Analysis
- max time kernel: 121s
- max time network: 126s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 15-02-2022 08:07

Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 91dddb4e611f8c67d861725d881562cb4b0660f1d071713b4cc8b8d2f1767758.exe
  - Resource: win7-en-20211208
General
- Target: 91dddb4e611f8c67d861725d881562cb4b0660f1d071713b4cc8b8d2f1767758.exe
- Size: 2.9MB
- MD5: 167d1f7c7288ab824af9c18a09145102
- SHA1: e0eb15a2897c257a1af93047e49e45999d859fe5
- SHA256: 91dddb4e611f8c67d861725d881562cb4b0660f1d071713b4cc8b8d2f1767758
- SHA512: dd34ee7be017fdb72ce9ac416784196588d7cee711401af377e534a302f994ae10de0311e41e9d286ace1d1fb86b45e3c6e87066868a1ae26cb3e8fa5e9a1d11
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) [2 TTPs]
- Executes dropped EXE [1 IoC]
  Processes:
  - pid 476: DpEditor.exe
- Checks BIOS information in registry [2 TTPs, 4 IoCs]
  BIOS information is often read in order to detect sandboxing environments.
  Processes (key value queried, by process):
  - \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion, by 91dddb4e611f8c67d861725d881562cb4b0660f1d071713b4cc8b8d2f1767758.exe
  - \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion, by 91dddb4e611f8c67d861725d881562cb4b0660f1d071713b4cc8b8d2f1767758.exe
  - \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion, by DpEditor.exe
  - \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion, by DpEditor.exe
- Loads dropped DLL [1 IoC]
  Processes:
  - pid 1668: 91dddb4e611f8c67d861725d881562cb4b0660f1d071713b4cc8b8d2f1767758.exe
- YARA rule matches (rule: themida)
  Resources matched:
  - behavioral1/memory/1668-56-0x00000000000B0000-0x000000000080F000-memory.dmp: themida
  - behavioral1/memory/1668-57-0x00000000000B0000-0x000000000080F000-memory.dmp: themida
  - behavioral1/memory/1668-58-0x00000000000B0000-0x000000000080F000-memory.dmp: themida
  - behavioral1/memory/1668-59-0x00000000000B0000-0x000000000080F000-memory.dmp: themida
  - \Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe: themida
  - C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe: themida
  - behavioral1/memory/476-63-0x0000000000A50000-0x00000000011AF000-memory.dmp: themida
  - behavioral1/memory/476-64-0x0000000000A50000-0x00000000011AF000-memory.dmp: themida
  - behavioral1/memory/476-65-0x0000000000A50000-0x00000000011AF000-memory.dmp: themida
  - behavioral1/memory/476-66-0x0000000000A50000-0x00000000011AF000-memory.dmp: themida
- Checks whether UAC is enabled
  Processes (key value queried, by process):
  - \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA, by 91dddb4e611f8c67d861725d881562cb4b0660f1d071713b4cc8b8d2f1767758.exe
  - \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA, by DpEditor.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger [2 IoCs]
  Processes:
  - pid 1668: 91dddb4e611f8c67d861725d881562cb4b0660f1d071713b4cc8b8d2f1767758.exe
  - pid 476: DpEditor.exe
- Suspicious behavior: AddClipboardFormatListener [1 IoC]
  Processes:
  - pid 476: DpEditor.exe
- Suspicious behavior: EnumeratesProcesses [2 IoCs]
  Processes:
  - pid 1668: 91dddb4e611f8c67d861725d881562cb4b0660f1d071713b4cc8b8d2f1767758.exe
  - pid 476: DpEditor.exe
- Suspicious use of WriteProcessMemory [4 IoCs]
  Processes (source process -> target process):
  - PID 1668 (91dddb4e611f8c67d861725d881562cb4b0660f1d071713b4cc8b8d2f1767758.exe) wrote to memory of PID 476 (DpEditor.exe)
  - PID 1668 (91dddb4e611f8c67d861725d881562cb4b0660f1d071713b4cc8b8d2f1767758.exe) wrote to memory of PID 476 (DpEditor.exe)
  - PID 1668 (91dddb4e611f8c67d861725d881562cb4b0660f1d071713b4cc8b8d2f1767758.exe) wrote to memory of PID 476 (DpEditor.exe)
  - PID 1668 (91dddb4e611f8c67d861725d881562cb4b0660f1d071713b4cc8b8d2f1767758.exe) wrote to memory of PID 476 (DpEditor.exe)
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\91dddb4e611f8c67d861725d881562cb4b0660f1d071713b4cc8b8d2f1767758.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\91dddb4e611f8c67d861725d881562cb4b0660f1d071713b4cc8b8d2f1767758.exe"
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Level 2 (child of the above): C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
    Command line: "C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe (hashes identical to the submitted sample)
  - MD5: 167d1f7c7288ab824af9c18a09145102
  - SHA1: e0eb15a2897c257a1af93047e49e45999d859fe5
  - SHA256: 91dddb4e611f8c67d861725d881562cb4b0660f1d071713b4cc8b8d2f1767758
  - SHA512: dd34ee7be017fdb72ce9ac416784196588d7cee711401af377e534a302f994ae10de0311e41e9d286ace1d1fb86b45e3c6e87066868a1ae26cb3e8fa5e9a1d11
- \Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe (hashes identical to the submitted sample)
  - MD5: 167d1f7c7288ab824af9c18a09145102
  - SHA1: e0eb15a2897c257a1af93047e49e45999d859fe5
  - SHA256: 91dddb4e611f8c67d861725d881562cb4b0660f1d071713b4cc8b8d2f1767758
  - SHA512: dd34ee7be017fdb72ce9ac416784196588d7cee711401af377e534a302f994ae10de0311e41e9d286ace1d1fb86b45e3c6e87066868a1ae26cb3e8fa5e9a1d11
- memory/476-63-0x0000000000A50000-0x00000000011AF000-memory.dmp: filesize 7.4MB
- memory/476-64-0x0000000000A50000-0x00000000011AF000-memory.dmp: filesize 7.4MB
- memory/476-65-0x0000000000A50000-0x00000000011AF000-memory.dmp: filesize 7.4MB
- memory/476-66-0x0000000000A50000-0x00000000011AF000-memory.dmp: filesize 7.4MB
- memory/1668-54-0x0000000075AE1000-0x0000000075AE3000-memory.dmp: filesize 8KB
- memory/1668-55-0x0000000077590000-0x0000000077592000-memory.dmp: filesize 8KB
- memory/1668-56-0x00000000000B0000-0x000000000080F000-memory.dmp: filesize 7.4MB
- memory/1668-57-0x00000000000B0000-0x000000000080F000-memory.dmp: filesize 7.4MB
- memory/1668-58-0x00000000000B0000-0x000000000080F000-memory.dmp: filesize 7.4MB
- memory/1668-59-0x00000000000B0000-0x000000000080F000-memory.dmp: filesize 7.4MB