Analysis
-
max time kernel
119s -
max time network
119s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
19-12-2021 08:58
General
-
Target
9f883f2908f53b5fb73c1be1a271f740.exe
-
Size
2.7MB
-
MD5
9f883f2908f53b5fb73c1be1a271f740
-
SHA1
8c58e0e886a615cee214ae5d861991cb95739026
-
SHA256
32ecdeb650c1a54310c61847b3c86732290a4df1b51e95238868555e144ca9a6
-
SHA512
4544d26c451755aa25ecca4476df273215e4d2a20db8d7b60ecda8a5f92dde76000df08ec5dad280476eef05ce6352fa599fbd364dcc3d575488c426f2e08938
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Executes dropped EXE 1 IoCs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Themida packer 10 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\9f883f2908f53b5fb73c1be1a271f740.exe"C:\Users\Admin\AppData\Local\Temp\9f883f2908f53b5fb73c1be1a271f740.exe"1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exeMD5
9f883f2908f53b5fb73c1be1a271f740
SHA18c58e0e886a615cee214ae5d861991cb95739026
SHA25632ecdeb650c1a54310c61847b3c86732290a4df1b51e95238868555e144ca9a6
SHA5124544d26c451755aa25ecca4476df273215e4d2a20db8d7b60ecda8a5f92dde76000df08ec5dad280476eef05ce6352fa599fbd364dcc3d575488c426f2e08938
-
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exeMD5
9f883f2908f53b5fb73c1be1a271f740
SHA18c58e0e886a615cee214ae5d861991cb95739026
SHA25632ecdeb650c1a54310c61847b3c86732290a4df1b51e95238868555e144ca9a6
SHA5124544d26c451755aa25ecca4476df273215e4d2a20db8d7b60ecda8a5f92dde76000df08ec5dad280476eef05ce6352fa599fbd364dcc3d575488c426f2e08938
-
memory/1204-123-0x0000000077300000-0x000000007748E000-memory.dmpFilesize
1.6MB
-
memory/1204-120-0x0000000000000000-mapping.dmp
-
memory/1204-124-0x0000000001340000-0x0000000001A3A000-memory.dmpFilesize
7.0MB
-
memory/1204-125-0x0000000001340000-0x0000000001A3A000-memory.dmpFilesize
7.0MB
-
memory/1204-126-0x0000000001340000-0x0000000001A3A000-memory.dmpFilesize
7.0MB
-
memory/1204-127-0x0000000001340000-0x0000000001A3A000-memory.dmpFilesize
7.0MB
-
memory/2444-118-0x0000000077300000-0x000000007748E000-memory.dmpFilesize
1.6MB
-
memory/2444-119-0x0000000000ED0000-0x00000000015CA000-memory.dmpFilesize
7.0MB
-
memory/2444-117-0x0000000000ED0000-0x00000000015CA000-memory.dmpFilesize
7.0MB
-
memory/2444-116-0x0000000000ED0000-0x00000000015CA000-memory.dmpFilesize
7.0MB
-
memory/2444-115-0x0000000000ED0000-0x00000000015CA000-memory.dmpFilesize
7.0MB