Resubmissions
06-12-2022 13:52
221206-q6sdqsdc23 1021-09-2022 08:18
220921-j7eqpsbdep 921-09-2022 07:05
220921-hwvr4sffe3 921-09-2022 05:39
220921-gca3xsahbn 9Analysis
-
max time kernel
508s -
max time network
511s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
21-09-2022 07:05
Static task
static1
General
-
Target
859c659aee8b897aeebf4b87364cc6d1.exe
-
Size
2.4MB
-
MD5
859c659aee8b897aeebf4b87364cc6d1
-
SHA1
c362e37f2a75447fe19eab90a6eba3dd3fa402e7
-
SHA256
b2fdf16f56a53ec57134d20655a23d5919c022a97cf7da4087bd6bf9f3704bb6
-
SHA512
b5a1ddf62be64eb5b58e674032884095e5a4ec190f4a8944e71efdc7f1faf57cfd5a9af7cd3d3040c1c3912ea4afafbfbea5cbe8532d5326f5c8d48f304a7ee6
-
SSDEEP
49152:d7BbOYaReQpAxY+TuQ/tymHRuKjQdT8K:nbOYakQpA++TuQ/tymHRumS
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ DpEditor.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ lutzen.exe -
Executes dropped EXE 2 IoCs
pid Process 3268 lutzen.exe 4396 DpEditor.exe -
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion DpEditor.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion lutzen.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion lutzen.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion DpEditor.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation 859c659aee8b897aeebf4b87364cc6d1.exe -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ncsyncer.lnk DpEditor.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral1/files/0x0008000000022e37-138.dat themida behavioral1/files/0x0008000000022e37-139.dat themida behavioral1/memory/3268-140-0x0000000000210000-0x00000000008F8000-memory.dmp themida behavioral1/memory/3268-141-0x0000000000210000-0x00000000008F8000-memory.dmp themida behavioral1/memory/3268-142-0x0000000000210000-0x00000000008F8000-memory.dmp themida behavioral1/memory/3268-143-0x0000000000210000-0x00000000008F8000-memory.dmp themida behavioral1/memory/3268-144-0x0000000000210000-0x00000000008F8000-memory.dmp themida behavioral1/files/0x0007000000022e53-147.dat themida behavioral1/files/0x0007000000022e53-148.dat themida behavioral1/memory/3268-149-0x0000000000210000-0x00000000008F8000-memory.dmp themida behavioral1/memory/4396-151-0x0000000000790000-0x0000000000E78000-memory.dmp themida behavioral1/memory/4396-152-0x0000000000790000-0x0000000000E78000-memory.dmp themida behavioral1/memory/4396-153-0x0000000000790000-0x0000000000E78000-memory.dmp themida behavioral1/memory/4396-155-0x0000000000790000-0x0000000000E78000-memory.dmp themida behavioral1/memory/4396-154-0x0000000000790000-0x0000000000E78000-memory.dmp themida behavioral1/memory/4396-157-0x0000000000790000-0x0000000000E78000-memory.dmp themida -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NCH Sync Service = "C:\\Users\\Admin\\AppData\\Roaming\\NCH Software\\DrawPad\\DpEditor.exe" DpEditor.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA lutzen.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA DpEditor.exe -
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum 859c659aee8b897aeebf4b87364cc6d1.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\ProductId 859c659aee8b897aeebf4b87364cc6d1.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 3268 lutzen.exe 4396 DpEditor.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 859c659aee8b897aeebf4b87364cc6d1.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 859c659aee8b897aeebf4b87364cc6d1.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz 859c659aee8b897aeebf4b87364cc6d1.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 2272 timeout.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 4396 DpEditor.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 2840 859c659aee8b897aeebf4b87364cc6d1.exe 2840 859c659aee8b897aeebf4b87364cc6d1.exe 3268 lutzen.exe 3268 lutzen.exe 4396 DpEditor.exe 4396 DpEditor.exe -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 2840 wrote to memory of 4604 2840 859c659aee8b897aeebf4b87364cc6d1.exe 84 PID 2840 wrote to memory of 4604 2840 859c659aee8b897aeebf4b87364cc6d1.exe 84 PID 2840 wrote to memory of 4604 2840 859c659aee8b897aeebf4b87364cc6d1.exe 84 PID 2840 wrote to memory of 4820 2840 859c659aee8b897aeebf4b87364cc6d1.exe 86 PID 2840 wrote to memory of 4820 2840 859c659aee8b897aeebf4b87364cc6d1.exe 86 PID 2840 wrote to memory of 4820 2840 859c659aee8b897aeebf4b87364cc6d1.exe 86 PID 4820 wrote to memory of 2272 4820 cmd.exe 88 PID 4820 wrote to memory of 2272 4820 cmd.exe 88 PID 4820 wrote to memory of 2272 4820 cmd.exe 88 PID 4604 wrote to memory of 3268 4604 cmd.exe 89 PID 4604 wrote to memory of 3268 4604 cmd.exe 89 PID 4604 wrote to memory of 3268 4604 cmd.exe 89 PID 3268 wrote to memory of 4396 3268 lutzen.exe 92 PID 3268 wrote to memory of 4396 3268 lutzen.exe 92 PID 3268 wrote to memory of 4396 3268 lutzen.exe 92
Processes
-
C:\Users\Admin\AppData\Local\Temp\859c659aee8b897aeebf4b87364cc6d1.exe"C:\Users\Admin\AppData\Local\Temp\859c659aee8b897aeebf4b87364cc6d1.exe"1⤵
- Checks computer location settings
- Maps connected drives based on registry
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\A3A745C56BDAE80F\lutzen.exe2⤵
- Suspicious use of WriteProcessMemory
PID:4604 -
C:\Users\Admin\AppData\Roaming\A3A745C56BDAE80F\lutzen.exeC:\Users\Admin\AppData\Roaming\A3A745C56BDAE80F\lutzen.exe3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3268 -
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Drops startup file
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
PID:4396
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout -t 5 && del "C:\Users\Admin\AppData\Local\Temp\859c659aee8b897aeebf4b87364cc6d1.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:4820 -
C:\Windows\SysWOW64\timeout.exetimeout -t 53⤵
- Delays execution with timeout.exe
PID:2272
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.6MB
MD51c6a420c26ae08ca1f1d7e6a1ae1e462
SHA1d3cbac0f481d7c6c1fb2274d533c9ce1756fe579
SHA25643f6ee2aa859ad45bdc8afa4c2ea1f31f1925bee9a9eb5c716eec9ffb5c88cb3
SHA5124b59323e8edd82a6ccd3ad6bf22f202f11679c7f5bcf0c24daae9e80b409d826730c794db4a1478a6e8ae91d8ad6c238f11f8ece6daee17c80d292fc53afe328
-
Filesize
2.6MB
MD51c6a420c26ae08ca1f1d7e6a1ae1e462
SHA1d3cbac0f481d7c6c1fb2274d533c9ce1756fe579
SHA25643f6ee2aa859ad45bdc8afa4c2ea1f31f1925bee9a9eb5c716eec9ffb5c88cb3
SHA5124b59323e8edd82a6ccd3ad6bf22f202f11679c7f5bcf0c24daae9e80b409d826730c794db4a1478a6e8ae91d8ad6c238f11f8ece6daee17c80d292fc53afe328
-
Filesize
2.6MB
MD51c6a420c26ae08ca1f1d7e6a1ae1e462
SHA1d3cbac0f481d7c6c1fb2274d533c9ce1756fe579
SHA25643f6ee2aa859ad45bdc8afa4c2ea1f31f1925bee9a9eb5c716eec9ffb5c88cb3
SHA5124b59323e8edd82a6ccd3ad6bf22f202f11679c7f5bcf0c24daae9e80b409d826730c794db4a1478a6e8ae91d8ad6c238f11f8ece6daee17c80d292fc53afe328
-
Filesize
2.6MB
MD51c6a420c26ae08ca1f1d7e6a1ae1e462
SHA1d3cbac0f481d7c6c1fb2274d533c9ce1756fe579
SHA25643f6ee2aa859ad45bdc8afa4c2ea1f31f1925bee9a9eb5c716eec9ffb5c88cb3
SHA5124b59323e8edd82a6ccd3ad6bf22f202f11679c7f5bcf0c24daae9e80b409d826730c794db4a1478a6e8ae91d8ad6c238f11f8ece6daee17c80d292fc53afe328