82d3a386dbed3450612df8267523f204a823c6809401da6fe16441340573dda3

Analysis

max time kernel
141s
max time network
124s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
13-10-2023 20:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.7866cd3f054d877ecf187047d5e4d340.exe
Size

3.2MB
MD5

7866cd3f054d877ecf187047d5e4d340
SHA1

1fbbe17f21389c03a50dda5d25caf62bae05da3a
SHA256

82d3a386dbed3450612df8267523f204a823c6809401da6fe16441340573dda3
SHA512

46a4673891ffbe8785722dbae44e4bdfe22526c78ecaccb5b1f9fed63331377b0da0ea1ea3d3533247a87e82ee333dbe8ce203a81af84fb137a129ece0a82878
SSDEEP

98304:Lnob5A1YqdCPpnvOVrt8pppcqqRklqJSCTS3x:3VUPpnvOX8pbWeIhT2

Score

9^/10

evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	NEAS.7866cd3f054d877ecf187047d5e4d340.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	NEAS.7866cd3f054d877ecf187047d5e4d340.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	NEAS.7866cd3f054d877ecf187047d5e4d340.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Wine	NEAS.7866cd3f054d877ecf187047d5e4d340.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1992	NEAS.7866cd3f054d877ecf187047d5e4d340.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 52 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{30EB1843-5407-11D4-AA1C-00001C031E8C}\LocalServer32	NEAS.7866cd3f054d877ecf187047d5e4d340.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{30EB1841-5407-11D4-AA1C-00001C031E8C}\ProxyStubClsid32	NEAS.7866cd3f054d877ecf187047d5e4d340.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{30EB0008-5407-11D4-0000-00601C031E8C}\1.0\0	NEAS.7866cd3f054d877ecf187047d5e4d340.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{30EB0008-5407-11D4-0000-00601C031E8C}\1.0\0\win32	NEAS.7866cd3f054d877ecf187047d5e4d340.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{30EB1841-5407-11D4-AA1C-00001C031E8C}\TypeLib	NEAS.7866cd3f054d877ecf187047d5e4d340.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{30EB1841-5407-11D4-AA1C-00001C031E8C}\TypeLib\Version = "1.0"	NEAS.7866cd3f054d877ecf187047d5e4d340.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{30EB1841-5407-11D4-AA1C-00001C031E8C}\TypeLib\Version = "1.0"	NEAS.7866cd3f054d877ecf187047d5e4d340.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD5CC8BA-B327-4293-92F2-BD89702FC0DE}	NEAS.7866cd3f054d877ecf187047d5e4d340.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD5CC8BA-B327-4293-92F2-BD89702FC0DE}\TypeLib\Version = "1.0"	NEAS.7866cd3f054d877ecf187047d5e4d340.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{30EB0008-5407-11D4-0000-00601C031E8C}\1.0\FLAGS\ = "0"	NEAS.7866cd3f054d877ecf187047d5e4d340.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{30EB1843-5407-11D4-AA1C-00001C031E8C}\ProgID\ = "Orion.CoreAuto"	NEAS.7866cd3f054d877ecf187047d5e4d340.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{30EB1841-5407-11D4-AA1C-00001C031E8C}	NEAS.7866cd3f054d877ecf187047d5e4d340.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DD5CC8BA-B327-4293-92F2-BD89702FC0DE}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	NEAS.7866cd3f054d877ecf187047d5e4d340.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{30EB1843-5407-11D4-AA1C-00001C031E8C}\TypeLib	NEAS.7866cd3f054d877ecf187047d5e4d340.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{30EB1841-5407-11D4-AA1C-00001C031E8C}\ = "ICoreAuto"	NEAS.7866cd3f054d877ecf187047d5e4d340.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD5CC8BA-B327-4293-92F2-BD89702FC0DE}\ProxyStubClsid32	NEAS.7866cd3f054d877ecf187047d5e4d340.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DD5CC8BA-B327-4293-92F2-BD89702FC0DE}	NEAS.7866cd3f054d877ecf187047d5e4d340.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD5CC8BA-B327-4293-92F2-BD89702FC0DE}\ = "IEvCoreAuto"	NEAS.7866cd3f054d877ecf187047d5e4d340.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD5CC8BA-B327-4293-92F2-BD89702FC0DE}\TypeLib\ = "{30EB0008-5407-11D4-0000-00601C031E8C}"	NEAS.7866cd3f054d877ecf187047d5e4d340.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{30EB1843-5407-11D4-AA1C-00001C031E8C}	NEAS.7866cd3f054d877ecf187047d5e4d340.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Orion.CoreAuto	NEAS.7866cd3f054d877ecf187047d5e4d340.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{30EB0008-5407-11D4-0000-00601C031E8C}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.7866cd3f054d877ecf187047d5e4d340.exe"	NEAS.7866cd3f054d877ecf187047d5e4d340.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{30EB1841-5407-11D4-AA1C-00001C031E8C}\ = "ICoreAuto"	NEAS.7866cd3f054d877ecf187047d5e4d340.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{30EB0008-5407-11D4-0000-00601C031E8C}	NEAS.7866cd3f054d877ecf187047d5e4d340.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{30EB1843-5407-11D4-AA1C-00001C031E8C}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.7866cd3f054d877ecf187047d5e4d340.exe"	NEAS.7866cd3f054d877ecf187047d5e4d340.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD5CC8BA-B327-4293-92F2-BD89702FC0DE}\TypeLib	NEAS.7866cd3f054d877ecf187047d5e4d340.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{30EB0008-5407-11D4-0000-00601C031E8C}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	NEAS.7866cd3f054d877ecf187047d5e4d340.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DD5CC8BA-B327-4293-92F2-BD89702FC0DE}\TypeLib\ = "{30EB0008-5407-11D4-0000-00601C031E8C}"	NEAS.7866cd3f054d877ecf187047d5e4d340.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{30EB1843-5407-11D4-AA1C-00001C031E8C}\Version\ = "1.0"	NEAS.7866cd3f054d877ecf187047d5e4d340.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{30EB1843-5407-11D4-AA1C-00001C031E8C}\TypeLib\ = "{30EB0008-5407-11D4-0000-00601C031E8C}"	NEAS.7866cd3f054d877ecf187047d5e4d340.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{30EB0008-5407-11D4-0000-00601C031E8C}\1.0\HELPDIR	NEAS.7866cd3f054d877ecf187047d5e4d340.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{30EB1841-5407-11D4-AA1C-00001C031E8C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	NEAS.7866cd3f054d877ecf187047d5e4d340.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{30EB0008-5407-11D4-0000-00601C031E8C}\1.0\ = "Orion Library"	NEAS.7866cd3f054d877ecf187047d5e4d340.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{30EB1841-5407-11D4-AA1C-00001C031E8C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	NEAS.7866cd3f054d877ecf187047d5e4d340.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{30EB1841-5407-11D4-AA1C-00001C031E8C}	NEAS.7866cd3f054d877ecf187047d5e4d340.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DD5CC8BA-B327-4293-92F2-BD89702FC0DE}\TypeLib	NEAS.7866cd3f054d877ecf187047d5e4d340.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD5CC8BA-B327-4293-92F2-BD89702FC0DE}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	NEAS.7866cd3f054d877ecf187047d5e4d340.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Orion.CoreAuto\ = "CoreAuto Object"	NEAS.7866cd3f054d877ecf187047d5e4d340.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Orion.CoreAuto\Clsid	NEAS.7866cd3f054d877ecf187047d5e4d340.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{30EB1841-5407-11D4-AA1C-00001C031E8C}\TypeLib\ = "{30EB0008-5407-11D4-0000-00601C031E8C}"	NEAS.7866cd3f054d877ecf187047d5e4d340.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{30EB0008-5407-11D4-0000-00601C031E8C}\1.0	NEAS.7866cd3f054d877ecf187047d5e4d340.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{30EB0008-5407-11D4-0000-00601C031E8C}\1.0\FLAGS	NEAS.7866cd3f054d877ecf187047d5e4d340.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{30EB1841-5407-11D4-AA1C-00001C031E8C}\TypeLib\ = "{30EB0008-5407-11D4-0000-00601C031E8C}"	NEAS.7866cd3f054d877ecf187047d5e4d340.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DD5CC8BA-B327-4293-92F2-BD89702FC0DE}\TypeLib\Version = "1.0"	NEAS.7866cd3f054d877ecf187047d5e4d340.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{30EB1843-5407-11D4-AA1C-00001C031E8C}\ = "CoreAuto Object"	NEAS.7866cd3f054d877ecf187047d5e4d340.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{30EB1843-5407-11D4-AA1C-00001C031E8C}\ProgID	NEAS.7866cd3f054d877ecf187047d5e4d340.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{30EB1841-5407-11D4-AA1C-00001C031E8C}\TypeLib	NEAS.7866cd3f054d877ecf187047d5e4d340.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{30EB1843-5407-11D4-AA1C-00001C031E8C}\Version	NEAS.7866cd3f054d877ecf187047d5e4d340.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{30EB1841-5407-11D4-AA1C-00001C031E8C}\ProxyStubClsid32	NEAS.7866cd3f054d877ecf187047d5e4d340.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DD5CC8BA-B327-4293-92F2-BD89702FC0DE}\ProxyStubClsid32	NEAS.7866cd3f054d877ecf187047d5e4d340.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Orion.CoreAuto\Clsid\ = "{30EB1843-5407-11D4-AA1C-00001C031E8C}"	NEAS.7866cd3f054d877ecf187047d5e4d340.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DD5CC8BA-B327-4293-92F2-BD89702FC0DE}\ = "IEvCoreAuto"	NEAS.7866cd3f054d877ecf187047d5e4d340.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1992	NEAS.7866cd3f054d877ecf187047d5e4d340.exe
1992	NEAS.7866cd3f054d877ecf187047d5e4d340.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1992	NEAS.7866cd3f054d877ecf187047d5e4d340.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1992	NEAS.7866cd3f054d877ecf187047d5e4d340.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.7866cd3f054d877ecf187047d5e4d340.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.7866cd3f054d877ecf187047d5e4d340.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1992-0-0x0000000000400000-0x0000000000BD3000-memory.dmp

Filesize
7.8MB

Download
memory/1992-1-0x0000000077730000-0x0000000077732000-memory.dmp

Filesize
8KB

Download
memory/1992-2-0x0000000000400000-0x0000000000BD3000-memory.dmp

Filesize
7.8MB

Download
memory/1992-4-0x000000000AA10000-0x000000000AA11000-memory.dmp

Filesize
4KB

Download
memory/1992-8-0x000000000AA50000-0x000000000AA51000-memory.dmp

Filesize
4KB

Download
memory/1992-9-0x000000000AAB0000-0x000000000AAB1000-memory.dmp

Filesize
4KB

Download
memory/1992-10-0x000000000AAE0000-0x000000000AAE1000-memory.dmp

Filesize
4KB

Download
memory/1992-14-0x000000000AA60000-0x000000000AA61000-memory.dmp

Filesize
4KB

Download
memory/1992-13-0x000000000AB70000-0x000000000AB71000-memory.dmp

Filesize
4KB

Download
memory/1992-17-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/1992-18-0x000000000AAC0000-0x000000000AAC1000-memory.dmp

Filesize
4KB

Download
memory/1992-19-0x000000000ABB0000-0x000000000ABB1000-memory.dmp

Filesize
4KB

Download
memory/1992-16-0x000000000ABC0000-0x000000000ABC1000-memory.dmp

Filesize
4KB

Download
memory/1992-15-0x000000000AB30000-0x000000000AB31000-memory.dmp

Filesize
4KB

Download
memory/1992-12-0x000000000AA70000-0x000000000AA71000-memory.dmp

Filesize
4KB

Download
memory/1992-11-0x000000000AAD0000-0x000000000AAD1000-memory.dmp

Filesize
4KB

Download
memory/1992-7-0x000000000AA20000-0x000000000AA21000-memory.dmp

Filesize
4KB

Download
memory/1992-6-0x000000000A9C0000-0x000000000A9C1000-memory.dmp

Filesize
4KB

Download
memory/1992-5-0x000000000A9D0000-0x000000000A9D2000-memory.dmp

Filesize
8KB

Download
memory/1992-3-0x000000000AA30000-0x000000000AA31000-memory.dmp

Filesize
4KB

Download
memory/1992-20-0x000000000AB40000-0x000000000AB41000-memory.dmp

Filesize
4KB

Download
memory/1992-21-0x000000000AA40000-0x000000000AA41000-memory.dmp

Filesize
4KB

Download
memory/1992-23-0x000000000ADE0000-0x000000000ADE2000-memory.dmp

Filesize
8KB

Download
memory/1992-24-0x000000000ADC0000-0x000000000ADC2000-memory.dmp

Filesize
8KB

Download
memory/1992-22-0x000000000AAA0000-0x000000000AAA1000-memory.dmp

Filesize
4KB

Download
memory/1992-26-0x000000000AB50000-0x000000000AB51000-memory.dmp

Filesize
4KB

Download
memory/1992-25-0x000000000AB60000-0x000000000AB61000-memory.dmp

Filesize
4KB

Download
memory/1992-30-0x000000000A9E0000-0x000000000A9E1000-memory.dmp

Filesize
4KB

Download
memory/1992-29-0x000000000AA00000-0x000000000AA01000-memory.dmp

Filesize
4KB

Download
memory/1992-31-0x0000000000400000-0x0000000000BD3000-memory.dmp

Filesize
7.8MB

Download
memory/1992-32-0x000000000ABA0000-0x000000000ABA1000-memory.dmp

Filesize
4KB

Download
memory/1992-33-0x000000000AB80000-0x000000000AB81000-memory.dmp

Filesize
4KB

Download
memory/1992-34-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/1992-35-0x0000000000400000-0x0000000000BD3000-memory.dmp

Filesize
7.8MB

Download
memory/1992-36-0x0000000000400000-0x0000000000BD3000-memory.dmp

Filesize
7.8MB

Download
memory/1992-37-0x0000000000400000-0x0000000000BD3000-memory.dmp

Filesize
7.8MB

Download
memory/1992-38-0x0000000000400000-0x0000000000BD3000-memory.dmp

Filesize
7.8MB

Download
memory/1992-39-0x0000000000400000-0x0000000000BD3000-memory.dmp

Filesize
7.8MB

Download
memory/1992-40-0x0000000000400000-0x0000000000BD3000-memory.dmp

Filesize
7.8MB

Download
memory/1992-42-0x0000000000400000-0x0000000000BD3000-memory.dmp

Filesize
7.8MB

Download
memory/1992-43-0x0000000000400000-0x0000000000BD3000-memory.dmp

Filesize
7.8MB

Download
memory/1992-44-0x0000000000400000-0x0000000000BD3000-memory.dmp

Filesize
7.8MB

Download
memory/1992-45-0x0000000000400000-0x0000000000BD3000-memory.dmp

Filesize
7.8MB

Download
memory/1992-46-0x0000000000400000-0x0000000000BD3000-memory.dmp

Filesize
7.8MB

Download
memory/1992-47-0x0000000000400000-0x0000000000BD3000-memory.dmp

Filesize
7.8MB

Download
memory/1992-48-0x0000000000400000-0x0000000000BD3000-memory.dmp

Filesize
7.8MB

Download
memory/1992-49-0x0000000000400000-0x0000000000BD3000-memory.dmp

Filesize
7.8MB

Download