cp[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

cp.exe
Size

5.4MB
MD5

9c3ef2fb45a79cd6b8a5f7d6e3635dee
SHA1

7a5c801a7f1453815236dfa02f990278bd1bc44e
SHA256

c2af36682e01993670f67e3da7187bc1398c391749c5e9f0dbc10b5ac9c362fc
SHA512

6e02f4da6a0486fcf859947d1784d2d0115267e67a50d99926e27f7826b095030fcfe880d4a5f0156ab47bdcd6b06d69efdaf46aa239951a304bf682adb2b1c5
SSDEEP

98304:zeE+y3jTW1nu+rmCiabfe6sIUPt83OargNgqVpbTYVgZoj47MZ5FV0ZIvY4mQj1y:i1EanbmCiabW6uV+OugNvpbXZ778hsI6

Score

7^/10

themida

Malware Config

Signatures

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
sample	themida

Files

cp.exe
.exe windows:6 windows x86 arch:x86

4606041c7eb9dc2ea0c018ff25cd5fa6

Code Sign

5f:cd:5e:93:49:26:1c:94:49:b8:8b:41:24:df:50:04
Certificate

Issuer

CN=Logitech ZC-9016 USA State of Washington

Not Before

15/12/2021, 11:48

Not After

16/12/2031, 11:48

Subject

CN=Logitech ZC-9016 USA State of Washington

39:4c:25:e1:7c:a0:6d:27:a8:65:e2:3b:d9:1d:22:d4
Certificate

Issuer

CN=Sectigo RSA Time Stamping CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

03/05/2023, 00:00

Not After

02/08/2034, 23:59

Subject

CN=Sectigo RSA Time Stamping Signer #4,O=Sectigo Limited,ST=Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

30:0f:6f:ac:dd:66:98:74:7c:a9:46:36:a7:78:2d:b9
Certificate

Issuer

CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US

Not Before

02/05/2019, 00:00

Not After

18/01/2038, 23:59

Subject

CN=Sectigo RSA Time Stamping CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:c0:07:33:f4:c7:e1:76:eb:70:58:ea:53:b5:6a:04:f0:ef:27:ca:f5:91:c6:26:1c:80:1c:f2:b7:29:92:1c
Signer

Actual PE Digest

61:c0:07:33:f4:c7:e1:76:eb:70:58:ea:53:b5:6a:04:f0:ef:27:ca:f5:91:c6:26:1c:80:1c:f2:b7:29:92:1c

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GetModuleHandleA
GetSystemTimeAsFileTime
HeapAlloc
HeapFree
ExitProcess
LoadLibraryA
GetModuleHandleA
GetProcAddress

user32

SetClipboardData

advapi32

RegSetValueExA

shell32

ShellExecuteExW

ole32

CoTaskMemFree

Sections

Size: - Virtual size: 162KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

Size: - Virtual size: 67KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Size: - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.imports
Size: - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.
Size: - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.themida
Size: - Virtual size: 3.9MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.boot
Size: - Virtual size: 2.4MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.
Size: - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.WinZipp
Size: - Virtual size: 1.5MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.WinZipp
Size: 1024B - Virtual size: 880B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.WinZipp
Size: 5.3MB - Virtual size: 5.3MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 143KB - Virtual size: 142KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

4606041c7eb9dc2ea0c018ff25cd5fa6

Code Sign

5f:cd:5e:93:49:26:1c:94:49:b8:8b:41:24:df:50:04Certificate

39:4c:25:e1:7c:a0:6d:27:a8:65:e2:3b:d9:1d:22:d4Certificate

Extended Key Usages

Key Usages

30:0f:6f:ac:dd:66:98:74:7c:a9:46:36:a7:78:2d:b9Certificate

Extended Key Usages

Key Usages

61:c0:07:33:f4:c7:e1:76:eb:70:58:ea:53:b5:6a:04:f0:ef:27:ca:f5:91:c6:26:1c:80:1c:f2:b7:29:92:1cSigner

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

advapi32

shell32

ole32

Sections

Size: - Virtual size: 162KB

Size: - Virtual size: 67KB

Size: - Virtual size: 7KB

Size: - Virtual size: 1KB

Size: - Virtual size: 9KB

.imports Size: - Virtual size: 4KB

. Size: - Virtual size: 4KB

.themida Size: - Virtual size: 3.9MB

.boot Size: - Virtual size: 2.4MB

. Size: - Virtual size: 1KB

.WinZipp Size: - Virtual size: 1.5MB

.WinZipp Size: 1024B - Virtual size: 880B

.WinZipp Size: 5.3MB - Virtual size: 5.3MB

.reloc Size: 6KB - Virtual size: 6KB

.rsrc Size: 143KB - Virtual size: 142KB

5f:cd:5e:93:49:26:1c:94:49:b8:8b:41:24:df:50:04
Certificate

39:4c:25:e1:7c:a0:6d:27:a8:65:e2:3b:d9:1d:22:d4
Certificate

30:0f:6f:ac:dd:66:98:74:7c:a9:46:36:a7:78:2d:b9
Certificate

61:c0:07:33:f4:c7:e1:76:eb:70:58:ea:53:b5:6a:04:f0:ef:27:ca:f5:91:c6:26:1c:80:1c:f2:b7:29:92:1c
Signer

.imports
Size: - Virtual size: 4KB

.
Size: - Virtual size: 4KB

.themida
Size: - Virtual size: 3.9MB

.boot
Size: - Virtual size: 2.4MB

.
Size: - Virtual size: 1KB

.WinZipp
Size: - Virtual size: 1.5MB

.WinZipp
Size: 1024B - Virtual size: 880B

.WinZipp
Size: 5.3MB - Virtual size: 5.3MB

.reloc
Size: 6KB - Virtual size: 6KB

.rsrc
Size: 143KB - Virtual size: 142KB