2d0e4d3a259a50ed3f7d1ea67be6ddf426f5b7dcacd5f494d00b78321c40d4e4

General

Target

NEAS.4974df26a9e6b84577a351703ae429a0.exe
Size

2.5MB
MD5

4974df26a9e6b84577a351703ae429a0
SHA1

148ad51f9779e67c210a8090f9ea6002366bd9fe
SHA256

2d0e4d3a259a50ed3f7d1ea67be6ddf426f5b7dcacd5f494d00b78321c40d4e4
SHA512

5e80e158af8850e575f9ca077f4538478fce0a8d1c5d746fb4e58d5ce37fecd6d79f0c97c83812c2b9ee763ac7c69291bf6c349104cb678d8b605bb6aa57d1b2
SSDEEP

49152:y4daOqAehx7x20RKuniOJqfU7F1tLYoNovTE3pzNx0FOnpe4v/68M:cP7tRtrJq88SqgnpXiH

Score

9^/10

evasion persistence themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	NEAS.4974df26a9e6b84577a351703ae429a0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	suvkbwn.exe

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	suvkbwn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	NEAS.4974df26a9e6b84577a351703ae429a0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	NEAS.4974df26a9e6b84577a351703ae429a0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	suvkbwn.exe

Executes dropped EXE 1 IoCs

pid	Process
3008	suvkbwn.exe

Themida packer 7 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/1612-0-0x0000000000400000-0x0000000000A57000-memory.dmp	themida
behavioral1/memory/1612-1-0x0000000000400000-0x0000000000A57000-memory.dmp	themida
behavioral1/memory/1612-2-0x0000000000400000-0x0000000000A57000-memory.dmp	themida
behavioral1/files/0x000d000000012286-7.dat	themida
behavioral1/files/0x000d000000012286-8.dat	themida
behavioral1/memory/3008-9-0x0000000000400000-0x0000000000A57000-memory.dmp	themida
behavioral1/memory/3008-10-0x0000000000400000-0x0000000000A57000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	NEAS.4974df26a9e6b84577a351703ae429a0.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	suvkbwn.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\suvkbwn.exe	NEAS.4974df26a9e6b84577a351703ae429a0.exe
File created	C:\PROGRA~3\Mozilla\wfwcssm.dll	suvkbwn.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1612	NEAS.4974df26a9e6b84577a351703ae429a0.exe
3008	suvkbwn.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 3008	2268	taskeng.exe	29
PID 2268 wrote to memory of 3008	2268	taskeng.exe	29
PID 2268 wrote to memory of 3008	2268	taskeng.exe	29
PID 2268 wrote to memory of 3008	2268	taskeng.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.4974df26a9e6b84577a351703ae429a0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.4974df26a9e6b84577a351703ae429a0.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
PID:1612

C:\Windows\system32\taskeng.exe
taskeng.exe {7C7497F5-3878-41AA-8A74-C95824883CA6} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2268
- C:\PROGRA~3\Mozilla\suvkbwn.exe
  C:\PROGRA~3\Mozilla\suvkbwn.exe -tlhykym
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
  PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\suvkbwn.exe

Filesize
2.5MB

MD5
c57e3acd519b01bdd5e4cf73d8412c1f

SHA1
da61c166663df8f05f705a5a0b961dc61ce70852

SHA256
e23d84d2c4f36b9688b9280b71772a9165356a518cd53b1b4db64c5c2a84a6ee

SHA512
49594166569a452b43e77c754c4b16babbf2ab9b4e688ae745622d535d6c48799d1e109aa5a7e7f6ca3bc560f65b59bc69f1232e7ba1ca33a3955f8daf725e27

Download Submit
C:\PROGRA~3\Mozilla\suvkbwn.exe

Filesize
2.5MB

MD5
c57e3acd519b01bdd5e4cf73d8412c1f

SHA1
da61c166663df8f05f705a5a0b961dc61ce70852

SHA256
e23d84d2c4f36b9688b9280b71772a9165356a518cd53b1b4db64c5c2a84a6ee

SHA512
49594166569a452b43e77c754c4b16babbf2ab9b4e688ae745622d535d6c48799d1e109aa5a7e7f6ca3bc560f65b59bc69f1232e7ba1ca33a3955f8daf725e27

Download Submit
memory/1612-3-0x0000000000A60000-0x0000000000ABC000-memory.dmp

Filesize
368KB

Download
memory/1612-0-0x0000000000400000-0x0000000000A57000-memory.dmp

Filesize
6.3MB

Download
memory/1612-4-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1612-6-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1612-2-0x0000000000400000-0x0000000000A57000-memory.dmp

Filesize
6.3MB

Download
memory/1612-1-0x0000000000400000-0x0000000000A57000-memory.dmp

Filesize
6.3MB

Download
memory/3008-9-0x0000000000400000-0x0000000000A57000-memory.dmp

Filesize
6.3MB

Download
memory/3008-10-0x0000000000400000-0x0000000000A57000-memory.dmp

Filesize
6.3MB

Download
memory/3008-11-0x0000000000A60000-0x0000000000ABC000-memory.dmp

Filesize
368KB

Download
memory/3008-12-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3008-14-0x0000000000A60000-0x0000000000ABC000-memory.dmp

Filesize
368KB

Download
memory/3008-15-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads