00e3d10e003f9f9abde9a4403e31543ad2cb48a2149066b45771fc2c03030e59

Analysis

max time kernel
4s
max time network
8s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
08/10/2023, 17:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.00e3d10e003f9f9abde9a4403e31543ad2cb48a2149066b45771fc2c03030e59_JC.exe
Size

14.3MB
MD5

8ef72af893e61f61fa3813627c444a2d
SHA1

6f842049f803d49be1f1d2f6dd263380bf85fe0e
SHA256

00e3d10e003f9f9abde9a4403e31543ad2cb48a2149066b45771fc2c03030e59
SHA512

86294018c998a2b11503ac8645d6b270016d9e703a0a780a4544f2deecee5c505559f371aa40290f58808bb9a714feaa44f26c5ba12026c18ea8cbc40fccf898
SSDEEP

393216:sObVsTKckqLk4OEbeMbppEvlXqn5HBHGRXNe:vbKgqwEbecpIKdgg

Score

9^/10

evasion upx

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	NEAS.00e3d10e003f9f9abde9a4403e31543ad2cb48a2149066b45771fc2c03030e59_JC.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	NEAS.00e3d10e003f9f9abde9a4403e31543ad2cb48a2149066b45771fc2c03030e59_JC.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	NEAS.00e3d10e003f9f9abde9a4403e31543ad2cb48a2149066b45771fc2c03030e59_JC.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Wine	NEAS.00e3d10e003f9f9abde9a4403e31543ad2cb48a2149066b45771fc2c03030e59_JC.exe

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/468-7-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/468-11-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/468-13-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/468-15-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/468-18-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/468-22-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/468-26-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/468-30-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/468-34-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/468-38-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/468-41-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/468-45-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/468-47-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/468-50-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/468-52-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/468-55-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/468-57-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/468-59-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/468-63-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/468-65-0x0000000010000000-0x000000001003E000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
468	NEAS.00e3d10e003f9f9abde9a4403e31543ad2cb48a2149066b45771fc2c03030e59_JC.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
468	NEAS.00e3d10e003f9f9abde9a4403e31543ad2cb48a2149066b45771fc2c03030e59_JC.exe
468	NEAS.00e3d10e003f9f9abde9a4403e31543ad2cb48a2149066b45771fc2c03030e59_JC.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
468	NEAS.00e3d10e003f9f9abde9a4403e31543ad2cb48a2149066b45771fc2c03030e59_JC.exe
468	NEAS.00e3d10e003f9f9abde9a4403e31543ad2cb48a2149066b45771fc2c03030e59_JC.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.00e3d10e003f9f9abde9a4403e31543ad2cb48a2149066b45771fc2c03030e59_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.00e3d10e003f9f9abde9a4403e31543ad2cb48a2149066b45771fc2c03030e59_JC.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/468-0-0x0000000000400000-0x0000000001679000-memory.dmp

Filesize
18.5MB

Download
memory/468-1-0x0000000077944000-0x0000000077946000-memory.dmp

Filesize
8KB

Download
memory/468-2-0x0000000000400000-0x0000000001679000-memory.dmp

Filesize
18.5MB

Download
memory/468-4-0x00000000057B0000-0x00000000057B1000-memory.dmp

Filesize
4KB

Download
memory/468-5-0x0000000005820000-0x0000000005821000-memory.dmp

Filesize
4KB

Download
memory/468-3-0x0000000005770000-0x0000000005771000-memory.dmp

Filesize
4KB

Download
memory/468-6-0x00000000057F0000-0x00000000057F1000-memory.dmp

Filesize
4KB

Download
memory/468-7-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/468-8-0x0000000005780000-0x0000000005781000-memory.dmp

Filesize
4KB

Download
memory/468-11-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/468-13-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/468-10-0x00000000057A0000-0x00000000057A2000-memory.dmp

Filesize
8KB

Download
memory/468-12-0x0000000005840000-0x0000000005841000-memory.dmp

Filesize
4KB

Download
memory/468-14-0x00000000057E0000-0x00000000057E1000-memory.dmp

Filesize
4KB

Download
memory/468-15-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/468-16-0x0000000005790000-0x0000000005791000-memory.dmp

Filesize
4KB

Download
memory/468-18-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/468-19-0x0000000005910000-0x0000000005911000-memory.dmp

Filesize
4KB

Download
memory/468-21-0x00000000058A0000-0x00000000058A1000-memory.dmp

Filesize
4KB

Download
memory/468-22-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/468-23-0x0000000005800000-0x0000000005801000-memory.dmp

Filesize
4KB

Download
memory/468-27-0x0000000005890000-0x0000000005891000-memory.dmp

Filesize
4KB

Download
memory/468-26-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/468-30-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/468-31-0x00000000058E0000-0x00000000058E1000-memory.dmp

Filesize
4KB

Download
memory/468-35-0x0000000005830000-0x0000000005831000-memory.dmp

Filesize
4KB

Download
memory/468-34-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/468-37-0x0000000005870000-0x0000000005871000-memory.dmp

Filesize
4KB

Download
memory/468-38-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/468-41-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/468-39-0x0000000005900000-0x0000000005901000-memory.dmp

Filesize
4KB

Download
memory/468-33-0x0000000005940000-0x0000000005941000-memory.dmp

Filesize
4KB

Download
memory/468-29-0x00000000057D0000-0x00000000057D1000-memory.dmp

Filesize
4KB

Download
memory/468-25-0x0000000005880000-0x0000000005881000-memory.dmp

Filesize
4KB

Download
memory/468-17-0x00000000057C0000-0x00000000057C1000-memory.dmp

Filesize
4KB

Download
memory/468-42-0x0000000005950000-0x0000000005951000-memory.dmp

Filesize
4KB

Download
memory/468-45-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/468-47-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/468-50-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/468-52-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/468-55-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/468-57-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/468-59-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/468-61-0x0000000000400000-0x0000000001679000-memory.dmp

Filesize
18.5MB

Download
memory/468-63-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/468-65-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download