3ceb966c86934a43bcf79bccfefe087f3aff40d8dc9fab18cbd6d8c7ad292e9f

General

Target

3ceb966c86934a43bcf79bccfefe087f3aff40d8dc9fab18cbd6d8c7ad292e9f.exe
Size

2.7MB
MD5

23a5092fa3cbf14752251aaec42e8b57
SHA1

b5bc590b04916378f6b6aaafb0cc8e393fa9b441
SHA256

3ceb966c86934a43bcf79bccfefe087f3aff40d8dc9fab18cbd6d8c7ad292e9f
SHA512

cf08c9f3d4747dd8c9b30b2e1ec27a1a7542da47890a5e212b108cc4c23338ff6d304140af69f164915695b85ff8b4f172fd168d9ec04370ce8a4a7280a6ebd4

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Executes dropped EXE 1 IoCs

Processes:

DpEditor.exe

pid process

1556 DpEditor.exe

pid	process
1556	DpEditor.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

DpEditor.exe3ceb966c86934a43bcf79bccfefe087f3aff40d8dc9fab18cbd6d8c7ad292e9f.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	DpEditor.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3ceb966c86934a43bcf79bccfefe087f3aff40d8dc9fab18cbd6d8c7ad292e9f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3ceb966c86934a43bcf79bccfefe087f3aff40d8dc9fab18cbd6d8c7ad292e9f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	DpEditor.exe

Loads dropped DLL 1 IoCs

Processes:

3ceb966c86934a43bcf79bccfefe087f3aff40d8dc9fab18cbd6d8c7ad292e9f.exe

pid process

524 3ceb966c86934a43bcf79bccfefe087f3aff40d8dc9fab18cbd6d8c7ad292e9f.exe

pid	process
524	3ceb966c86934a43bcf79bccfefe087f3aff40d8dc9fab18cbd6d8c7ad292e9f.exe

Themida packer 8 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/524-55-0x0000000000A20000-0x0000000001110000-memory.dmp	themida
behavioral1/memory/524-56-0x0000000000A20000-0x0000000001110000-memory.dmp	themida
behavioral1/memory/524-58-0x0000000000A20000-0x0000000001110000-memory.dmp	themida
\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe	themida
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe	themida
behavioral1/memory/1556-62-0x00000000001C0000-0x00000000008B0000-memory.dmp	themida
behavioral1/memory/1556-63-0x00000000001C0000-0x00000000008B0000-memory.dmp	themida
behavioral1/memory/1556-64-0x00000000001C0000-0x00000000008B0000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

3ceb966c86934a43bcf79bccfefe087f3aff40d8dc9fab18cbd6d8c7ad292e9f.exeDpEditor.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3ceb966c86934a43bcf79bccfefe087f3aff40d8dc9fab18cbd6d8c7ad292e9f.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DpEditor.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

3ceb966c86934a43bcf79bccfefe087f3aff40d8dc9fab18cbd6d8c7ad292e9f.exeDpEditor.exe

pid process

524 3ceb966c86934a43bcf79bccfefe087f3aff40d8dc9fab18cbd6d8c7ad292e9f.exe
1556 DpEditor.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

DpEditor.exe

pid process

1556 DpEditor.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

3ceb966c86934a43bcf79bccfefe087f3aff40d8dc9fab18cbd6d8c7ad292e9f.exeDpEditor.exe

pid process

524 3ceb966c86934a43bcf79bccfefe087f3aff40d8dc9fab18cbd6d8c7ad292e9f.exe
1556 DpEditor.exe

pid	process
524	3ceb966c86934a43bcf79bccfefe087f3aff40d8dc9fab18cbd6d8c7ad292e9f.exe
1556	DpEditor.exe

pid	process
1556	DpEditor.exe

pid	process
524	3ceb966c86934a43bcf79bccfefe087f3aff40d8dc9fab18cbd6d8c7ad292e9f.exe
1556	DpEditor.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

3ceb966c86934a43bcf79bccfefe087f3aff40d8dc9fab18cbd6d8c7ad292e9f.exe

description	pid	process	target process
PID 524 wrote to memory of 1556	524	3ceb966c86934a43bcf79bccfefe087f3aff40d8dc9fab18cbd6d8c7ad292e9f.exe	DpEditor.exe
PID 524 wrote to memory of 1556	524	3ceb966c86934a43bcf79bccfefe087f3aff40d8dc9fab18cbd6d8c7ad292e9f.exe	DpEditor.exe
PID 524 wrote to memory of 1556	524	3ceb966c86934a43bcf79bccfefe087f3aff40d8dc9fab18cbd6d8c7ad292e9f.exe	DpEditor.exe
PID 524 wrote to memory of 1556	524	3ceb966c86934a43bcf79bccfefe087f3aff40d8dc9fab18cbd6d8c7ad292e9f.exe	DpEditor.exe

C:\Users\Admin\AppData\Local\Temp\3ceb966c86934a43bcf79bccfefe087f3aff40d8dc9fab18cbd6d8c7ad292e9f.exe
"C:\Users\Admin\AppData\Local\Temp\3ceb966c86934a43bcf79bccfefe087f3aff40d8dc9fab18cbd6d8c7ad292e9f.exe"
1⤵
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:524

C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
"C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
PID:1556

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe

MD5
23a5092fa3cbf14752251aaec42e8b57

SHA1
b5bc590b04916378f6b6aaafb0cc8e393fa9b441

SHA256
3ceb966c86934a43bcf79bccfefe087f3aff40d8dc9fab18cbd6d8c7ad292e9f

SHA512
cf08c9f3d4747dd8c9b30b2e1ec27a1a7542da47890a5e212b108cc4c23338ff6d304140af69f164915695b85ff8b4f172fd168d9ec04370ce8a4a7280a6ebd4

Download Submit
\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe

MD5
23a5092fa3cbf14752251aaec42e8b57

SHA1
b5bc590b04916378f6b6aaafb0cc8e393fa9b441

SHA256
3ceb966c86934a43bcf79bccfefe087f3aff40d8dc9fab18cbd6d8c7ad292e9f

SHA512
cf08c9f3d4747dd8c9b30b2e1ec27a1a7542da47890a5e212b108cc4c23338ff6d304140af69f164915695b85ff8b4f172fd168d9ec04370ce8a4a7280a6ebd4

Download Submit
memory/524-54-0x0000000075531000-0x0000000075533000-memory.dmp

Filesize
8KB

Download
memory/524-55-0x0000000000A20000-0x0000000001110000-memory.dmp

Filesize
6.9MB

Download
memory/524-57-0x0000000077A50000-0x0000000077A52000-memory.dmp

Filesize
8KB

Download
memory/524-56-0x0000000000A20000-0x0000000001110000-memory.dmp

Filesize
6.9MB

Download
memory/524-58-0x0000000000A20000-0x0000000001110000-memory.dmp

Filesize
6.9MB

Download
memory/1556-62-0x00000000001C0000-0x00000000008B0000-memory.dmp

Filesize
6.9MB

Download
memory/1556-63-0x00000000001C0000-0x00000000008B0000-memory.dmp

Filesize
6.9MB

Download
memory/1556-64-0x00000000001C0000-0x00000000008B0000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads