6d6ef77389142cbd7f052270f417cdb703f0872d48e4625483f252c47707e2de

General

Target

NEAS.76c625b70730c66be38715ed3d5778e0.exe
Size

2.4MB
MD5

76c625b70730c66be38715ed3d5778e0
SHA1

3184c2b9bac6f8013e211021e1ba0b54a26852a7
SHA256

6d6ef77389142cbd7f052270f417cdb703f0872d48e4625483f252c47707e2de
SHA512

62c11bbec851cc481ab4dd3f25b6354822b0792ad1353c5b2d3f2e99214938811d4645eb11a2434cfba480b484ea85067a9106e11f0cc9fcbe3de33672bc76f2
SSDEEP

49152:L3KoBQxG9i9w4QclMHG/m9FBiC1y/uUNxff0vhtAFE9P/qX/S+:L3KkQMcNQlHG/oF8aUz0vnx9C

Score

9^/10

evasion persistence themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	NEAS.76c625b70730c66be38715ed3d5778e0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	pwhehon.exe

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	pwhehon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	NEAS.76c625b70730c66be38715ed3d5778e0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	NEAS.76c625b70730c66be38715ed3d5778e0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	pwhehon.exe

Executes dropped EXE 1 IoCs

pid	Process
3040	pwhehon.exe

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2764-0-0x0000000000400000-0x0000000000A91000-memory.dmp	themida
behavioral1/files/0x00080000000120f1-9.dat	themida
behavioral1/files/0x00080000000120f1-10.dat	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	NEAS.76c625b70730c66be38715ed3d5778e0.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	pwhehon.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\pwhehon.exe	NEAS.76c625b70730c66be38715ed3d5778e0.exe
File created	C:\PROGRA~3\Mozilla\mudzpnf.dll	pwhehon.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2764	NEAS.76c625b70730c66be38715ed3d5778e0.exe
3040	pwhehon.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2776 wrote to memory of 3040	2776	taskeng.exe	30
PID 2776 wrote to memory of 3040	2776	taskeng.exe	30
PID 2776 wrote to memory of 3040	2776	taskeng.exe	30
PID 2776 wrote to memory of 3040	2776	taskeng.exe	30

C:\Users\Admin\AppData\Local\Temp\NEAS.76c625b70730c66be38715ed3d5778e0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.76c625b70730c66be38715ed3d5778e0.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
PID:2764

C:\Windows\system32\taskeng.exe
taskeng.exe {2AEAB117-35CA-4733-A386-4BD88D6FF977} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2776
- C:\PROGRA~3\Mozilla\pwhehon.exe
  C:\PROGRA~3\Mozilla\pwhehon.exe -arzwbsb
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
  PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\pwhehon.exe

Filesize
2.4MB

MD5
64e7a8d94a9e5e9dba256ac60ae34e44

SHA1
928208dc4cf4a20d8a56453234dfbe86dc18cbd4

SHA256
988788360269f522170e5bc54d1713dde5c135ed586666c8147d5e102c203b95

SHA512
00d1dd0cd7483d09a8fc60279aec6a9f525f591168302c11078c5d525b053b359a1e2ba4bd805641ae6bd2def05983080bd5269f360c087977a8419db6338a3e

Download Submit
C:\PROGRA~3\Mozilla\pwhehon.exe

Filesize
2.4MB

MD5
64e7a8d94a9e5e9dba256ac60ae34e44

SHA1
928208dc4cf4a20d8a56453234dfbe86dc18cbd4

SHA256
988788360269f522170e5bc54d1713dde5c135ed586666c8147d5e102c203b95

SHA512
00d1dd0cd7483d09a8fc60279aec6a9f525f591168302c11078c5d525b053b359a1e2ba4bd805641ae6bd2def05983080bd5269f360c087977a8419db6338a3e

Download Submit
memory/2764-8-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2764-4-0x0000000000400000-0x0000000000A91000-memory.dmp

Filesize
6.6MB

Download
memory/2764-5-0x0000000002660000-0x00000000026BB000-memory.dmp

Filesize
364KB

Download
memory/2764-6-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2764-0-0x0000000000400000-0x0000000000A91000-memory.dmp

Filesize
6.6MB

Download
memory/2764-2-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2764-1-0x0000000002660000-0x00000000026BB000-memory.dmp

Filesize
364KB

Download
memory/3040-11-0x0000000001170000-0x00000000011CB000-memory.dmp

Filesize
364KB

Download
memory/3040-12-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3040-14-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3040-15-0x0000000001170000-0x00000000011CB000-memory.dmp

Filesize
364KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads