Analysis
- max time kernel: 117s
- max time network: 117s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 27-12-2021 10:36
Static task: static1
Behavioral task: behavioral1
Sample: 1d2a39112767125a8ee84c1b63d070fe.exe
Resource: win7-en-20211208
General
- Target: 1d2a39112767125a8ee84c1b63d070fe.exe
- Size: 2.7MB
- MD5: 1d2a39112767125a8ee84c1b63d070fe
- SHA1: f6ae7e6351d8c16cf470d59a481ed053cfc55dd5
- SHA256: 5f59627da5032edd29bca3798f9d9e67f441bec8a4fc3410360eb9a7bf567386
- SHA512: cba766ca4b875dd804d32289e018140fbd0a7ec439188571d05ed4b7ac2f64c11217756e2e42cf85d76abdc2456f08f67fb666aa9d0bdbc73996842f5a1e5efa
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
- Executes dropped EXE (1 IoC)
  Processes:
    pid  process
    588  DpEditor.exe
- Checks BIOS information in registry (2 TTPs, 4 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
    description        ioc                                                             process
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   1d2a39112767125a8ee84c1b63d070fe.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  DpEditor.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   DpEditor.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  1d2a39112767125a8ee84c1b63d070fe.exe
- YARA rule match: themida
  Resources:
    resource                                                                      yara_rule
    behavioral2/memory/344-116-0x0000000000D50000-0x0000000001452000-memory.dmp   themida
    behavioral2/memory/344-117-0x0000000000D50000-0x0000000001452000-memory.dmp   themida
    behavioral2/memory/344-118-0x0000000000D50000-0x0000000001452000-memory.dmp   themida
    behavioral2/memory/344-119-0x0000000000D50000-0x0000000001452000-memory.dmp   themida
    C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe              themida
    C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe              themida
    behavioral2/memory/588-124-0x00000000010E0000-0x00000000017E2000-memory.dmp   themida
    behavioral2/memory/588-125-0x00000000010E0000-0x00000000017E2000-memory.dmp   themida
    behavioral2/memory/588-126-0x00000000010E0000-0x00000000017E2000-memory.dmp   themida
    behavioral2/memory/588-127-0x00000000010E0000-0x00000000017E2000-memory.dmp   themida
- Checks whether UAC is enabled
  Processes:
    description        ioc                                                                                  process
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  1d2a39112767125a8ee84c1b63d070fe.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  DpEditor.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes:
    pid  process
    344  1d2a39112767125a8ee84c1b63d070fe.exe
    588  DpEditor.exe
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes:
    pid  process
    588  DpEditor.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
    pid  process
    344  1d2a39112767125a8ee84c1b63d070fe.exe
    344  1d2a39112767125a8ee84c1b63d070fe.exe
    588  DpEditor.exe
    588  DpEditor.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description                      pid  process                               target process
    PID 344 wrote to memory of 588   344  1d2a39112767125a8ee84c1b63d070fe.exe  DpEditor.exe
    PID 344 wrote to memory of 588   344  1d2a39112767125a8ee84c1b63d070fe.exe  DpEditor.exe
    PID 344 wrote to memory of 588   344  1d2a39112767125a8ee84c1b63d070fe.exe  DpEditor.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\1d2a39112767125a8ee84c1b63d070fe.exe (PID 344)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1d2a39112767125a8ee84c1b63d070fe.exe"
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe (PID 588)
    Command line: "C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
  MD5: 1d2a39112767125a8ee84c1b63d070fe
  SHA1: f6ae7e6351d8c16cf470d59a481ed053cfc55dd5
  SHA256: 5f59627da5032edd29bca3798f9d9e67f441bec8a4fc3410360eb9a7bf567386
  SHA512: cba766ca4b875dd804d32289e018140fbd0a7ec439188571d05ed4b7ac2f64c11217756e2e42cf85d76abdc2456f08f67fb666aa9d0bdbc73996842f5a1e5efa
- Memory dumps:
    file                                                             filesize
    memory/344-118-0x0000000000D50000-0x0000000001452000-memory.dmp  7.0MB
    memory/344-115-0x0000000076FF0000-0x000000007717E000-memory.dmp  1.6MB
    memory/344-119-0x0000000000D50000-0x0000000001452000-memory.dmp  7.0MB
    memory/344-117-0x0000000000D50000-0x0000000001452000-memory.dmp  7.0MB
    memory/344-116-0x0000000000D50000-0x0000000001452000-memory.dmp  7.0MB
    memory/588-120-0x0000000000000000-mapping.dmp
    memory/588-123-0x0000000076FF0000-0x000000007717E000-memory.dmp  1.6MB
    memory/588-124-0x00000000010E0000-0x00000000017E2000-memory.dmp  7.0MB
    memory/588-125-0x00000000010E0000-0x00000000017E2000-memory.dmp  7.0MB
    memory/588-126-0x00000000010E0000-0x00000000017E2000-memory.dmp  7.0MB
    memory/588-127-0x00000000010E0000-0x00000000017E2000-memory.dmp  7.0MB