Analysis
- max time kernel: 122s
- max time network: 125s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 07-01-2022 12:17
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 47241b345de4eb4177705e586649da25.exe
  - Resource: win7-en-20211208
General
- Target: 47241b345de4eb4177705e586649da25.exe
- Size: 2.7MB
- MD5: 47241b345de4eb4177705e586649da25
- SHA1: 2d8be32cb553f1b9b15b248efd51823a14eda39b
- SHA256: 590d4f64a1063d7cdd9b224e7e73b6dd4b04dba2323e80aba08b4eff5eeb6fef
- SHA512: 4255e00a8fc85ddc6fb0f80b3c79d9e96bdc3b1687c44c093fd7056d1edfee049478ccc28a1d264d71b68d3bcb3b6c0647a101ad93d51c741213aada61ab680a
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
- Executes dropped EXE 1 IoCs
  Processes (pid / process):
    268  DpEditor.exe
- Checks BIOS information in registry 2 TTPs 4 IoCs
  BIOS information is often read in order to detect sandboxing environments.
  Processes (description / ioc / process):
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  47241b345de4eb4177705e586649da25.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   47241b345de4eb4177705e586649da25.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  DpEditor.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   DpEditor.exe
- Loads dropped DLL 1 IoCs
  Processes (pid / process):
    1588  47241b345de4eb4177705e586649da25.exe
- Themida packer (yara rule: themida) 10 IoCs
  Processes (resource / yara_rule):
    behavioral1/memory/1588-55-0x0000000000E50000-0x000000000154A000-memory.dmp  themida
    behavioral1/memory/1588-56-0x0000000000E50000-0x000000000154A000-memory.dmp  themida
    behavioral1/memory/1588-57-0x0000000000E50000-0x000000000154A000-memory.dmp  themida
    behavioral1/memory/1588-58-0x0000000000E50000-0x000000000154A000-memory.dmp  themida
    \Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe    themida
    C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe  themida
    behavioral1/memory/268-63-0x0000000001030000-0x000000000172A000-memory.dmp  themida
    behavioral1/memory/268-64-0x0000000001030000-0x000000000172A000-memory.dmp  themida
    behavioral1/memory/268-65-0x0000000001030000-0x000000000172A000-memory.dmp  themida
    behavioral1/memory/268-66-0x0000000001030000-0x000000000172A000-memory.dmp  themida
- Checks whether UAC is enabled 2 IoCs
  Processes (description / ioc / process):
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  47241b345de4eb4177705e586649da25.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  DpEditor.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  Processes (pid / process):
    1588  47241b345de4eb4177705e586649da25.exe
    268   DpEditor.exe
- Suspicious behavior: AddClipboardFormatListener 1 IoCs
  Processes (pid / process):
    268  DpEditor.exe
- Suspicious behavior: EnumeratesProcesses 2 IoCs
  Processes (pid / process):
    1588  47241b345de4eb4177705e586649da25.exe
    268   DpEditor.exe
- Suspicious use of WriteProcessMemory 4 IoCs
  Processes (description / pid / process / target process):
    PID 1588 wrote to memory of 268  1588  47241b345de4eb4177705e586649da25.exe  DpEditor.exe  (4 identical events)
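The two registry probes listed above ("Checks BIOS information in registry" and "Checks whether UAC is enabled") are cheap environment fingerprints: SystemBiosVersion and VideoBiosVersion carry the hypervisor vendor string on a stock VM, and EnableLUA tells the process whether UAC stands between it and an elevated token. The script below is an added example, not code from the report or from the sample; it reproduces those two lookups so an analyst can run it on a sandbox image and see what the sample would have learned. The classifier is pure Python and runs anywhere; the collector uses winreg and only runs on Windows. The vendor marker table is an assumption for illustration (the report itself only names VirtualBox).

```python
"""Added example: reproduce the BIOS-string and EnableLUA checks attributed to
47241b345de4eb4177705e586649da25.exe / DpEditor.exe, as a sandbox self-check."""
import sys

# Registry values named in the report, under HKLM\HARDWARE\DESCRIPTION\System.
BIOS_VALUES = ("SystemBiosVersion", "VideoBiosVersion")
UAC_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Assumed hypervisor markers (illustrative, not from the report): substrings
# that stock VM firmware tends to leave in the BIOS / video BIOS strings.
HYPERVISOR_MARKERS = {
    "VBOX": "VirtualBox",
    "VIRTUALBOX": "VirtualBox",
    "VMWARE": "VMware",
    "QEMU": "QEMU/KVM",
    "BOCHS": "Bochs",
    "XEN": "Xen",
    "HYPER-V": "Hyper-V",
    "PARALLELS": "Parallels",
}


def classify_bios(values):
    """values: mapping value-name -> str or list of str (REG_MULTI_SZ).
    Returns the sorted set of vendors whose marker appears in either value."""
    found = set()
    for name in BIOS_VALUES:
        data = values.get(name, [])
        if isinstance(data, str):
            data = [data]
        blob = " ".join(data).upper()
        for marker, vendor in HYPERVISOR_MARKERS.items():
            if marker in blob:
                found.add(vendor)
    return sorted(found)


def uac_enabled(enable_lua):
    """EnableLUA is a REG_DWORD; a missing value means the default (enabled)."""
    return enable_lua is None or int(enable_lua) != 0


def assess(values, enable_lua):
    """Combine both probes into the verdict an anti-VM / UAC check would reach."""
    vendors = classify_bios(values)
    return {
        "hypervisors": vendors,
        "looks_virtual": bool(vendors),
        "uac_enabled": uac_enabled(enable_lua),
    }


def collect_from_registry():
    """Windows only: read exactly the values the sample queried and assess them."""
    if sys.platform != "win32":
        raise RuntimeError("registry collection needs Windows")
    import winreg
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"HARDWARE\DESCRIPTION\System") as key:
        for name in BIOS_VALUES:
            try:
                values[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                values[name] = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, UAC_KEY) as key:
        try:
            enable_lua = winreg.QueryValueEx(key, "EnableLUA")[0]
        except FileNotFoundError:
            enable_lua = None
    return assess(values, enable_lua)


if __name__ == "__main__":
    # Constructed input resembling a stock VirtualBox guest with UAC on.
    demo = {
        "SystemBiosVersion": ["VBOX   - 1"],
        "VideoBiosVersion": ["Oracle VM VirtualBox VBE Adapter"],
    }
    print(assess(demo, 1))
```

Run it inside the analysis VM with `collect_from_registry()`; if `looks_virtual` comes back True, the image is fingerprintable by this class of check, and the BIOS strings are the place to patch.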
Processes
- C:\Users\Admin\AppData\Local\Temp\47241b345de4eb4177705e586649da25.exe (PID 1588, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\47241b345de4eb4177705e586649da25.exe"
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe (PID 268, depth 2, child of PID 1588)
    Command line: "C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
  MD5: 47241b345de4eb4177705e586649da25
  SHA1: 2d8be32cb553f1b9b15b248efd51823a14eda39b
  SHA256: 590d4f64a1063d7cdd9b224e7e73b6dd4b04dba2323e80aba08b4eff5eeb6fef
  SHA512: 4255e00a8fc85ddc6fb0f80b3c79d9e96bdc3b1687c44c093fd7056d1edfee049478ccc28a1d264d71b68d3bcb3b6c0647a101ad93d51c741213aada61ab680a
  All four hashes equal those of the submitted sample in General above: the "dropped EXE" is a byte-identical copy of 47241b345de4eb4177705e586649da25.exe written under %APPDATA%\NCH Software\DrawPad\ and re-executed from there.
- \Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
  Same file, recorded a second time as a path without the drive letter; MD5, SHA1, SHA256 and SHA512 identical to the entry above.
- memory/268-60-0x0000000000000000-mapping.dmp
- memory/268-63-0x0000000001030000-0x000000000172A000-memory.dmp  Filesize 7.0MB
- memory/268-64-0x0000000001030000-0x000000000172A000-memory.dmp  Filesize 7.0MB
- memory/268-65-0x0000000001030000-0x000000000172A000-memory.dmp  Filesize 7.0MB
- memory/268-66-0x0000000001030000-0x000000000172A000-memory.dmp  Filesize 7.0MB
- memory/1588-54-0x0000000075191000-0x0000000075193000-memory.dmp  Filesize 8KB
- memory/1588-55-0x0000000000E50000-0x000000000154A000-memory.dmp  Filesize 7.0MB
- memory/1588-56-0x0000000000E50000-0x000000000154A000-memory.dmp  Filesize 7.0MB
- memory/1588-57-0x0000000000E50000-0x000000000154A000-memory.dmp  Filesize 7.0MB
- memory/1588-58-0x0000000000E50000-0x000000000154A000-memory.dmp  Filesize 7.0MB
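Two things in the Downloads list are worth checking mechanically rather than by eye: whether the dropped file is really the same bytes as the sample (self-copy rather than a distinct payload), and whether the repeated memory dumps are re-captures of one mapping or different regions. The script below is an added example, not part of the sandbox report; the hashes and dump names it embeds are copied from this page, and the only assumption is the dump-name layout `memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp` (or `-mapping.dmp`) seen above.

```python
"""Added example: correlate the Downloads section of the report.
- self_copies(): dropped files whose hashes all match the submitted sample
- regions_by_pid(): memory dumps collapsed to distinct (start, end) per PID
Hash values and dump names are copied from the report page."""
import re
from collections import defaultdict

SAMPLE_HASHES = {  # from the General section
    "md5": "47241b345de4eb4177705e586649da25",
    "sha1": "2d8be32cb553f1b9b15b248efd51823a14eda39b",
    "sha256": "590d4f64a1063d7cdd9b224e7e73b6dd4b04dba2323e80aba08b4eff5eeb6fef",
}

DROPPED = {  # from the Downloads section (SHA512 omitted for brevity; it matches too)
    r"C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe": {
        "md5": "47241b345de4eb4177705e586649da25",
        "sha1": "2d8be32cb553f1b9b15b248efd51823a14eda39b",
        "sha256": "590d4f64a1063d7cdd9b224e7e73b6dd4b04dba2323e80aba08b4eff5eeb6fef",
    },
}

DUMPS = [  # from the Downloads section
    "memory/268-60-0x0000000000000000-mapping.dmp",
    "memory/268-63-0x0000000001030000-0x000000000172A000-memory.dmp",
    "memory/268-64-0x0000000001030000-0x000000000172A000-memory.dmp",
    "memory/268-65-0x0000000001030000-0x000000000172A000-memory.dmp",
    "memory/268-66-0x0000000001030000-0x000000000172A000-memory.dmp",
    "memory/1588-54-0x0000000075191000-0x0000000075193000-memory.dmp",
    "memory/1588-55-0x0000000000E50000-0x000000000154A000-memory.dmp",
    "memory/1588-56-0x0000000000E50000-0x000000000154A000-memory.dmp",
    "memory/1588-57-0x0000000000E50000-0x000000000154A000-memory.dmp",
    "memory/1588-58-0x0000000000E50000-0x000000000154A000-memory.dmp",
]

# Assumed naming convention, inferred from the entries above.
_DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+)-memory|-mapping)\.dmp$"
)


def parse_dump_name(name):
    """Split a dump file name into pid, sequence number, address range and kind."""
    m = _DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start = int(m["start"], 16)
    end = int(m["end"], 16) if m["end"] else None
    return {
        "pid": int(m["pid"]),
        "seq": int(m["seq"]),
        "start": start,
        "end": end,
        "size": (end - start) if end is not None else 0,
        "kind": "memory" if end is not None else "mapping",
    }


def human_size(n):
    """Match the report's rendering: MiB with one decimal, else whole KiB."""
    return f"{n / 2**20:.1f}MB" if n >= 2**20 else f"{n / 1024:.0f}KB"


def self_copies(sample, dropped):
    """Paths of dropped files whose every recorded hash equals the sample's."""
    return sorted(
        path for path, hashes in dropped.items()
        if all(hashes.get(algo) == value for algo, value in sample.items())
    )


def regions_by_pid(names):
    """Collapse repeated dumps of the same (start, end) range, per PID,
    keeping a count of how many captures were taken of each region."""
    counts = defaultdict(dict)
    for name in names:
        d = parse_dump_name(name)
        if d["kind"] != "memory":
            continue  # a mapping dump carries no address range
        key = (d["start"], d["end"])
        counts[d["pid"]][key] = counts[d["pid"]].get(key, 0) + 1
    return {
        pid: [{"start": s, "end": e, "size": e - s, "dumps": c}
              for (s, e), c in sorted(regions.items())]
        for pid, regions in counts.items()
    }


if __name__ == "__main__":
    print("self-copies:", self_copies(SAMPLE_HASHES, DROPPED))
    for pid, regions in sorted(regions_by_pid(DUMPS).items()):
        for r in regions:
            print(f"pid {pid}: 0x{r['start']:X}-0x{r['end']:X} "
                  f"{human_size(r['size'])} ({r['dumps']} dumps)")
```

On this report the output confirms the read above: DpEditor.exe is a self-copy, and each process has a single 0x6FA000-byte (7.0MB) region dumped four times, at different base addresses (0xE50000 in PID 1588, 0x1030000 in PID 268) but identical size, which is what you expect when the same Themida-packed image is loaded twice.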