Analysis
-
max time kernel
110s -
max time network
122s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
05-01-2022 20:59
General
-
Target
5ddb70a947f52b29d083ddadd99450de.exe
-
Size
2.7MB
-
MD5
5ddb70a947f52b29d083ddadd99450de
-
SHA1
2f19159806c183d007e7930d4ae2983322d96eb7
-
SHA256
181c643f3fdc6fe8ff46c7526aadc4b8770b0d4efbb451b38dea5c9c48e90a3e
-
SHA512
e45382de6c163e87046d7b96e45174dfb5b143271cb6fef24ea314336a21c97b90f3a1fe36d2b25936866c8675729048aa9db46b550f49140f2b64ad50f6d1e2
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Executes dropped EXE 1 IoCs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Themida packer 10 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\5ddb70a947f52b29d083ddadd99450de.exe"C:\Users\Admin\AppData\Local\Temp\5ddb70a947f52b29d083ddadd99450de.exe"1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exeMD5
5ddb70a947f52b29d083ddadd99450de
SHA12f19159806c183d007e7930d4ae2983322d96eb7
SHA256181c643f3fdc6fe8ff46c7526aadc4b8770b0d4efbb451b38dea5c9c48e90a3e
SHA512e45382de6c163e87046d7b96e45174dfb5b143271cb6fef24ea314336a21c97b90f3a1fe36d2b25936866c8675729048aa9db46b550f49140f2b64ad50f6d1e2
-
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exeMD5
5ddb70a947f52b29d083ddadd99450de
SHA12f19159806c183d007e7930d4ae2983322d96eb7
SHA256181c643f3fdc6fe8ff46c7526aadc4b8770b0d4efbb451b38dea5c9c48e90a3e
SHA512e45382de6c163e87046d7b96e45174dfb5b143271cb6fef24ea314336a21c97b90f3a1fe36d2b25936866c8675729048aa9db46b550f49140f2b64ad50f6d1e2
-
memory/600-118-0x0000000001030000-0x0000000001723000-memory.dmpFilesize
6.9MB
-
memory/600-115-0x0000000001030000-0x0000000001723000-memory.dmpFilesize
6.9MB
-
memory/600-119-0x0000000001030000-0x0000000001723000-memory.dmpFilesize
6.9MB
-
memory/600-117-0x0000000077AA0000-0x0000000077C2E000-memory.dmpFilesize
1.6MB
-
memory/600-116-0x0000000001030000-0x0000000001723000-memory.dmpFilesize
6.9MB
-
memory/1728-120-0x0000000000000000-mapping.dmp
-
memory/1728-123-0x0000000000BA0000-0x0000000001293000-memory.dmpFilesize
6.9MB
-
memory/1728-124-0x0000000000BA0000-0x0000000001293000-memory.dmpFilesize
6.9MB
-
memory/1728-125-0x0000000000BA0000-0x0000000001293000-memory.dmpFilesize
6.9MB
-
memory/1728-126-0x0000000000BA0000-0x0000000001293000-memory.dmpFilesize
6.9MB
-
memory/1728-127-0x0000000077AA0000-0x0000000077C2E000-memory.dmpFilesize
1.6MB