Analysis
  max time kernel: 144s
  max time network: 129s
  platform: windows10-2004_x64
  resource: win10v2004-20230220-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 14-03-2023 08:06

Tasks
  Static task: static1
  Behavioral task: behavioral1
    Sample: 86a4cdd8a4ce24624f28de4d77283dbb.exe
    Resource: win7-20230220-en
General
  Target: 86a4cdd8a4ce24624f28de4d77283dbb.exe
  Size: 795KB
  MD5: 86a4cdd8a4ce24624f28de4d77283dbb
  SHA1: c363e391e8a6db6b69444de2a7f1ba22f7f78eba
  SHA256: bcb279b39192d656df357e8bb33bc52ebddc209d6ecdbff75ca65334af06905a
  SHA512: cd6d53a7e1564117ef8c9cc277bbb3ece668b211fbabef00192ccbbd916dfec9225fcf498248347b048957b123cfc0332e059aedf84d6f945411c8eed29f10db
  SSDEEP: 12288:RQMHUQ8/KyJa1XNrW1kQZTTU2pJrt0EeUOf9ngj6pGJ4iHfQG+HHIisH:KMHGyZJWDZTIMJWEeUe9nVi/b+HoBH
Malware Config
  Extracted family: cryptbot
  gate: http://ernlen22.top/gate.php
  payload_url: http://ovalim02.top/magpie.dat
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
  Processes: magpie.exe, DpEditor.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | magpie.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | DpEditor.exe

Checks BIOS information in registry (2 TTPs, 4 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: magpie.exe, DpEditor.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | magpie.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | magpie.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | DpEditor.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | DpEditor.exe
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: 86a4cdd8a4ce24624f28de4d77283dbb.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation | 86a4cdd8a4ce24624f28de4d77283dbb.exe

Executes dropped EXE (2 IoCs)
  Processes: magpie.exe, DpEditor.exe
  pid | process
  3772 | magpie.exe
  4444 | DpEditor.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

YARA rule matches
  resource | yara_rule
  C:\Users\Admin\AppData\Roaming\836CD7B6B5819B61\magpie.exe | themida
  C:\Users\Admin\AppData\Roaming\836CD7B6B5819B61\magpie.exe | themida
  behavioral2/memory/3772-239-0x00000000002A0000-0x0000000000984000-memory.dmp | themida
  behavioral2/memory/3772-240-0x00000000002A0000-0x0000000000984000-memory.dmp | themida
  behavioral2/memory/3772-241-0x00000000002A0000-0x0000000000984000-memory.dmp | themida
  behavioral2/memory/3772-242-0x00000000002A0000-0x0000000000984000-memory.dmp | themida
  behavioral2/memory/3772-243-0x00000000002A0000-0x0000000000984000-memory.dmp | themida
  C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe | themida
  behavioral2/memory/3772-246-0x00000000002A0000-0x0000000000984000-memory.dmp | themida
  C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe | themida
  behavioral2/memory/4444-249-0x0000000000F70000-0x0000000001654000-memory.dmp | themida
  behavioral2/memory/4444-250-0x0000000000F70000-0x0000000001654000-memory.dmp | themida
  behavioral2/memory/4444-251-0x0000000000F70000-0x0000000001654000-memory.dmp | themida
  behavioral2/memory/4444-252-0x0000000000F70000-0x0000000001654000-memory.dmp | themida
  behavioral2/memory/4444-253-0x0000000000F70000-0x0000000001654000-memory.dmp | themida
  behavioral2/memory/4444-254-0x0000000000F70000-0x0000000001654000-memory.dmp | themida
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Checks whether UAC is enabled (2 IoCs)
  Processes: magpie.exe, DpEditor.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | magpie.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | DpEditor.exe

Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes: 86a4cdd8a4ce24624f28de4d77283dbb.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | 86a4cdd8a4ce24624f28de4d77283dbb.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | 86a4cdd8a4ce24624f28de4d77283dbb.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes: magpie.exe, DpEditor.exe
  pid | process
  3772 | magpie.exe
  4444 | DpEditor.exe

Suspicious use of SetThreadContext (1 IoC)
  Processes: 86a4cdd8a4ce24624f28de4d77283dbb.exe
  description | pid | process | target process
  PID 2128 set thread context of 688 | 2128 | 86a4cdd8a4ce24624f28de4d77283dbb.exe | 86a4cdd8a4ce24624f28de4d77283dbb.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: 86a4cdd8a4ce24624f28de4d77283dbb.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | 86a4cdd8a4ce24624f28de4d77283dbb.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 86a4cdd8a4ce24624f28de4d77283dbb.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | 86a4cdd8a4ce24624f28de4d77283dbb.exe

Delays execution with timeout.exe (1 IoC)
  Processes: timeout.exe
  pid | process
  2920 | timeout.exe
Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes: DpEditor.exe
  pid | process
  4444 | DpEditor.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes: 86a4cdd8a4ce24624f28de4d77283dbb.exe, magpie.exe, DpEditor.exe
  pid | process
  688 | 86a4cdd8a4ce24624f28de4d77283dbb.exe
  688 | 86a4cdd8a4ce24624f28de4d77283dbb.exe
  3772 | magpie.exe
  3772 | magpie.exe
  4444 | DpEditor.exe
  4444 | DpEditor.exe

Suspicious use of WriteProcessMemory (26 IoCs)
  Processes: 86a4cdd8a4ce24624f28de4d77283dbb.exe, 86a4cdd8a4ce24624f28de4d77283dbb.exe, cmd.exe, cmd.exe, magpie.exe
  Identical rows are collapsed; the events column gives how many times each row was reported (26 in total).
  description | pid | process | target process | events
  PID 2128 wrote to memory of 688 | 2128 | 86a4cdd8a4ce24624f28de4d77283dbb.exe | 86a4cdd8a4ce24624f28de4d77283dbb.exe | 11
  PID 688 wrote to memory of 4880 | 688 | 86a4cdd8a4ce24624f28de4d77283dbb.exe | cmd.exe | 3
  PID 688 wrote to memory of 3340 | 688 | 86a4cdd8a4ce24624f28de4d77283dbb.exe | cmd.exe | 3
  PID 4880 wrote to memory of 3772 | 4880 | cmd.exe | magpie.exe | 3
  PID 3340 wrote to memory of 2920 | 3340 | cmd.exe | timeout.exe | 3
  PID 3772 wrote to memory of 4444 | 3772 | magpie.exe | DpEditor.exe | 3
Processes

[1] C:\Users\Admin\AppData\Local\Temp\86a4cdd8a4ce24624f28de4d77283dbb.exe (PID 2128)
    command line: "C:\Users\Admin\AppData\Local\Temp\86a4cdd8a4ce24624f28de4d77283dbb.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\86a4cdd8a4ce24624f28de4d77283dbb.exe (PID 688)
      command line: "C:\Users\Admin\AppData\Local\Temp\86a4cdd8a4ce24624f28de4d77283dbb.exe"
      - Checks computer location settings
      - Maps connected drives based on registry
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe (PID 4880)
        command line: "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\836CD7B6B5819B61\magpie.exe
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Roaming\836CD7B6B5819B61\magpie.exe (PID 3772)
          command line: C:\Users\Admin\AppData\Roaming\836CD7B6B5819B61\magpie.exe
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Checks whether UAC is enabled
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe (PID 4444)
            command line: "C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"
            - Identifies VirtualBox via ACPI registry values (likely anti-VM)
            - Checks BIOS information in registry
            - Executes dropped EXE
            - Checks whether UAC is enabled
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - Suspicious behavior: AddClipboardFormatListener
            - Suspicious behavior: EnumeratesProcesses
    [3] C:\Windows\SysWOW64\cmd.exe (PID 3340)
        command line: "C:\Windows\System32\cmd.exe" /c timeout -t 5 && del "C:\Users\Admin\AppData\Local\Temp\86a4cdd8a4ce24624f28de4d77283dbb.exe"
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\timeout.exe (PID 2920)
          command line: timeout -t 5
          - Delays execution with timeout.exe
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\C6E5.tmp
  Filesize: 32B
  MD5: 6c99c51d3621703961bde7b5fd85ec77
  SHA1: 475ed624240c8a2dc0efc8fdacddf835ac30dc57
  SHA256: abddf52ee2be0061ff49a15e681ee212fa054043cba80aa8a7064b71020f13ef
  SHA512: e29df0d87187a86dd5c54ff84d925af85d9355d67ff8b8bdd7ba72305c1fd1e34551aafafa4295566a9ad1715c736ceedbe9f066e0d400fd33f82f537d4bcec4

C:\Users\Admin\AppData\Local\Temp\C9C7.tmp
  Filesize: 71KB
  MD5: 386c014d0948d4fc41afa98cfca9022e
  SHA1: 786cc52d9b962f55f92202c7d50c3707eb62607b
  SHA256: 448b329f3a10bbe3e8f86cd91509c2783b63d28a375231eb23724f5e141420f2
  SHA512: 13d46209c6b052977d6242763b54ac5e35b389e765c82ba773b520ebf5eacabdfdc22b642cb9760e39ad59dd82fa40a31a8d41fd6dd7ea9c9ad08c57b7d8150f

C:\Users\Admin\AppData\Local\Temp\D387.tmp
  Filesize: 2KB
  MD5: 77e31b1123e94ce5720ceb729a425798
  SHA1: 2b65c95f27d8dca23864a3ed4f78490039ae27bf
  SHA256: 68cafb091d3642a1ad2440bdb51834086945ded836ea25c8f75de7e5fc568d85
  SHA512: 9c660381b859040e20745a1cf42646af3bd3780e2795a5ff3cedc61db9877b608d1fc431a1bd3ba3f25dd3643898b1c0f2abfc067c6634e4ce65de2d4c0c724a

C:\Users\Admin\AppData\Roaming\836CD7B6B5819B61\magpie.exe (reported twice with identical values)
  Filesize: 2.6MB
  MD5: 7b151d5d1cc93ce12a0739aee4747551
  SHA1: e0f938edcae3de4059e9022d254f3dd04ad47991
  SHA256: f1de8d1de91170b9f7e715575c51c5846370233c33c50831b909c5cc8207a0ad
  SHA512: 3481b855ba1d6f96058d187730edd2816cd64a6670b27699355e89f2cf1ccde67c0656979e15a9891b46369a46ae7483ff645e5cc2820888f5b696976a9cd944

C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe (reported twice with identical values; same hashes as magpie.exe above)
  Filesize: 2.6MB
  MD5: 7b151d5d1cc93ce12a0739aee4747551
  SHA1: e0f938edcae3de4059e9022d254f3dd04ad47991
  SHA256: f1de8d1de91170b9f7e715575c51c5846370233c33c50831b909c5cc8207a0ad
  SHA512: 3481b855ba1d6f96058d187730edd2816cd64a6670b27699355e89f2cf1ccde67c0656979e15a9891b46369a46ae7483ff645e5cc2820888f5b696976a9cd944

Memory dumps
  dump | Filesize
  memory/688-133-0x0000000000400000-0x00000000004CC000-memory.dmp | 816KB
  memory/688-134-0x0000000000400000-0x00000000004CC000-memory.dmp | 816KB
  memory/688-135-0x0000000000400000-0x00000000004CC000-memory.dmp | 816KB
  memory/688-136-0x0000000000400000-0x00000000004CC000-memory.dmp | 816KB
  memory/688-236-0x0000000000400000-0x00000000004CC000-memory.dmp | 816KB
  memory/3772-241-0x00000000002A0000-0x0000000000984000-memory.dmp | 6.9MB
  memory/3772-242-0x00000000002A0000-0x0000000000984000-memory.dmp | 6.9MB
  memory/3772-243-0x00000000002A0000-0x0000000000984000-memory.dmp | 6.9MB
  memory/3772-240-0x00000000002A0000-0x0000000000984000-memory.dmp | 6.9MB
  memory/3772-246-0x00000000002A0000-0x0000000000984000-memory.dmp | 6.9MB
  memory/3772-239-0x00000000002A0000-0x0000000000984000-memory.dmp | 6.9MB
  memory/4444-249-0x0000000000F70000-0x0000000001654000-memory.dmp | 6.9MB
  memory/4444-250-0x0000000000F70000-0x0000000001654000-memory.dmp | 6.9MB
  memory/4444-251-0x0000000000F70000-0x0000000001654000-memory.dmp | 6.9MB
  memory/4444-252-0x0000000000F70000-0x0000000001654000-memory.dmp | 6.9MB
  memory/4444-253-0x0000000000F70000-0x0000000001654000-memory.dmp | 6.9MB
  memory/4444-254-0x0000000000F70000-0x0000000001654000-memory.dmp | 6.9MB