Analysis
- max time kernel: 117s
- max time network: 117s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 08-01-2022 15:10
Static task: static1
Behavioral task: behavioral1
Sample: combir.exe
Resource: win7-en-20211208
General
- Target: combir.exe
- Size: 2.7MB
- MD5: 13ec5227fe52bcf2fc8ca6b1dcc07641
- SHA1: 21a546771c1acdde48a8be21081ce0ae1e376bfb
- SHA256: 60c546941d7f705156881e6776c482c50f133d54ba520436291695fd39bff8bb
- SHA512: bcd479d71b5f7a8a294d647f66ba2c7670c39270142bb86cf96a8ffb97a7d5dcefb654c29c926fd2f43917a7da9ca11215012e5a109aad6062ef9e9e65355928
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) [2 TTPs]

- Executes dropped EXE [1 IoCs]
  Processes:
    pid | process
    368 | DpEditor.exe

- Checks BIOS information in registry [2 TTPs, 4 IoCs]
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
    description       | ioc                                                            | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  | combir.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | DpEditor.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  | DpEditor.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | combir.exe

- Loads dropped DLL [1 IoCs]
  Processes:
    pid  | process
    1260 | combir.exe

- YARA rule matches
  Processes:
    resource                                                                   | yara_rule
    behavioral1/memory/1260-55-0x0000000000140000-0x0000000000835000-memory.dmp | themida
    behavioral1/memory/1260-56-0x0000000000140000-0x0000000000835000-memory.dmp | themida
    behavioral1/memory/1260-57-0x0000000000140000-0x0000000000835000-memory.dmp | themida
    behavioral1/memory/1260-58-0x0000000000140000-0x0000000000835000-memory.dmp | themida
    \Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe              | themida
    C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe            | themida
    behavioral1/memory/368-63-0x00000000011D0000-0x00000000018C5000-memory.dmp  | themida
    behavioral1/memory/368-64-0x00000000011D0000-0x00000000018C5000-memory.dmp  | themida
    behavioral1/memory/368-65-0x00000000011D0000-0x00000000018C5000-memory.dmp  | themida
    behavioral1/memory/368-66-0x00000000011D0000-0x00000000018C5000-memory.dmp  | themida

- Checks whether UAC is enabled
  Processes:
    description       | ioc                                                                          | process
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | combir.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | DpEditor.exe

- Suspicious use of NtSetInformationThreadHideFromDebugger [2 IoCs]
  Processes:
    pid  | process
    1260 | combir.exe
    368  | DpEditor.exe

- Suspicious behavior: AddClipboardFormatListener [1 IoCs]
  Processes:
    pid | process
    368 | DpEditor.exe

- Suspicious behavior: EnumeratesProcesses [2 IoCs]
  Processes:
    pid  | process
    1260 | combir.exe
    368  | DpEditor.exe

- Suspicious use of WriteProcessMemory [4 IoCs]
  Processes:
    description                      | pid  | process    | target process
    PID 1260 wrote to memory of 368  | 1260 | combir.exe | DpEditor.exe
    PID 1260 wrote to memory of 368  | 1260 | combir.exe | DpEditor.exe
    PID 1260 wrote to memory of 368  | 1260 | combir.exe | DpEditor.exe
    PID 1260 wrote to memory of 368  | 1260 | combir.exe | DpEditor.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\combir.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\combir.exe"
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
  MD5: 13ec5227fe52bcf2fc8ca6b1dcc07641
  SHA1: 21a546771c1acdde48a8be21081ce0ae1e376bfb
  SHA256: 60c546941d7f705156881e6776c482c50f133d54ba520436291695fd39bff8bb
  SHA512: bcd479d71b5f7a8a294d647f66ba2c7670c39270142bb86cf96a8ffb97a7d5dcefb654c29c926fd2f43917a7da9ca11215012e5a109aad6062ef9e9e65355928

- \Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
  MD5: 13ec5227fe52bcf2fc8ca6b1dcc07641
  SHA1: 21a546771c1acdde48a8be21081ce0ae1e376bfb
  SHA256: 60c546941d7f705156881e6776c482c50f133d54ba520436291695fd39bff8bb
  SHA512: bcd479d71b5f7a8a294d647f66ba2c7670c39270142bb86cf96a8ffb97a7d5dcefb654c29c926fd2f43917a7da9ca11215012e5a109aad6062ef9e9e65355928

- memory/368-60-0x0000000000000000-mapping.dmp

- memory/368-63-0x00000000011D0000-0x00000000018C5000-memory.dmp
  Filesize: 7.0MB

- memory/368-64-0x00000000011D0000-0x00000000018C5000-memory.dmp
  Filesize: 7.0MB

- memory/368-65-0x00000000011D0000-0x00000000018C5000-memory.dmp
  Filesize: 7.0MB

- memory/368-66-0x00000000011D0000-0x00000000018C5000-memory.dmp
  Filesize: 7.0MB

- memory/1260-54-0x0000000075D61000-0x0000000075D63000-memory.dmp
  Filesize: 8KB

- memory/1260-55-0x0000000000140000-0x0000000000835000-memory.dmp
  Filesize: 7.0MB

- memory/1260-56-0x0000000000140000-0x0000000000835000-memory.dmp
  Filesize: 7.0MB

- memory/1260-57-0x0000000000140000-0x0000000000835000-memory.dmp
  Filesize: 7.0MB

- memory/1260-58-0x0000000000140000-0x0000000000835000-memory.dmp
  Filesize: 7.0MB