Analysis
-
max time kernel
151s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
-
submitted
08/10/2023, 17:26
General
-
Target
NEAS.5076458cf59ac0f6f91ab437d401aafd094eb416a1ed02f255df1918b22cea50_JC.exe
-
Size
7.1MB
-
MD5
35d8de1dc16f3e35821214526ea80a8c
-
SHA1
8b0432b21bacf7e30d4004f15125ae50f9e55d4f
-
SHA256
5076458cf59ac0f6f91ab437d401aafd094eb416a1ed02f255df1918b22cea50
-
SHA512
f61ac2b811380a19a4de0839773f50536a920ec7569ed40053498e0fc5406142625eb795d9eeb5cd551d8533eccfa71671a2f48c874ebb41c14bbfe6406c90c0
-
SSDEEP
196608:yBGdmm83FGiLz/SsWv6hjLWn9jMaRvqpvATML:yRtLzHo6hSn5Mbvo
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Themida packer 9 IoCs
Detects Themida, an advanced Windows software protection system.
-
UPX packed file 8 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious behavior: RenamesItself 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.5076458cf59ac0f6f91ab437d401aafd094eb416a1ed02f255df1918b22cea50_JC.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.5076458cf59ac0f6f91ab437d401aafd094eb416a1ed02f255df1918b22cea50_JC.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Documents\BinGo\pwaapgsu.exe"C:\Users\Admin\Documents\BinGo\pwaapgsu.exe" rest2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x4cc 0x2f41⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5c1347dfa9bb8d3bee2347af131cab939
SHA15046fa047c728982d103353ff135215143955bb8
SHA2565967799cae4caefd995ebb3b8acb82c57d9e9cf4a71751c70e1d75bf62a75753
SHA512481f5cc0ab17d082e02e5161b401036448ba19072d8b80848b69e99b24f9afba7e05ce94116527c01cf8a4029f1e9fd506133685e152adbf91a757beaa8c3be5
-
Filesize
1.1MB
-
Filesize
12.9MB
-
Filesize
12.9MB
-
Filesize
12.9MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
12.9MB
-
Filesize
12.9MB
-
Filesize
1.1MB
-
Filesize
8KB
-
Filesize
256KB
-
Filesize
1024KB
-
Filesize
1.1MB
-
Filesize
12.9MB
-
Filesize
1.1MB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
12.9MB
-
Filesize
256KB
-
Filesize
12.9MB
-
Filesize
1024KB
-
Filesize
12.9MB
-
Filesize
1.1MB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
1024KB
-
Filesize
1024KB