Analysis
max time kernel: 42s
max time network: 45s
platform: windows7_x64
resource: win7-20220718-en
resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
submitted: 26-07-2022 21:25
Static task: static1
Behavioral task: behavioral1
Sample: FAC40C4A1764D50E1AE905029830E056.exe
Resource: win7-20220718-en
General
Target: FAC40C4A1764D50E1AE905029830E056.exe
Size: 2.8MB
MD5: fac40c4a1764d50e1ae905029830e056
SHA1: 6ea7a9e9e5fac4e480b4f03b8f37e55f1e6ba1cd
SHA256: 4770daf7e7f55d16eee05512eb2c75df6f5df6e3a0f97858580a9d6ddfe012ad
SHA512: d4474dcb9de810f92c9d775efb7e6ffb7e4ec37757e6a6b9b0276ee04c311799cdb021f1b404440943f4ae4785d5a5d6def0d830017519939bcc458810a1149d
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
Processes: DpEditor.exe, owling.exe
  description  ioc  process
  Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  DpEditor.exe
  Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  owling.exe
-
Executes dropped EXE 2 IoCs
Processes: owling.exe, DpEditor.exe
  pid  process
  916  owling.exe
  856  DpEditor.exe
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: owling.exe, DpEditor.exe
  description  ioc  process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  owling.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  owling.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  DpEditor.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  DpEditor.exe
-
Deletes itself 1 IoCs
Processes: cmd.exe
  pid  process
  1188  cmd.exe
-
Loads dropped DLL 2 IoCs
Processes: cmd.exe, owling.exe
  pid  process
  1448  cmd.exe
  916  owling.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
YARA matches:
  resource  yara_rule
  \Users\Admin\AppData\Roaming\C97D573846210C2E\owling.exe  themida
  C:\Users\Admin\AppData\Roaming\C97D573846210C2E\owling.exe  themida
  C:\Users\Admin\AppData\Roaming\C97D573846210C2E\owling.exe  themida
  behavioral1/memory/916-62-0x0000000000ED0000-0x00000000015CA000-memory.dmp  themida
  behavioral1/memory/916-63-0x0000000000ED0000-0x00000000015CA000-memory.dmp  themida
  behavioral1/memory/916-64-0x0000000000ED0000-0x00000000015CA000-memory.dmp  themida
  behavioral1/memory/916-65-0x0000000000ED0000-0x00000000015CA000-memory.dmp  themida
  behavioral1/memory/916-67-0x0000000000ED0000-0x00000000015CA000-memory.dmp  themida
  \Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe  themida
  C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe  themida
  behavioral1/memory/916-77-0x0000000000ED0000-0x00000000015CA000-memory.dmp  themida
  behavioral1/memory/856-79-0x0000000000100000-0x00000000007FA000-memory.dmp  themida
  behavioral1/memory/856-80-0x0000000000100000-0x00000000007FA000-memory.dmp  themida
  behavioral1/memory/856-82-0x0000000000100000-0x00000000007FA000-memory.dmp  themida
  behavioral1/memory/856-81-0x0000000000100000-0x00000000007FA000-memory.dmp  themida
  behavioral1/memory/856-83-0x0000000000100000-0x00000000007FA000-memory.dmp  themida
  behavioral1/memory/856-85-0x0000000000100000-0x00000000007FA000-memory.dmp  themida
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
Processes: owling.exe, DpEditor.exe
  description  ioc  process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  owling.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  DpEditor.exe
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes: FAC40C4A1764D50E1AE905029830E056.exe
  description  ioc  process
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum  FAC40C4A1764D50E1AE905029830E056.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\ProductId  FAC40C4A1764D50E1AE905029830E056.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes: owling.exe, DpEditor.exe
  pid  process
  916  owling.exe
  856  DpEditor.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: FAC40C4A1764D50E1AE905029830E056.exe
  description  ioc  process
  Key opened  \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0  FAC40C4A1764D50E1AE905029830E056.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  FAC40C4A1764D50E1AE905029830E056.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  FAC40C4A1764D50E1AE905029830E056.exe
-
Delays execution with timeout.exe 1 IoCs
Processes: timeout.exe
  pid  process
  880  timeout.exe
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes: DpEditor.exe
  pid  process
  856  DpEditor.exe
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes: FAC40C4A1764D50E1AE905029830E056.exe, owling.exe, DpEditor.exe
  pid  process
  828  FAC40C4A1764D50E1AE905029830E056.exe
  916  owling.exe
  856  DpEditor.exe
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes: FAC40C4A1764D50E1AE905029830E056.exe, cmd.exe, cmd.exe, owling.exe
  description  pid  process  target process
  PID 828 wrote to memory of 1448  828  FAC40C4A1764D50E1AE905029830E056.exe  cmd.exe
  PID 828 wrote to memory of 1448  828  FAC40C4A1764D50E1AE905029830E056.exe  cmd.exe
  PID 828 wrote to memory of 1448  828  FAC40C4A1764D50E1AE905029830E056.exe  cmd.exe
  PID 828 wrote to memory of 1448  828  FAC40C4A1764D50E1AE905029830E056.exe  cmd.exe
  PID 1448 wrote to memory of 916  1448  cmd.exe  owling.exe
  PID 1448 wrote to memory of 916  1448  cmd.exe  owling.exe
  PID 1448 wrote to memory of 916  1448  cmd.exe  owling.exe
  PID 1448 wrote to memory of 916  1448  cmd.exe  owling.exe
  PID 828 wrote to memory of 1188  828  FAC40C4A1764D50E1AE905029830E056.exe  cmd.exe
  PID 828 wrote to memory of 1188  828  FAC40C4A1764D50E1AE905029830E056.exe  cmd.exe
  PID 828 wrote to memory of 1188  828  FAC40C4A1764D50E1AE905029830E056.exe  cmd.exe
  PID 828 wrote to memory of 1188  828  FAC40C4A1764D50E1AE905029830E056.exe  cmd.exe
  PID 1188 wrote to memory of 880  1188  cmd.exe  timeout.exe
  PID 1188 wrote to memory of 880  1188  cmd.exe  timeout.exe
  PID 1188 wrote to memory of 880  1188  cmd.exe  timeout.exe
  PID 1188 wrote to memory of 880  1188  cmd.exe  timeout.exe
  PID 916 wrote to memory of 856  916  owling.exe  DpEditor.exe
  PID 916 wrote to memory of 856  916  owling.exe  DpEditor.exe
  PID 916 wrote to memory of 856  916  owling.exe  DpEditor.exe
  PID 916 wrote to memory of 856  916  owling.exe  DpEditor.exe
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\FAC40C4A1764D50E1AE905029830E056.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\FAC40C4A1764D50E1AE905029830E056.exe"
  - Maps connected drives based on registry
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  (depth 2) C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\C97D573846210C2E\owling.exe
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    (depth 3) C:\Users\Admin\AppData\Roaming\C97D573846210C2E\owling.exe
      Command line: C:\Users\Admin\AppData\Roaming\C97D573846210C2E\owling.exe
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Loads dropped DLL
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      (depth 4) C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
        Command line: "C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Executes dropped EXE
        - Checks BIOS information in registry
        - Checks whether UAC is enabled
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious behavior: EnumeratesProcesses
  (depth 2) C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c timeout -t 3 && del "C:\Users\Admin\AppData\Local\Temp\FAC40C4A1764D50E1AE905029830E056.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    (depth 3) C:\Windows\SysWOW64\timeout.exe
      Command line: timeout -t 3
      - Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\C97D573846210C2E\owling.exe
  Filesize: 2.7MB
  MD5: 50fd2e384930313efd3a065e42640ab2
  SHA1: 089c33598c43d3fd9df9d1801eb4606d8868b67b
  SHA256: f2fbd49a912441ea5c845e6349f219465e4bf3da856f9ea4a4ec075e11553535
  SHA512: 399ce88c01dde9ec7d17093e2a3a69ff6bc3de55bbb4e285f1c37d55670d329381db27e08f4d2e30a6e33bb7e9f360c4cde9f729e041a1fc727d0e5b204fb94a
-
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
  Filesize: 2.7MB
  MD5: 50fd2e384930313efd3a065e42640ab2
  SHA1: 089c33598c43d3fd9df9d1801eb4606d8868b67b
  SHA256: f2fbd49a912441ea5c845e6349f219465e4bf3da856f9ea4a4ec075e11553535
  SHA512: 399ce88c01dde9ec7d17093e2a3a69ff6bc3de55bbb4e285f1c37d55670d329381db27e08f4d2e30a6e33bb7e9f360c4cde9f729e041a1fc727d0e5b204fb94a
-
\Users\Admin\AppData\Roaming\C97D573846210C2E\owling.exe
  Filesize: 2.7MB
  MD5: 50fd2e384930313efd3a065e42640ab2
  SHA1: 089c33598c43d3fd9df9d1801eb4606d8868b67b
  SHA256: f2fbd49a912441ea5c845e6349f219465e4bf3da856f9ea4a4ec075e11553535
  SHA512: 399ce88c01dde9ec7d17093e2a3a69ff6bc3de55bbb4e285f1c37d55670d329381db27e08f4d2e30a6e33bb7e9f360c4cde9f729e041a1fc727d0e5b204fb94a
-
\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
  Filesize: 2.7MB
  MD5: 50fd2e384930313efd3a065e42640ab2
  SHA1: 089c33598c43d3fd9df9d1801eb4606d8868b67b
  SHA256: f2fbd49a912441ea5c845e6349f219465e4bf3da856f9ea4a4ec075e11553535
  SHA512: 399ce88c01dde9ec7d17093e2a3a69ff6bc3de55bbb4e285f1c37d55670d329381db27e08f4d2e30a6e33bb7e9f360c4cde9f729e041a1fc727d0e5b204fb94a