000D20000-0x0000000001410000-memory.dmp
  Filesize: 6.9MB