Overview
overview
10Static
static
3Themida.exe
windows10-2004-x64
10Themida64.exe
windows10-2004-x64
10ThemidaHelp.chm
windows10-2004-x64
1ThemidaSDK...in.xml
windows10-2004-x64
1ThemidaSDK...in.dll
windows10-2004-x64
3ThemidaSDK...t1.xml
windows10-2004-x64
1ThemidaSDK...ct1.js
windows10-2004-x64
1ThemidaSDK...e.html
windows10-2004-x64
1ThemidaSDK...le.xml
windows10-2004-x64
1ThemidaSDK...10.xml
windows10-2004-x64
1ThemidaSDK...llo.js
windows10-2004-x64
1ThemidaSDK...t1.xml
windows10-2004-x64
1ThemidaSDK...ct1.js
windows10-2004-x64
1ThemidaSDK...le.xml
windows10-2004-x64
1ThemidaSDK...llo.js
windows10-2004-x64
1ThemidaSDK...pt.exe
windows10-2004-x64
1ThemidaSDK...on.pdf
windows10-2004-x64
1ThemidaSDK...32.dll
windows10-2004-x64
1ThemidaSDK...64.dll
windows10-2004-x64
1WinlicenseSDK.dll
windows10-2004-x64
3demangler.dll
windows10-2004-x64
3libspv.dll
windows10-2004-x64
1vcomp140.dll
windows10-2004-x64
3Analysis
-
max time kernel
58s -
max time network
70s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
25/05/2023, 06:14
Static task
static1
Behavioral task
behavioral1
Sample
Themida.exe
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral2
Sample
Themida64.exe
Resource
win10v2004-20230221-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
ThemidaHelp.chm
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral4
Sample
ThemidaSDK/ExamplesSDK/Plugins/Examples/C/TestPlugin/TestPlugin.xml
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
ThemidaSDK/ExamplesSDK/Plugins/Examples/Delphi/TestPlugin.dll
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral6
Sample
ThemidaSDK/ExamplesSDK/Protectio Macros(Check Protection)/C/CBuilder/Project1.xml
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
ThemidaSDK/ExamplesSDK/Protectio Macros(Check Protection)/C/CBuilder/Project1.js
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral8
Sample
ThemidaSDK/ExamplesSDK/Protectio Macros(Check Protection)/C/Visual C++/vc_example.html
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
ThemidaSDK/ExamplesSDK/Protectio Macros(Check Protection)/C/Visual C++/vc_example.xml
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral10
Sample
ThemidaSDK/ExamplesSDK/Protectio Macros(Check Protection)/C/Visual C++/vc_example.vcproj.7.10.xml
Resource
win10v2004-20230221-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
ThemidaSDK/ExamplesSDK/Protectio Macros(Check Protection)/Rust/hello.js
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral12
Sample
ThemidaSDK/ExamplesSDK/Protection Macros/C/CBuilder/Project1.xml
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
ThemidaSDK/ExamplesSDK/Protection Macros/C/CBuilder/Project1.js
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral14
Sample
ThemidaSDK/ExamplesSDK/Protection Macros/C/Visual C++(via ASM module)/vc_example.xml
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
ThemidaSDK/ExamplesSDK/Protection Macros/Rust/hello.js
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral16
Sample
ThemidaSDK/ExamplesSDK/Protection Macros/Visual Basic/Vb6NoOpt.exe
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
ThemidaSDK/Include/C/Via ASM module/How to add ASM files in your Solution.pdf
Resource
win10v2004-20230221-en
windows10-2004-x64
Behavioral task
behavioral18
Sample
ThemidaSDK/SecureEngineSDK32.dll
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
ThemidaSDK/SecureEngineSDK64.dll
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral20
Sample
WinlicenseSDK.dll
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
demangler.dll
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral22
Sample
libspv.dll
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
vcomp140.dll
Resource
win10v2004-20230220-en
windows10-2004-x64
General
-
Target
ThemidaSDK/ExamplesSDK/Plugins/Examples/C/TestPlugin/TestPlugin.xml
-
Size
7KB
-
MD5
61a5e554c6496e41c4300f5fd5078e4c
-
SHA1
0ac60568eae3ce594b1c9b430440a6ae3f046a59
-
SHA256
afd5ecde10cd874cd8e82cc837014768c1db3ee68b8de402e05fa31cf86b2597
-
SHA512
8576e334a1e2f7ffa82e0ebb3559916cda94d6e6e4b2114a16f6568345db2ff28bfa392914ca4470b8b310e679342593d35ccd2efb29809d444b36dea36c2763
-
SSDEEP
96:tpmzwaGS66LzCa9Nt6gz9a9Sd6AzRa9Nk6ottAipfwpfnpfRp56AebI4:tuw+tCWJ9RHRW9iFwFnFRyAO
Malware Config
Signatures
-
description ioc Process Key created \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3053011544" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3053011544" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003e16b6e2117bc0419036d1c856aab2b500000000020000000000106600000001000020000000fe4eab4abc3084a97d715bc7d42f00370b5d5294b3a83bcd5f208c4355028745000000000e800000000200002000000090ccef203752bdba55069b4cd63fdc79b887af7283e0ce6fb1f1b7eee74c675c200000001d7abc5478133ada4113b6941e2ba5fcf4918e833afb9fcd83649967b0ec062b400000005e4ff9d4444686a292ac2d9ccc784ac5d56f757814a269bf7ba1e382f9fa1a35f2ff4f152b913f58b2de22ff30f1b49edf6f99652cde133727bb237b6dabce68 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31035088" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3071762372" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31035088" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\International\CpMRU IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Enable = "1" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 808f15b9d08ed901 iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\IESettingSync IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31035088" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003e16b6e2117bc0419036d1c856aab2b5000000000200000000001066000000010000200000007f8927beb6374c1b145a9af6b0781cc12bc9444f46ec8eebe0778ca44c375539000000000e800000000200002000000016ba918b01a8435e427bb4e45f10e1d53f26b51726b11f2089573ef4db28960d200000008a718deabf3c3d1f43779cd5b83e152a33533003f58581e02a550251483e2bf240000000d6b68de220ee464fde5a580340da1156e0984c2b3f57cd852e66cc219e45569350991751e66bd44c9925b935c005c0bc7183934b14817f72dab186d26e30d470 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{E0E1A98F-FAC3-11ED-8FFF-6E21A4042E2D} = "0" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Size = "10" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Factor = "20" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40ec2ab9d08ed901 iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2836 iexplore.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 2836 iexplore.exe 2836 iexplore.exe 1876 IEXPLORE.EXE 1876 IEXPLORE.EXE 1876 IEXPLORE.EXE 1876 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 4596 wrote to memory of 2836 4596 MSOXMLED.EXE 82 PID 4596 wrote to memory of 2836 4596 MSOXMLED.EXE 82 PID 2836 wrote to memory of 1876 2836 iexplore.exe 84 PID 2836 wrote to memory of 1876 2836 iexplore.exe 84 PID 2836 wrote to memory of 1876 2836 iexplore.exe 84
Processes
-
C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\ThemidaSDK\ExamplesSDK\Plugins\Examples\C\TestPlugin\TestPlugin.xml"1⤵
- Suspicious use of WriteProcessMemory
PID:4596 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\ThemidaSDK\ExamplesSDK\Plugins\Examples\C\TestPlugin\TestPlugin.xml2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2836 CREDAT:17410 /prefetch:23⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1876
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize471B
MD53fbb8ee33354096d9f116c557a402d14
SHA1f75756c42d45d1047eb04fa54bd7702f5560df4b
SHA25613e2696561dd0955e1d61f7e18166c8bd7a02faf1dbfe04e738b5d68cc2ca57e
SHA512cc21e56f9278282b3c15964b5618d42bdfda83b245d7bf01d12550aabd69a9747d1deaa5a9a9830e6d6a47465f580e21e0a7621cf992b56244ad4bee8779c338
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize404B
MD5e7d19cba0fa40a9cdf9eb0f2ec39df20
SHA1e8b4b9aa5b1fc571bacbb553c814f332dd517ba5
SHA256bba6c96304ca4f426d0c3b289e7d0f4e73758337cbce88b033d260c8eb20201e
SHA512d4082ab8312d80982bf72243e304265430855632c2ed3e8fe58a17bbb60fdb3129c1d909bc14ec5485ef2e6279d397ed35fc5e31cb3535848f9dbb6bb64e4dab