Analysis

  • max time kernel
    118s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
  • submitted
    06-11-2023 01:37

General

  • Target
    NEAS.61ab9d4f3a5493ce8f2959a6eea1bff0.exe
  • Size
    2.6MB
  • MD5
    61ab9d4f3a5493ce8f2959a6eea1bff0
  • SHA1
    d31ca633dafd80e0e603ab3cb84cdc3c3d1d852c
  • SHA256
    c70072a79ee4f1793dd6ee13624178c7dbc8c085a99715a2e19f89e59e83d2b3
  • SHA512
    a1a50232bb98a03835f1c4d5138c792a069ba8ce408e5d3194ad6cdc1389b939d2b0fc5b3cdadcd6fbf4ec62a08ea1c9a2bb4b43982bbffead01847bc942fd9a
  • SSDEEP
    49152:kr+2uK5YdMOMRhPtlRmTIIpMKo+GervVPMrG801uHBPbwwvRsfQ:kr/vDRd1BrGMHVqQ

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
  • Modifies AppInit DLL entries (2 TTPs)
  • Checks BIOS information in registry (2 TTPs, 4 IoCs)
    BIOS information is often read in order to detect sandboxing environments.
  • Executes dropped EXE (1 IoC)
  • Themida packer (5 IoCs)
    Detects Themida, an advanced Windows software protection system.
  • Checks whether UAC is enabled (1 TTP, 2 IoCs)
  • Drops file in Program Files directory (2 IoCs)
  • Suspicious use of UnmapMainImage (2 IoCs)
  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.61ab9d4f3a5493ce8f2959a6eea1bff0.exe (PID 2152)
    "C:\Users\Admin\AppData\Local\Temp\NEAS.61ab9d4f3a5493ce8f2959a6eea1bff0.exe"
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Suspicious use of UnmapMainImage
  • C:\Windows\system32\taskeng.exe (PID 2876)
    taskeng.exe {87DF26BC-E42B-4D36-AE10-9E946C971626} S-1-5-18:NT AUTHORITY\System:Service:
    • Suspicious use of WriteProcessMemory
    • C:\PROGRA~3\Mozilla\ajahmjj.exe (PID 2276, child of 2876)
      C:\PROGRA~3\Mozilla\ajahmjj.exe -mngyzad
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Drops file in Program Files directory
      • Suspicious use of UnmapMainImage
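The Signatures list and the process tree above describe a sequence that is easy to turn into behaviour rules: registry reads of the VirtualBox ACPI table names and the BIOS strings (sandbox fingerprinting), a read of the UAC flag, a write to the AppInit_DLLs persistence value, an EXE dropped under C:\PROGRA~3 and that same EXE later started by taskeng.exe as SYSTEM. The following is an added example, not part of the sandbox report or its signature engine. The event shape is this example's own, loosely modelled on Sysmon process-create, file-create and registry events; the sample events are constructed from the tree above (the AppInit write is attributed to PID 2152 here only for illustration, since the report lists that signature with no process or IoC), and the registry paths are the standard locations these checks use, not values quoted on the page. It also assumes C:\PROGRA~3 is the 8.3 alias of C:\ProgramData, the usual mapping on Windows 7 x64 but not a guaranteed one.

```python
"""Behaviour rules for this report's signatures, run over constructed events."""
import re
from collections import Counter

# Assumption: PROGRA~3 is the short name of ProgramData on this Win7 x64 image
# (PROGRA~1 / PROGRA~2 being the two Program Files directories). Not guaranteed.
SHORT_NAMES = {"progra~3": "programdata"}

# Standard registry locations behind the signatures (all matched lower-cased).
ACPI_VBOX = re.compile(r"^hklm\\hardware\\acpi\\(dsdt|fadt|rsdt)\\vbox__")
BIOS_INFO = re.compile(r"^hklm\\hardware\\description\\system\\"
                       r"(systembiosversion|videobiosversion|systembiosdate)$")
UAC_FLAG = re.compile(r"^hklm\\software\\microsoft\\windows\\currentversion\\"
                      r"policies\\system\\enablelua$")
APPINIT = re.compile(r"^hklm\\software\\(wow6432node\\)?microsoft\\windows nt\\"
                     r"currentversion\\windows\\(appinit_dlls|loadappinit_dlls)$")
PROGRAMDATA_EXE = re.compile(r"^c:\\programdata\\.+\.exe$")


def normalize_path(path):
    """Lower-case a path and expand the short directory aliases we know about."""
    return "\\".join(SHORT_NAMES.get(part, part) for part in path.lower().split("\\"))


def is_system(event):
    return event.get("sid") == "S-1-5-18" or event.get("user", "").lower() == "nt authority\\system"


def classify(event, dropped):
    """Return the rule names one event matches; `dropped` is the set of EXEs written so far."""
    hits = []
    kind = event["kind"]
    if kind == "registry":
        path = normalize_path(event["path"])
        read = event["op"] == "query"
        if read and ACPI_VBOX.match(path):
            hits.append("anti_vm_acpi")           # VirtualBox ACPI table names
        if read and BIOS_INFO.match(path):
            hits.append("bios_check")             # BIOS strings used to spot sandboxes
        if read and UAC_FLAG.match(path):
            hits.append("uac_check")
        if not read and APPINIT.match(path):
            hits.append("appinit_persistence")    # DLL loaded into every user32 process
    elif kind == "file_create":
        target = normalize_path(event["target"])
        if PROGRAMDATA_EXE.match(target):
            dropped.add(target)
            hits.append("drops_exe_in_programdata")
    elif kind == "process_create":
        image = normalize_path(event["image"])
        if image in dropped:
            hits.append("executes_dropped_exe")
        if normalize_path(event["parent"]).endswith("\\taskeng.exe") and PROGRAMDATA_EXE.match(image):
            hits.append("task_scheduler_launch_from_programdata")
            if is_system(event):
                hits.append("runs_as_system")
    return hits


def run_rules(events):
    """Apply classify() in event order; return (rule counts, rules per PID)."""
    dropped, counts, per_pid = set(), Counter(), {}
    for ev in events:
        for rule in classify(ev, dropped):
            counts[rule] += 1
            per_pid.setdefault(ev["pid"], set()).add(rule)
    return counts, per_pid


# Constructed events following the process tree: 2152 is the submitted sample,
# 2876 is taskeng.exe, 2276 is the dropped EXE it launches. The two trailing
# events are benign noise that must not fire.
SAMPLE_EVENTS = [
    {"kind": "registry", "pid": 2152, "op": "query", "path": r"HKLM\HARDWARE\ACPI\DSDT\VBOX__"},
    {"kind": "registry", "pid": 2152, "op": "query", "path": r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"kind": "registry", "pid": 2152, "op": "query", "path": r"HKLM\HARDWARE\DESCRIPTION\System\VideoBiosVersion"},
    {"kind": "registry", "pid": 2152, "op": "query", "path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"},
    {"kind": "file_create", "pid": 2152, "target": r"C:\PROGRA~3\Mozilla\ajahmjj.exe"},
    {"kind": "registry", "pid": 2152, "op": "set", "path": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs"},
    {"kind": "process_create", "pid": 2276, "parent_pid": 2876, "parent": r"C:\Windows\system32\taskeng.exe",
     "image": r"C:\PROGRA~3\Mozilla\ajahmjj.exe", "cmdline": r"C:\PROGRA~3\Mozilla\ajahmjj.exe -mngyzad", "sid": "S-1-5-18"},
    {"kind": "registry", "pid": 2276, "op": "query", "path": r"HKLM\HARDWARE\ACPI\FADT\VBOX__"},
    {"kind": "registry", "pid": 2276, "op": "query", "path": r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosDate"},
    {"kind": "registry", "pid": 2276, "op": "query", "path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
    {"kind": "process_create", "pid": 3000, "parent_pid": 1500, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe", "user": r"WIN7\Admin"},
]

if __name__ == "__main__":
    counts, per_pid = run_rules(SAMPLE_EVENTS)
    for rule, n in sorted(counts.items()):
        print(f"{rule:40s} {n}")
    for pid, rules in sorted(per_pid.items()):
        print(pid, sorted(rules))
```

The chain that matters for triage is the last three rules firing on one PID: a file written under ProgramData is later the image of a process whose parent is the Task Scheduler engine running as SYSTEM, which is the persistence and privilege story the process tree tells. Per-PID grouping is what lets a single event stream reproduce the report's layout of signatures under each process.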

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\PROGRA~3\Mozilla\ajahmjj.exe
    Filesize: 2.6MB
    MD5: a529473537f4d09e32a89fbfa919f497
    SHA1: a80fe07c6e70c97cb2c1d0275eb17f7f92377cd1
    SHA256: 04a5d7b6e49bc726bdaeed2ed179ec9b5bda1b0cf4bee8c995b7867d74c3fdf0
    SHA512: 294b131c5d45f5779f01ef7ae1d26bdff907eb9ae9a368c6b3b66693ee234cfd2e844c5278c1bb3724031738965cf24b5899d5022e5b740f8fc793a03540577c

  • memory/2152-0-0x0000000000400000-0x0000000000AB4000-memory.dmp
    Filesize: 6.7MB
  • memory/2152-1-0x0000000000400000-0x0000000000AB4000-memory.dmp
    Filesize: 6.7MB
  • memory/2152-3-0x0000000000400000-0x000000000045B000-memory.dmp
    Filesize: 364KB
  • memory/2152-2-0x0000000000260000-0x00000000002BB000-memory.dmp
    Filesize: 364KB
  • memory/2152-5-0x0000000000400000-0x000000000045B000-memory.dmp
    Filesize: 364KB
  • memory/2276-8-0x0000000000400000-0x0000000000AB4000-memory.dmp
    Filesize: 6.7MB
  • memory/2276-9-0x00000000011D0000-0x000000000122B000-memory.dmp
    Filesize: 364KB
  • memory/2276-10-0x0000000000400000-0x000000000045B000-memory.dmp
    Filesize: 364KB
  • memory/2276-12-0x0000000000400000-0x000000000045B000-memory.dmp
    Filesize: 364KB
  • memory/2276-13-0x00000000011D0000-0x000000000122B000-memory.dmp
    Filesize: 364KB
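The memory-dump names above encode the PID, a dump index and the address range, and the two sizes the report prints (6.7MB and 364KB) follow from those ranges. In both processes the region at 0x400000, the usual image base, is first dumped spanning the whole 6.7MB packed image and later only 364KB, while a separate 364KB region (0x260000 in PID 2152, 0x11D0000 in PID 2276) appears alongside it; that pattern is consistent with the "Suspicious use of UnmapMainImage" signature, where the original mapping at the image base is unmapped and replaced, though the page does not state the mechanism. The following is an added example, not from the sandbox, that parses the names as they appear on this page (memory/<pid>-<index>-<start>-<end>-memory.dmp), checks the printed labels against the ranges assuming the report rounds with 1 KB = 1024 bytes (one decimal for MB, whole KB otherwise), and flags the base that shrank; both the name pattern and the rounding are inferences from the page, not a documented format.

```python
"""Parse the memory-dump names above and cross-check the sizes the report prints."""
import re

# Name pattern as inferred from this page (not a documented format).
DUMP_NAME = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")

# (name, printed size label) pairs copied from the Downloads section above.
REPORT_DUMPS = [
    ("memory/2152-0-0x0000000000400000-0x0000000000AB4000-memory.dmp", "6.7MB"),
    ("memory/2152-1-0x0000000000400000-0x0000000000AB4000-memory.dmp", "6.7MB"),
    ("memory/2152-3-0x0000000000400000-0x000000000045B000-memory.dmp", "364KB"),
    ("memory/2152-2-0x0000000000260000-0x00000000002BB000-memory.dmp", "364KB"),
    ("memory/2152-5-0x0000000000400000-0x000000000045B000-memory.dmp", "364KB"),
    ("memory/2276-8-0x0000000000400000-0x0000000000AB4000-memory.dmp", "6.7MB"),
    ("memory/2276-9-0x00000000011D0000-0x000000000122B000-memory.dmp", "364KB"),
    ("memory/2276-10-0x0000000000400000-0x000000000045B000-memory.dmp", "364KB"),
    ("memory/2276-12-0x0000000000400000-0x000000000045B000-memory.dmp", "364KB"),
    ("memory/2276-13-0x00000000011D0000-0x000000000122B000-memory.dmp", "364KB"),
]


def parse_dump_name(name):
    """Split a dump name into pid, dump index and the [start, end) address range."""
    m = DUMP_NAME.match(name)
    if m is None:
        raise ValueError(f"not a memory dump name: {name!r}")
    pid, index, start, end = int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name!r}")
    return {"pid": pid, "index": index, "start": start, "end": end, "size": end - start}


def human_size(n):
    """Reproduce the report's size labels (assumed rounding: 1 KB = 1024 bytes)."""
    if n >= 1024 * 1024:
        return f"{n / (1024 * 1024):.1f}MB"
    return f"{n // 1024}KB"


def verify_labels(dumps):
    """Return the names whose printed size label disagrees with the address range."""
    return [name for name, label in dumps if human_size(parse_dump_name(name)["size"]) != label]


def shrinking_bases(dumps):
    """Find (pid, base) pairs that were re-dumped with a smaller region later in the run.

    Dumps are ordered by (pid, index) because the page lists 2152-3 before 2152-2.
    A region at the executable's base that first covers the whole packed image and
    later only a small part of it is what an in-place replacement of the main image
    looks like from the outside.
    """
    parsed = sorted((parse_dump_name(n) for n, _ in dumps), key=lambda d: (d["pid"], d["index"]))
    last, events = {}, []
    for d in parsed:
        key = (d["pid"], d["start"])
        if key in last and d["size"] < last[key]:
            events.append({"pid": d["pid"], "base": d["start"], "index": d["index"],
                           "before": last[key], "after": d["size"]})
        last[key] = d["size"]
    return events


def same_size_elsewhere(dumps, shrink):
    """Bases of other regions in the same PID whose size equals the shrunk mapping."""
    bases = set()
    for name, _ in dumps:
        d = parse_dump_name(name)
        if d["pid"] == shrink["pid"] and d["size"] == shrink["after"] and d["start"] != shrink["base"]:
            bases.add(d["start"])
    return sorted(bases)


if __name__ == "__main__":
    print("label mismatches:", verify_labels(REPORT_DUMPS))
    for s in shrinking_bases(REPORT_DUMPS):
        print(f"pid {s['pid']}: base {s['base']:#x} went from {human_size(s['before'])} "
              f"to {human_size(s['after'])} at dump {s['index']}; "
              f"same-size regions elsewhere: {[hex(b) for b in same_size_elsewhere(REPORT_DUMPS, s)]}")
```

The 364KB dumps are the ones worth loading first when unpacking: the later dumps at 0x400000 hold whatever replaced the packed image, and the equal-sized region at a different base in each process is a candidate for where that payload was staged before being mapped over the original. Size equality alone does not prove they are the same bytes; compare the dumps before drawing that conclusion.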