Analysis
- max time kernel: 119s
- max time network: 119s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 19-12-2021 08:58
Static task: static1
Behavioral task: behavioral1
- Sample: 9f883f2908f53b5fb73c1be1a271f740.exe
- Resource: win7-en-20211208
General
- Target: 9f883f2908f53b5fb73c1be1a271f740.exe
- Size: 2.7MB
- MD5: 9f883f2908f53b5fb73c1be1a271f740
- SHA1: 8c58e0e886a615cee214ae5d861991cb95739026
- SHA256: 32ecdeb650c1a54310c61847b3c86732290a4df1b51e95238868555e144ca9a6
- SHA512: 4544d26c451755aa25ecca4476df273215e4d2a20db8d7b60ecda8a5f92dde76000df08ec5dad280476eef05ce6352fa599fbd364dcc3d575488c426f2e08938
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
- Executes dropped EXE (1 IoC)
  Processes:
    pid   process
    1204  DpEditor.exe
- Checks BIOS information in registry (2 TTPs, 4 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
    description        ioc                                                              process
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   DpEditor.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  9f883f2908f53b5fb73c1be1a271f740.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   9f883f2908f53b5fb73c1be1a271f740.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  DpEditor.exe
- Processes:
    resource                                                                        yara_rule
    behavioral2/memory/2444-115-0x0000000000ED0000-0x00000000015CA000-memory.dmp  themida
    behavioral2/memory/2444-116-0x0000000000ED0000-0x00000000015CA000-memory.dmp  themida
    behavioral2/memory/2444-117-0x0000000000ED0000-0x00000000015CA000-memory.dmp  themida
    behavioral2/memory/2444-119-0x0000000000ED0000-0x00000000015CA000-memory.dmp  themida
    C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe                themida
    C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe                themida
    behavioral2/memory/1204-124-0x0000000001340000-0x0000000001A3A000-memory.dmp  themida
    behavioral2/memory/1204-125-0x0000000001340000-0x0000000001A3A000-memory.dmp  themida
    behavioral2/memory/1204-126-0x0000000001340000-0x0000000001A3A000-memory.dmp  themida
    behavioral2/memory/1204-127-0x0000000001340000-0x0000000001A3A000-memory.dmp  themida
- Processes:
    description        ioc                                                                                 process
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  9f883f2908f53b5fb73c1be1a271f740.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  DpEditor.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes:
    pid   process
    2444  9f883f2908f53b5fb73c1be1a271f740.exe
    1204  DpEditor.exe
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes:
    pid   process
    1204  DpEditor.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
    pid   process
    2444  9f883f2908f53b5fb73c1be1a271f740.exe
    2444  9f883f2908f53b5fb73c1be1a271f740.exe
    1204  DpEditor.exe
    1204  DpEditor.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description                        pid   process                               target process
    PID 2444 wrote to memory of 1204   2444  9f883f2908f53b5fb73c1be1a271f740.exe  DpEditor.exe
    PID 2444 wrote to memory of 1204   2444  9f883f2908f53b5fb73c1be1a271f740.exe  DpEditor.exe
    PID 2444 wrote to memory of 1204   2444  9f883f2908f53b5fb73c1be1a271f740.exe  DpEditor.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\9f883f2908f53b5fb73c1be1a271f740.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\9f883f2908f53b5fb73c1be1a271f740.exe"
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
    command line: "C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
  MD5: 9f883f2908f53b5fb73c1be1a271f740
  SHA1: 8c58e0e886a615cee214ae5d861991cb95739026
  SHA256: 32ecdeb650c1a54310c61847b3c86732290a4df1b51e95238868555e144ca9a6
  SHA512: 4544d26c451755aa25ecca4476df273215e4d2a20db8d7b60ecda8a5f92dde76000df08ec5dad280476eef05ce6352fa599fbd364dcc3d575488c426f2e08938
- memory/1204-123-0x0000000077300000-0x000000007748E000-memory.dmp (Filesize 1.6MB)
- memory/1204-120-0x0000000000000000-mapping.dmp
- memory/1204-124-0x0000000001340000-0x0000000001A3A000-memory.dmp (Filesize 7.0MB)
- memory/1204-125-0x0000000001340000-0x0000000001A3A000-memory.dmp (Filesize 7.0MB)
- memory/1204-126-0x0000000001340000-0x0000000001A3A000-memory.dmp (Filesize 7.0MB)
- memory/1204-127-0x0000000001340000-0x0000000001A3A000-memory.dmp (Filesize 7.0MB)
- memory/2444-118-0x0000000077300000-0x000000007748E000-memory.dmp (Filesize 1.6MB)
- memory/2444-119-0x0000000000ED0000-0x00000000015CA000-memory.dmp (Filesize 7.0MB)
- memory/2444-117-0x0000000000ED0000-0x00000000015CA000-memory.dmp (Filesize 7.0MB)
- memory/2444-116-0x0000000000ED0000-0x00000000015CA000-memory.dmp (Filesize 7.0MB)
- memory/2444-115-0x0000000000ED0000-0x00000000015CA000-memory.dmp (Filesize 7.0MB)