Analysis
-
max time kernel: 48s
max time network: 78s
platform: windows10-2004_x64
resource: win10v2004-20220722-en
resource tags: arch:x64 arch:x86 image:win10v2004-20220722-en locale:en-us os:windows10-2004-x64 system
submitted: 26-07-2022 21:25
Static task: static1
Behavioral task: behavioral1
Sample: FAC40C4A1764D50E1AE905029830E056.exe
Resource: win7-20220718-en
General
-
Target: FAC40C4A1764D50E1AE905029830E056.exe
Size: 2.8MB
MD5: fac40c4a1764d50e1ae905029830e056
SHA1: 6ea7a9e9e5fac4e480b4f03b8f37e55f1e6ba1cd
SHA256: 4770daf7e7f55d16eee05512eb2c75df6f5df6e3a0f97858580a9d6ddfe012ad
SHA512: d4474dcb9de810f92c9d775efb7e6ffb7e4ec37757e6a6b9b0276ee04c311799cdb021f1b404440943f4ae4785d5a5d6def0d830017519939bcc458810a1149d
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
Processes: owling.exe, DpEditor.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | owling.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | DpEditor.exe
-
Executes dropped EXE 2 IoCs
Processes: owling.exe, DpEditor.exe
pid | process
4112 | owling.exe
4768 | DpEditor.exe
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: owling.exe, DpEditor.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | owling.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | owling.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | DpEditor.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | DpEditor.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: FAC40C4A1764D50E1AE905029830E056.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation | FAC40C4A1764D50E1AE905029830E056.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer (YARA rule: themida) 17 IoCs
The rule matches both dropped files on disk and their in-memory images, so the on-disk binaries are protected with Themida and the unpacked code is only available from the dumped memory regions below.
resource | yara_rule
C:\Users\Admin\AppData\Roaming\58D2165709DF7362\owling.exe | themida
C:\Users\Admin\AppData\Roaming\58D2165709DF7362\owling.exe | themida
behavioral2/memory/4112-141-0x0000000000500000-0x0000000000BFA000-memory.dmp | themida
behavioral2/memory/4112-142-0x0000000000500000-0x0000000000BFA000-memory.dmp | themida
behavioral2/memory/4112-143-0x0000000000500000-0x0000000000BFA000-memory.dmp | themida
behavioral2/memory/4112-144-0x0000000000500000-0x0000000000BFA000-memory.dmp | themida
behavioral2/memory/4112-146-0x0000000000500000-0x0000000000BFA000-memory.dmp | themida
behavioral2/memory/4112-150-0x0000000000500000-0x0000000000BFA000-memory.dmp | themida
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe | themida
behavioral2/memory/4112-155-0x0000000000500000-0x0000000000BFA000-memory.dmp | themida
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe | themida
behavioral2/memory/4768-156-0x0000000000960000-0x000000000105A000-memory.dmp | themida
behavioral2/memory/4768-158-0x0000000000960000-0x000000000105A000-memory.dmp | themida
behavioral2/memory/4768-159-0x0000000000960000-0x000000000105A000-memory.dmp | themida
behavioral2/memory/4768-160-0x0000000000960000-0x000000000105A000-memory.dmp | themida
behavioral2/memory/4768-161-0x0000000000960000-0x000000000105A000-memory.dmp | themida
behavioral2/memory/4768-163-0x0000000000960000-0x000000000105A000-memory.dmp | themida
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 2 IoCs
Queries the EnableLUA policy value; a value of 0 means UAC is off and an elevation attempt will not prompt the user.
Processes: owling.exe, DpEditor.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | owling.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | DpEditor.exe
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes: FAC40C4A1764D50E1AE905029830E056.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | FAC40C4A1764D50E1AE905029830E056.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\ProductId | FAC40C4A1764D50E1AE905029830E056.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes: owling.exe, DpEditor.exe
pid | process
4112 | owling.exe
4768 | DpEditor.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: FAC40C4A1764D50E1AE905029830E056.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | FAC40C4A1764D50E1AE905029830E056.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | FAC40C4A1764D50E1AE905029830E056.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | FAC40C4A1764D50E1AE905029830E056.exe
-
Delays execution with timeout.exe 1 IoCs
Processes: timeout.exe
pid | process
3776 | timeout.exe
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes: DpEditor.exe
pid | process
4768 | DpEditor.exe
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes: FAC40C4A1764D50E1AE905029830E056.exe, owling.exe, DpEditor.exe
pid | process
3012 | FAC40C4A1764D50E1AE905029830E056.exe
3012 | FAC40C4A1764D50E1AE905029830E056.exe
4112 | owling.exe
4112 | owling.exe
4768 | DpEditor.exe
4768 | DpEditor.exe
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes: FAC40C4A1764D50E1AE905029830E056.exe, cmd.exe, cmd.exe, owling.exe
description | pid | process | target process
PID 3012 wrote to memory of 3636 | 3012 | FAC40C4A1764D50E1AE905029830E056.exe | cmd.exe (reported 3 times)
PID 3636 wrote to memory of 4112 | 3636 | cmd.exe | owling.exe (reported 3 times)
PID 3012 wrote to memory of 4796 | 3012 | FAC40C4A1764D50E1AE905029830E056.exe | cmd.exe (reported 3 times)
PID 4796 wrote to memory of 3776 | 4796 | cmd.exe | timeout.exe (reported 3 times)
PID 4112 wrote to memory of 4768 | 4112 | owling.exe | DpEditor.exe (reported 3 times)
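The registry IoCs in the tables above are the raw material for a detection: no single key read is suspicious (installers read SystemBiosVersion too), but one process touching several distinct hardware/VM probe locations is what earns the "likely anti-VM" verdict. The following is an added example written for this page, not part of the Triage report or of the sample: it takes registry-access events constructed from the IoC tables above (plus one constructed benign control line), classifies each key path into a category, and flags processes that hit two or more evasion categories. The category names and the ATT&CK technique IDs are my own mapping (current technique IDs, whereas the report's matrix is labelled ATT&CK v6).

```python
"""Classify registry accesses from a sandbox run into anti-analysis categories.

Added example for this report, not Triage output and not the sample's code.
EVENTS is constructed from the IoC tables above plus one benign control line;
the category names and the ATT&CK mapping are my own.
"""
import re
from collections import defaultdict

SAMPLE = "FAC40C4A1764D50E1AE905029830E056.exe"

# Constructed from the report: (process, operation, registry path).
EVENTS = [
    ("owling.exe",   "Key opened",        r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"),
    ("DpEditor.exe", "Key opened",        r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"),
    ("owling.exe",   "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    ("owling.exe",   "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    ("DpEditor.exe", "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    ("DpEditor.exe", "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    (SAMPLE, "Key value queried", r"\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation"),
    ("owling.exe",   "Key value queried", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"),
    ("DpEditor.exe", "Key value queried", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"),
    (SAMPLE, "Key opened",        r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum"),
    (SAMPLE, "Key value queried", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\ProductId"),
    (SAMPLE, "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz"),
    (SAMPLE, "Key opened",        r"\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0"),
    (SAMPLE, "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"),
    # Constructed benign control: an ordinary per-user setting that must not match.
    ("notepad.exe",  "Key value queried", r"\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Notepad\lfFaceName"),
]

# category: (ATT&CK technique, case-insensitive pattern over the key path).
# The ACPI rule only carries the VirtualBox OEM ID seen in this report; other
# hypervisors expose their own table OEM IDs under the same keys.
RULES = {
    "vm_acpi": ("T1497.001", re.compile(r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I)),
    "bios":    ("T1497.001", re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I)),
    "cpu":     ("T1082",     re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\\d+(\\|$)", re.I)),
    "disk":    ("T1082",     re.compile(r"\\Services\\Disk\\Enum(\\|$)", re.I)),
    "geo":     ("T1614",     re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)),
    "uac":     ("T1012",     re.compile(r"\\Policies\\System\\EnableLUA$", re.I)),
}

# Categories that describe the machine rather than the user: the sandbox-evasion set.
EVASION = {"vm_acpi", "bios", "cpu", "disk"}


def classify(events):
    """Return {process: {category: technique}} for every event that hits a rule."""
    hits = defaultdict(dict)
    for proc, _op, path in events:
        for cat, (technique, rx) in RULES.items():
            if rx.search(path):
                hits[proc][cat] = technique
    return dict(hits)


def flag_evasive(hits, threshold=2):
    """Processes that probe at least `threshold` distinct evasion categories.

    One BIOS read is normal; several distinct hardware probes from one process
    is the pattern behind the report's anti-VM verdict.
    """
    flagged = {}
    for proc, cats in hits.items():
        evasion = sorted(set(cats) & EVASION)
        if len(evasion) >= threshold:
            flagged[proc] = evasion
    return flagged


if __name__ == "__main__":
    hits = classify(EVENTS)
    for proc, cats in sorted(hits.items()):
        print(proc, {c: t for c, t in sorted(cats.items())})
    print("flagged:", flag_evasive(hits))
```

Feeding it the report's events flags all three executables: the dropper for CPU and disk probes, and both Themida-packed copies for the ACPI and BIOS probes; the control line for notepad.exe produces no hit. The same classifier works on Sysmon event ID 12/13 TargetObject fields, which use the same \REGISTRY\MACHINE-style paths.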
Processes
-
C:\Users\Admin\AppData\Local\Temp\FAC40C4A1764D50E1AE905029830E056.exe (PID 3012)
  command line: "C:\Users\Admin\AppData\Local\Temp\FAC40C4A1764D50E1AE905029830E056.exe"
  - Checks computer location settings
  - Maps connected drives based on registry
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (PID 3636)
    command line: "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\58D2165709DF7362\owling.exe
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\58D2165709DF7362\owling.exe (PID 4112)
      command line: C:\Users\Admin\AppData\Roaming\58D2165709DF7362\owling.exe
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe (PID 4768)
        command line: "C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Executes dropped EXE
        - Checks BIOS information in registry
        - Checks whether UAC is enabled
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious behavior: EnumeratesProcesses
  C:\Windows\SysWOW64\cmd.exe (PID 4796)
    command line: "C:\Windows\System32\cmd.exe" /c timeout -t 3 && del "C:\Users\Admin\AppData\Local\Temp\FAC40C4A1764D50E1AE905029830E056.exe"
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\timeout.exe (PID 3776)
      command line: timeout -t 3
      - Delays execution with timeout.exe
Two details of the tree are worth reading off directly. The command lines name C:\Windows\System32\cmd.exe but the image that ran is C:\Windows\SysWOW64\cmd.exe: the sample is 32-bit (resource tag arch:x86), so WoW64 file-system redirection resolved the path to the 32-bit copy. The second cmd.exe is the usual self-deletion pattern: a three-second wait gives the dropper time to exit and release its file, then del removes it from %TEMP% while the payload keeps running from %APPDATA%.
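The tree above shows three patterns a hunting query should pick up: a binary launched through cmd.exe /c from a user-writable directory, a cmd.exe that deletes the image of its own parent after a timeout, and a System32 command line that actually ran from SysWOW64. The following is an added example written for this page, not part of the Triage report or of the sample: it encodes the tree as (pid, ppid, image, command line) tuples constructed from the listing above and emits one finding per pattern. The finding names are my own.

```python
"""Walk the process tree above and flag its launch and clean-up patterns.

Added example for this report, not Triage output and not the sample's code.
PROCS is constructed from the process tree: (pid, ppid, image path, command line).
"""
import ntpath
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\FAC40C4A1764D50E1AE905029830E056.exe"
OWLING = r"C:\Users\Admin\AppData\Roaming\58D2165709DF7362\owling.exe"
DPEDITOR = r"C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"

PROCS = [
    (3012, 0,    SAMPLE,   '"' + SAMPLE + '"'),
    (3636, 3012, r"C:\Windows\SysWOW64\cmd.exe", '"C:\\Windows\\System32\\cmd.exe" /c ' + OWLING),
    (4112, 3636, OWLING,   OWLING),
    (4768, 4112, DPEDITOR, '"' + DPEDITOR + '"'),
    (4796, 3012, r"C:\Windows\SysWOW64\cmd.exe",
                 '"C:\\Windows\\System32\\cmd.exe" /c timeout -t 3 && del "' + SAMPLE + '"'),
    (3776, 4796, r"C:\Windows\SysWOW64\timeout.exe", "timeout -t 3"),
]

# Directories any standard user can write to and execute from.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(Roaming|Local\\Temp)\\", re.I)
# `del [/flags] "<path>"` as the last command on the line, quotes optional.
DEL_TARGET = re.compile(r'\bdel\s+(?:/\w+\s+)*"?([^"]+?)"?\s*$', re.I)


def ancestors(procs, pid):
    """Process tuples for pid, its parent, its grandparent, ... while known."""
    by_pid = {p[0]: p for p in procs}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid])
        pid = by_pid[pid][1]
    return chain


def analyse(procs):
    """Return (pid, finding, detail) tuples."""
    by_pid = {p[0]: p for p in procs}
    findings = []
    for pid, ppid, image, cmdline in procs:
        # Self-deletion: the command deletes the image of one of its ancestors.
        m = DEL_TARGET.search(cmdline)
        if m:
            target = ntpath.normcase(m.group(1).strip())
            for anc in ancestors(procs, ppid):
                if ntpath.normcase(anc[2]) == target:
                    findings.append((pid, "self_delete", anc[0]))
        # Execution from a user-writable directory; detail says whether cmd.exe launched it.
        if USER_WRITABLE.search(image):
            parent = by_pid.get(ppid)
            via_cmd = parent is not None and ntpath.basename(parent[2]).lower() == "cmd.exe"
            findings.append((pid, "exec_from_user_dir", via_cmd))
        # WoW64 redirection: command line says System32, image ran from SysWOW64,
        # so the creating process was 32-bit.
        if "\\syswow64\\" in image.lower() and "\\system32\\" in cmdline.lower():
            findings.append((pid, "wow64_redirect", ppid))
    return findings


if __name__ == "__main__":
    for finding in analyse(PROCS):
        print(finding)
```

The self-deletion check deliberately compares the del target against ancestors, not against the deleting cmd.exe itself, which is why it resolves to PID 3012: the dropper spawns the cleanup command rather than deleting its own running image, since Windows will not unlink a mapped executable.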
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\58D2165709DF7362\owling.exe
Filesize: 2.7MB
MD5: 50fd2e384930313efd3a065e42640ab2
SHA1: 089c33598c43d3fd9df9d1801eb4606d8868b67b
SHA256: f2fbd49a912441ea5c845e6349f219465e4bf3da856f9ea4a4ec075e11553535
SHA512: 399ce88c01dde9ec7d17093e2a3a69ff6bc3de55bbb4e285f1c37d55670d329381db27e08f4d2e30a6e33bb7e9f360c4cde9f729e041a1fc727d0e5b204fb94a
-
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
Filesize: 2.7MB
MD5: 50fd2e384930313efd3a065e42640ab2
SHA1: 089c33598c43d3fd9df9d1801eb4606d8868b67b
SHA256: f2fbd49a912441ea5c845e6349f219465e4bf3da856f9ea4a4ec075e11553535
SHA512: 399ce88c01dde9ec7d17093e2a3a69ff6bc3de55bbb4e285f1c37d55670d329381db27e08f4d2e30a6e33bb7e9f360c4cde9f729e041a1fc727d0e5b204fb94a
Both dropped files carry the same hashes: DpEditor.exe is a byte-for-byte copy of owling.exe written under a folder named after NCH Software's DrawPad product, so the second copy gains a plausible vendor path without any change in content. The Network section of this report is empty and the 2.7MB payload accounts for nearly all of the 2.8MB dropper, which is consistent with the payload being carried inside the sample rather than fetched.
-
dump | size
memory/3012-148-0x0000000001160000-0x0000000001225000-memory.dmp | 788KB
memory/3012-136-0x0000000001160000-0x0000000001225000-memory.dmp | 788KB
memory/3012-135-0x0000000001160000-0x0000000001225000-memory.dmp | 788KB
memory/3636-137-0x0000000000000000-mapping.dmp | (mapping only)
memory/3776-149-0x0000000000000000-mapping.dmp | (mapping only)
memory/4112-142-0x0000000000500000-0x0000000000BFA000-memory.dmp | 7.0MB
memory/4112-138-0x0000000000000000-mapping.dmp | (mapping only)
memory/4112-146-0x0000000000500000-0x0000000000BFA000-memory.dmp | 7.0MB
memory/4112-157-0x0000000077B80000-0x0000000077D23000-memory.dmp | 1.6MB
memory/4112-144-0x0000000000500000-0x0000000000BFA000-memory.dmp | 7.0MB
memory/4112-143-0x0000000000500000-0x0000000000BFA000-memory.dmp | 7.0MB
memory/4112-150-0x0000000000500000-0x0000000000BFA000-memory.dmp | 7.0MB
memory/4112-151-0x0000000077B80000-0x0000000077D23000-memory.dmp | 1.6MB
memory/4112-145-0x0000000077B80000-0x0000000077D23000-memory.dmp | 1.6MB
memory/4112-141-0x0000000000500000-0x0000000000BFA000-memory.dmp | 7.0MB
memory/4112-155-0x0000000000500000-0x0000000000BFA000-memory.dmp | 7.0MB
memory/4768-152-0x0000000000000000-mapping.dmp | (mapping only)
memory/4768-156-0x0000000000960000-0x000000000105A000-memory.dmp | 7.0MB
memory/4768-158-0x0000000000960000-0x000000000105A000-memory.dmp | 7.0MB
memory/4768-159-0x0000000000960000-0x000000000105A000-memory.dmp | 7.0MB
memory/4768-160-0x0000000000960000-0x000000000105A000-memory.dmp | 7.0MB
memory/4768-161-0x0000000000960000-0x000000000105A000-memory.dmp | 7.0MB
memory/4768-162-0x0000000077B80000-0x0000000077D23000-memory.dmp | 1.6MB
memory/4768-163-0x0000000000960000-0x000000000105A000-memory.dmp | 7.0MB
memory/4768-164-0x0000000077B80000-0x0000000077D23000-memory.dmp | 1.6MB
memory/4796-147-0x0000000000000000-mapping.dmp | (mapping only)
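The dump names encode the PID and the virtual address range, so the sizes can be recomputed and cross-checked against the labels, and the ranges compared across processes. The following is an added example written for this page, not part of the Triage report or of the sample: it parses dump entries and dropped-file records constructed from the two lists above, recomputes each region's size, groups the dropped files by SHA-256, and relates the largest dumped region to the on-disk file size. The size formatting mirrors the report's rounding and is an assumption; the 0x77B80000 region being a system DLL mapping is an inference from its address, not something the report states.

```python
"""Cross-check the dropped-file list and the memory dumps above.

Added example for this report, not Triage output and not the sample's code.
DROPPED and DUMPS are constructed from the two lists above.
"""
import re
from collections import defaultdict

# (path, size label, SHA-256) from the Downloads list.
DROPPED = [
    (r"C:\Users\Admin\AppData\Roaming\58D2165709DF7362\owling.exe", "2.7MB",
     "f2fbd49a912441ea5c845e6349f219465e4bf3da856f9ea4a4ec075e11553535"),
    (r"C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe", "2.7MB",
     "f2fbd49a912441ea5c845e6349f219465e4bf3da856f9ea4a4ec075e11553535"),
]

# (dump name, size label) from the memory list, one entry per distinct region.
DUMPS = [
    ("memory/3012-148-0x0000000001160000-0x0000000001225000-memory.dmp", "788KB"),
    ("memory/3636-137-0x0000000000000000-mapping.dmp", None),
    ("memory/4112-142-0x0000000000500000-0x0000000000BFA000-memory.dmp", "7.0MB"),
    ("memory/4112-157-0x0000000077B80000-0x0000000077D23000-memory.dmp", "1.6MB"),
    ("memory/4768-156-0x0000000000960000-0x000000000105A000-memory.dmp", "7.0MB"),
    ("memory/4768-162-0x0000000077B80000-0x0000000077D23000-memory.dmp", "1.6MB"),
]

DUMP_RX = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def human(n):
    """Format bytes the way the report does (assumed): whole KB below 1 MiB, else one-decimal MB."""
    if n < 1024 * 1024:
        return f"{n // 1024}KB"
    return f"{n / (1024 * 1024):.1f}MB"


def parse_dumps(entries):
    """{pid: [(start, end, size)]} for region dumps; '-mapping.dmp' entries carry no range."""
    regions = defaultdict(list)
    for name, _label in entries:
        m = DUMP_RX.match(name)
        if not m:
            continue
        pid, _seq, start, end = m.groups()
        start, end = int(start, 16), int(end, 16)
        regions[int(pid)].append((start, end, end - start))
    return dict(regions)


def check_labels(entries):
    """Recompute each region's size from its address range and compare with its label."""
    out = {}
    for name, label in entries:
        m = DUMP_RX.match(name)
        if m:
            size = int(m.group(4), 16) - int(m.group(3), 16)
            out[name] = (size, human(size) == label)
    return out


def dedupe_dropped(dropped):
    """Group dropped paths by SHA-256: one hash at several paths is one payload under several names."""
    by_hash = defaultdict(list)
    for path, _size, sha in dropped:
        by_hash[sha].append(path)
    return dict(by_hash)


def region_to_file_ratio(regions, file_bytes):
    """Largest dumped region per PID relative to an on-disk file size.
    A protector like Themida maps an image well beyond the file size, and that
    oversized region is the one to dump for unpacking."""
    return {pid: max(r[2] for r in rs) / file_bytes for pid, rs in regions.items()}


def shared_regions(regions, a, b):
    """Region sizes present in both PIDs; a matching image-sized region ties two processes
    to the same binary (system DLL mappings match in every 32-bit process anyway)."""
    return sorted({r[2] for r in regions[a]} & {r[2] for r in regions[b]})


if __name__ == "__main__":
    regions = parse_dumps(DUMPS)
    print(check_labels(DUMPS))
    print(dedupe_dropped(DROPPED))
    print(region_to_file_ratio(regions, int(2.7 * 1024 * 1024)))
    print(shared_regions(regions, 4112, 4768))
```

Every label recomputes exactly, the two dropped paths collapse to one hash, and both owling.exe (4112) and DpEditor.exe (4768) carry a 0x6FA000-byte region about 2.6 times the 2.7MB file: the Themida-protected image as mapped in memory, which is where the unpacked code sits. The dropper (3012), by contrast, has only a 788KB region, far smaller than its 2.8MB file, as expected when most of the file is payload data that is never mapped as code.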