Analysis
-
max time kernel: 121s
max time network: 125s
platform: windows10_x64
resource: win10-en-20211208
submitted: 20-12-2021 14:24
Static task: static1
Behavioral task: behavioral1
Sample: af36c20219a8f5fa58d205a9e5db1cc1.exe
Resource: win7-en-20211208
General
-
Target: af36c20219a8f5fa58d205a9e5db1cc1.exe
Size: 2.7MB
MD5: af36c20219a8f5fa58d205a9e5db1cc1
SHA1: 17356b91dd8292bddea7300c3a9fc1a98fccd11f
SHA256: 3276687dad3c0a8d82bd752b2591c7d0b89c823a2e9761b4db8c95e9cd842f81
SHA512: 443ba7a6c07ee2076f823a5a70ef6dffb60e5f36dc413672f8194e6e46abcb47dc364812f2b2b76e1da914e8d64322111cc78e7875608c205a5331302ecc1e4e
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Executes dropped EXE 1 IoCs
Processes:
  pid   process
  4072  DpEditor.exe
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description        ioc                                                              process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  af36c20219a8f5fa58d205a9e5db1cc1.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   af36c20219a8f5fa58d205a9e5db1cc1.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  DpEditor.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   DpEditor.exe
-
Processes:
  resource                                                                        yara_rule
  behavioral2/memory/2428-115-0x0000000000C20000-0x0000000001316000-memory.dmp  themida
  behavioral2/memory/2428-116-0x0000000000C20000-0x0000000001316000-memory.dmp  themida
  behavioral2/memory/2428-117-0x0000000000C20000-0x0000000001316000-memory.dmp  themida
  behavioral2/memory/2428-118-0x0000000000C20000-0x0000000001316000-memory.dmp  themida
  C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe               themida
  C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe               themida
  behavioral2/memory/4072-123-0x00000000008E0000-0x0000000000FD6000-memory.dmp  themida
  behavioral2/memory/4072-124-0x00000000008E0000-0x0000000000FD6000-memory.dmp  themida
  behavioral2/memory/4072-125-0x00000000008E0000-0x0000000000FD6000-memory.dmp  themida
  behavioral2/memory/4072-126-0x00000000008E0000-0x0000000000FD6000-memory.dmp  themida
-
Checks whether UAC is enabled
Processes:
  description        ioc                                                                                   process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  af36c20219a8f5fa58d205a9e5db1cc1.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  DpEditor.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
  pid   process
  2428  af36c20219a8f5fa58d205a9e5db1cc1.exe
  4072  DpEditor.exe
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
  pid   process
  4072  DpEditor.exe
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
  pid   process
  2428  af36c20219a8f5fa58d205a9e5db1cc1.exe
  2428  af36c20219a8f5fa58d205a9e5db1cc1.exe
  4072  DpEditor.exe
  4072  DpEditor.exe
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
  description                       pid   process                               target process
  PID 2428 wrote to memory of 4072  2428  af36c20219a8f5fa58d205a9e5db1cc1.exe  DpEditor.exe
  PID 2428 wrote to memory of 4072  2428  af36c20219a8f5fa58d205a9e5db1cc1.exe  DpEditor.exe
  PID 2428 wrote to memory of 4072  2428  af36c20219a8f5fa58d205a9e5db1cc1.exe  DpEditor.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\af36c20219a8f5fa58d205a9e5db1cc1.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\af36c20219a8f5fa58d205a9e5db1cc1.exe"
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  -
  C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe (child of the process above)
    command line: "C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
  MD5: af36c20219a8f5fa58d205a9e5db1cc1
  SHA1: 17356b91dd8292bddea7300c3a9fc1a98fccd11f
  SHA256: 3276687dad3c0a8d82bd752b2591c7d0b89c823a2e9761b4db8c95e9cd842f81
  SHA512: 443ba7a6c07ee2076f823a5a70ef6dffb60e5f36dc413672f8194e6e46abcb47dc364812f2b2b76e1da914e8d64322111cc78e7875608c205a5331302ecc1e4e
-
memory/2428-118-0x0000000000C20000-0x0000000001316000-memory.dmp
  Filesize: 7.0MB
-
memory/2428-115-0x0000000000C20000-0x0000000001316000-memory.dmp
  Filesize: 7.0MB
-
memory/2428-119-0x00000000775A0000-0x000000007772E000-memory.dmp
  Filesize: 1.6MB
-
memory/2428-117-0x0000000000C20000-0x0000000001316000-memory.dmp
  Filesize: 7.0MB
-
memory/2428-116-0x0000000000C20000-0x0000000001316000-memory.dmp
  Filesize: 7.0MB
-
memory/4072-120-0x0000000000000000-mapping.dmp
-
memory/4072-123-0x00000000008E0000-0x0000000000FD6000-memory.dmp
  Filesize: 7.0MB
-
memory/4072-124-0x00000000008E0000-0x0000000000FD6000-memory.dmp
  Filesize: 7.0MB
-
memory/4072-125-0x00000000008E0000-0x0000000000FD6000-memory.dmp
  Filesize: 7.0MB
-
memory/4072-126-0x00000000008E0000-0x0000000000FD6000-memory.dmp
  Filesize: 7.0MB
-
memory/4072-127-0x00000000775A0000-0x000000007772E000-memory.dmp
  Filesize: 1.6MB