Analysis
- max time kernel: 117s
- max time network: 117s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 25-12-2021 18:03
- Static task: static1
- Behavioral task: behavioral1
  Sample: 25d69c5f67b09e17dd21e832956b43c8.exe
  Resource: win7-en-20211208
General
- Target: 25d69c5f67b09e17dd21e832956b43c8.exe
- Size: 2.7MB
- MD5: 25d69c5f67b09e17dd21e832956b43c8
- SHA1: fef354161268d73eb8be8f93d63f2241567df06a
- SHA256: e614c86dd4d0100b14e064cdbb3931d86c0393dac8ae153074bb911138722359
- SHA512: 4970f41cdb2cf25d765251a29f1bbf9b866ca4223e126ce8e784b855dd88ef5bf4451748d23364ca860a4c07871ae76bfeeddd0d4589cabe1d6f1575011cda00
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
- Executes dropped EXE (1 IoC)
  Processes: PID 1084 DpEditor.exe
- Checks BIOS information in registry (2 TTPs, 4 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes (description / ioc / process):
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  DpEditor.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   DpEditor.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  25d69c5f67b09e17dd21e832956b43c8.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   25d69c5f67b09e17dd21e832956b43c8.exe
- Loads dropped DLL (1 IoC)
  Processes: PID 1584 25d69c5f67b09e17dd21e832956b43c8.exe
- YARA rule match: themida (10 IoCs)
  The submitted executable and the dropped DpEditor.exe both match the Themida packer rule, on disk and in every memory dump of the two processes.
  Processes (resource / yara_rule):
    behavioral1/memory/1584-55-0x00000000012C0000-0x00000000019AD000-memory.dmp  themida
    behavioral1/memory/1584-56-0x00000000012C0000-0x00000000019AD000-memory.dmp  themida
    behavioral1/memory/1584-57-0x00000000012C0000-0x00000000019AD000-memory.dmp  themida
    behavioral1/memory/1584-58-0x00000000012C0000-0x00000000019AD000-memory.dmp  themida
    \Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe                themida
    C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe              themida
    behavioral1/memory/1084-63-0x0000000000120000-0x000000000080D000-memory.dmp  themida
    behavioral1/memory/1084-64-0x0000000000120000-0x000000000080D000-memory.dmp  themida
    behavioral1/memory/1084-66-0x0000000000120000-0x000000000080D000-memory.dmp  themida
    behavioral1/memory/1084-65-0x0000000000120000-0x000000000080D000-memory.dmp  themida
- Checks whether UAC is enabled (2 IoCs)
  Processes (description / ioc / process):
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  25d69c5f67b09e17dd21e832956b43c8.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  DpEditor.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes: PID 1584 25d69c5f67b09e17dd21e832956b43c8.exe, PID 1084 DpEditor.exe
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes: PID 1084 DpEditor.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: PID 1584 25d69c5f67b09e17dd21e832956b43c8.exe, PID 1084 DpEditor.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description / pid / process / target process):
    PID 1584 (25d69c5f67b09e17dd21e832956b43c8.exe) wrote to memory of PID 1084 (DpEditor.exe), recorded 4 times
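The Signatures section above is a flat list; to see how those entries are derived from raw events, here is an added example that replays the report's behaviours as a constructed event trace and aggregates them per process. This is illustration code written for this page, not the sandbox's signature engine and not code from NCH Software. The PIDs, image names and the BIOS/EnableLUA registry paths come from the report; the `pid|image|kind|detail` line format, the signature names and the `HARDWARE\ACPI\...\VBOX__` key (the report only says VirtualBox is identified via ACPI registry values) are assumptions.

```python
import re
from collections import defaultdict

# Registry values listed under "Checks BIOS information in registry" above.
BIOS_VALUES = {
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion",
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion",
}
# Value listed under "Checks whether UAC is enabled".
UAC_VALUE = (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
             r"\Policies\System\EnableLUA")
# Assumption: the ACPI-based VirtualBox check reads HKLM\HARDWARE\ACPI for
# tables whose OEM ID is VBOX (VirtualBox publishes its DSDT/FADT/RSDT as VBOX__).
ACPI_VBOX = re.compile(r"\\HARDWARE\\ACPI\\.*VBOX", re.I)
THREAD_HIDE_FROM_DEBUGGER = 0x11  # THREADINFOCLASS used by the anti-debug call

SAMPLE = "25d69c5f67b09e17dd21e832956b43c8.exe"
CHILD = "DpEditor.exe"

# Constructed trace modelled on the report; the line format is an assumption,
# not a real sandbox export format.
SAMPLE_TRACE = [
    rf"1584|{SAMPLE}|reg_query|\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion",
    rf"1584|{SAMPLE}|reg_query|\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion",
    rf"1584|{SAMPLE}|reg_query|\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__",
    rf"1584|{SAMPLE}|reg_query|\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
    f"1584|{SAMPLE}|NtSetInformationThread|17",
    f"1584|{SAMPLE}|create_process|1084",
    f"1584|{SAMPLE}|write_process_memory|1084",
    rf"1084|{CHILD}|reg_query|\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion",
    rf"1084|{CHILD}|reg_query|\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
    f"1084|{CHILD}|NtSetInformationThread|17",
    f"1084|{CHILD}|AddClipboardFormatListener|",
]


def parse_event(line):
    pid, image, kind, detail = line.split("|", 3)
    return {"pid": int(pid), "image": image, "kind": kind, "detail": detail}


def classify(ev):
    """Map one event to the set of signature names it triggers (possibly empty)."""
    kind, detail = ev["kind"], ev["detail"]
    if kind == "reg_query":
        if detail in BIOS_VALUES:
            return {"checks_bios_information_in_registry"}
        if detail == UAC_VALUE:
            return {"checks_whether_uac_is_enabled"}
        if ACPI_VBOX.search(detail):
            return {"identifies_virtualbox_via_acpi"}
    elif kind == "NtSetInformationThread" and int(detail) == THREAD_HIDE_FROM_DEBUGGER:
        return {"hide_thread_from_debugger"}
    elif kind == "write_process_memory" and int(detail) != ev["pid"]:
        # Only cross-process writes count, as in the WriteProcessMemory IoC.
        return {"writes_to_another_process"}
    elif kind == "AddClipboardFormatListener":
        return {"clipboard_format_listener"}
    return set()


def score(trace):
    """Aggregate signatures per PID, the way the report's Signatures section does."""
    per_pid = defaultdict(lambda: {"image": "", "signatures": set()})
    for line in trace:
        ev = parse_event(line)
        entry = per_pid[ev["pid"]]
        entry["image"] = ev["image"]
        entry["signatures"] |= classify(ev)
    return {pid: {"image": e["image"], "signatures": sorted(e["signatures"])}
            for pid, e in per_pid.items()}


# Signatures that let a sample change behaviour when it believes it is being
# analysed. A process carrying any of these may have taken a benign code path in
# the sandbox, so the recorded trace is only a lower bound on what it can do.
ANTI_ANALYSIS = {
    "checks_bios_information_in_registry",
    "identifies_virtualbox_via_acpi",
    "hide_thread_from_debugger",
}


def anti_analysis_processes(report):
    return sorted(pid for pid, e in report.items()
                  if ANTI_ANALYSIS & set(e["signatures"]))


if __name__ == "__main__":
    report = score(SAMPLE_TRACE)
    for pid, entry in sorted(report.items()):
        print(pid, entry["image"], ", ".join(entry["signatures"]))
    print("anti-analysis aware:", anti_analysis_processes(report))
```

Both PIDs end up in the anti-analysis bucket, which is the practical reading of this report: a Themida-protected binary that fingerprints the BIOS and ACPI tables and hides its threads from a debugger will look quiet in a VirtualBox-based sandbox, so the absence of network activity below should not be taken as proof that the sample has none.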
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\25d69c5f67b09e17dd21e832956b43c8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\25d69c5f67b09e17dd21e832956b43c8.exe"
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
- [2, child of 1] C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
  Command line: "C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
  MD5: 25d69c5f67b09e17dd21e832956b43c8
  SHA1: fef354161268d73eb8be8f93d63f2241567df06a
  SHA256: e614c86dd4d0100b14e064cdbb3931d86c0393dac8ae153074bb911138722359
  SHA512: 4970f41cdb2cf25d765251a29f1bbf9b866ca4223e126ce8e784b855dd88ef5bf4451748d23364ca860a4c07871ae76bfeeddd0d4589cabe1d6f1575011cda00
- \Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe (the same file, recorded a second time without the drive letter)
  MD5: 25d69c5f67b09e17dd21e832956b43c8
  SHA1: fef354161268d73eb8be8f93d63f2241567df06a
  SHA256: e614c86dd4d0100b14e064cdbb3931d86c0393dac8ae153074bb911138722359
  SHA512: 4970f41cdb2cf25d765251a29f1bbf9b866ca4223e126ce8e784b855dd88ef5bf4451748d23364ca860a4c07871ae76bfeeddd0d4589cabe1d6f1575011cda00
  All four hashes are identical to those of the submitted sample: the "dropped" DpEditor.exe is a byte-for-byte copy of 25d69c5f67b09e17dd21e832956b43c8.exe written to the user's roaming profile and then executed from there.
- memory/1084-60-0x0000000000000000-mapping.dmp
- memory/1084-63-0x0000000000120000-0x000000000080D000-memory.dmp (6.9MB)
- memory/1084-64-0x0000000000120000-0x000000000080D000-memory.dmp (6.9MB)
- memory/1084-66-0x0000000000120000-0x000000000080D000-memory.dmp (6.9MB)
- memory/1084-65-0x0000000000120000-0x000000000080D000-memory.dmp (6.9MB)
- memory/1584-54-0x0000000076121000-0x0000000076123000-memory.dmp (8KB)
- memory/1584-55-0x00000000012C0000-0x00000000019AD000-memory.dmp (6.9MB)
- memory/1584-56-0x00000000012C0000-0x00000000019AD000-memory.dmp (6.9MB)
- memory/1584-57-0x00000000012C0000-0x00000000019AD000-memory.dmp (6.9MB)
- memory/1584-58-0x00000000012C0000-0x00000000019AD000-memory.dmp (6.9MB)