0e5788cdbb66a84053909c36fe68630f93f8a5dce4a4823afa47562f4eebb053

General

Target

NEAS.c4d8c9b20b79d331b8f5c5aca429e0d0.exe
Size

2.5MB
MD5

c4d8c9b20b79d331b8f5c5aca429e0d0
SHA1

6884aca1f28e29a42e6958c1ad475da96a15f75c
SHA256

0e5788cdbb66a84053909c36fe68630f93f8a5dce4a4823afa47562f4eebb053
SHA512

a49cd8a51c88106216041a9e26d9a15fb4f35b8538a43fdf0fb849dd6f48f1830aacb33a55296fa95a54bd4bdefd3844e7b0b1b1b15f091b0dd651c3d2231102
SSDEEP

49152:5II09ihEkGCJB//jOsO2/hCRiAyZNwb1+pi9hMaL1CdYlzTmjr:kl2BhpoiASwb1Gi9hpL1CdGWv

Score

9^/10

evasion persistence themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	NEAS.c4d8c9b20b79d331b8f5c5aca429e0d0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	dhuqaed.exe

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	NEAS.c4d8c9b20b79d331b8f5c5aca429e0d0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	dhuqaed.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	dhuqaed.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	NEAS.c4d8c9b20b79d331b8f5c5aca429e0d0.exe

Executes dropped EXE 1 IoCs

pid	Process
2688	dhuqaed.exe

Themida packer 7 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2304-0-0x0000000000400000-0x0000000000A60000-memory.dmp	themida
behavioral1/memory/2304-1-0x0000000000400000-0x0000000000A60000-memory.dmp	themida
behavioral1/memory/2304-2-0x0000000000400000-0x0000000000A60000-memory.dmp	themida
behavioral1/files/0x000700000001210b-8.dat	themida
behavioral1/files/0x000700000001210b-9.dat	themida
behavioral1/memory/2688-10-0x0000000000400000-0x0000000000A60000-memory.dmp	themida
behavioral1/memory/2688-11-0x0000000000400000-0x0000000000A60000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dhuqaed.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	NEAS.c4d8c9b20b79d331b8f5c5aca429e0d0.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\dhuqaed.exe	NEAS.c4d8c9b20b79d331b8f5c5aca429e0d0.exe
File created	C:\PROGRA~3\Mozilla\fjgblbm.dll	dhuqaed.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2304	NEAS.c4d8c9b20b79d331b8f5c5aca429e0d0.exe
2688	dhuqaed.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 2688	2652	taskeng.exe	29
PID 2652 wrote to memory of 2688	2652	taskeng.exe	29
PID 2652 wrote to memory of 2688	2652	taskeng.exe	29
PID 2652 wrote to memory of 2688	2652	taskeng.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.c4d8c9b20b79d331b8f5c5aca429e0d0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.c4d8c9b20b79d331b8f5c5aca429e0d0.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
PID:2304

C:\Windows\system32\taskeng.exe
taskeng.exe {37EDC350-0D08-4AD1-B9AC-4CBE3D581C71} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2652
- C:\PROGRA~3\Mozilla\dhuqaed.exe
  C:\PROGRA~3\Mozilla\dhuqaed.exe -vpwggce
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
  PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\dhuqaed.exe

Filesize
2.5MB

MD5
1e68d480a3cd2c4a8cc1bad3db1f7a1b

SHA1
0a3a76f6d96eed7cfd15ac826dd6cf4e0bf834e3

SHA256
11a81348cf1b76059be695c304b5428d4d770607947ea8d6c54be165e19377a2

SHA512
1ebf0f96af67a976e86b10f45f8849477ad29ccca39b6f50c2f0b12944fcaf364ea696d3e13645772cad2a028abad8914f8cfe2aae6efb101122157f766d85c9

Download Submit
C:\PROGRA~3\Mozilla\dhuqaed.exe

Filesize
2.5MB

MD5
1e68d480a3cd2c4a8cc1bad3db1f7a1b

SHA1
0a3a76f6d96eed7cfd15ac826dd6cf4e0bf834e3

SHA256
11a81348cf1b76059be695c304b5428d4d770607947ea8d6c54be165e19377a2

SHA512
1ebf0f96af67a976e86b10f45f8849477ad29ccca39b6f50c2f0b12944fcaf364ea696d3e13645772cad2a028abad8914f8cfe2aae6efb101122157f766d85c9

Download Submit
memory/2304-7-0x0000000000AD0000-0x0000000000B2C000-memory.dmp

Filesize
368KB

Download
memory/2304-3-0x0000000000AD0000-0x0000000000B2C000-memory.dmp

Filesize
368KB

Download
memory/2304-4-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2304-6-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2304-0-0x0000000000400000-0x0000000000A60000-memory.dmp

Filesize
6.4MB

Download
memory/2304-2-0x0000000000400000-0x0000000000A60000-memory.dmp

Filesize
6.4MB

Download
memory/2304-1-0x0000000000400000-0x0000000000A60000-memory.dmp

Filesize
6.4MB

Download
memory/2688-10-0x0000000000400000-0x0000000000A60000-memory.dmp

Filesize
6.4MB

Download
memory/2688-11-0x0000000000400000-0x0000000000A60000-memory.dmp

Filesize
6.4MB

Download
memory/2688-12-0x0000000000260000-0x00000000002BC000-memory.dmp

Filesize
368KB

Download
memory/2688-13-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2688-15-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2688-16-0x0000000000260000-0x00000000002BC000-memory.dmp

Filesize
368KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads