Analysis
- max time kernel: 121s
- max time network: 124s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 29-12-2021 20:10
- Static task: static1

General
- Target: 7b3296a5492a8b01ab3bb33164a1bb269630b396d6dd8234accce8e4c4d84067.exe
- Size: 2.7MB
- MD5: 99b6ee52d0dc5a07bff09373a8dda2fe
- SHA1: 616c52af96614c86623829b604b0eda3cf29af28
- SHA256: 7b3296a5492a8b01ab3bb33164a1bb269630b396d6dd8234accce8e4c4d84067
- SHA512: 338babef8e40c74ab6957b226e90457d9a0db9f4007235a2df699d4ba6797f571c957b743c1324acad579fd50fd128af47550e5680f92fa7ce276f5cc9d3c12e
Malware Config
Extracted
- cryptbot
- hevahu32.top
- morypd03.top
- payload_url: http://kyrpbr04.top/download.php?file=orrery.exe
Signatures

- Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs

- Downloads MZ/PE file

- Executes dropped EXE 2 IoCs
Processes:
pid | process
1752 | File.exe
2868 | DpEditor.exe

- Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | File.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | File.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | DpEditor.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | DpEditor.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 7b3296a5492a8b01ab3bb33164a1bb269630b396d6dd8234accce8e4c4d84067.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 7b3296a5492a8b01ab3bb33164a1bb269630b396d6dd8234accce8e4c4d84067.exe
- Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Processes:
resource | yara_rule
behavioral1/memory/2732-115-0x0000000000B60000-0x000000000124F000-memory.dmp | themida
behavioral1/memory/2732-116-0x0000000000B60000-0x000000000124F000-memory.dmp | themida
behavioral1/memory/2732-118-0x0000000000B60000-0x000000000124F000-memory.dmp | themida
behavioral1/memory/2732-119-0x0000000000B60000-0x000000000124F000-memory.dmp | themida
C:\Users\Admin\AppData\Local\Temp\File.exe | themida
C:\Users\Admin\AppData\Local\Temp\File.exe | themida
behavioral1/memory/1752-140-0x0000000000E20000-0x0000000001510000-memory.dmp | themida
behavioral1/memory/1752-141-0x0000000000E20000-0x0000000001510000-memory.dmp | themida
behavioral1/memory/1752-143-0x0000000000E20000-0x0000000001510000-memory.dmp | themida
behavioral1/memory/1752-144-0x0000000000E20000-0x0000000001510000-memory.dmp | themida
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe | themida
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe | themida
behavioral1/memory/2868-149-0x0000000001060000-0x0000000001750000-memory.dmp | themida
behavioral1/memory/2868-150-0x0000000001060000-0x0000000001750000-memory.dmp | themida
behavioral1/memory/2868-151-0x0000000001060000-0x0000000001750000-memory.dmp | themida
behavioral1/memory/2868-152-0x0000000001060000-0x0000000001750000-memory.dmp | themida

- Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

- Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 7b3296a5492a8b01ab3bb33164a1bb269630b396d6dd8234accce8e4c4d84067.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | File.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | DpEditor.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
Processes:
pid | process
2732 | 7b3296a5492a8b01ab3bb33164a1bb269630b396d6dd8234accce8e4c4d84067.exe
1752 | File.exe
2868 | DpEditor.exe

- Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 7b3296a5492a8b01ab3bb33164a1bb269630b396d6dd8234accce8e4c4d84067.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 7b3296a5492a8b01ab3bb33164a1bb269630b396d6dd8234accce8e4c4d84067.exe

- Delays execution with timeout.exe 1 IoCs
Processes:
pid | process
3396 | timeout.exe
- Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid | process
2868 | DpEditor.exe

- Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
pid | process
2732 | 7b3296a5492a8b01ab3bb33164a1bb269630b396d6dd8234accce8e4c4d84067.exe
2732 | 7b3296a5492a8b01ab3bb33164a1bb269630b396d6dd8234accce8e4c4d84067.exe
1752 | File.exe
1752 | File.exe
2868 | DpEditor.exe
2868 | DpEditor.exe

- Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description | pid | process | target process
PID 2732 wrote to memory of 1752 | 2732 | 7b3296a5492a8b01ab3bb33164a1bb269630b396d6dd8234accce8e4c4d84067.exe | File.exe
PID 2732 wrote to memory of 1752 | 2732 | 7b3296a5492a8b01ab3bb33164a1bb269630b396d6dd8234accce8e4c4d84067.exe | File.exe
PID 2732 wrote to memory of 1752 | 2732 | 7b3296a5492a8b01ab3bb33164a1bb269630b396d6dd8234accce8e4c4d84067.exe | File.exe
PID 2732 wrote to memory of 2908 | 2732 | 7b3296a5492a8b01ab3bb33164a1bb269630b396d6dd8234accce8e4c4d84067.exe | cmd.exe
PID 2732 wrote to memory of 2908 | 2732 | 7b3296a5492a8b01ab3bb33164a1bb269630b396d6dd8234accce8e4c4d84067.exe | cmd.exe
PID 2732 wrote to memory of 2908 | 2732 | 7b3296a5492a8b01ab3bb33164a1bb269630b396d6dd8234accce8e4c4d84067.exe | cmd.exe
PID 2908 wrote to memory of 3396 | 2908 | cmd.exe | timeout.exe
PID 2908 wrote to memory of 3396 | 2908 | cmd.exe | timeout.exe
PID 2908 wrote to memory of 3396 | 2908 | cmd.exe | timeout.exe
PID 1752 wrote to memory of 2868 | 1752 | File.exe | DpEditor.exe
PID 1752 wrote to memory of 2868 | 1752 | File.exe | DpEditor.exe
PID 1752 wrote to memory of 2868 | 1752 | File.exe | DpEditor.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\7b3296a5492a8b01ab3bb33164a1bb269630b396d6dd8234accce8e4c4d84067.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7b3296a5492a8b01ab3bb33164a1bb269630b396d6dd8234accce8e4c4d84067.exe"
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\File.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\File.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\oppgenpglVdV & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7b3296a5492a8b01ab3bb33164a1bb269630b396d6dd8234accce8e4c4d84067.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\timeout.exe (depth 3)
      Command line: timeout 4
      - Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\File.exe
  MD5: 6f4c94326104917216f67d8511b58e76
  SHA1: 2cece96508040c197e778832ff4df1768b87479f
  SHA256: 5d78b8a09809b8d1b9974a27b55c9c71ce2aa8cc6846ba5cb9115b8ce44a14cf
  SHA512: c51bf945e1435c6aab82544fb80854f00823bbc57d78b045da6ec70a9c44e9269f9080f85465fe6a10f69052c2a17f126dd75efd376c7ee169f5d9af4a9e9969
- C:\Users\Admin\AppData\Local\Temp\oppgenpglVdV\CRUTBG~1.ZIP
  MD5: 00023c0ba717929107a5445b3cfe554b
  SHA1: 2cf3bfcadd6935fa180d266f2268bc5a643f3152
  SHA256: 20333027306eecf4201b20b6280897f63710276a8e00226bb7fa6b3857fa6fbc
  SHA512: 2def93a8a7b1b7e7410dee9d14c9afca934c76ab0fe0f41fca8350f1cb575776e20aff563b606d3835846085a447927cb9b8b511dc769985f3432bdd2306f0c2

- C:\Users\Admin\AppData\Local\Temp\oppgenpglVdV\HLPUHN~1.ZIP
  MD5: 14b4c3020451a5337e20c34eac179af8
  SHA1: 7cacad89f5cbbd42d520f89d5bcded5c149f35f8
  SHA256: 2a8d93fdab021fc663a2cbe0b621c83333210209d65f82f2bb8d61c11cbf7ca4
  SHA512: eb1dbfc757a7effdcbbc9be635b38725f0293e3e1492f42c1ad8c35dcddf6d1786735cf387442817129afa91edbfa74757f62280c73b9541310fb688dce47e87

- C:\Users\Admin\AppData\Local\Temp\oppgenpglVdV\_Files\_Chrome\DEFAUL~1.BIN
  MD5: f4b8e6e7ca32ed5ab1653cc327475cc0
  SHA1: e7c30740b8cc28534d398ff4036e0cc6649619ce
  SHA256: 34abcff7dd7e3157dc78b58d9fc7ce57be556a550bcc6a2b2257c9b08107cbe2
  SHA512: edc72a374b28b984d8d3ced5a27ddb1a91e843ab873f7b700eecea87c0dfea961359f7931ea127ee2b8edc2602968795c6b9f121622dffca23241736c44d8ae2

- C:\Users\Admin\AppData\Local\Temp\oppgenpglVdV\_Files\_Chrome\DEFAUL~1.DB
  MD5: b608d407fc15adea97c26936bc6f03f6
  SHA1: 953e7420801c76393902c0d6bb56148947e41571
  SHA256: b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
  SHA512: cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

- C:\Users\Admin\AppData\Local\Temp\oppgenpglVdV\_Files\_Chrome\DEFAUL~2.DB
  MD5: 055c8c5c47424f3c2e7a6fc2ee904032
  SHA1: 5952781d22cff35d94861fac25d89a39af6d0a87
  SHA256: 531b3121bd59938df4933972344d936a67e75d8b1741807a8a51c898d185dd2a
  SHA512: c2772893695f49cb185add62c35284779b20d45adc01184f1912613fa8b2d70c8e785f0d7cfa3bfaf1d2d58e7cdc74f4304fd973a956601927719d6d370dd57a

- C:\Users\Admin\AppData\Local\Temp\oppgenpglVdV\_Files\_Chrome\DEFAUL~3.DB
  MD5: 8ee018331e95a610680a789192a9d362
  SHA1: e1fba0ac3f3d8689acf6c2ee26afdfd0c8e02df9
  SHA256: 94354ea6703c5ef5fa052aeb1d29715587d80300858ebc063a61c02b7e6e9575
  SHA512: 4b89b5adc77641e497eda7db62a48fee7b4b8dda83bff637cac850645d31deb93aafee5afeb41390e07fd16505a63f418b6cb153a1d35777c483e2d6d3f783b4

- C:\Users\Admin\AppData\Local\Temp\oppgenpglVdV\_Files\_Files\RENAME~1.TXT
  MD5: ccc1e1636bc273489df0f99e7847c1bd
  SHA1: 47c283cd8878a8f7b87ed975d1de192b86f43b27
  SHA256: 04b1907dc161d6de96f7d4f0159b6d573535a0d3e3841b2a7bb436ea62cbfa5a
  SHA512: 991e3f5663fc9bb76531b960587dd8fb18e538b07dbad6055abbdb89621412734e38975d496fe55531e4519214d82e9493d1044393ee18482dd094b8d327b9a5

- C:\Users\Admin\AppData\Local\Temp\oppgenpglVdV\_Files\_INFOR~1.TXT
  MD5: b8ca58b7256a180415e81c2c8f09dbe0
  SHA1: 3c12b6d826babd7d74a029b7c0f6c05c288ae809
  SHA256: 8cfbb57b94be9704b7d47af0aaca3c796ec0cd2cedcf2fd1d656156ab1412cc7
  SHA512: 3e8b29d1f3564088901af8e3ecfb0084c8d8ba73d2c01c37735a235d516a318b98ffd51b63aef2c40567ff65f0022a0301efc5fed96650f0cdb1400829e64984

- C:\Users\Admin\AppData\Local\Temp\oppgenpglVdV\_Files\_SCREE~1.JPE
  MD5: 98a585429a98dba130734a729bc4bd63
  SHA1: 66535f3ade886bcfc3adf7f0c590e6713039bb47
  SHA256: 9d43f94d13c4e78b40a7f405dbd6702d0171298556ac40a2f350ffd90f14daf0
  SHA512: 7d648560c0dacd121876210d5360487838503419d91db89dd274343bd29f2922ea64535dd40bb2f8f0ca8ec21243ab5008361eff51ca47b56f82baaa17ac2b01

- C:\Users\Admin\AppData\Local\Temp\oppgenpglVdV\files_\SCREEN~1.JPG
  MD5: 98a585429a98dba130734a729bc4bd63
  SHA1: 66535f3ade886bcfc3adf7f0c590e6713039bb47
  SHA256: 9d43f94d13c4e78b40a7f405dbd6702d0171298556ac40a2f350ffd90f14daf0
  SHA512: 7d648560c0dacd121876210d5360487838503419d91db89dd274343bd29f2922ea64535dd40bb2f8f0ca8ec21243ab5008361eff51ca47b56f82baaa17ac2b01

- C:\Users\Admin\AppData\Local\Temp\oppgenpglVdV\files_\SYSTEM~1.TXT
  MD5: b8ca58b7256a180415e81c2c8f09dbe0
  SHA1: 3c12b6d826babd7d74a029b7c0f6c05c288ae809
  SHA256: 8cfbb57b94be9704b7d47af0aaca3c796ec0cd2cedcf2fd1d656156ab1412cc7
  SHA512: 3e8b29d1f3564088901af8e3ecfb0084c8d8ba73d2c01c37735a235d516a318b98ffd51b63aef2c40567ff65f0022a0301efc5fed96650f0cdb1400829e64984

- C:\Users\Admin\AppData\Local\Temp\oppgenpglVdV\files_\_Chrome\DEFAUL~1.BIN
  MD5: f4b8e6e7ca32ed5ab1653cc327475cc0
  SHA1: e7c30740b8cc28534d398ff4036e0cc6649619ce
  SHA256: 34abcff7dd7e3157dc78b58d9fc7ce57be556a550bcc6a2b2257c9b08107cbe2
  SHA512: edc72a374b28b984d8d3ced5a27ddb1a91e843ab873f7b700eecea87c0dfea961359f7931ea127ee2b8edc2602968795c6b9f121622dffca23241736c44d8ae2

- C:\Users\Admin\AppData\Local\Temp\oppgenpglVdV\files_\_Chrome\DEFAUL~1.DB
  MD5: b608d407fc15adea97c26936bc6f03f6
  SHA1: 953e7420801c76393902c0d6bb56148947e41571
  SHA256: b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
  SHA512: cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

- C:\Users\Admin\AppData\Local\Temp\oppgenpglVdV\files_\_Chrome\DEFAUL~2.DB
  MD5: 055c8c5c47424f3c2e7a6fc2ee904032
  SHA1: 5952781d22cff35d94861fac25d89a39af6d0a87
  SHA256: 531b3121bd59938df4933972344d936a67e75d8b1741807a8a51c898d185dd2a
  SHA512: c2772893695f49cb185add62c35284779b20d45adc01184f1912613fa8b2d70c8e785f0d7cfa3bfaf1d2d58e7cdc74f4304fd973a956601927719d6d370dd57a

- C:\Users\Admin\AppData\Local\Temp\oppgenpglVdV\files_\_Chrome\DEFAUL~3.DB
  MD5: 8ee018331e95a610680a789192a9d362
  SHA1: e1fba0ac3f3d8689acf6c2ee26afdfd0c8e02df9
  SHA256: 94354ea6703c5ef5fa052aeb1d29715587d80300858ebc063a61c02b7e6e9575
  SHA512: 4b89b5adc77641e497eda7db62a48fee7b4b8dda83bff637cac850645d31deb93aafee5afeb41390e07fd16505a63f418b6cb153a1d35777c483e2d6d3f783b4

- C:\Users\Admin\AppData\Local\Temp\oppgenpglVdV\files_\files\RENAME~1.TXT
  MD5: ccc1e1636bc273489df0f99e7847c1bd
  SHA1: 47c283cd8878a8f7b87ed975d1de192b86f43b27
  SHA256: 04b1907dc161d6de96f7d4f0159b6d573535a0d3e3841b2a7bb436ea62cbfa5a
  SHA512: 991e3f5663fc9bb76531b960587dd8fb18e538b07dbad6055abbdb89621412734e38975d496fe55531e4519214d82e9493d1044393ee18482dd094b8d327b9a5

- C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
  MD5: 6f4c94326104917216f67d8511b58e76
  SHA1: 2cece96508040c197e778832ff4df1768b87479f
  SHA256: 5d78b8a09809b8d1b9974a27b55c9c71ce2aa8cc6846ba5cb9115b8ce44a14cf
  SHA512: c51bf945e1435c6aab82544fb80854f00823bbc57d78b045da6ec70a9c44e9269f9080f85465fe6a10f69052c2a17f126dd75efd376c7ee169f5d9af4a9e9969
- memory/1752-143-0x0000000000E20000-0x0000000001510000-memory.dmp, Filesize 6.9MB
- memory/1752-140-0x0000000000E20000-0x0000000001510000-memory.dmp, Filesize 6.9MB
- memory/1752-120-0x0000000000000000-mapping.dmp
- memory/1752-145-0x00000000774B0000-0x000000007763E000-memory.dmp, Filesize 1.6MB
- memory/1752-144-0x0000000000E20000-0x0000000001510000-memory.dmp, Filesize 6.9MB
- memory/1752-141-0x0000000000E20000-0x0000000001510000-memory.dmp, Filesize 6.9MB
- memory/2732-115-0x0000000000B60000-0x000000000124F000-memory.dmp, Filesize 6.9MB
- memory/2732-117-0x00000000774B0000-0x000000007763E000-memory.dmp, Filesize 1.6MB
- memory/2732-118-0x0000000000B60000-0x000000000124F000-memory.dmp, Filesize 6.9MB
- memory/2732-119-0x0000000000B60000-0x000000000124F000-memory.dmp, Filesize 6.9MB
- memory/2732-116-0x0000000000B60000-0x000000000124F000-memory.dmp, Filesize 6.9MB
- memory/2868-146-0x0000000000000000-mapping.dmp
- memory/2868-149-0x0000000001060000-0x0000000001750000-memory.dmp, Filesize 6.9MB
- memory/2868-150-0x0000000001060000-0x0000000001750000-memory.dmp, Filesize 6.9MB
- memory/2868-151-0x0000000001060000-0x0000000001750000-memory.dmp, Filesize 6.9MB
- memory/2868-152-0x0000000001060000-0x0000000001750000-memory.dmp, Filesize 6.9MB
- memory/2868-153-0x00000000774B0000-0x000000007763E000-memory.dmp, Filesize 1.6MB
- memory/2908-123-0x0000000000000000-mapping.dmp
- memory/3396-142-0x0000000000000000-mapping.dmp