Analysis

max time kernel:   117s
max time network:  117s
platform:          windows7_x64
resource:          win7-en-20211208
submitted:         25-12-2021 17:58

Static task:       static1
Behavioral task:   behavioral1
Sample:            1f1248d5b199d9f25878f17d07dc7b94.exe
Resource:          win7-en-20211208

General

Target:  1f1248d5b199d9f25878f17d07dc7b94.exe
Size:    2.8MB
MD5:     1f1248d5b199d9f25878f17d07dc7b94
SHA1:    46eea0b5d5d448ecc9d6a172efa620d46c5f6403
SHA256:  9b5b14675edb065f1c9a148a736e1673f2b8e77b4b1b66263e76f6ddbb766a12
SHA512:  452f61e02d216b793081b846144ca2808a2dd65211b737c1f036350f0c615231fb67a33686fd8960dd050813e5abd2b313da10268eab3dfe5d2c8e1463cc09bc
Malware Config
Signatures

- Identifies VirtualBox via ACPI registry values (likely anti-VM)  [2 TTPs]

- Executes dropped EXE  [1 IoC]
  Processes:
    pid   process
    1748  DpEditor.exe

- Checks BIOS information in registry  [2 TTPs, 4 IoCs]
  BIOS information is often read in order to detect sandboxing environments.
  Processes: 1f1248d5b199d9f25878f17d07dc7b94.exe, DpEditor.exe
    description        ioc                                                              process
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   1f1248d5b199d9f25878f17d07dc7b94.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  DpEditor.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   DpEditor.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  1f1248d5b199d9f25878f17d07dc7b94.exe

- Loads dropped DLL  [1 IoC]
  Processes:
    pid   process
    1680  1f1248d5b199d9f25878f17d07dc7b94.exe

- Themida packer (YARA rule: themida)  [10 IoCs]
  Processes:
    resource                                                                     yara_rule
    behavioral1/memory/1680-56-0x00000000001A0000-0x00000000008DE000-memory.dmp  themida
    behavioral1/memory/1680-57-0x00000000001A0000-0x00000000008DE000-memory.dmp  themida
    behavioral1/memory/1680-58-0x00000000001A0000-0x00000000008DE000-memory.dmp  themida
    behavioral1/memory/1680-59-0x00000000001A0000-0x00000000008DE000-memory.dmp  themida
    \Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe               themida
    C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe             themida
    behavioral1/memory/1748-64-0x0000000001120000-0x000000000185E000-memory.dmp  themida
    behavioral1/memory/1748-65-0x0000000001120000-0x000000000185E000-memory.dmp  themida
    behavioral1/memory/1748-66-0x0000000001120000-0x000000000185E000-memory.dmp  themida
    behavioral1/memory/1748-67-0x0000000001120000-0x000000000185E000-memory.dmp  themida

- Checks whether UAC is enabled  [2 IoCs]
  Processes: 1f1248d5b199d9f25878f17d07dc7b94.exe, DpEditor.exe
    description        ioc                                                                                  process
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  1f1248d5b199d9f25878f17d07dc7b94.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  DpEditor.exe

- Suspicious use of NtSetInformationThreadHideFromDebugger  [2 IoCs]
  Processes:
    pid   process
    1680  1f1248d5b199d9f25878f17d07dc7b94.exe
    1748  DpEditor.exe

- Suspicious behavior: AddClipboardFormatListener  [1 IoC]
  Processes:
    pid   process
    1748  DpEditor.exe

- Suspicious behavior: EnumeratesProcesses  [2 IoCs]
  Processes:
    pid   process
    1680  1f1248d5b199d9f25878f17d07dc7b94.exe
    1748  DpEditor.exe

- Suspicious use of WriteProcessMemory  [4 IoCs]
  Processes: 1f1248d5b199d9f25878f17d07dc7b94.exe
    description                        pid   process                               target process
    PID 1680 wrote to memory of 1748   1680  1f1248d5b199d9f25878f17d07dc7b94.exe  DpEditor.exe
    PID 1680 wrote to memory of 1748   1680  1f1248d5b199d9f25878f17d07dc7b94.exe  DpEditor.exe
    PID 1680 wrote to memory of 1748   1680  1f1248d5b199d9f25878f17d07dc7b94.exe  DpEditor.exe
    PID 1680 wrote to memory of 1748   1680  1f1248d5b199d9f25878f17d07dc7b94.exe  DpEditor.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\1f1248d5b199d9f25878f17d07dc7b94.exe  (PID 1680)
   command line: "C:\Users\Admin\AppData\Local\Temp\1f1248d5b199d9f25878f17d07dc7b94.exe"
   - Checks BIOS information in registry
   - Loads dropped DLL
   - Checks whether UAC is enabled
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe  (PID 1748, child of PID 1680)
      command line: "C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious behavior: EnumeratesProcesses
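The signatures and process tree above are the raw material for a triage decision, and it helps to see them combined mechanically. The script below is an added example, not sandbox or tria.ge code: the registry queries, dropped-file hash and WriteProcessMemory pairs are transcribed from this report, while the tag names, the ACPI key prefix (the report says "ACPI registry values" but does not list the key) and the function names are this example's own assumptions. It tags each process by what its registry reads fingerprint, checks whether any dropped file is a byte-identical copy of the sample, and separates writes into a process's own freshly created child (which ordinary CreateProcess also produces) from writes into unrelated processes.

```python
"""Triage helper over the behaviours listed in this sandbox report.

Added example, not code from the report or the sandbox vendor.  Event data
is transcribed from the report for 1f1248d5b199d9f25878f17d07dc7b94.exe;
tag names, the ACPI prefix and function names are assumptions of this
example.
"""
from collections import Counter, defaultdict

SAMPLE = "1f1248d5b199d9f25878f17d07dc7b94.exe"
SAMPLE_SHA256 = "9b5b14675edb065f1c9a148a736e1673f2b8e77b4b1b66263e76f6ddbb766a12"

# Registry values the report shows being queried, mapped to what reading
# them usually means (tag names are this example's own).
REGISTRY_TAGS = {
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion": "bios-fingerprint",
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion": "bios-fingerprint",
    r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA": "uac-probe",
}
# Assumption: the report's "VirtualBox via ACPI registry values" signature
# does not name the key, so anything under HARDWARE\ACPI is tagged here.
ACPI_PREFIX = r"\REGISTRY\MACHINE\HARDWARE\ACPI"

# (pid, image, value queried) -- transcribed from the signature tables.
REGISTRY_QUERIES = [
    (1680, SAMPLE, r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    (1748, "DpEditor.exe", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    (1748, "DpEditor.exe", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    (1680, SAMPLE, r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    (1680, SAMPLE, r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"),
    (1748, "DpEditor.exe", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"),
]

# (path, sha256) -- from the Downloads section of the report.
DROPPED_FILES = [
    (r"C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe", SAMPLE_SHA256),
]

# (source pid, target pid) -- the four WriteProcessMemory events.
MEMORY_WRITES = [(1680, 1748)] * 4

# Parent/child pairs from the process tree; PID 1680 created PID 1748.
PROCESS_TREE = {(1680, 1748)}

# Processes flagged for NtSetInformationThread(ThreadHideFromDebugger).
HIDE_FROM_DEBUGGER = {1680, 1748}


def classify_registry(queries):
    """Map each pid to the set of tags earned by the values it queried."""
    tags = defaultdict(set)
    for pid, _image, value in queries:
        if value in REGISTRY_TAGS:
            tags[pid].add(REGISTRY_TAGS[value])
        elif value.upper().startswith(ACPI_PREFIX.upper() + "\\"):
            tags[pid].add("acpi-vm-fingerprint")
    return dict(tags)


def self_copies(sample_sha256, dropped):
    """Paths of dropped files whose SHA-256 equals the submitted sample's."""
    return [path for path, sha in dropped if sha.lower() == sample_sha256.lower()]


def cross_process_writes(writes, tree):
    """Split memory writes into parent->own-child writes (also produced by a
    plain CreateProcess, so weak evidence on their own) and writes into a
    process the writer did not create (the injection-shaped ones)."""
    counts = Counter(writes)
    expected = {pair: n for pair, n in counts.items() if pair in tree}
    suspicious = {pair: n for pair, n in counts.items() if pair not in tree}
    return expected, suspicious


def triage():
    """Combine the checks above into a list of human-readable findings."""
    findings = []
    reg = classify_registry(REGISTRY_QUERIES)
    for pid in sorted(reg):
        findings.append(f"pid {pid}: registry probes {sorted(reg[pid])}")
    for path in self_copies(SAMPLE_SHA256, DROPPED_FILES):
        findings.append(f"sample copied itself unchanged to {path}")
    for pid in sorted(HIDE_FROM_DEBUGGER):
        findings.append(f"pid {pid}: ThreadHideFromDebugger set (anti-debug)")
    expected, suspicious = cross_process_writes(MEMORY_WRITES, PROCESS_TREE)
    for (src, dst), n in sorted(expected.items()):
        findings.append(f"pid {src} -> {dst}: {n} writes into its own child (normal for CreateProcess)")
    for (src, dst), n in sorted(suspicious.items()):
        findings.append(f"pid {src} -> {dst}: {n} writes into an unrelated process (possible injection)")
    return findings


if __name__ == "__main__":
    for line in triage():
        print(line)
```

The point of keeping `cross_process_writes` separate from the tree is the caveat a reviewer of this report needs: every one of the four WriteProcessMemory events goes from PID 1680 into the child it had just launched, which is what the loader does for any new process, so on this evidence alone the "injection" reading is not supported; the stronger signals here are the identical hashes of the dropped DpEditor.exe and the BIOS/UAC probing repeated in both processes.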
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

Note: the dropped DpEditor.exe carries exactly the same MD5, SHA1, SHA256 and SHA512 as the submitted sample, so the sample copied itself unchanged into the NCH Software\DrawPad directory (reusing the name of a legitimate DrawPad editor binary) and then launched that copy.

C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
  MD5:     1f1248d5b199d9f25878f17d07dc7b94
  SHA1:    46eea0b5d5d448ecc9d6a172efa620d46c5f6403
  SHA256:  9b5b14675edb065f1c9a148a736e1673f2b8e77b4b1b66263e76f6ddbb766a12
  SHA512:  452f61e02d216b793081b846144ca2808a2dd65211b737c1f036350f0c615231fb67a33686fd8960dd050813e5abd2b313da10268eab3dfe5d2c8e1463cc09bc

\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
  MD5:     1f1248d5b199d9f25878f17d07dc7b94
  SHA1:    46eea0b5d5d448ecc9d6a172efa620d46c5f6403
  SHA256:  9b5b14675edb065f1c9a148a736e1673f2b8e77b4b1b66263e76f6ddbb766a12
  SHA512:  452f61e02d216b793081b846144ca2808a2dd65211b737c1f036350f0c615231fb67a33686fd8960dd050813e5abd2b313da10268eab3dfe5d2c8e1463cc09bc

Memory dumps                                                          Filesize
memory/1680-55-0x0000000075AC1000-0x0000000075AC3000-memory.dmp       8KB
memory/1680-56-0x00000000001A0000-0x00000000008DE000-memory.dmp       7.2MB
memory/1680-57-0x00000000001A0000-0x00000000008DE000-memory.dmp       7.2MB
memory/1680-58-0x00000000001A0000-0x00000000008DE000-memory.dmp       7.2MB
memory/1680-59-0x00000000001A0000-0x00000000008DE000-memory.dmp       7.2MB
memory/1748-61-0x0000000000000000-mapping.dmp                         (no size listed)
memory/1748-64-0x0000000001120000-0x000000000185E000-memory.dmp       7.2MB
memory/1748-65-0x0000000001120000-0x000000000185E000-memory.dmp       7.2MB
memory/1748-66-0x0000000001120000-0x000000000185E000-memory.dmp       7.2MB
memory/1748-67-0x0000000001120000-0x000000000185E000-memory.dmp       7.2MB