Analysis
max time kernel: 148s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-03-2023 18:39
Behavioral task: behavioral1
Sample: Notepad++.exe
Resource: win7-20230220-en
General
Target: Notepad++.exe
Size: 9.5MB
MD5: 53e4fa88bd8c51ba2d913380e3de6a2c
SHA1: 9b4b91444e9ead8c667e87c36f08a7d2ebf3309b
SHA256: e8ae1f376e40875ff96c2b322faecee3b7f013b36662d9e45eed733f870994d0
SHA512: b48fab3b7aba5aa22b4d0d536cb7919d6a515c4450d2416ee029ad1fcda6933eb72a5658d9e1e1638bb377e84e1a397e922fbfe34e18522b1d3855208fbea97c
SSDEEP: 196608:o1wjFLQPnIGNOfhw3tMGo6ysjLf0qCgFMh9uF9CeQ0mHEDzg/aymNd7t7:ljFUmW3tMTXGz7A5vHEDzMaB
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | Notepad++.exe
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions | Notepad++.exe
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools | Notepad++.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Notepad++.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Notepad++.exe
YARA rule matches:
resource | yara_rule
behavioral2/memory/3064-141-0x0000000000400000-0x0000000001A96000-memory.dmp | themida
behavioral2/memory/3064-142-0x0000000000400000-0x0000000001A96000-memory.dmp | themida
Checks whether UAC is enabled
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Notepad++.exe
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | Notepad++.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | Notepad++.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
pid | process
3064 | Notepad++.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
pid | process
3064 | Notepad++.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 3064 | Notepad++.exe
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid | process
3064 | Notepad++.exe
3064 | Notepad++.exe
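As an added example (not part of the sandbox output): a small Python parser that turns the report's flattened registry IOC rows into hive-qualified key and value names, labels each probe with what it is looking for, and emits reg.exe queries that reproduce the same checks on a Windows host. The IOC rows below are re-typed from the signatures above as constructed input; the indicator labels, HIVE_MAP, and the helper names are this example's own, not sandbox vocabulary.

```python
import re
from collections import Counter
from typing import NamedTuple, Optional

# Constructed sample input: the registry IOC rows from the report above,
# re-typed one per line as "<description> <native path> <process>".
REPORT_IOC_LINES = r"""
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Notepad++.exe
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions Notepad++.exe
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools Notepad++.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Notepad++.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Notepad++.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Notepad++.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum Notepad++.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 Notepad++.exe
"""

# Native object-manager hive names (as the kernel logs them) -> the
# abbreviations reg.exe and winreg expect. Assumed mapping for this example.
HIVE_MAP = {
    r"\REGISTRY\MACHINE": "HKLM",
    r"\REGISTRY\USER": "HKU",
}

# Substrings (matched case-insensitively) that identify what a probe of the
# key is for. Labels are this example's wording derived from the report's
# signature names.
INDICATORS = [
    (r"HARDWARE\ACPI\DSDT\VBOX__", "anti-VM: VirtualBox ACPI table name"),
    (r"Oracle\VirtualBox Guest Additions", "anti-VM: VirtualBox Guest Additions"),
    (r"VMware, Inc.\VMware Tools", "anti-VM: VMware Tools"),
    (r"HARDWARE\DESCRIPTION\System\SystemBiosVersion", "anti-sandbox: BIOS vendor string"),
    (r"HARDWARE\DESCRIPTION\System\VideoBiosVersion", "anti-sandbox: video BIOS string"),
    (r"Services\Disk\Enum", "anti-sandbox: physical disk enumeration"),
    (r"Policies\System\EnableLUA", "environment: UAC enabled?"),
]

# The path may contain spaces (e.g. "VMware, Inc."), so it is matched lazily
# and the process name is taken as the final whitespace-free token.
ROW_RE = re.compile(r"^(Key opened|Key value queried)\s+(\\REGISTRY\\.+?)\s+(\S+)$")


class RegistryIoc(NamedTuple):
    action: str            # "Key opened" or "Key value queried"
    hive: str              # HKLM / HKU
    key: str               # subkey path without the hive
    value: Optional[str]   # value name for a value query, else None
    process: str
    label: str             # indicator label or "unclassified"


def classify(path: str) -> str:
    folded = path.casefold()
    for needle, label in INDICATORS:
        if needle.casefold() in folded:
            return label
    return "unclassified"


def parse_row(line: str) -> Optional[RegistryIoc]:
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    action, native, process = m.groups()
    hive, rest = None, native
    for prefix, abbrev in HIVE_MAP.items():
        if native.casefold().startswith(prefix.casefold() + "\\"):
            hive, rest = abbrev, native[len(prefix) + 1:]
            break
    if hive is None:
        return None
    if action == "Key value queried":
        key, _, value = rest.rpartition("\\")   # last component is the value name
    else:
        key, value = rest, None
    return RegistryIoc(action, hive, key, value, process, classify(rest))


def parse_report(text: str) -> list:
    rows = [parse_row(line) for line in text.splitlines() if line.strip()]
    return [r for r in rows if r is not None]


def summarize(iocs) -> Counter:
    """Count probes per category (the part of the label before the colon)."""
    return Counter(r.label.split(":")[0] for r in iocs)


def reg_query_commands(iocs) -> list:
    """Emit reg.exe queries that reproduce each probe on a Windows host."""
    cmds = []
    for r in iocs:
        target = f'"{r.hive}\\{r.key}"'
        cmds.append(f"reg query {target}" if r.value is None
                    else f'reg query {target} /v "{r.value}"')
    return cmds


if __name__ == "__main__":
    iocs = parse_report(REPORT_IOC_LINES)
    for r in iocs:
        suffix = f"  [{r.value}]" if r.value else ""
        print(f"{r.label:45} {r.action:18} {r.hive}\\{r.key}{suffix}")
    print(dict(summarize(iocs)))
    print("\n".join(reg_query_commands(iocs)))
```

Every row here is a read (key opened, value queried). Sysmon's registry events (12, 13, 14) record key creation and deletion, value writes and renames, not reads, so these paths are hunting terms for sandbox, Process Monitor or EDR telemetry that captures registry reads, not for a Sysmon rule. Together with the Themida YARA match on the main image, probes for VirtualBox, VMware and BIOS strings are reason to verify the file's hashes against the Notepad++ project's published release rather than trust the filename.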
Processes
-
C:\Users\Admin\AppData\Local\Temp\Notepad++.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Notepad++.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
resource | filesize
memory/3064-133-0x0000000000400000-0x0000000001A96000-memory.dmp | 22.6MB
memory/3064-141-0x0000000000400000-0x0000000001A96000-memory.dmp | 22.6MB
memory/3064-142-0x0000000000400000-0x0000000001A96000-memory.dmp | 22.6MB
memory/3064-143-0x0000000006580000-0x0000000006B24000-memory.dmp | 5.6MB
memory/3064-144-0x0000000006270000-0x0000000006302000-memory.dmp | 584KB
memory/3064-145-0x0000000006310000-0x0000000006376000-memory.dmp | 408KB
memory/3064-146-0x0000000006570000-0x0000000006580000-memory.dmp | 64KB
memory/3064-147-0x0000000007100000-0x0000000007112000-memory.dmp | 72KB
memory/3064-148-0x00000000073F0000-0x00000000073FA000-memory.dmp | 40KB
memory/3064-158-0x0000000006570000-0x0000000006580000-memory.dmp | 64KB
memory/3064-159-0x0000000006570000-0x0000000006580000-memory.dmp | 64KB
memory/3064-167-0x00000000080D0000-0x000000000810C000-memory.dmp | 240KB
memory/3064-168-0x0000000000400000-0x0000000001A96000-memory.dmp | 22.6MB
memory/3064-169-0x0000000006570000-0x0000000006580000-memory.dmp | 64KB
memory/3064-170-0x0000000006570000-0x0000000006580000-memory.dmp | 64KB
memory/3064-171-0x0000000006570000-0x0000000006580000-memory.dmp | 64KB
memory/3064-172-0x0000000006570000-0x0000000006580000-memory.dmp | 64KB