Analysis
-
max time kernel
117s -
max time network
117s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
25-12-2021 17:58
General
-
Target
1f1248d5b199d9f25878f17d07dc7b94.exe
-
Size
2.8MB
-
MD5
1f1248d5b199d9f25878f17d07dc7b94
-
SHA1
46eea0b5d5d448ecc9d6a172efa620d46c5f6403
-
SHA256
9b5b14675edb065f1c9a148a736e1673f2b8e77b4b1b66263e76f6ddbb766a12
-
SHA512
452f61e02d216b793081b846144ca2808a2dd65211b737c1f036350f0c615231fb67a33686fd8960dd050813e5abd2b313da10268eab3dfe5d2c8e1463cc09bc
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Executes dropped EXE 1 IoCs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL 1 IoCs
-
Themida packer 10 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1f1248d5b199d9f25878f17d07dc7b94.exe"C:\Users\Admin\AppData\Local\Temp\1f1248d5b199d9f25878f17d07dc7b94.exe"1⤵
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exeMD5
1f1248d5b199d9f25878f17d07dc7b94
SHA146eea0b5d5d448ecc9d6a172efa620d46c5f6403
SHA2569b5b14675edb065f1c9a148a736e1673f2b8e77b4b1b66263e76f6ddbb766a12
SHA512452f61e02d216b793081b846144ca2808a2dd65211b737c1f036350f0c615231fb67a33686fd8960dd050813e5abd2b313da10268eab3dfe5d2c8e1463cc09bc
-
\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exeMD5
1f1248d5b199d9f25878f17d07dc7b94
SHA146eea0b5d5d448ecc9d6a172efa620d46c5f6403
SHA2569b5b14675edb065f1c9a148a736e1673f2b8e77b4b1b66263e76f6ddbb766a12
SHA512452f61e02d216b793081b846144ca2808a2dd65211b737c1f036350f0c615231fb67a33686fd8960dd050813e5abd2b313da10268eab3dfe5d2c8e1463cc09bc
-
memory/1680-55-0x0000000075AC1000-0x0000000075AC3000-memory.dmpFilesize
8KB
-
memory/1680-56-0x00000000001A0000-0x00000000008DE000-memory.dmpFilesize
7.2MB
-
memory/1680-57-0x00000000001A0000-0x00000000008DE000-memory.dmpFilesize
7.2MB
-
memory/1680-58-0x00000000001A0000-0x00000000008DE000-memory.dmpFilesize
7.2MB
-
memory/1680-59-0x00000000001A0000-0x00000000008DE000-memory.dmpFilesize
7.2MB
-
memory/1748-61-0x0000000000000000-mapping.dmp
-
memory/1748-64-0x0000000001120000-0x000000000185E000-memory.dmpFilesize
7.2MB
-
memory/1748-65-0x0000000001120000-0x000000000185E000-memory.dmpFilesize
7.2MB
-
memory/1748-66-0x0000000001120000-0x000000000185E000-memory.dmpFilesize
7.2MB
-
memory/1748-67-0x0000000001120000-0x000000000185E000-memory.dmpFilesize
7.2MB