e614c86dd4d0100b14e064cdbb3931d86c0393dac8ae153074bb911138722359

General

Target

25d69c5f67b09e17dd21e832956b43c8.exe
Size

2.7MB
MD5

25d69c5f67b09e17dd21e832956b43c8
SHA1

fef354161268d73eb8be8f93d63f2241567df06a
SHA256

e614c86dd4d0100b14e064cdbb3931d86c0393dac8ae153074bb911138722359
SHA512

4970f41cdb2cf25d765251a29f1bbf9b866ca4223e126ce8e784b855dd88ef5bf4451748d23364ca860a4c07871ae76bfeeddd0d4589cabe1d6f1575011cda00

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Executes dropped EXE 1 IoCs

Processes:

DpEditor.exe

pid process

1084 DpEditor.exe

pid	process
1084	DpEditor.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

DpEditor.exe25d69c5f67b09e17dd21e832956b43c8.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	DpEditor.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	DpEditor.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	25d69c5f67b09e17dd21e832956b43c8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	25d69c5f67b09e17dd21e832956b43c8.exe

Loads dropped DLL 1 IoCs

Processes:

25d69c5f67b09e17dd21e832956b43c8.exe

pid process

1584 25d69c5f67b09e17dd21e832956b43c8.exe

pid	process
1584	25d69c5f67b09e17dd21e832956b43c8.exe

Themida packer 10 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/1584-55-0x00000000012C0000-0x00000000019AD000-memory.dmp	themida
behavioral1/memory/1584-56-0x00000000012C0000-0x00000000019AD000-memory.dmp	themida
behavioral1/memory/1584-57-0x00000000012C0000-0x00000000019AD000-memory.dmp	themida
behavioral1/memory/1584-58-0x00000000012C0000-0x00000000019AD000-memory.dmp	themida
\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe	themida
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe	themida
behavioral1/memory/1084-63-0x0000000000120000-0x000000000080D000-memory.dmp	themida
behavioral1/memory/1084-64-0x0000000000120000-0x000000000080D000-memory.dmp	themida
behavioral1/memory/1084-66-0x0000000000120000-0x000000000080D000-memory.dmp	themida
behavioral1/memory/1084-65-0x0000000000120000-0x000000000080D000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

25d69c5f67b09e17dd21e832956b43c8.exeDpEditor.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	25d69c5f67b09e17dd21e832956b43c8.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DpEditor.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

25d69c5f67b09e17dd21e832956b43c8.exeDpEditor.exe

pid process

1584 25d69c5f67b09e17dd21e832956b43c8.exe
1084 DpEditor.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

DpEditor.exe

pid process

1084 DpEditor.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

25d69c5f67b09e17dd21e832956b43c8.exeDpEditor.exe

pid process

1584 25d69c5f67b09e17dd21e832956b43c8.exe
1084 DpEditor.exe

pid	process
1584	25d69c5f67b09e17dd21e832956b43c8.exe
1084	DpEditor.exe

pid	process
1084	DpEditor.exe

pid	process
1584	25d69c5f67b09e17dd21e832956b43c8.exe
1084	DpEditor.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

25d69c5f67b09e17dd21e832956b43c8.exe

description	pid	process	target process
PID 1584 wrote to memory of 1084	1584	25d69c5f67b09e17dd21e832956b43c8.exe	DpEditor.exe
PID 1584 wrote to memory of 1084	1584	25d69c5f67b09e17dd21e832956b43c8.exe	DpEditor.exe
PID 1584 wrote to memory of 1084	1584	25d69c5f67b09e17dd21e832956b43c8.exe	DpEditor.exe
PID 1584 wrote to memory of 1084	1584	25d69c5f67b09e17dd21e832956b43c8.exe	DpEditor.exe

C:\Users\Admin\AppData\Local\Temp\25d69c5f67b09e17dd21e832956b43c8.exe
"C:\Users\Admin\AppData\Local\Temp\25d69c5f67b09e17dd21e832956b43c8.exe"
1⤵
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1584

C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
"C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
PID:1084

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
MD5
25d69c5f67b09e17dd21e832956b43c8

SHA1
fef354161268d73eb8be8f93d63f2241567df06a

SHA256
e614c86dd4d0100b14e064cdbb3931d86c0393dac8ae153074bb911138722359

SHA512
4970f41cdb2cf25d765251a29f1bbf9b866ca4223e126ce8e784b855dd88ef5bf4451748d23364ca860a4c07871ae76bfeeddd0d4589cabe1d6f1575011cda00

Download Submit
\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
MD5
25d69c5f67b09e17dd21e832956b43c8

SHA1
fef354161268d73eb8be8f93d63f2241567df06a

SHA256
e614c86dd4d0100b14e064cdbb3931d86c0393dac8ae153074bb911138722359

SHA512
4970f41cdb2cf25d765251a29f1bbf9b866ca4223e126ce8e784b855dd88ef5bf4451748d23364ca860a4c07871ae76bfeeddd0d4589cabe1d6f1575011cda00

Download Submit
memory/1084-60-0x0000000000000000-mapping.dmp

Download
memory/1084-63-0x0000000000120000-0x000000000080D000-memory.dmp

Filesize
6.9MB

Download
memory/1084-64-0x0000000000120000-0x000000000080D000-memory.dmp

Filesize
6.9MB

Download
memory/1084-66-0x0000000000120000-0x000000000080D000-memory.dmp

Filesize
6.9MB

Download
memory/1084-65-0x0000000000120000-0x000000000080D000-memory.dmp

Filesize
6.9MB

Download
memory/1584-54-0x0000000076121000-0x0000000076123000-memory.dmp

Filesize
8KB

Download
memory/1584-55-0x00000000012C0000-0x00000000019AD000-memory.dmp

Filesize
6.9MB

Download
memory/1584-56-0x00000000012C0000-0x00000000019AD000-memory.dmp

Filesize
6.9MB

Download
memory/1584-57-0x00000000012C0000-0x00000000019AD000-memory.dmp

Filesize
6.9MB

Download
memory/1584-58-0x00000000012C0000-0x00000000019AD000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads