Analysis
- Max time kernel: 122s
- Max time network: 123s
- Platform: windows10_x64
- Resource: win10-en-20211208
- Submitted: 18-12-2021 14:26
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 792cef7a7b7a68ccd4348e7b17aae3a7.exe
  - Resource: win7-en-20211208
General
- Target: 792cef7a7b7a68ccd4348e7b17aae3a7.exe
- Size: 2.7MB
- MD5: 792cef7a7b7a68ccd4348e7b17aae3a7
- SHA1: 9b90b4f292488b4b8df943f4937d4158f2c3d392
- SHA256: 4d0ebd85da282bb75b2439f9baa30c3ff3788e556c32713e48f786defe408eac
- SHA512: b023222cbece71f806651fdb15ec8140931a605ea2e7c75a3e254fab2b9007274ff5cabd0b03175c9d70dc4c6a078a1989c4a7618d9bf2805ba3cc009e53c620
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
  - 2208 | DpEditor.exe
- Checks BIOS information in registry (2 TTPs, 4 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 792cef7a7b7a68ccd4348e7b17aae3a7.exe
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 792cef7a7b7a68ccd4348e7b17aae3a7.exe
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | DpEditor.exe
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | DpEditor.exe
- YARA rule matches (rule: themida)
  Resources (resource | yara_rule):
  - behavioral2/memory/2608-115-0x0000000000EC0000-0x00000000015B0000-memory.dmp | themida
  - behavioral2/memory/2608-116-0x0000000000EC0000-0x00000000015B0000-memory.dmp | themida
  - behavioral2/memory/2608-118-0x0000000000EC0000-0x00000000015B0000-memory.dmp | themida
  - behavioral2/memory/2608-119-0x0000000000EC0000-0x00000000015B0000-memory.dmp | themida
  - C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe | themida
  - C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe | themida
  - behavioral2/memory/2208-123-0x0000000000180000-0x0000000000870000-memory.dmp | themida
  - behavioral2/memory/2208-124-0x0000000000180000-0x0000000000870000-memory.dmp | themida
  - behavioral2/memory/2208-126-0x0000000000180000-0x0000000000870000-memory.dmp | themida
  - behavioral2/memory/2208-127-0x0000000000180000-0x0000000000870000-memory.dmp | themida
- Checks whether UAC is enabled
  Processes (description | ioc | process):
  - Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 792cef7a7b7a68ccd4348e7b17aae3a7.exe
  - Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | DpEditor.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes (pid | process):
  - 2608 | 792cef7a7b7a68ccd4348e7b17aae3a7.exe
  - 2208 | DpEditor.exe
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes (pid | process):
  - 2208 | DpEditor.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes (pid | process):
  - 2608 | 792cef7a7b7a68ccd4348e7b17aae3a7.exe
  - 2608 | 792cef7a7b7a68ccd4348e7b17aae3a7.exe
  - 2208 | DpEditor.exe
  - 2208 | DpEditor.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description | pid | process | target process):
  - PID 2608 wrote to memory of 2208 | 2608 | 792cef7a7b7a68ccd4348e7b17aae3a7.exe | DpEditor.exe
  - PID 2608 wrote to memory of 2208 | 2608 | 792cef7a7b7a68ccd4348e7b17aae3a7.exe | DpEditor.exe
  - PID 2608 wrote to memory of 2208 | 2608 | 792cef7a7b7a68ccd4348e7b17aae3a7.exe | DpEditor.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\792cef7a7b7a68ccd4348e7b17aae3a7.exe (PID 2608)
  Command line: "C:\Users\Admin\AppData\Local\Temp\792cef7a7b7a68ccd4348e7b17aae3a7.exe"
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe (PID 2208, child process)
    Command line: "C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
  - MD5: 792cef7a7b7a68ccd4348e7b17aae3a7
  - SHA1: 9b90b4f292488b4b8df943f4937d4158f2c3d392
  - SHA256: 4d0ebd85da282bb75b2439f9baa30c3ff3788e556c32713e48f786defe408eac
  - SHA512: b023222cbece71f806651fdb15ec8140931a605ea2e7c75a3e254fab2b9007274ff5cabd0b03175c9d70dc4c6a078a1989c4a7618d9bf2805ba3cc009e53c620
- memory/2208-124-0x0000000000180000-0x0000000000870000-memory.dmp (Filesize: 6.9MB)
- memory/2208-120-0x0000000000000000-mapping.dmp
- memory/2208-123-0x0000000000180000-0x0000000000870000-memory.dmp (Filesize: 6.9MB)
- memory/2208-125-0x00000000771F0000-0x000000007737E000-memory.dmp (Filesize: 1.6MB)
- memory/2208-126-0x0000000000180000-0x0000000000870000-memory.dmp (Filesize: 6.9MB)
- memory/2208-127-0x0000000000180000-0x0000000000870000-memory.dmp (Filesize: 6.9MB)
- memory/2608-118-0x0000000000EC0000-0x00000000015B0000-memory.dmp (Filesize: 6.9MB)
- memory/2608-119-0x0000000000EC0000-0x00000000015B0000-memory.dmp (Filesize: 6.9MB)
- memory/2608-117-0x00000000771F0000-0x000000007737E000-memory.dmp (Filesize: 1.6MB)
- memory/2608-116-0x0000000000EC0000-0x00000000015B0000-memory.dmp (Filesize: 6.9MB)
- memory/2608-115-0x0000000000EC0000-0x00000000015B0000-memory.dmp (Filesize: 6.9MB)