Analysis
- max time kernel: 110s
- max time network: 122s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 05-01-2022 20:59
Static task: static1
Behavioral task: behavioral1
- Sample: 5ddb70a947f52b29d083ddadd99450de.exe
- Resource: win7-en-20211208
General
- Target: 5ddb70a947f52b29d083ddadd99450de.exe
- Size: 2.7MB
- MD5: 5ddb70a947f52b29d083ddadd99450de
- SHA1: 2f19159806c183d007e7930d4ae2983322d96eb7
- SHA256: 181c643f3fdc6fe8ff46c7526aadc4b8770b0d4efbb451b38dea5c9c48e90a3e
- SHA512: e45382de6c163e87046d7b96e45174dfb5b143271cb6fef24ea314336a21c97b90f3a1fe36d2b25936866c8675729048aa9db46b550f49140f2b64ad50f6d1e2
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
- Executes dropped EXE (1 IoC)
  Processes:
    PID 1728  DpEditor.exe
- Checks BIOS information in registry (2 TTPs, 4 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
    description        | ioc                                                            | process
    Key value queried  | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  | 5ddb70a947f52b29d083ddadd99450de.exe
    Key value queried  | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | DpEditor.exe
    Key value queried  | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  | DpEditor.exe
    Key value queried  | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 5ddb70a947f52b29d083ddadd99450de.exe
- Themida packer (YARA rule "themida" matched in memory and on the dropped file)
  Processes:
    resource                                                                 | yara_rule
    behavioral2/memory/600-115-0x0000000001030000-0x0000000001723000-memory.dmp  | themida
    behavioral2/memory/600-116-0x0000000001030000-0x0000000001723000-memory.dmp  | themida
    behavioral2/memory/600-118-0x0000000001030000-0x0000000001723000-memory.dmp  | themida
    behavioral2/memory/600-119-0x0000000001030000-0x0000000001723000-memory.dmp  | themida
    C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe              | themida
    C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe              | themida
    behavioral2/memory/1728-123-0x0000000000BA0000-0x0000000001293000-memory.dmp | themida
    behavioral2/memory/1728-124-0x0000000000BA0000-0x0000000001293000-memory.dmp | themida
    behavioral2/memory/1728-125-0x0000000000BA0000-0x0000000001293000-memory.dmp | themida
    behavioral2/memory/1728-126-0x0000000000BA0000-0x0000000001293000-memory.dmp | themida
- Checks whether UAC is enabled (2 IoCs)
  Processes:
    description        | ioc                                                                            | process
    Key value queried  | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 5ddb70a947f52b29d083ddadd99450de.exe
    Key value queried  | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | DpEditor.exe
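The two registry probes recorded above (the BIOS version strings and EnableLUA) are reproduced here as an added example that is not code from the report or from NCH Software. It takes the same value paths the sample queried and evaluates them the way an anti-VM check would, so a sandbox operator can see what hypervisor strings their own image exposes. The VM_MARKERS list and the constructed sample values are editorial assumptions; the report does not show what the sample compares against.

```python
"""
Added example: re-creates the registry probes attributed to
5ddb70a947f52b29d083ddadd99450de.exe / DpEditor.exe and evaluates the values
as an anti-VM / UAC check would. Runs offline on constructed data; on Windows
it can also read the live registry.
"""
import platform
from typing import Dict, List, Mapping, Optional, Sequence, Tuple, Union

# Value paths exactly as listed in the report, relative to HKEY_LOCAL_MACHINE.
BIOS_KEY = r"HARDWARE\DESCRIPTION\System"
BIOS_VALUES = ("SystemBiosVersion", "VideoBiosVersion")
UAC_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
UAC_VALUE = "EnableLUA"

# Assumption: substrings that typically identify a hypervisor in BIOS strings.
# The report does not show the sample's own comparison list; this one is an
# editorial choice for illustration.
VM_MARKERS = ("VBOX", "VIRTUALBOX", "VMWARE", "QEMU", "BOCHS", "XEN",
              "VRTUAL", "HYPER-V", "PARALLELS")

RegValue = Union[str, Sequence[str], int, None]


def _as_strings(value: RegValue) -> List[str]:
    """Both BIOS values are REG_MULTI_SZ (a list of strings); normalise."""
    if value is None:
        return []
    if isinstance(value, (list, tuple)):
        return [str(v) for v in value]
    return [str(value)]


def vm_indicators(bios_values: Mapping[str, RegValue]) -> Dict[str, List[str]]:
    """Map each BIOS value name to the VM markers found in it (empty if none)."""
    hits: Dict[str, List[str]] = {}
    for name in BIOS_VALUES:
        text = " ".join(_as_strings(bios_values.get(name))).upper()
        found = [marker for marker in VM_MARKERS if marker in text]
        if found:
            hits[name] = found
    return hits


def uac_enabled(policy_values: Mapping[str, RegValue]) -> Optional[bool]:
    """EnableLUA != 0 means UAC is on; None when the value is missing."""
    raw = policy_values.get(UAC_VALUE)
    if raw is None:
        return None
    return int(raw) != 0


def read_live_values() -> Tuple[Dict[str, RegValue], Dict[str, RegValue]]:
    """Read the same values from the local registry; Windows only."""
    if platform.system() != "Windows":
        raise RuntimeError("live registry read requires Windows")
    import winreg  # standard library, only importable on Windows

    def read(key_path: str, names: Sequence[str]) -> Dict[str, RegValue]:
        out: Dict[str, RegValue] = {}
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
            for name in names:
                try:
                    out[name] = winreg.QueryValueEx(key, name)[0]
                except FileNotFoundError:
                    out[name] = None
        return out

    return read(BIOS_KEY, BIOS_VALUES), read(UAC_KEY, (UAC_VALUE,))


# Constructed sample data for offline use; not values captured by the report.
SAMPLE_VBOX = {
    "SystemBiosVersion": ["VBOX   - 1"],
    "VideoBiosVersion": ["Oracle VM VirtualBox VBE BIOS"],
}
SAMPLE_BARE_METAL = {
    "SystemBiosVersion": ["LENOVO - 1360", "N2HET57W (1.40 )"],
    "VideoBiosVersion": ["Intel Video BIOS"],
}

if __name__ == "__main__":
    print("VirtualBox-like image:", vm_indicators(SAMPLE_VBOX))
    print("bare-metal-like image:", vm_indicators(SAMPLE_BARE_METAL))
    print("UAC on:", uac_enabled({"EnableLUA": 1}))
    if platform.system() == "Windows":
        bios, policy = read_live_values()
        print("this host:", vm_indicators(bios), "UAC on:", uac_enabled(policy))
```

Run it on an analysis VM to see which of the two values gives the guest away; hardening a sandbox means rewriting those strings (or patching the guest's BIOS tables) so that the check returns nothing, and the EnableLUA read is the usual follow-up to decide whether an elevation prompt would be visible to the user.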
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  NtSetInformationThread with the ThreadHideFromDebugger class (0x11) stops the kernel from delivering debug events for that thread to an attached debugger; it is a standard anti-debugging step in commercial protectors such as Themida, which the YARA matches on both processes already indicate.
  Processes:
    PID 600   5ddb70a947f52b29d083ddadd99450de.exe
    PID 1728  DpEditor.exe
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Registering a clipboard-format listener is expected of a drawing editor, but it is also the API a clipboard monitor uses, so the call is flagged rather than treated as malicious on its own.
  Processes:
    PID 1728  DpEditor.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
    PID 600   5ddb70a947f52b29d083ddadd99450de.exe
    PID 600   5ddb70a947f52b29d083ddadd99450de.exe
    PID 1728  DpEditor.exe
    PID 1728  DpEditor.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description                         | pid | process                               | target process
    PID 600 wrote to memory of PID 1728 | 600 | 5ddb70a947f52b29d083ddadd99450de.exe | DpEditor.exe
    PID 600 wrote to memory of PID 1728 | 600 | 5ddb70a947f52b29d083ddadd99450de.exe | DpEditor.exe
    PID 600 wrote to memory of PID 1728 | 600 | 5ddb70a947f52b29d083ddadd99450de.exe | DpEditor.exe
  All three writes go from the parent into the child it has just spawned; CreateProcess itself writes into a new child's address space during start-up, so this is consistent with ordinary process creation and is not by itself evidence of code injection.
Processes
- C:\Users\Admin\AppData\Local\Temp\5ddb70a947f52b29d083ddadd99450de.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\5ddb70a947f52b29d083ddadd99450de.exe"
  PID: 600
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - child: C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
    command line: "C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"
    PID: 1728
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
  MD5: 5ddb70a947f52b29d083ddadd99450de
  SHA1: 2f19159806c183d007e7930d4ae2983322d96eb7
  SHA256: 181c643f3fdc6fe8ff46c7526aadc4b8770b0d4efbb451b38dea5c9c48e90a3e
  SHA512: e45382de6c163e87046d7b96e45174dfb5b143271cb6fef24ea314336a21c97b90f3a1fe36d2b25936866c8675729048aa9db46b550f49140f2b64ad50f6d1e2
  These hashes are identical to the submitted sample: the "dropped" file is a byte-for-byte copy of the sample placed under %APPDATA%\NCH Software\DrawPad\ and then executed as PID 1728, which is what the "Executes dropped EXE" signature and the parent-to-child WriteProcessMemory entries record.
Memory dumps
  resource                                                     | filesize
  memory/600-118-0x0000000001030000-0x0000000001723000-memory.dmp  | 6.9MB
  memory/600-115-0x0000000001030000-0x0000000001723000-memory.dmp  | 6.9MB
  memory/600-119-0x0000000001030000-0x0000000001723000-memory.dmp  | 6.9MB
  memory/600-117-0x0000000077AA0000-0x0000000077C2E000-memory.dmp  | 1.6MB
  memory/600-116-0x0000000001030000-0x0000000001723000-memory.dmp  | 6.9MB
  memory/1728-120-0x0000000000000000-mapping.dmp                   | (no size listed)
  memory/1728-123-0x0000000000BA0000-0x0000000001293000-memory.dmp | 6.9MB
  memory/1728-124-0x0000000000BA0000-0x0000000001293000-memory.dmp | 6.9MB
  memory/1728-125-0x0000000000BA0000-0x0000000001293000-memory.dmp | 6.9MB
  memory/1728-126-0x0000000000BA0000-0x0000000001293000-memory.dmp | 6.9MB
  memory/1728-127-0x0000000077AA0000-0x0000000077C2E000-memory.dmp | 1.6MB
  The 0x01030000-0x01723000 region in PID 600 and the 0x00BA0000-0x01293000 region in PID 1728 are both 0x6F3000 bytes (about 6.9MB): the same Themida-protected image mapped at two different bases, which is why the YARA rule fires on all eight of those dumps. The 1.6MB region at 0x77AA0000-0x77C2E000 sits at the same address in both processes, as a system DLL shared at a boot-constant base would.