4d0ebd85da282bb75b2439f9baa30c3ff3788e556c32713e48f786defe408eac

General

Target

792cef7a7b7a68ccd4348e7b17aae3a7.exe
Size

2.7MB
MD5

792cef7a7b7a68ccd4348e7b17aae3a7
SHA1

9b90b4f292488b4b8df943f4937d4158f2c3d392
SHA256

4d0ebd85da282bb75b2439f9baa30c3ff3788e556c32713e48f786defe408eac
SHA512

b023222cbece71f806651fdb15ec8140931a605ea2e7c75a3e254fab2b9007274ff5cabd0b03175c9d70dc4c6a078a1989c4a7618d9bf2805ba3cc009e53c620

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Executes dropped EXE 1 IoCs

Processes:

DpEditor.exe

pid process

2208 DpEditor.exe

pid	process
2208	DpEditor.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

792cef7a7b7a68ccd4348e7b17aae3a7.exeDpEditor.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	792cef7a7b7a68ccd4348e7b17aae3a7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	792cef7a7b7a68ccd4348e7b17aae3a7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	DpEditor.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	DpEditor.exe

Themida packer 10 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/2608-115-0x0000000000EC0000-0x00000000015B0000-memory.dmp	themida
behavioral2/memory/2608-116-0x0000000000EC0000-0x00000000015B0000-memory.dmp	themida
behavioral2/memory/2608-118-0x0000000000EC0000-0x00000000015B0000-memory.dmp	themida
behavioral2/memory/2608-119-0x0000000000EC0000-0x00000000015B0000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe	themida
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe	themida
behavioral2/memory/2208-123-0x0000000000180000-0x0000000000870000-memory.dmp	themida
behavioral2/memory/2208-124-0x0000000000180000-0x0000000000870000-memory.dmp	themida
behavioral2/memory/2208-126-0x0000000000180000-0x0000000000870000-memory.dmp	themida
behavioral2/memory/2208-127-0x0000000000180000-0x0000000000870000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

792cef7a7b7a68ccd4348e7b17aae3a7.exeDpEditor.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	792cef7a7b7a68ccd4348e7b17aae3a7.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DpEditor.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

792cef7a7b7a68ccd4348e7b17aae3a7.exeDpEditor.exe

pid process

2608 792cef7a7b7a68ccd4348e7b17aae3a7.exe
2208 DpEditor.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

DpEditor.exe

pid process

2208 DpEditor.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

792cef7a7b7a68ccd4348e7b17aae3a7.exeDpEditor.exe

pid process

2608 792cef7a7b7a68ccd4348e7b17aae3a7.exe
2608 792cef7a7b7a68ccd4348e7b17aae3a7.exe
2208 DpEditor.exe
2208 DpEditor.exe

pid	process
2608	792cef7a7b7a68ccd4348e7b17aae3a7.exe
2208	DpEditor.exe

pid	process
2208	DpEditor.exe

pid	process
2608	792cef7a7b7a68ccd4348e7b17aae3a7.exe
2608	792cef7a7b7a68ccd4348e7b17aae3a7.exe
2208	DpEditor.exe
2208	DpEditor.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

792cef7a7b7a68ccd4348e7b17aae3a7.exe

description	pid	process	target process
PID 2608 wrote to memory of 2208	2608	792cef7a7b7a68ccd4348e7b17aae3a7.exe	DpEditor.exe
PID 2608 wrote to memory of 2208	2608	792cef7a7b7a68ccd4348e7b17aae3a7.exe	DpEditor.exe
PID 2608 wrote to memory of 2208	2608	792cef7a7b7a68ccd4348e7b17aae3a7.exe	DpEditor.exe

C:\Users\Admin\AppData\Local\Temp\792cef7a7b7a68ccd4348e7b17aae3a7.exe
"C:\Users\Admin\AppData\Local\Temp\792cef7a7b7a68ccd4348e7b17aae3a7.exe"
1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2608

C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
"C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
PID:2208

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
MD5
792cef7a7b7a68ccd4348e7b17aae3a7

SHA1
9b90b4f292488b4b8df943f4937d4158f2c3d392

SHA256
4d0ebd85da282bb75b2439f9baa30c3ff3788e556c32713e48f786defe408eac

SHA512
b023222cbece71f806651fdb15ec8140931a605ea2e7c75a3e254fab2b9007274ff5cabd0b03175c9d70dc4c6a078a1989c4a7618d9bf2805ba3cc009e53c620

Download Submit
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
MD5
792cef7a7b7a68ccd4348e7b17aae3a7

SHA1
9b90b4f292488b4b8df943f4937d4158f2c3d392

SHA256
4d0ebd85da282bb75b2439f9baa30c3ff3788e556c32713e48f786defe408eac

SHA512
b023222cbece71f806651fdb15ec8140931a605ea2e7c75a3e254fab2b9007274ff5cabd0b03175c9d70dc4c6a078a1989c4a7618d9bf2805ba3cc009e53c620

Download Submit
memory/2208-124-0x0000000000180000-0x0000000000870000-memory.dmp

Filesize
6.9MB

Download
memory/2208-120-0x0000000000000000-mapping.dmp

Download
memory/2208-123-0x0000000000180000-0x0000000000870000-memory.dmp

Filesize
6.9MB

Download
memory/2208-125-0x00000000771F0000-0x000000007737E000-memory.dmp

Filesize
1.6MB

Download
memory/2208-126-0x0000000000180000-0x0000000000870000-memory.dmp

Filesize
6.9MB

Download
memory/2208-127-0x0000000000180000-0x0000000000870000-memory.dmp

Filesize
6.9MB

Download
memory/2608-118-0x0000000000EC0000-0x00000000015B0000-memory.dmp

Filesize
6.9MB

Download
memory/2608-119-0x0000000000EC0000-0x00000000015B0000-memory.dmp

Filesize
6.9MB

Download
memory/2608-117-0x00000000771F0000-0x000000007737E000-memory.dmp

Filesize
1.6MB

Download
memory/2608-116-0x0000000000EC0000-0x00000000015B0000-memory.dmp

Filesize
6.9MB

Download
memory/2608-115-0x0000000000EC0000-0x00000000015B0000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads