Analysis
- max time kernel: 119s
- max time network: 122s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 27-12-2021 09:48
- Static task: static1
General
- Target: 5f59627da5032edd29bca3798f9d9e67f441bec8a4fc3410360eb9a7bf567386.exe
- Size: 2.7MB
- MD5: 1d2a39112767125a8ee84c1b63d070fe
- SHA1: f6ae7e6351d8c16cf470d59a481ed053cfc55dd5
- SHA256: 5f59627da5032edd29bca3798f9d9e67f441bec8a4fc3410360eb9a7bf567386
- SHA512: cba766ca4b875dd804d32289e018140fbd0a7ec439188571d05ed4b7ac2f64c11217756e2e42cf85d76abdc2456f08f67fb666aa9d0bdbc73996842f5a1e5efa
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
- Executes dropped EXE 1 IoCs
  Processes:
    - PID 748: DpEditor.exe
- Checks BIOS information in registry 2 TTPs 4 IoCs
  BIOS information is often read in order to detect sandboxing environments.
  Processes: 5f59627da5032edd29bca3798f9d9e67f441bec8a4fc3410360eb9a7bf567386.exe, DpEditor.exe
    - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: 5f59627da5032edd29bca3798f9d9e67f441bec8a4fc3410360eb9a7bf567386.exe)
    - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: 5f59627da5032edd29bca3798f9d9e67f441bec8a4fc3410360eb9a7bf567386.exe)
    - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: DpEditor.exe)
    - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: DpEditor.exe)
  Processes (resource, yara_rule):
    - behavioral1/memory/3788-116-0x0000000000CC0000-0x00000000013C2000-memory.dmp: themida
    - behavioral1/memory/3788-117-0x0000000000CC0000-0x00000000013C2000-memory.dmp: themida
    - behavioral1/memory/3788-118-0x0000000000CC0000-0x00000000013C2000-memory.dmp: themida
    - behavioral1/memory/3788-119-0x0000000000CC0000-0x00000000013C2000-memory.dmp: themida
    - C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe: themida
    - C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe: themida
    - behavioral1/memory/748-123-0x0000000000B10000-0x0000000001212000-memory.dmp: themida
    - behavioral1/memory/748-124-0x0000000000B10000-0x0000000001212000-memory.dmp: themida
    - behavioral1/memory/748-126-0x0000000000B10000-0x0000000001212000-memory.dmp: themida
    - behavioral1/memory/748-127-0x0000000000B10000-0x0000000001212000-memory.dmp: themida
- Checks whether UAC is enabled
  Processes: 5f59627da5032edd29bca3798f9d9e67f441bec8a4fc3410360eb9a7bf567386.exe, DpEditor.exe
    - Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: 5f59627da5032edd29bca3798f9d9e67f441bec8a4fc3410360eb9a7bf567386.exe)
    - Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: DpEditor.exe)
- Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  Processes:
    - PID 3788: 5f59627da5032edd29bca3798f9d9e67f441bec8a4fc3410360eb9a7bf567386.exe
    - PID 748: DpEditor.exe
- Suspicious behavior: AddClipboardFormatListener 1 IoCs
  Processes:
    - PID 748: DpEditor.exe
- Suspicious behavior: EnumeratesProcesses 4 IoCs
  Processes:
    - PID 3788: 5f59627da5032edd29bca3798f9d9e67f441bec8a4fc3410360eb9a7bf567386.exe
    - PID 3788: 5f59627da5032edd29bca3798f9d9e67f441bec8a4fc3410360eb9a7bf567386.exe
    - PID 748: DpEditor.exe
    - PID 748: DpEditor.exe
- Suspicious use of WriteProcessMemory 3 IoCs
  Processes (description, pid, process, target process):
    - PID 3788 wrote to memory of 748: 5f59627da5032edd29bca3798f9d9e67f441bec8a4fc3410360eb9a7bf567386.exe -> DpEditor.exe
    - PID 3788 wrote to memory of 748: 5f59627da5032edd29bca3798f9d9e67f441bec8a4fc3410360eb9a7bf567386.exe -> DpEditor.exe
    - PID 3788 wrote to memory of 748: 5f59627da5032edd29bca3798f9d9e67f441bec8a4fc3410360eb9a7bf567386.exe -> DpEditor.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\5f59627da5032edd29bca3798f9d9e67f441bec8a4fc3410360eb9a7bf567386.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5f59627da5032edd29bca3798f9d9e67f441bec8a4fc3410360eb9a7bf567386.exe"
  PID: 3788
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe (child of PID 3788)
    Command line: "C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"
    PID: 748
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
  MD5: 1d2a39112767125a8ee84c1b63d070fe
  SHA1: f6ae7e6351d8c16cf470d59a481ed053cfc55dd5
  SHA256: 5f59627da5032edd29bca3798f9d9e67f441bec8a4fc3410360eb9a7bf567386
  SHA512: cba766ca4b875dd804d32289e018140fbd0a7ec439188571d05ed4b7ac2f64c11217756e2e42cf85d76abdc2456f08f67fb666aa9d0bdbc73996842f5a1e5efa
- memory/748-124-0x0000000000B10000-0x0000000001212000-memory.dmp
  Filesize: 7.0MB
- memory/748-120-0x0000000000000000-mapping.dmp
- memory/748-123-0x0000000000B10000-0x0000000001212000-memory.dmp
  Filesize: 7.0MB
- memory/748-125-0x0000000076FF0000-0x000000007717E000-memory.dmp
  Filesize: 1.6MB
- memory/748-126-0x0000000000B10000-0x0000000001212000-memory.dmp
  Filesize: 7.0MB
- memory/748-127-0x0000000000B10000-0x0000000001212000-memory.dmp
  Filesize: 7.0MB
- memory/3788-118-0x0000000000CC0000-0x00000000013C2000-memory.dmp
  Filesize: 7.0MB
- memory/3788-119-0x0000000000CC0000-0x00000000013C2000-memory.dmp
  Filesize: 7.0MB
- memory/3788-117-0x0000000000CC0000-0x00000000013C2000-memory.dmp
  Filesize: 7.0MB
- memory/3788-116-0x0000000000CC0000-0x00000000013C2000-memory.dmp
  Filesize: 7.0MB
- memory/3788-115-0x0000000076FF0000-0x000000007717E000-memory.dmp
  Filesize: 1.6MB