Overview

overview

9

Static

static

7

NeptnExternalFree.exe

windows7-x64

9

NeptnExternalFree.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    28s
  • max time network
    30s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    24-03-2023 20:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NeptnExternalFree.exe

  • Size

    3.4MB

  • MD5

    bbedbbb87552cceb179e196588684cbc

  • SHA1

    d1b7d2834140f503d7a7b92df30fadece473c29c

  • SHA256

    b30dfb8608adf0c39754145ed1e8e8cf391ef1a5cafeb207bdb53dbfe80a4a08

  • SHA512

    1e65d28aad644fc791a01eb55d3dc53d6f5c63c5fb5c9e52c96c384b5109499364a0ca433e09383972419b02e53662f15f9d238c4313aeb6842a4057be9429f3

  • SSDEEP

    98304:i1NGlQS2DA5FlCPfvJj2wmfXWjY9sz985D:i1N+QXAHlohyP/WsA98B

Score
9/10
evasionthemidatrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Themida packer 4 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 30 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NeptnExternalFree.exe
    "C:\Users\Admin\AppData\Local\Temp\NeptnExternalFree.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of WriteProcessMemory
    PID:2028
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start https://discord.gg/xCRS6yyPF6
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1800
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" https://discord.gg/xCRS6yyPF6
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1932
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1932 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:572
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2028 -s 132
      2⤵
      • Program crash
      PID:1824

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    61KB

    MD5

    e71c8443ae0bc2e282c73faead0a6dd3

    SHA1

    0c110c1b01e68edfacaeae64781a37b1995fa94b

    SHA256

    95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

    SHA512

    b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    9d6d3883cad28b1016d06bbaf6ff33eb

    SHA1

    dd9292702fdd363bff926d058691be485ebbd243

    SHA256

    7757beb205d3767647b41135522c49bc7bd4b9266bcdf8d7b19c48aac476764b

    SHA512

    5d989da4798fe4db8ee67f1dd6d80d1ea10c9fcdc21f5bfe874fec492cf770caead0d23cb992ed35366ad071122bd372b90c4d8d58adaa7c311eac2391076214

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    304B

    MD5

    07718bff190253f7b60cbecf4357c12d

    SHA1

    52115e28c5fbc0f061f6d61ca307f38511b054e6

    SHA256

    a5fa7627997c52bb52e74db1a64a6398688e24771b423165964362c1cb39ec85

    SHA512

    0581b0507e02fa54d84a645f94ef8ff9089eba1c880fc4e2811e6d3b8e05bb5584c1f357b0a37460efabae9ff5b581d3686b74e3a913bf62158f5b875d26cd55

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    304B

    MD5

    f7db0a97d28035a54043d34fb2a54cdd

    SHA1

    18ee0bb56453915a7766472f59836e9548a186e7

    SHA256

    5081226a5c52bc07c66b0b9fb38cd51be258191e96e4cd5c90f90e6f204dbd10

    SHA512

    176083401e344b484059ab25c0712263f6cc681622db5ea5fccd3b3663f49147cb12a1dabd687ff787529f5815ce2996da5911d62de1731ae83a564e161a76c4

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    304B

    MD5

    dae42e881062180b7b307995f6d7a8c2

    SHA1

    35fa86c3bb93b7cf026538e737659fef5b4f59bf

    SHA256

    c88bb008bcd9f134e9f7c0f85fdea3b7a95b1f47638f9db01ef6c893fc3e1bca

    SHA512

    8a526765935d89d4720b90b1153fbcc9a0a23b3ebc50f75dad021fa893102417a2a21c26781d2489942ae1a9304d4373d649a608d7fffbca2115864ecca2156c

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    304B

    MD5

    36deb7bc4badd19959738ab2d562cc75

    SHA1

    1829ad7639be8f8d87865f463928d2d81ed4a148

    SHA256

    23f0e234f0cb46900efc15e9630eabd7881e2a279f3d129a94b7bc3fd827b696

    SHA512

    1101aac7aac76f2c2db2c6afaf0f01d1c99efcf9fce5f21acc2b2df4968ad4b66c63eaa3604478855c2e7ddd6505798e273d270c85f336bad14f8c4b75fe263f

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    304B

    MD5

    174a5a11d9e04acbbf169e1de0f85b33

    SHA1

    eeba2efcac859e642c7a035c45deeb5c3caa20e6

    SHA256

    ec274d7beb4f09669ff7ecaa1b8044f03e57a20738e1fa17c21ad8d613457d44

    SHA512

    ef7ca6e7531dca76425a8a9b17cc3716b98a2768666939c1091fa4756ec26efd03b27ec8aff518071de583d723da14431fe96485fdcad5193f922eea1039f264

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    304B

    MD5

    d9dd8bd4bffa87e13ea34af94c880559

    SHA1

    4b39c71e5e69b60fde8565e2cca1a1b5b72af96c

    SHA256

    d25af4076138ef9c32d0e7c2f09f6affc283e9b0999fafb1fa3d6a2617afa151

    SHA512

    992c1dda5005ab8f1f91f800d555469d88cbe1a3870562a0e38c19de566450b893f7b7109f1186550db534ec9586a8e39c1f71ddc2e7919cc6b6e9793d7f46e5

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    304B

    MD5

    7a82b4ff40d73b635fae36f94f3af9fc

    SHA1

    3bd70a37e16e59916069faf20121e3a66e9c578b

    SHA256

    6faf7d24f46bdd4b83d9e2a0ed4ad97915f51b5284efc10728472a6e3a402692

    SHA512

    fc6f48a81ae9af0a96cc300c2ebc66782645d81ae76a0c24aed2bdb7995ea69c78bd2e7612d75756475efa2dee72f6b1a99e979d870557f8a3ff8dc5e340688f

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    304B

    MD5

    36dd399d2cbafd782b5567a9ee4c9724

    SHA1

    db4f24c4b2d6780c0cb2e9a6405d40e2a75ef52f

    SHA256

    84fb119132e7bf392ff313ea0ff1f01db841009a83dba128b270f18a528638ef

    SHA512

    06985f96b20349f94c5cbac0544c68fd4587c854b6a5f98c3cff974e2fd87cebd35b9cfd5fc85698840578b9c1005e73a4c606f4f790d5a1fff6583f67a83f67

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\p734dsx\imagestore.dat
    Filesize

    28KB

    MD5

    4f1d17b54f5f76e6381677afe53111e4

    SHA1

    9cab697436bdbffede5408885eb4bcf13e7693e2

    SHA256

    66be396d47dd65262d2d4511d20d28d50ec1fe848d52d796327391b65a360601

    SHA512

    e166dc48ff355a37ef9fff75f99f1af39bf691a4ab88ec430ae339b11836a5edaac202a69f76c6bca74c656bd6afb2223aa93f307ae00a1ab401553f2e800b41

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NZTPJYNO\ec2c34cadd4b5f4594415127380a85e6[1].ico
    Filesize

    23KB

    MD5

    ec2c34cadd4b5f4594415127380a85e6

    SHA1

    e7e129270da0153510ef04a148d08702b980b679

    SHA256

    128e20b3b15c65dd470cb9d0dc8fe10e2ff9f72fac99ee621b01a391ef6b81c7

    SHA512

    c1997779ff5d0f74a7fbb359606dab83439c143fbdb52025495bdc3a7cb87188085eaf12cc434cbf63b3f8da5417c8a03f2e64f751c0a63508e4412ea4e7425c

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Cab73EC.tmp
    Filesize

    61KB

    MD5

    fc4666cbca561e864e7fdf883a9e6661

    SHA1

    2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

    SHA256

    10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

    SHA512

    c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Tar73ED.tmp
    Filesize

    161KB

    MD5

    73b4b714b42fc9a6aaefd0ae59adb009

    SHA1

    efdaffd5b0ad21913d22001d91bf6c19ecb4ac41

    SHA256

    c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd

    SHA512

    73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Tar752B.tmp
    Filesize

    161KB

    MD5

    be2bec6e8c5653136d3e72fe53c98aa3

    SHA1

    a8182d6db17c14671c3d5766c72e58d87c0810de

    SHA256

    1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

    SHA512

    0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

    Download Submit
  • memory/2028-57-0x000000013F480000-0x000000013FD99000-memory.dmp
    Filesize

    9.1MB

    Download
  • memory/2028-54-0x000000013F480000-0x000000013FD99000-memory.dmp
    Filesize

    9.1MB

    Download
  • memory/2028-55-0x000000013F480000-0x000000013FD99000-memory.dmp
    Filesize

    9.1MB

    Download
  • memory/2028-56-0x000000013F480000-0x000000013FD99000-memory.dmp
    Filesize

    9.1MB

    Download
  • memory/2028-68-0x0000000001B30000-0x0000000001B31000-memory.dmp
    Filesize

    4KB

    Download