Analysis
- max time kernel: 95s
- max time network: 78s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 12-01-2022 18:34
Static task: static1
Behavioral task: behavioral1
  Sample: barmah.exe
  Resource: win10-en-20211208
Behavioral task: behavioral2
  Sample: barmah.exe
  Resource: win11
General
- Target: barmah.exe
- Size: 2.6MB
- MD5: 78d57a85010f954da7fe729449e2eaea
- SHA1: 3a2deacbdd3f43d35feddb0a09477cbcade95ac3
- SHA256: 5a3654dee85aae7f1644793e0c54dcb6948ab9d9b88d04c51b4fa1a18fd9a3f0
- SHA512: 1205c69b215054e37f0d5cddeca95ef80d9897a0667fda03f8908f76cb38b67b689409f4b6193bd543928acff4e26a3448ea8db517628b78bb112878dcbe7c28
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) [2 TTPs]
- Executes dropped EXE [1 IoCs]
  Processes (pid | process):
    4124 | DpEditor.exe
- Checks BIOS information in registry [2 TTPs, 4 IoCs]
  BIOS information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | barmah.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | barmah.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | DpEditor.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | DpEditor.exe
- YARA rule match: themida
  Processes (resource | yara_rule):
    behavioral1/memory/4144-115-0x0000000000270000-0x0000000000950000-memory.dmp | themida
    behavioral1/memory/4144-116-0x0000000000270000-0x0000000000950000-memory.dmp | themida
    behavioral1/memory/4144-118-0x0000000000270000-0x0000000000950000-memory.dmp | themida
    behavioral1/memory/4144-119-0x0000000000270000-0x0000000000950000-memory.dmp | themida
    C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe | themida
    C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe | themida
    behavioral1/memory/4124-123-0x0000000000010000-0x00000000006F0000-memory.dmp | themida
    behavioral1/memory/4124-124-0x0000000000010000-0x00000000006F0000-memory.dmp | themida
    behavioral1/memory/4124-126-0x0000000000010000-0x00000000006F0000-memory.dmp | themida
    behavioral1/memory/4124-127-0x0000000000010000-0x00000000006F0000-memory.dmp | themida
- Checks whether UAC is enabled
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | barmah.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | DpEditor.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger [2 IoCs]
  Processes (pid | process):
    4144 | barmah.exe
    4124 | DpEditor.exe
- Drops file in Windows directory [2 IoCs]
  Processes (description | ioc | process):
    File created | C:\Windows\rescache\_merged\4183903823\97717462.pri | taskmgr.exe
    File created | C:\Windows\rescache\_merged\1601268389\1361672858.pri | taskmgr.exe
- Checks SCSI registry key(s) [3 TTPs, 3 IoCs]
  SCSI information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
- Kills process with taskkill [2 IoCs]
  Processes (pid | process):
    2504 | taskkill.exe
    3016 | taskkill.exe
- Suspicious behavior: AddClipboardFormatListener [1 IoCs]
  Processes (pid | process):
    4124 | DpEditor.exe
- Suspicious behavior: EnumeratesProcesses [64 IoCs]
  Processes (pid | process):
    4144 | barmah.exe (2 entries)
    4124 | DpEditor.exe (2 entries)
    4080 | taskmgr.exe (60 entries)
- Suspicious behavior: GetForegroundWindowSpam [1 IoCs]
  Processes (pid | process):
    4080 | taskmgr.exe
- Suspicious use of AdjustPrivilegeToken [6 IoCs]
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 4080 | taskmgr.exe
    Token: SeSystemProfilePrivilege | 4080 | taskmgr.exe
    Token: SeCreateGlobalPrivilege | 4080 | taskmgr.exe
    Token: 33 | 4080 | taskmgr.exe
    Token: SeIncBasePriorityPrivilege | 4080 | taskmgr.exe
    Token: SeDebugPrivilege | 2504 | taskkill.exe
- Suspicious use of FindShellTrayWindow [60 IoCs]
  Processes (pid | process):
    4080 | taskmgr.exe (60 entries)
- Suspicious use of SendNotifyMessage [60 IoCs]
  Processes (pid | process):
    4080 | taskmgr.exe (60 entries)
- Suspicious use of WriteProcessMemory [3 IoCs]
  Processes (description | pid | process | target process):
    PID 4144 wrote to memory of 4124 | 4144 | barmah.exe | DpEditor.exe (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\barmah.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\barmah.exe"
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe (child process)
    Command line: "C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
- C:\Windows\System32\taskkill.exe
  Command line: "C:\Windows\System32\taskkill.exe" -f -im wininit.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\taskkill.exe
  Command line: "C:\Windows\System32\taskkill.exe" wininit.exe
  - Kills process with taskkill
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
  MD5: 78d57a85010f954da7fe729449e2eaea
  SHA1: 3a2deacbdd3f43d35feddb0a09477cbcade95ac3
  SHA256: 5a3654dee85aae7f1644793e0c54dcb6948ab9d9b88d04c51b4fa1a18fd9a3f0
  SHA512: 1205c69b215054e37f0d5cddeca95ef80d9897a0667fda03f8908f76cb38b67b689409f4b6193bd543928acff4e26a3448ea8db517628b78bb112878dcbe7c28
- C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
  MD5: 78d57a85010f954da7fe729449e2eaea
  SHA1: 3a2deacbdd3f43d35feddb0a09477cbcade95ac3
  SHA256: 5a3654dee85aae7f1644793e0c54dcb6948ab9d9b88d04c51b4fa1a18fd9a3f0
  SHA512: 1205c69b215054e37f0d5cddeca95ef80d9897a0667fda03f8908f76cb38b67b689409f4b6193bd543928acff4e26a3448ea8db517628b78bb112878dcbe7c28
- memory/4124-124-0x0000000000010000-0x00000000006F0000-memory.dmp
  Filesize: 6.9MB
- memory/4124-120-0x0000000000000000-mapping.dmp
- memory/4124-123-0x0000000000010000-0x00000000006F0000-memory.dmp
  Filesize: 6.9MB
- memory/4124-125-0x0000000076FF0000-0x000000007717E000-memory.dmp
  Filesize: 1.6MB
- memory/4124-126-0x0000000000010000-0x00000000006F0000-memory.dmp
  Filesize: 6.9MB
- memory/4124-127-0x0000000000010000-0x00000000006F0000-memory.dmp
  Filesize: 6.9MB
- memory/4144-118-0x0000000000270000-0x0000000000950000-memory.dmp
  Filesize: 6.9MB
- memory/4144-119-0x0000000000270000-0x0000000000950000-memory.dmp
  Filesize: 6.9MB
- memory/4144-117-0x0000000076FF0000-0x000000007717E000-memory.dmp
  Filesize: 1.6MB
- memory/4144-116-0x0000000000270000-0x0000000000950000-memory.dmp
  Filesize: 6.9MB
- memory/4144-115-0x0000000000270000-0x0000000000950000-memory.dmp
  Filesize: 6.9MB