Analysis
-
max time kernel
118s -
max time network
132s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
11-02-2022 23:28
General
-
Target
e7d3922aebdcd07674ddd3186393c9749559d11f1b741ca5997acb49405ba38a.exe
-
Size
2.6MB
-
MD5
c794262c17250a3760186c2d1f72a84c
-
SHA1
9d07fdc5250ec7beffd08dc0b18a4a5cea7bfeea
-
SHA256
e7d3922aebdcd07674ddd3186393c9749559d11f1b741ca5997acb49405ba38a
-
SHA512
1d129bd4175fc122c2678534b0a0274ef32fd683620a979af666c19693d37a79b001630e9bcb60873cdc5a62c8c1ba3cadaea1563ba330eb71fdf347902750b0
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Executes dropped EXE 1 IoCs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL 1 IoCs
-
Themida packer 8 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e7d3922aebdcd07674ddd3186393c9749559d11f1b741ca5997acb49405ba38a.exe"C:\Users\Admin\AppData\Local\Temp\e7d3922aebdcd07674ddd3186393c9749559d11f1b741ca5997acb49405ba38a.exe"1⤵
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exeMD5
c794262c17250a3760186c2d1f72a84c
SHA19d07fdc5250ec7beffd08dc0b18a4a5cea7bfeea
SHA256e7d3922aebdcd07674ddd3186393c9749559d11f1b741ca5997acb49405ba38a
SHA5121d129bd4175fc122c2678534b0a0274ef32fd683620a979af666c19693d37a79b001630e9bcb60873cdc5a62c8c1ba3cadaea1563ba330eb71fdf347902750b0
-
\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exeMD5
c794262c17250a3760186c2d1f72a84c
SHA19d07fdc5250ec7beffd08dc0b18a4a5cea7bfeea
SHA256e7d3922aebdcd07674ddd3186393c9749559d11f1b741ca5997acb49405ba38a
SHA5121d129bd4175fc122c2678534b0a0274ef32fd683620a979af666c19693d37a79b001630e9bcb60873cdc5a62c8c1ba3cadaea1563ba330eb71fdf347902750b0
-
memory/692-63-0x00000000010B0000-0x0000000001793000-memory.dmpFilesize
6.9MB
-
memory/692-64-0x00000000010B0000-0x0000000001793000-memory.dmpFilesize
6.9MB
-
memory/692-65-0x00000000010B0000-0x0000000001793000-memory.dmpFilesize
6.9MB
-
memory/1224-55-0x0000000075421000-0x0000000075423000-memory.dmpFilesize
8KB
-
memory/1224-56-0x0000000000AD0000-0x00000000011B3000-memory.dmpFilesize
6.9MB
-
memory/1224-57-0x0000000000AD0000-0x00000000011B3000-memory.dmpFilesize
6.9MB
-
memory/1224-58-0x0000000000AD0000-0x00000000011B3000-memory.dmpFilesize
6.9MB
-
memory/1224-59-0x00000000770F0000-0x00000000770F2000-memory.dmpFilesize
8KB