f4889a3b066fb61c8df967ceb0ef0e0157dd5a3ef65feb328e30a186a5c3c1e8

General

Target

f4889a3b066fb61c8df967ceb0ef0e0157dd5a3ef65feb328e30a186a5c3c1e8.exe
Size

2.7MB
MD5

c983192fb4b4f55d1d5a6bcaec5241db
SHA1

c8fae465e7e4595ab216a8efa614ad8ff87871d3
SHA256

f4889a3b066fb61c8df967ceb0ef0e0157dd5a3ef65feb328e30a186a5c3c1e8
SHA512

48d559ef2e9320ee2a304c408003c3822eef98524233fbcd9b63d565b4f8c37bbbbd42a5b2f7f7cc0121579f3ab6f2e2ad76f86b215f1240e2755242e03ad57e

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Executes dropped EXE 1 IoCs

Processes:

DpEditor.exe

pid process

3136 DpEditor.exe

pid	process
3136	DpEditor.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

DpEditor.exef4889a3b066fb61c8df967ceb0ef0e0157dd5a3ef65feb328e30a186a5c3c1e8.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	DpEditor.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	DpEditor.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	f4889a3b066fb61c8df967ceb0ef0e0157dd5a3ef65feb328e30a186a5c3c1e8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	f4889a3b066fb61c8df967ceb0ef0e0157dd5a3ef65feb328e30a186a5c3c1e8.exe

Themida packer 10 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/2756-115-0x0000000000150000-0x000000000083A000-memory.dmp	themida
behavioral1/memory/2756-116-0x0000000000150000-0x000000000083A000-memory.dmp	themida
behavioral1/memory/2756-117-0x0000000000150000-0x000000000083A000-memory.dmp	themida
behavioral1/memory/2756-119-0x0000000000150000-0x000000000083A000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe	themida
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe	themida
behavioral1/memory/3136-123-0x00000000013D0000-0x0000000001ABA000-memory.dmp	themida
behavioral1/memory/3136-124-0x00000000013D0000-0x0000000001ABA000-memory.dmp	themida
behavioral1/memory/3136-125-0x00000000013D0000-0x0000000001ABA000-memory.dmp	themida
behavioral1/memory/3136-126-0x00000000013D0000-0x0000000001ABA000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

f4889a3b066fb61c8df967ceb0ef0e0157dd5a3ef65feb328e30a186a5c3c1e8.exeDpEditor.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f4889a3b066fb61c8df967ceb0ef0e0157dd5a3ef65feb328e30a186a5c3c1e8.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DpEditor.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

f4889a3b066fb61c8df967ceb0ef0e0157dd5a3ef65feb328e30a186a5c3c1e8.exeDpEditor.exe

pid process

2756 f4889a3b066fb61c8df967ceb0ef0e0157dd5a3ef65feb328e30a186a5c3c1e8.exe
3136 DpEditor.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

DpEditor.exe

pid process

3136 DpEditor.exe

pid	process
3136	DpEditor.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

f4889a3b066fb61c8df967ceb0ef0e0157dd5a3ef65feb328e30a186a5c3c1e8.exeDpEditor.exe

pid	process
2756	f4889a3b066fb61c8df967ceb0ef0e0157dd5a3ef65feb328e30a186a5c3c1e8.exe
2756	f4889a3b066fb61c8df967ceb0ef0e0157dd5a3ef65feb328e30a186a5c3c1e8.exe
3136	DpEditor.exe
3136	DpEditor.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

f4889a3b066fb61c8df967ceb0ef0e0157dd5a3ef65feb328e30a186a5c3c1e8.exe

description	pid	process	target process
PID 2756 wrote to memory of 3136	2756	f4889a3b066fb61c8df967ceb0ef0e0157dd5a3ef65feb328e30a186a5c3c1e8.exe	DpEditor.exe
PID 2756 wrote to memory of 3136	2756	f4889a3b066fb61c8df967ceb0ef0e0157dd5a3ef65feb328e30a186a5c3c1e8.exe	DpEditor.exe
PID 2756 wrote to memory of 3136	2756	f4889a3b066fb61c8df967ceb0ef0e0157dd5a3ef65feb328e30a186a5c3c1e8.exe	DpEditor.exe

C:\Users\Admin\AppData\Local\Temp\f4889a3b066fb61c8df967ceb0ef0e0157dd5a3ef65feb328e30a186a5c3c1e8.exe
"C:\Users\Admin\AppData\Local\Temp\f4889a3b066fb61c8df967ceb0ef0e0157dd5a3ef65feb328e30a186a5c3c1e8.exe"
1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2756

C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
"C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
PID:3136

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
MD5
c983192fb4b4f55d1d5a6bcaec5241db

SHA1
c8fae465e7e4595ab216a8efa614ad8ff87871d3

SHA256
f4889a3b066fb61c8df967ceb0ef0e0157dd5a3ef65feb328e30a186a5c3c1e8

SHA512
48d559ef2e9320ee2a304c408003c3822eef98524233fbcd9b63d565b4f8c37bbbbd42a5b2f7f7cc0121579f3ab6f2e2ad76f86b215f1240e2755242e03ad57e

Download Submit
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
MD5
c983192fb4b4f55d1d5a6bcaec5241db

SHA1
c8fae465e7e4595ab216a8efa614ad8ff87871d3

SHA256
f4889a3b066fb61c8df967ceb0ef0e0157dd5a3ef65feb328e30a186a5c3c1e8

SHA512
48d559ef2e9320ee2a304c408003c3822eef98524233fbcd9b63d565b4f8c37bbbbd42a5b2f7f7cc0121579f3ab6f2e2ad76f86b215f1240e2755242e03ad57e

Download Submit
memory/2756-118-0x0000000077140000-0x00000000772CE000-memory.dmp

Filesize
1.6MB

Download
memory/2756-115-0x0000000000150000-0x000000000083A000-memory.dmp

Filesize
6.9MB

Download
memory/2756-119-0x0000000000150000-0x000000000083A000-memory.dmp

Filesize
6.9MB

Download
memory/2756-117-0x0000000000150000-0x000000000083A000-memory.dmp

Filesize
6.9MB

Download
memory/2756-116-0x0000000000150000-0x000000000083A000-memory.dmp

Filesize
6.9MB

Download
memory/3136-120-0x0000000000000000-mapping.dmp

Download
memory/3136-123-0x00000000013D0000-0x0000000001ABA000-memory.dmp

Filesize
6.9MB

Download
memory/3136-124-0x00000000013D0000-0x0000000001ABA000-memory.dmp

Filesize
6.9MB

Download
memory/3136-125-0x00000000013D0000-0x0000000001ABA000-memory.dmp

Filesize
6.9MB

Download
memory/3136-126-0x00000000013D0000-0x0000000001ABA000-memory.dmp

Filesize
6.9MB

Download
memory/3136-127-0x0000000077140000-0x00000000772CE000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads