Analysis
-
max time kernel
144s -
max time network
30s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
29-03-2023 17:23
Static task
static1
Behavioral task
behavioral1
Sample
90189f8dffe3cbfbb1dc181647b2219b.exe
Resource
win7-20230220-en
General
-
Target
90189f8dffe3cbfbb1dc181647b2219b.exe
-
Size
2.3MB
-
MD5
90189f8dffe3cbfbb1dc181647b2219b
-
SHA1
118060f3ce88ccf0b7d9d1777b5e93948d4b15fd
-
SHA256
9daf88d6bf23e8a364ae873b6fd8e6f51cdb8d5ee57ba502a564e71f1bc00c10
-
SHA512
c0f469355304226bf0d3ecb84f877d10da0d35695011d3d1cd7bb3a7d2330ee92f6cdd9eea5d1c75c29a140f45f7a67f3b779db645c71b1272eb9c046d85f96a
-
SSDEEP
24576:SdyOaWSMdZo5NYyyVo6cc0WwZ/ct3mW2ny/v/LtGZsYjot0hq+BMGzHOMJWv+pA+:SdyO++HiqAMe/i/09y/6j
Malware Config
Extracted
cryptbot
http://ivyhur32.top/gate.php
-
payload_url
http://womheq04.top/favism.dat
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
Processes:
favism.exeDpEditor.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ favism.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ DpEditor.exe -
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
favism.exeDpEditor.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion favism.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion favism.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion DpEditor.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion DpEditor.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 2036 cmd.exe -
Executes dropped EXE 2 IoCs
Processes:
favism.exeDpEditor.exepid process 1496 favism.exe 1668 DpEditor.exe -
Loads dropped DLL 2 IoCs
Processes:
cmd.exefavism.exepid process 1624 cmd.exe 1496 favism.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource yara_rule \Users\Admin\AppData\Roaming\C3B5D66740B0A4B3\favism.exe themida C:\Users\Admin\AppData\Roaming\C3B5D66740B0A4B3\favism.exe themida C:\Users\Admin\AppData\Roaming\C3B5D66740B0A4B3\favism.exe themida behavioral1/memory/1496-147-0x0000000000DB0000-0x00000000014FA000-memory.dmp themida behavioral1/memory/1496-148-0x0000000000DB0000-0x00000000014FA000-memory.dmp themida behavioral1/memory/1496-151-0x0000000000DB0000-0x00000000014FA000-memory.dmp themida behavioral1/memory/1496-152-0x0000000000DB0000-0x00000000014FA000-memory.dmp themida behavioral1/memory/1496-154-0x0000000000DB0000-0x00000000014FA000-memory.dmp themida \Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe themida C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe themida behavioral1/memory/1496-159-0x0000000000DB0000-0x00000000014FA000-memory.dmp themida behavioral1/memory/1668-161-0x0000000001150000-0x000000000189A000-memory.dmp themida behavioral1/memory/1668-162-0x0000000001150000-0x000000000189A000-memory.dmp themida behavioral1/memory/1668-163-0x0000000001150000-0x000000000189A000-memory.dmp themida behavioral1/memory/1668-164-0x0000000001150000-0x000000000189A000-memory.dmp themida behavioral1/memory/1668-165-0x0000000001150000-0x000000000189A000-memory.dmp themida behavioral1/memory/1668-166-0x0000000001150000-0x000000000189A000-memory.dmp themida behavioral1/memory/1668-167-0x0000000001150000-0x000000000189A000-memory.dmp themida -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
favism.exeDpEditor.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA favism.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA DpEditor.exe -
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
90189f8dffe3cbfbb1dc181647b2219b.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum 90189f8dffe3cbfbb1dc181647b2219b.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 90189f8dffe3cbfbb1dc181647b2219b.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
favism.exeDpEditor.exepid process 1496 favism.exe 1668 DpEditor.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
90189f8dffe3cbfbb1dc181647b2219b.exedescription pid process target process PID 1520 set thread context of 2000 1520 90189f8dffe3cbfbb1dc181647b2219b.exe 90189f8dffe3cbfbb1dc181647b2219b.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
90189f8dffe3cbfbb1dc181647b2219b.exedescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 90189f8dffe3cbfbb1dc181647b2219b.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 90189f8dffe3cbfbb1dc181647b2219b.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz 90189f8dffe3cbfbb1dc181647b2219b.exe -
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 1528 timeout.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
DpEditor.exepid process 1668 DpEditor.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
90189f8dffe3cbfbb1dc181647b2219b.exefavism.exeDpEditor.exepid process 2000 90189f8dffe3cbfbb1dc181647b2219b.exe 1496 favism.exe 1668 DpEditor.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
90189f8dffe3cbfbb1dc181647b2219b.exedescription pid process Token: SeDebugPrivilege 1520 90189f8dffe3cbfbb1dc181647b2219b.exe -
Suspicious use of WriteProcessMemory 32 IoCs
Processes:
90189f8dffe3cbfbb1dc181647b2219b.exe90189f8dffe3cbfbb1dc181647b2219b.execmd.execmd.exefavism.exedescription pid process target process PID 1520 wrote to memory of 2000 1520 90189f8dffe3cbfbb1dc181647b2219b.exe 90189f8dffe3cbfbb1dc181647b2219b.exe PID 1520 wrote to memory of 2000 1520 90189f8dffe3cbfbb1dc181647b2219b.exe 90189f8dffe3cbfbb1dc181647b2219b.exe PID 1520 wrote to memory of 2000 1520 90189f8dffe3cbfbb1dc181647b2219b.exe 90189f8dffe3cbfbb1dc181647b2219b.exe PID 1520 wrote to memory of 2000 1520 90189f8dffe3cbfbb1dc181647b2219b.exe 90189f8dffe3cbfbb1dc181647b2219b.exe PID 1520 wrote to memory of 2000 1520 90189f8dffe3cbfbb1dc181647b2219b.exe 90189f8dffe3cbfbb1dc181647b2219b.exe PID 1520 wrote to memory of 2000 1520 90189f8dffe3cbfbb1dc181647b2219b.exe 90189f8dffe3cbfbb1dc181647b2219b.exe PID 1520 wrote to memory of 2000 1520 90189f8dffe3cbfbb1dc181647b2219b.exe 90189f8dffe3cbfbb1dc181647b2219b.exe PID 1520 wrote to memory of 2000 1520 90189f8dffe3cbfbb1dc181647b2219b.exe 90189f8dffe3cbfbb1dc181647b2219b.exe PID 1520 wrote to memory of 2000 1520 90189f8dffe3cbfbb1dc181647b2219b.exe 90189f8dffe3cbfbb1dc181647b2219b.exe PID 1520 wrote to memory of 2000 1520 90189f8dffe3cbfbb1dc181647b2219b.exe 90189f8dffe3cbfbb1dc181647b2219b.exe PID 1520 wrote to memory of 2000 1520 90189f8dffe3cbfbb1dc181647b2219b.exe 90189f8dffe3cbfbb1dc181647b2219b.exe PID 1520 wrote to memory of 2000 1520 90189f8dffe3cbfbb1dc181647b2219b.exe 90189f8dffe3cbfbb1dc181647b2219b.exe PID 2000 wrote to memory of 1624 2000 90189f8dffe3cbfbb1dc181647b2219b.exe cmd.exe PID 2000 wrote to memory of 1624 2000 90189f8dffe3cbfbb1dc181647b2219b.exe cmd.exe PID 2000 wrote to memory of 1624 2000 90189f8dffe3cbfbb1dc181647b2219b.exe cmd.exe PID 2000 wrote to memory of 1624 2000 90189f8dffe3cbfbb1dc181647b2219b.exe cmd.exe PID 1624 wrote to memory of 1496 1624 cmd.exe favism.exe PID 1624 wrote to memory of 1496 1624 cmd.exe favism.exe PID 1624 wrote to memory of 1496 1624 cmd.exe favism.exe PID 1624 wrote to memory of 1496 1624 cmd.exe favism.exe PID 2000 wrote to memory of 2036 2000 90189f8dffe3cbfbb1dc181647b2219b.exe cmd.exe PID 2000 wrote to memory of 2036 2000 90189f8dffe3cbfbb1dc181647b2219b.exe cmd.exe PID 2000 wrote to memory of 2036 2000 90189f8dffe3cbfbb1dc181647b2219b.exe cmd.exe PID 2000 wrote to memory of 2036 2000 90189f8dffe3cbfbb1dc181647b2219b.exe cmd.exe PID 2036 wrote to memory of 1528 2036 cmd.exe timeout.exe PID 2036 wrote to memory of 1528 2036 cmd.exe timeout.exe PID 2036 wrote to memory of 1528 2036 cmd.exe timeout.exe PID 2036 wrote to memory of 1528 2036 cmd.exe timeout.exe PID 1496 wrote to memory of 1668 1496 favism.exe DpEditor.exe PID 1496 wrote to memory of 1668 1496 favism.exe DpEditor.exe PID 1496 wrote to memory of 1668 1496 favism.exe DpEditor.exe PID 1496 wrote to memory of 1668 1496 favism.exe DpEditor.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\90189f8dffe3cbfbb1dc181647b2219b.exe"C:\Users\Admin\AppData\Local\Temp\90189f8dffe3cbfbb1dc181647b2219b.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\90189f8dffe3cbfbb1dc181647b2219b.exeC:\Users\Admin\AppData\Local\Temp\90189f8dffe3cbfbb1dc181647b2219b.exe2⤵
- Maps connected drives based on registry
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\C3B5D66740B0A4B3\favism.exe3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\C3B5D66740B0A4B3\favism.exeC:\Users\Admin\AppData\Roaming\C3B5D66740B0A4B3\favism.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout -t 5 && del "C:\Users\Admin\AppData\Local\Temp\90189f8dffe3cbfbb1dc181647b2219b.exe"3⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout -t 54⤵
- Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\242B.tmpFilesize
32B
MD53b33d980229e76222b961d17fd5aa43d
SHA143a761a68478e66db8f1dbce4b7a56ff2ce4fd20
SHA256bd6e8000665e82408208cdf1fcc74a925c13c5a6492c252ca0153ce19f4141d3
SHA5128e4e22744ed0e62a86d2df15df709b1498beea7359b64ac086679ef0fbceacd94ab9fca452b1234bbef17a87f5c6200104e84b934b8ed4bad3b1d26c68b5729d
-
C:\Users\Admin\AppData\Local\Temp\24CB.tmpFilesize
71KB
MD56a3c2fe239e67cd5804a699b9aa54b07
SHA1018091f0c903173dec18cd10e0e00889f0717d67
SHA256160b3bbb5a6845c2bc01355921c466e8b3ecc05de44888e5a4b27962898d7168
SHA512aaf0f6171b6e4f6b143369a074357bac219e7efa56b6bee77988baa9264d76231b0c3df6922d2b2c95a1acf9901b81bcc76f783284fc5be02a789199d4dcbe37
-
C:\Users\Admin\AppData\Roaming\C3B5D66740B0A4B3\favism.exeFilesize
2.8MB
MD5c80174066854ead10f62934ae4329c1b
SHA158b216cc2ed0dacf6b7c6b76b2203697d1151dc7
SHA256961c6e5c5634b4d7d09472fa06f6868377398019f7742e45398ae6b7a79c74ab
SHA512100b707d4946a752339658000e6bd1c3d98e2f25f006711329cb972304edabc5eeed6df86ef47073748882d1882e204e4a93c9e5d0dfffebb228bbc5ec6b57f7
-
C:\Users\Admin\AppData\Roaming\C3B5D66740B0A4B3\favism.exeFilesize
2.8MB
MD5c80174066854ead10f62934ae4329c1b
SHA158b216cc2ed0dacf6b7c6b76b2203697d1151dc7
SHA256961c6e5c5634b4d7d09472fa06f6868377398019f7742e45398ae6b7a79c74ab
SHA512100b707d4946a752339658000e6bd1c3d98e2f25f006711329cb972304edabc5eeed6df86ef47073748882d1882e204e4a93c9e5d0dfffebb228bbc5ec6b57f7
-
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exeFilesize
2.8MB
MD5c80174066854ead10f62934ae4329c1b
SHA158b216cc2ed0dacf6b7c6b76b2203697d1151dc7
SHA256961c6e5c5634b4d7d09472fa06f6868377398019f7742e45398ae6b7a79c74ab
SHA512100b707d4946a752339658000e6bd1c3d98e2f25f006711329cb972304edabc5eeed6df86ef47073748882d1882e204e4a93c9e5d0dfffebb228bbc5ec6b57f7
-
\Users\Admin\AppData\Roaming\C3B5D66740B0A4B3\favism.exeFilesize
2.8MB
MD5c80174066854ead10f62934ae4329c1b
SHA158b216cc2ed0dacf6b7c6b76b2203697d1151dc7
SHA256961c6e5c5634b4d7d09472fa06f6868377398019f7742e45398ae6b7a79c74ab
SHA512100b707d4946a752339658000e6bd1c3d98e2f25f006711329cb972304edabc5eeed6df86ef47073748882d1882e204e4a93c9e5d0dfffebb228bbc5ec6b57f7
-
\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exeFilesize
2.8MB
MD5c80174066854ead10f62934ae4329c1b
SHA158b216cc2ed0dacf6b7c6b76b2203697d1151dc7
SHA256961c6e5c5634b4d7d09472fa06f6868377398019f7742e45398ae6b7a79c74ab
SHA512100b707d4946a752339658000e6bd1c3d98e2f25f006711329cb972304edabc5eeed6df86ef47073748882d1882e204e4a93c9e5d0dfffebb228bbc5ec6b57f7
-
memory/1496-147-0x0000000000DB0000-0x00000000014FA000-memory.dmpFilesize
7.3MB
-
memory/1496-159-0x0000000000DB0000-0x00000000014FA000-memory.dmpFilesize
7.3MB
-
memory/1496-154-0x0000000000DB0000-0x00000000014FA000-memory.dmpFilesize
7.3MB
-
memory/1496-152-0x0000000000DB0000-0x00000000014FA000-memory.dmpFilesize
7.3MB
-
memory/1496-151-0x0000000000DB0000-0x00000000014FA000-memory.dmpFilesize
7.3MB
-
memory/1496-148-0x0000000000DB0000-0x00000000014FA000-memory.dmpFilesize
7.3MB
-
memory/1520-55-0x0000000000950000-0x0000000000990000-memory.dmpFilesize
256KB
-
memory/1520-54-0x0000000000D80000-0x0000000000FDC000-memory.dmpFilesize
2.4MB
-
memory/1520-57-0x0000000004EB0000-0x0000000004F42000-memory.dmpFilesize
584KB
-
memory/1520-56-0x00000000054D0000-0x0000000005686000-memory.dmpFilesize
1.7MB
-
memory/1624-149-0x0000000002120000-0x000000000286A000-memory.dmpFilesize
7.3MB
-
memory/1668-167-0x0000000001150000-0x000000000189A000-memory.dmpFilesize
7.3MB
-
memory/1668-166-0x0000000001150000-0x000000000189A000-memory.dmpFilesize
7.3MB
-
memory/1668-165-0x0000000001150000-0x000000000189A000-memory.dmpFilesize
7.3MB
-
memory/1668-164-0x0000000001150000-0x000000000189A000-memory.dmpFilesize
7.3MB
-
memory/1668-163-0x0000000001150000-0x000000000189A000-memory.dmpFilesize
7.3MB
-
memory/1668-162-0x0000000001150000-0x000000000189A000-memory.dmpFilesize
7.3MB
-
memory/1668-161-0x0000000001150000-0x000000000189A000-memory.dmpFilesize
7.3MB
-
memory/2000-64-0x0000000000400000-0x00000000004BC000-memory.dmpFilesize
752KB
-
memory/2000-63-0x0000000000400000-0x00000000004BC000-memory.dmpFilesize
752KB
-
memory/2000-153-0x0000000000400000-0x00000000004BC000-memory.dmpFilesize
752KB
-
memory/2000-61-0x0000000000400000-0x00000000004BC000-memory.dmpFilesize
752KB
-
memory/2000-62-0x0000000000400000-0x00000000004BC000-memory.dmpFilesize
752KB
-
memory/2000-69-0x0000000000400000-0x00000000004BC000-memory.dmpFilesize
752KB
-
memory/2000-65-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/2000-66-0x0000000000400000-0x00000000004BC000-memory.dmpFilesize
752KB
-
memory/2000-68-0x0000000000400000-0x00000000004BC000-memory.dmpFilesize
752KB
-
memory/2000-58-0x0000000000400000-0x00000000004BC000-memory.dmpFilesize
752KB
-
memory/2000-59-0x0000000000400000-0x00000000004BC000-memory.dmpFilesize
752KB
-
memory/2000-60-0x0000000000400000-0x00000000004BC000-memory.dmpFilesize
752KB