067d79883c880e8d3a0c77d0f211abe52991e00aff3489cd04c5b5180125fb65

General

Target

luzhou.exe
Size

2.7MB
MD5

3ae6147ee830216aa9e60610a5a46409
SHA1

e56fe77b928782d7de59323a1d2543059f820a30
SHA256

067d79883c880e8d3a0c77d0f211abe52991e00aff3489cd04c5b5180125fb65
SHA512

c256d66f909dd75322890d4b21b86559f04f877768994e011b9e0030c57a9d72637799f291da8a7e67aa71aecd4faf5fb02c76a97a6fcbbbef680b3489b3d2c4

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Executes dropped EXE 1 IoCs

Processes:

DpEditor.exe

pid process

2312 DpEditor.exe

pid	process
2312	DpEditor.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

luzhou.exeDpEditor.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	luzhou.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	luzhou.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	DpEditor.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	DpEditor.exe

Themida packer 10 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/1052-115-0x0000000000DF0000-0x00000000014E3000-memory.dmp	themida
behavioral2/memory/1052-117-0x0000000000DF0000-0x00000000014E3000-memory.dmp	themida
behavioral2/memory/1052-118-0x0000000000DF0000-0x00000000014E3000-memory.dmp	themida
behavioral2/memory/1052-119-0x0000000000DF0000-0x00000000014E3000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe	themida
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe	themida
behavioral2/memory/2312-123-0x00000000000A0000-0x0000000000793000-memory.dmp	themida
behavioral2/memory/2312-124-0x00000000000A0000-0x0000000000793000-memory.dmp	themida
behavioral2/memory/2312-126-0x00000000000A0000-0x0000000000793000-memory.dmp	themida
behavioral2/memory/2312-127-0x00000000000A0000-0x0000000000793000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

luzhou.exeDpEditor.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	luzhou.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DpEditor.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

luzhou.exeDpEditor.exe

pid process

1052 luzhou.exe
2312 DpEditor.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

DpEditor.exe

pid process

2312 DpEditor.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

luzhou.exeDpEditor.exe

pid process

1052 luzhou.exe
1052 luzhou.exe
2312 DpEditor.exe
2312 DpEditor.exe

pid	process
1052	luzhou.exe
2312	DpEditor.exe

pid	process
2312	DpEditor.exe

pid	process
1052	luzhou.exe
1052	luzhou.exe
2312	DpEditor.exe
2312	DpEditor.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

luzhou.exe

description	pid	process	target process
PID 1052 wrote to memory of 2312	1052	luzhou.exe	DpEditor.exe
PID 1052 wrote to memory of 2312	1052	luzhou.exe	DpEditor.exe
PID 1052 wrote to memory of 2312	1052	luzhou.exe	DpEditor.exe

C:\Users\Admin\AppData\Local\Temp\luzhou.exe
"C:\Users\Admin\AppData\Local\Temp\luzhou.exe"
1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1052
- C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
  "C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  PID:2312

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe

MD5
3ae6147ee830216aa9e60610a5a46409

SHA1
e56fe77b928782d7de59323a1d2543059f820a30

SHA256
067d79883c880e8d3a0c77d0f211abe52991e00aff3489cd04c5b5180125fb65

SHA512
c256d66f909dd75322890d4b21b86559f04f877768994e011b9e0030c57a9d72637799f291da8a7e67aa71aecd4faf5fb02c76a97a6fcbbbef680b3489b3d2c4

Download Submit
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe

MD5
3ae6147ee830216aa9e60610a5a46409

SHA1
e56fe77b928782d7de59323a1d2543059f820a30

SHA256
067d79883c880e8d3a0c77d0f211abe52991e00aff3489cd04c5b5180125fb65

SHA512
c256d66f909dd75322890d4b21b86559f04f877768994e011b9e0030c57a9d72637799f291da8a7e67aa71aecd4faf5fb02c76a97a6fcbbbef680b3489b3d2c4

Download Submit
memory/1052-115-0x0000000000DF0000-0x00000000014E3000-memory.dmp

Filesize
6.9MB

Download
memory/1052-117-0x0000000000DF0000-0x00000000014E3000-memory.dmp

Filesize
6.9MB

Download
memory/1052-118-0x0000000000DF0000-0x00000000014E3000-memory.dmp

Filesize
6.9MB

Download
memory/1052-119-0x0000000000DF0000-0x00000000014E3000-memory.dmp

Filesize
6.9MB

Download
memory/1052-116-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/2312-120-0x0000000000000000-mapping.dmp

Download
memory/2312-123-0x00000000000A0000-0x0000000000793000-memory.dmp

Filesize
6.9MB

Download
memory/2312-124-0x00000000000A0000-0x0000000000793000-memory.dmp

Filesize
6.9MB

Download
memory/2312-125-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/2312-126-0x00000000000A0000-0x0000000000793000-memory.dmp

Filesize
6.9MB

Download
memory/2312-127-0x00000000000A0000-0x0000000000793000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads