Analysis
max time kernel: 208s
max time network: 43s
platform: windows7_x64
resource: win7-20220414-en
submitted: 04-07-2022 14:37
Static task: static1
Behavioral task: behavioral1 (sample homyel.exe, resource win7-20220414-en)
Behavioral task: behavioral2 (sample homyel.exe, resource win10v2004-20220414-en)
General
Target: homyel.exe
Size: 2.8MB
MD5: 8d83e980468557de9b7e71f7d972541b
SHA1: 55a4226f5308ea659c68b61686af10398344de77
SHA256: ab406a77d2072ede4e117eaaaff8ed953a70f999044dc4beeac69a98853e8c9e
SHA512: ef2e404028c6e8239ad9f67b449c7546c96c6a918e9bcc3427574d809a3e4f9f7ea9e79b3a7584aa176b84e07934600c1b1cd1fbb25581788f3de15144cfe981
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) - 2 TTPs, 2 IoCs
Processes:
  description   ioc                                           process
  Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__   homyel.exe
  Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__   DpEditor.exe
-
Executes dropped EXE - 1 IoCs
Processes:
  pid   process
  912   DpEditor.exe
-
Checks BIOS information in registry - 2 TTPs, 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description         ioc                                                               process
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   homyel.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    homyel.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   DpEditor.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    DpEditor.exe
-
Drops startup file - 1 IoCs
Processes:
  description    ioc                                                                                       process
  File created   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ncsyncer.lnk   DpEditor.exe
-
Loads dropped DLL - 2 IoCs
Processes:
  pid    process
  1852   homyel.exe
  912    DpEditor.exe
-
YARA rule match: themida (packer detection; the rule hit both on-disk copies of the dropped file and the in-memory images of both processes)
Processes:
  resource                                                                       yara_rule
  behavioral1/memory/1852-55-0x00000000009E0000-0x000000000111F000-memory.dmp    themida
  behavioral1/memory/1852-56-0x00000000009E0000-0x000000000111F000-memory.dmp    themida
  behavioral1/memory/1852-57-0x00000000009E0000-0x000000000111F000-memory.dmp    themida
  behavioral1/memory/1852-58-0x00000000009E0000-0x000000000111F000-memory.dmp    themida
  behavioral1/memory/1852-59-0x00000000009E0000-0x000000000111F000-memory.dmp    themida
  \Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe                 themida
  C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe               themida
  behavioral1/memory/1852-65-0x00000000009E0000-0x000000000111F000-memory.dmp    themida
  behavioral1/memory/912-67-0x0000000000CB0000-0x00000000013EF000-memory.dmp     themida
  behavioral1/memory/912-69-0x0000000000CB0000-0x00000000013EF000-memory.dmp     themida
  behavioral1/memory/912-70-0x0000000000CB0000-0x00000000013EF000-memory.dmp     themida
  behavioral1/memory/912-71-0x0000000000CB0000-0x00000000013EF000-memory.dmp     themida
  behavioral1/memory/912-72-0x0000000000CB0000-0x00000000013EF000-memory.dmp     themida
  behavioral1/memory/912-73-0x0000000000CB0000-0x00000000013EF000-memory.dmp     themida
  C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe               themida
  \Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe                 themida
-
Adds Run key to start application - 2 TTPs, 1 IoCs
Processes:
  description       ioc                                                                           process
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NCH Sync Service = "C:\\Users\\Admin\\AppData\\Roaming\\NCH Software\\DrawPad\\DpEditor.exe"   DpEditor.exe
-
Checks whether UAC is enabled - 2 IoCs
Processes:
  description         ioc                                                                       process
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   homyel.exe
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   DpEditor.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger - 2 IoCs
Processes:
  pid    process
  1852   homyel.exe
  912    DpEditor.exe
-
Enumerates physical storage devices - 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour, but no file-encryption or mass-file-modification signature appears anywhere else in this report, so treat that classification as unconfirmed drive enumeration.
-
Suspicious behavior: AddClipboardFormatListener - 1 IoCs
Processes:
  pid   process
  912   DpEditor.exe
-
Suspicious behavior: EnumeratesProcesses - 2 IoCs
Processes:
  pid    process
  1852   homyel.exe
  912    DpEditor.exe
-
Suspicious use of WriteProcessMemory - 4 IoCs
Processes:
  description                       pid    process      target process
  PID 1852 wrote to memory of 912   1852   homyel.exe   DpEditor.exe   (4 identical events)
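The signatures above are the sandbox's own flags. The following Python turns the ones that matter for detection into rules that run over a Sysmon-style registry/file/process event stream: the VirtualBox ACPI probe, the BIOS-version queries, a Run value pointing into a user-writable directory, a .lnk written to the Startup folder, execution of a file created earlier in the trace, and a cross-process write. It is an added example, not code from the report or the sandbox. The event records are constructed from this report's IoCs; the assumption that homyel.exe (pid 1852) is the process that wrote DpEditor.exe to disk is labelled in the code, since the report lists the file as dropped but does not name the writer. The correlation at the end (one process doing both the ACPI probe and the BIOS query) is stronger evidence of sandbox evasion than either signature alone.

```python
"""Detection logic for the behaviours this report flags, run over a
Sysmon-style event stream. Added example; not sandbox or sample code."""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Event:
    pid: int
    image: str
    kind: str         # RegOpen | RegQuery | RegSet | FileCreate | ProcCreate | ProcWrite
    target: str       # registry path, file path, child image (ProcCreate) or child pid (ProcWrite)
    detail: str = ""  # RegSet: value data written; ProcCreate: child pid


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    target: str


# Registry paths the sample touched (see Signatures), compared case-insensitively.
ACPI_VBOX = "\\HARDWARE\\ACPI\\DSDT\\VBOX__"
BIOS_VALUES = ("\\SYSTEM\\SYSTEMBIOSVERSION", "\\SYSTEM\\VIDEOBIOSVERSION")
RUN_KEY = "\\CURRENTVERSION\\RUN\\"
STARTUP_DIR = "\\START MENU\\PROGRAMS\\STARTUP\\"
# Locations a non-admin user can write to; a Run value pointing here is the
# persistence pattern in this report (%APPDATA%\NCH Software\DrawPad\DpEditor.exe).
USER_WRITABLE = ("\\APPDATA\\", "\\USERS\\PUBLIC\\", "\\PROGRAMDATA\\", "\\TEMP\\")


def _user_writable(path: str) -> bool:
    p = path.strip('"').upper()
    return any(marker in p for marker in USER_WRITABLE)


def detect(events: Iterable[Event]) -> list[Finding]:
    """Return one Finding per (rule, pid, target); order follows first occurrence."""
    findings: list[Finding] = []
    seen: set[Finding] = set()
    dropped: set[str] = set()   # upper-cased paths of files created during the trace

    def hit(rule: str, pid: int, target: str) -> None:
        f = Finding(rule, pid, target)
        if f not in seen:
            seen.add(f)
            findings.append(f)

    for ev in events:
        t = ev.target.upper()
        if ev.kind in ("RegOpen", "RegQuery") and t.endswith(ACPI_VBOX):
            hit("anti_vm_acpi_probe", ev.pid, ev.target)
        elif ev.kind == "RegQuery" and t.endswith(BIOS_VALUES):
            hit("bios_version_query", ev.pid, ev.target)
        elif ev.kind == "RegSet" and RUN_KEY in t and _user_writable(ev.detail):
            hit("run_key_user_writable", ev.pid, ev.target)
        elif ev.kind == "FileCreate":
            if STARTUP_DIR in t and t.endswith(".LNK"):
                hit("startup_lnk", ev.pid, ev.target)
            dropped.add(t)
        elif ev.kind == "ProcCreate" and t in dropped:
            hit("dropped_exe_executed", ev.pid, ev.target)   # "Executes dropped EXE"
        elif ev.kind == "ProcWrite":
            hit("cross_process_write", ev.pid, ev.target)    # WriteProcessMemory into another pid

    # Correlation: one process probing both the VirtualBox ACPI table and the
    # BIOS strings is the evasion cluster seen in homyel.exe.
    for pid, rules in rules_by_pid(findings).items():
        if {"anti_vm_acpi_probe", "bios_version_query"} <= rules:
            hit("sandbox_evasion_cluster", pid, "")
    return findings


def rules_by_pid(findings: Iterable[Finding]) -> dict[int, set[str]]:
    out: dict[int, set[str]] = {}
    for f in findings:
        out.setdefault(f.pid, set()).add(f.rule)
    return out


DROP = r"C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"
# Constructed from the report's IoCs. Assumption: homyel.exe (pid 1852) wrote
# DpEditor.exe; the report lists the file as dropped but does not name the
# writer. The setup.exe event is a benign control that must not fire.
SAMPLE_EVENTS = [
    Event(1852, "homyel.exe", "RegOpen", r"HKLM\HARDWARE\ACPI\DSDT\VBOX__"),
    Event(1852, "homyel.exe", "RegQuery", r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    Event(1852, "homyel.exe", "RegQuery", r"HKLM\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    Event(1852, "homyel.exe", "FileCreate", DROP),
    Event(1852, "homyel.exe", "ProcCreate", DROP, "912"),
    Event(1852, "homyel.exe", "ProcWrite", "912"),
    Event(912, "DpEditor.exe", "RegSet",
          r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NCH Sync Service", f'"{DROP}"'),
    Event(912, "DpEditor.exe", "FileCreate",
          r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ncsyncer.lnk"),
    Event(4000, "setup.exe", "RegSet",
          r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater", r"C:\Program Files\Vendor\upd.exe"),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.rule:26} pid={f.pid:<5} {f.target}")
```

On real telemetry the cross-process-write rule is noisy on its own (debuggers, AV, injectors all trigger it); its value here is that it ties the parent to a child that was executed from a file the parent itself dropped, which the other rules already flag.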
Processes
-
C:\Users\Admin\AppData\Local\Temp\homyel.exe (level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\homyel.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  -
  C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe (level 2, child of homyel.exe)
    command line: "C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Drops startup file
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
-
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
(listed four times on the page, twice with the drive letter and twice as \Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe; all four entries carry the same hashes)
Filesize: 2.8MB
MD5: 8d83e980468557de9b7e71f7d972541b
SHA1: 55a4226f5308ea659c68b61686af10398344de77
SHA256: ab406a77d2072ede4e117eaaaff8ed953a70f999044dc4beeac69a98853e8c9e
SHA512: ef2e404028c6e8239ad9f67b449c7546c96c6a918e9bcc3427574d809a3e4f9f7ea9e79b3a7584aa176b84e07934600c1b1cd1fbb25581788f3de15144cfe981
These hashes are identical to the submitted sample's (see General): the dropped DpEditor.exe is a byte-for-byte copy of homyel.exe written under %APPDATA%, and that path is the one the Run value "NCH Sync Service" names. Hunting for the sample's hash therefore also finds the persisted copy.
-
Memory dumps (behavioral1; file, size):
  memory/912-67-0x0000000000CB0000-0x00000000013EF000-memory.dmp    7.2MB
  memory/912-76-0x0000000000230000-0x0000000000240000-memory.dmp    64KB
  memory/912-73-0x0000000000CB0000-0x00000000013EF000-memory.dmp    7.2MB
  memory/912-72-0x0000000000CB0000-0x00000000013EF000-memory.dmp    7.2MB
  memory/912-71-0x0000000000CB0000-0x00000000013EF000-memory.dmp    7.2MB
  memory/912-62-0x0000000000000000-mapping.dmp                      (no size listed)
  memory/912-70-0x0000000000CB0000-0x00000000013EF000-memory.dmp    7.2MB
  memory/912-69-0x0000000000CB0000-0x00000000013EF000-memory.dmp    7.2MB
  memory/1852-59-0x00000000009E0000-0x000000000111F000-memory.dmp   7.2MB
  memory/1852-68-0x0000000077400000-0x0000000077580000-memory.dmp   1.5MB
  memory/1852-66-0x0000000002C40000-0x000000000337F000-memory.dmp   7.2MB
  memory/1852-65-0x00000000009E0000-0x000000000111F000-memory.dmp   7.2MB
  memory/1852-60-0x0000000077400000-0x0000000077580000-memory.dmp   1.5MB
  memory/1852-54-0x00000000753B1000-0x00000000753B3000-memory.dmp   8KB
  memory/1852-58-0x00000000009E0000-0x000000000111F000-memory.dmp   7.2MB
  memory/1852-57-0x00000000009E0000-0x000000000111F000-memory.dmp   7.2MB
  memory/1852-56-0x00000000009E0000-0x000000000111F000-memory.dmp   7.2MB
  memory/1852-55-0x00000000009E0000-0x000000000111F000-memory.dmp   7.2MB
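The dump names in the list above encode PID, sequence number and address range, and the same range is dumped repeatedly as the Themida stub unpacks. The following Python is an added example, not part of the report: it parses those names, collapses repeated dumps into one row per region, recomputes the sizes the report prints, and picks, per PID, the largest region the themida rule matched, which is the dump an analyst would hand to an unpacker first. The dump names and the set of rule matches are copied from this page; the "largest matched region" heuristic is this example's, not the sandbox's. It also surfaces the one 7.2MB region in pid 1852 (0x2C40000-0x337F000) that the rule did not match, which is worth a look separately.

```python
"""Parse the sandbox memory-dump names from the Downloads list, merge repeated
dumps of the same region and pick the dump to unpack. Added example; not sandbox code."""
import re

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-(?:0x(?P<end>[0-9A-Fa-f]+)-memory|mapping)\.dmp$"
)


def parse_dump(name: str) -> dict:
    """pid, sequence number and address range of one dump; 'mapping' dumps
    carry no end address and get size 0."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a sandbox dump name: {name}")
    start = int(m["start"], 16)
    end = int(m["end"], 16) if m["end"] else None
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "start": start,
            "end": end, "size": end - start if end is not None else 0}


def size_label(size: int) -> str:
    """Reproduce the report's labels: 7598080 -> '7.2MB', 65536 -> '64KB'."""
    return f"{size / 2**20:.1f}MB" if size >= 2**20 else f"{size // 1024}KB"


def region_table(names, yara_hits=frozenset()) -> list[dict]:
    """One row per (pid, start, end) with the number of dumps taken of that
    region and how many of them the packer rule matched."""
    rows: dict[tuple, dict] = {}
    for n in names:
        d = parse_dump(n)
        row = rows.setdefault((d["pid"], d["start"], d["end"]), {**d, "dumps": 0, "yara": 0})
        row["dumps"] += 1
        row["yara"] += int(n in yara_hits)
    return sorted(rows.values(), key=lambda r: (r["pid"], -r["size"], r["start"]))


def unpack_candidates(names, yara_hits) -> dict[int, tuple[int, int]]:
    """Per pid, the largest region the packer rule matched: the dump to try
    unpacking first. Heuristic of this example, not the sandbox's."""
    best: dict[int, dict] = {}
    for r in region_table(names, yara_hits):
        if r["yara"] and (r["pid"] not in best or r["size"] > best[r["pid"]]["size"]):
            best[r["pid"]] = r
    return {pid: (r["start"], r["end"]) for pid, r in best.items()}


# Copied from the Downloads list of this report (behavioral1).
REPORT_DUMPS = [
    "memory/912-67-0x0000000000CB0000-0x00000000013EF000-memory.dmp",
    "memory/912-76-0x0000000000230000-0x0000000000240000-memory.dmp",
    "memory/912-73-0x0000000000CB0000-0x00000000013EF000-memory.dmp",
    "memory/912-72-0x0000000000CB0000-0x00000000013EF000-memory.dmp",
    "memory/912-71-0x0000000000CB0000-0x00000000013EF000-memory.dmp",
    "memory/912-62-0x0000000000000000-mapping.dmp",
    "memory/912-70-0x0000000000CB0000-0x00000000013EF000-memory.dmp",
    "memory/912-69-0x0000000000CB0000-0x00000000013EF000-memory.dmp",
    "memory/1852-59-0x00000000009E0000-0x000000000111F000-memory.dmp",
    "memory/1852-68-0x0000000077400000-0x0000000077580000-memory.dmp",
    "memory/1852-66-0x0000000002C40000-0x000000000337F000-memory.dmp",
    "memory/1852-65-0x00000000009E0000-0x000000000111F000-memory.dmp",
    "memory/1852-60-0x0000000077400000-0x0000000077580000-memory.dmp",
    "memory/1852-54-0x00000000753B1000-0x00000000753B3000-memory.dmp",
    "memory/1852-58-0x00000000009E0000-0x000000000111F000-memory.dmp",
    "memory/1852-57-0x00000000009E0000-0x000000000111F000-memory.dmp",
    "memory/1852-56-0x00000000009E0000-0x000000000111F000-memory.dmp",
    "memory/1852-55-0x00000000009E0000-0x000000000111F000-memory.dmp",
]
# Dumps the 'themida' rule matched, from the Signatures section (the
# "behavioral1/" prefix dropped so the names line up with REPORT_DUMPS).
THEMIDA_HITS = frozenset(
    f"memory/{pid}-{seq}-{rng}-memory.dmp"
    for pid, seqs, rng in (
        (1852, (55, 56, 57, 58, 59, 65), "0x00000000009E0000-0x000000000111F000"),
        (912, (67, 69, 70, 71, 72, 73), "0x0000000000CB0000-0x00000000013EF000"),
    )
    for seq in seqs
)

if __name__ == "__main__":
    for r in region_table(REPORT_DUMPS, THEMIDA_HITS):
        end = f"0x{r['end']:X}" if r["end"] is not None else "mapping"
        print(f"pid {r['pid']:<5} 0x{r['start']:X}-{end:<10} {size_label(r['size']):>6} "
              f"dumps={r['dumps']} themida={r['yara']}")
    print("unpack candidates:", unpack_candidates(REPORT_DUMPS, THEMIDA_HITS))
```

The two 7.2MB regions in each process have the same length (0x73F000 bytes), so comparing the matched and unmatched one in pid 1852 is the quickest way to tell the packed image from whatever was written next to it; the example only flags the pair, it does not interpret it.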