Overview

overview

10

Static

static

7

NEAS.e8b8f...a0.exe

windows7-x64

10

NEAS.e8b8f...a0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    131s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
  • submitted
    07/11/2023, 04:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.e8b8fde37bf5933ef87d2557a3931fa0.exe

  • Size

    2.5MB

  • MD5

    e8b8fde37bf5933ef87d2557a3931fa0

  • SHA1

    d8af5c90ec1dcd416a66657c40b4d0e830caf139

  • SHA256

    f99a37b08deb8a1e29b6c2ae92b5de92d8d16a0ef443ae999b8522d9023c9815

  • SHA512

    2995caf7fd1c9f68720a209a00f9e8a5e7556523e04c9709036bf8827791cf57fef402e5c88888fb5874e07f304c79419a8d3db5aee9b1285c7136c88c25ed50

  • SSDEEP

    49152:u4sYA5APvJjKEDMiXKEHPle6bYuYaig+CcMyc20D++qx376m8pSwCygAq:u4XjPvJjVNXKCsMY5XAjSH377GnCygx

Score
10/10
evasionpersistencethemidatrojan

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 10 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Themida packer 33 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 5 IoCs
    evasiontrojan
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Drops file in Windows directory 4 IoCs
  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.e8b8fde37bf5933ef87d2557a3931fa0.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.e8b8fde37bf5933ef87d2557a3931fa0.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2744
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2144
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2612
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Modifies visiblity of hidden/system files in Explorer
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops file in System32 directory
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2296
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe PR
            5⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Checks whether UAC is enabled
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetWindowsHookEx
            PID:2676
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:34 /f
            5⤵
            • Creates scheduled task(s)
            PID:2148
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:35 /f
            5⤵
            • Creates scheduled task(s)
            PID:912
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:36 /f
            5⤵
            • Creates scheduled task(s)
            PID:1892
      • C:\Windows\Explorer.exe
        C:\Windows\Explorer.exe
        3⤵
          PID:2628

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\Resources\Themes\explorer.exe
      Filesize

      2.5MB

      MD5

      f4b3d8b2982dc3612296cdf5d18f7cba

      SHA1

      a1c37ffb7d5ea2c5b2eb0d69f3d3da5a4cce5619

      SHA256

      9148d18a3a51a9396cba06db37f977fbb9e3477bc16638bbcbf70e6e75f47673

      SHA512

      a3025c291b7b74e17ef2e474263eeb9ceaf6170127b245dff294037781059bcfc02f2ff981b4e071d993766d0363e421608e2aba165c5406dcaea7c50a8be40d

      Download Submit

    • C:\Windows\Resources\spoolsv.exe
      Filesize

      2.5MB

      MD5

      2ce873866f7583ded713fab40c5e56ac

      SHA1

      ab374f6157a9646f1f9b75484f790b4da25c481e

      SHA256

      fb6fa1f40e2304a9b84e79e1492e864bdef6cb587d00776f1f452ba3867eafac

      SHA512

      932483a0c53de00f2f3dc712ecda48b46def30adedc945974bcbf1eef37953eeebe48ee9177bf14d17200d3fd17732e24022bf165949d686d258faea466238df

      Download Submit

    • C:\Windows\Resources\spoolsv.exe
      Filesize

      2.5MB

      MD5

      2ce873866f7583ded713fab40c5e56ac

      SHA1

      ab374f6157a9646f1f9b75484f790b4da25c481e

      SHA256

      fb6fa1f40e2304a9b84e79e1492e864bdef6cb587d00776f1f452ba3867eafac

      SHA512

      932483a0c53de00f2f3dc712ecda48b46def30adedc945974bcbf1eef37953eeebe48ee9177bf14d17200d3fd17732e24022bf165949d686d258faea466238df

      Download Submit

    • C:\Windows\Resources\spoolsv.exe
      Filesize

      2.5MB

      MD5

      2ce873866f7583ded713fab40c5e56ac

      SHA1

      ab374f6157a9646f1f9b75484f790b4da25c481e

      SHA256

      fb6fa1f40e2304a9b84e79e1492e864bdef6cb587d00776f1f452ba3867eafac

      SHA512

      932483a0c53de00f2f3dc712ecda48b46def30adedc945974bcbf1eef37953eeebe48ee9177bf14d17200d3fd17732e24022bf165949d686d258faea466238df

      Download Submit

    • C:\Windows\Resources\svchost.exe
      Filesize

      2.5MB

      MD5

      31d5fa79e4067310c612e7e3978ea339

      SHA1

      06075850f3dbab2f55346f17eca3a7e43b31d76f

      SHA256

      ec55b79e207c73d5e728777ff885ec56f19dfd3f9d20a38e7c73f6139e85e459

      SHA512

      04eceac97efc698b8eaee984c18267b61055b8ce829f84d7c8434eb6c2486cfcf6a68dc68505ba68edaf01307d3542aa15e3912070b4363a126ecac373fcd43d

      Download Submit

    • \??\c:\windows\resources\spoolsv.exe
      Filesize

      2.5MB

      MD5

      2ce873866f7583ded713fab40c5e56ac

      SHA1

      ab374f6157a9646f1f9b75484f790b4da25c481e

      SHA256

      fb6fa1f40e2304a9b84e79e1492e864bdef6cb587d00776f1f452ba3867eafac

      SHA512

      932483a0c53de00f2f3dc712ecda48b46def30adedc945974bcbf1eef37953eeebe48ee9177bf14d17200d3fd17732e24022bf165949d686d258faea466238df

      Download Submit

    • \??\c:\windows\resources\svchost.exe
      Filesize

      2.5MB

      MD5

      31d5fa79e4067310c612e7e3978ea339

      SHA1

      06075850f3dbab2f55346f17eca3a7e43b31d76f

      SHA256

      ec55b79e207c73d5e728777ff885ec56f19dfd3f9d20a38e7c73f6139e85e459

      SHA512

      04eceac97efc698b8eaee984c18267b61055b8ce829f84d7c8434eb6c2486cfcf6a68dc68505ba68edaf01307d3542aa15e3912070b4363a126ecac373fcd43d

      Download Submit

    • \??\c:\windows\resources\themes\explorer.exe
      Filesize

      2.5MB

      MD5

      f4b3d8b2982dc3612296cdf5d18f7cba

      SHA1

      a1c37ffb7d5ea2c5b2eb0d69f3d3da5a4cce5619

      SHA256

      9148d18a3a51a9396cba06db37f977fbb9e3477bc16638bbcbf70e6e75f47673

      SHA512

      a3025c291b7b74e17ef2e474263eeb9ceaf6170127b245dff294037781059bcfc02f2ff981b4e071d993766d0363e421608e2aba165c5406dcaea7c50a8be40d

      Download Submit

    • \Windows\Resources\Themes\explorer.exe
      Filesize

      2.5MB

      MD5

      f4b3d8b2982dc3612296cdf5d18f7cba

      SHA1

      a1c37ffb7d5ea2c5b2eb0d69f3d3da5a4cce5619

      SHA256

      9148d18a3a51a9396cba06db37f977fbb9e3477bc16638bbcbf70e6e75f47673

      SHA512

      a3025c291b7b74e17ef2e474263eeb9ceaf6170127b245dff294037781059bcfc02f2ff981b4e071d993766d0363e421608e2aba165c5406dcaea7c50a8be40d

      Download Submit

    • \Windows\Resources\spoolsv.exe
      Filesize

      2.5MB

      MD5

      2ce873866f7583ded713fab40c5e56ac

      SHA1

      ab374f6157a9646f1f9b75484f790b4da25c481e

      SHA256

      fb6fa1f40e2304a9b84e79e1492e864bdef6cb587d00776f1f452ba3867eafac

      SHA512

      932483a0c53de00f2f3dc712ecda48b46def30adedc945974bcbf1eef37953eeebe48ee9177bf14d17200d3fd17732e24022bf165949d686d258faea466238df

      Download Submit

    • \Windows\Resources\spoolsv.exe
      Filesize

      2.5MB

      MD5

      2ce873866f7583ded713fab40c5e56ac

      SHA1

      ab374f6157a9646f1f9b75484f790b4da25c481e

      SHA256

      fb6fa1f40e2304a9b84e79e1492e864bdef6cb587d00776f1f452ba3867eafac

      SHA512

      932483a0c53de00f2f3dc712ecda48b46def30adedc945974bcbf1eef37953eeebe48ee9177bf14d17200d3fd17732e24022bf165949d686d258faea466238df

      Download Submit

    • \Windows\Resources\svchost.exe
      Filesize

      2.5MB

      MD5

      31d5fa79e4067310c612e7e3978ea339

      SHA1

      06075850f3dbab2f55346f17eca3a7e43b31d76f

      SHA256

      ec55b79e207c73d5e728777ff885ec56f19dfd3f9d20a38e7c73f6139e85e459

      SHA512

      04eceac97efc698b8eaee984c18267b61055b8ce829f84d7c8434eb6c2486cfcf6a68dc68505ba68edaf01307d3542aa15e3912070b4363a126ecac373fcd43d

      Download Submit

    • memory/2144-69-0x0000000000400000-0x0000000000A05000-memory.dmp

      Filesize

      6.0MB

      Download

    • memory/2144-67-0x0000000000400000-0x0000000000A05000-memory.dmp

      Filesize

      6.0MB

      Download

    • memory/2144-59-0x0000000000400000-0x0000000000A05000-memory.dmp

      Filesize

      6.0MB

      Download

    • memory/2144-22-0x0000000003430000-0x0000000003A35000-memory.dmp

      Filesize

      6.0MB

      Download

    • memory/2144-12-0x0000000000400000-0x0000000000A05000-memory.dmp

      Filesize

      6.0MB

      Download

    • memory/2144-37-0x0000000000400000-0x0000000000A05000-memory.dmp

      Filesize

      6.0MB

      Download

    • memory/2144-79-0x0000000000400000-0x0000000000A05000-memory.dmp

      Filesize

      6.0MB

      Download

    • memory/2144-81-0x0000000000400000-0x0000000000A05000-memory.dmp

      Filesize

      6.0MB

      Download

    • memory/2296-38-0x0000000000400000-0x0000000000A05000-memory.dmp

      Filesize

      6.0MB

      Download

    • memory/2296-68-0x0000000000400000-0x0000000000A05000-memory.dmp

      Filesize

      6.0MB

      Download

    • memory/2296-58-0x0000000003390000-0x0000000003995000-memory.dmp

      Filesize

      6.0MB

      Download

    • memory/2296-46-0x0000000003390000-0x0000000003995000-memory.dmp

      Filesize

      6.0MB

      Download

    • memory/2296-56-0x0000000000400000-0x0000000000A05000-memory.dmp

      Filesize

      6.0MB

      Download

    • memory/2612-54-0x0000000000400000-0x0000000000A05000-memory.dmp

      Filesize

      6.0MB

      Download

    • memory/2612-45-0x0000000000400000-0x0000000000A05000-memory.dmp

      Filesize

      6.0MB

      Download

    • memory/2612-24-0x0000000000400000-0x0000000000A05000-memory.dmp

      Filesize

      6.0MB

      Download

    • memory/2676-52-0x0000000000400000-0x0000000000A05000-memory.dmp

      Filesize

      6.0MB

      Download

    • memory/2676-47-0x0000000000400000-0x0000000000A05000-memory.dmp

      Filesize

      6.0MB

      Download

    • memory/2744-51-0x0000000000400000-0x0000000000A05000-memory.dmp

      Filesize

      6.0MB

      Download

    • memory/2744-55-0x0000000000400000-0x0000000000A05000-memory.dmp

      Filesize

      6.0MB

      Download

    • memory/2744-32-0x0000000003470000-0x0000000003A75000-memory.dmp

      Filesize

      6.0MB

      Download

    • memory/2744-29-0x0000000000400000-0x0000000000A05000-memory.dmp

      Filesize

      6.0MB

      Download

    • memory/2744-0-0x0000000000400000-0x0000000000A05000-memory.dmp

      Filesize

      6.0MB

      Download

    • memory/2744-11-0x0000000003470000-0x0000000003A75000-memory.dmp

      Filesize

      6.0MB

      Download

    • memory/2744-1-0x0000000077DF0000-0x0000000077DF2000-memory.dmp

      Filesize

      8KB

      Download