Analysis

  • max time kernel
    153s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/11/2023, 04:31

General

  • Target

    NEAS.e8b8fde37bf5933ef87d2557a3931fa0.exe

  • Size

    2.5MB

  • MD5

    e8b8fde37bf5933ef87d2557a3931fa0

  • SHA1

    d8af5c90ec1dcd416a66657c40b4d0e830caf139

  • SHA256

    f99a37b08deb8a1e29b6c2ae92b5de92d8d16a0ef443ae999b8522d9023c9815

  • SHA512

    2995caf7fd1c9f68720a209a00f9e8a5e7556523e04c9709036bf8827791cf57fef402e5c88888fb5874e07f304c79419a8d3db5aee9b1285c7136c88c25ed50

  • SSDEEP

    49152:u4sYA5APvJjKEDMiXKEHPle6bYuYaig+CcMyc20D++qx376m8pSwCygAq:u4XjPvJjVNXKCsMY5XAjSH377GnCygx

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 5 IoCs)
  • Checks BIOS information in registry (2 TTPs, 10 IoCs)

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE (4 IoCs)
  • Themida packer (24 IoCs)

    Detects Themida, an advanced Windows software protection system.

  • Adds Run key to start application (2 TTPs, 4 IoCs)
  • Checks whether UAC is enabled (1 TTP, 5 IoCs)
  • Drops file in System32 directory (2 IoCs)
  • Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
  • Drops file in Windows directory (4 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  • Suspicious use of SetWindowsHookEx (10 IoCs)
  • Suspicious use of WriteProcessMemory (12 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.e8b8fde37bf5933ef87d2557a3931fa0.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.e8b8fde37bf5933ef87d2557a3931fa0.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:628
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2764
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Checks whether UAC is enabled
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4188
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Modifies visibility of hidden/system files in Explorer
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops file in System32 directory
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:920
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe PR
            5⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Checks whether UAC is enabled
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetWindowsHookEx
            PID:4400

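Host triage for the artifacts this report attributes to the sample, as an added example that is not part of the sandbox report or the sandbox's own tooling. The three file paths and their SHA256 values are copied from the Downloads section of this report; the registry locations are the standard ones for the behaviours the signatures name (Run-key persistence, Explorer hidden/system-file visibility). The check logic and output format are the editor's assumptions, not something the report states. Run it from an elevated PowerShell prompt on a host suspected of running this sample; it is read-only.

```powershell
# Added triage script, not part of the sandbox report. Checks a Windows host for the
# dropped files, Run-key persistence and Explorer visibility change listed in the report.
# Paths and SHA256 values come from the report's Downloads section; everything else
# (registry locations, matching logic, output format) is an editor assumption.

$knownDrops = @{
    'C:\Windows\Resources\Themes\explorer.exe' = 'ced48e57201c0cf4be256ddc358d8cfee072bb15a5d8ae0f5bbf58a431c0cb3d'
    'C:\Windows\Resources\spoolsv.exe'         = 'ab3fa0e3b873c9d07ffea8caca141df6c05dff43c1f5159c38b40de5238cce0f'
    'C:\Windows\Resources\svchost.exe'         = '3359fdff65e071dd02cb6cec3e13a627c4653c86e7d1f07818ed4bbb8f9651ec'
}

$findings = @()

# 1. Dropped executables that borrow system binary names but live outside System32.
foreach ($path in $knownDrops.Keys) {
    if (Test-Path -LiteralPath $path) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLower()
        if ($hash -eq $knownDrops[$path]) {
            $findings += "[FILE] $path : exact SHA256 match with report"
        } else {
            # Same path, different build: still worth pulling, the sample is packed (Themida) and may be rebuilt.
            $findings += "[FILE] $path : present, hash differs ($hash)"
        }
    }
}

# Any other PE under C:\Windows\Resources is suspicious on its own; the directory holds
# themes and cursors, not executables.
Get-ChildItem -LiteralPath 'C:\Windows\Resources' -Recurse -Filter '*.exe' -File -ErrorAction SilentlyContinue |
    Where-Object { -not $knownDrops.ContainsKey($_.FullName) } |
    ForEach-Object { $findings += "[FILE] unexpected executable: $($_.FullName)" }

# 2. Run-key persistence pointing into C:\Windows\Resources ("Adds Run key to start application").
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSParentPath metadata
        if ("$($p.Value)" -match '(?i)\\windows\\resources\\') {
            $findings += "[RUN] $key\$($p.Name) = $($p.Value)"
        }
    }
}

# 3. Explorer hidden/system-file visibility ("Modifies visibility of hidden/system files in Explorer").
#    Hidden = 1 shows hidden files, 2 hides them; ShowSuperHidden = 1 shows protected OS files, 0 hides them.
#    The script only reports the current values; compare them with the user's known baseline.
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
if (Test-Path -Path $adv) {
    $v = Get-ItemProperty -Path $adv
    $names = $v.PSObject.Properties.Name
    if (($names -contains 'Hidden') -or ($names -contains 'ShowSuperHidden')) {
        $findings += "[EXPLORER] Hidden=$($v.Hidden) ShowSuperHidden=$($v.ShowSuperHidden)"
    }
}

if ($findings.Count -eq 0) { 'No artifacts from this report found on this host.' } else { $findings }
```

The HKCU checks only cover the user running the script; on a shared host, load each profile's NTUSER.DAT (or run the script in that user's context) because the sample's explorer.exe copy wrote the Explorer and Run values under the hive of the account it ran as. A hash mismatch on one of the three paths is not a clean bill of health: the dropped copies are Themida-packed and each has a different hash from the parent despite being the same 2.5 MB size, so a rebuilt sample is expected to differ again.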
Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\Resources\Themes\explorer.exe

    Filesize

    2.5MB

    MD5

    a77d379188b95a3849d56892ab8b2a96

    SHA1

    633a0ebf69f8eb6b4758caa8742c2431ab2d4b80

    SHA256

    ced48e57201c0cf4be256ddc358d8cfee072bb15a5d8ae0f5bbf58a431c0cb3d

    SHA512

    9678093a3099a729ce95a258841d0438bb931167537689b9dcfc2a475fc08148243dc01352c534058cccfa0f09e4854ad947e826f6ea9300e0f47a824ce28367

  • C:\Windows\Resources\spoolsv.exe

    Filesize

    2.5MB

    MD5

    43c30bb83d26f63c38d892ac95e40796

    SHA1

    88c4d045afa17782f6adc1f6adf20fc74cb64f51

    SHA256

    ab3fa0e3b873c9d07ffea8caca141df6c05dff43c1f5159c38b40de5238cce0f

    SHA512

    6d9aa749e433fd9ab9832d443f1162cd83c6a3da32186fd6a9c4d3f8e16d86eac408c6427a9766551b4c95293cfa01f97f87bbcddc94f75835aebba537b66ec4

  • C:\Windows\Resources\svchost.exe

    Filesize

    2.5MB

    MD5

    11d7ec87697aef7207dec7037aff7994

    SHA1

    297c07a35a0da4754414c809a39fac4ff8e83ba9

    SHA256

    3359fdff65e071dd02cb6cec3e13a627c4653c86e7d1f07818ed4bbb8f9651ec

    SHA512

    a425a17edd1734df96e3698096e36eaa81cf014d61edd97a441a3869d28007fb0af9bf62e03b571dda891f0dc9c434e047537d8ba785ca49a725a2b8b7d254b9

  • \??\c:\windows\resources\spoolsv.exe

    Filesize

    2.5MB

    MD5

    43c30bb83d26f63c38d892ac95e40796

    SHA1

    88c4d045afa17782f6adc1f6adf20fc74cb64f51

    SHA256

    ab3fa0e3b873c9d07ffea8caca141df6c05dff43c1f5159c38b40de5238cce0f

    SHA512

    6d9aa749e433fd9ab9832d443f1162cd83c6a3da32186fd6a9c4d3f8e16d86eac408c6427a9766551b4c95293cfa01f97f87bbcddc94f75835aebba537b66ec4

  • \??\c:\windows\resources\svchost.exe

    Filesize

    2.5MB

    MD5

    11d7ec87697aef7207dec7037aff7994

    SHA1

    297c07a35a0da4754414c809a39fac4ff8e83ba9

    SHA256

    3359fdff65e071dd02cb6cec3e13a627c4653c86e7d1f07818ed4bbb8f9651ec

    SHA512

    a425a17edd1734df96e3698096e36eaa81cf014d61edd97a441a3869d28007fb0af9bf62e03b571dda891f0dc9c434e047537d8ba785ca49a725a2b8b7d254b9

  • \??\c:\windows\resources\themes\explorer.exe

    Filesize

    2.5MB

    MD5

    a77d379188b95a3849d56892ab8b2a96

    SHA1

    633a0ebf69f8eb6b4758caa8742c2431ab2d4b80

    SHA256

    ced48e57201c0cf4be256ddc358d8cfee072bb15a5d8ae0f5bbf58a431c0cb3d

    SHA512

    9678093a3099a729ce95a258841d0438bb931167537689b9dcfc2a475fc08148243dc01352c534058cccfa0f09e4854ad947e826f6ea9300e0f47a824ce28367

  • memory/628-0-0x0000000000400000-0x0000000000A05000-memory.dmp

    Filesize

    6.0MB

  • memory/628-1-0x00000000772D4000-0x00000000772D6000-memory.dmp

    Filesize

    8KB

  • memory/628-22-0x0000000000400000-0x0000000000A05000-memory.dmp

    Filesize

    6.0MB

  • memory/628-31-0x0000000000400000-0x0000000000A05000-memory.dmp

    Filesize

    6.0MB

  • memory/920-30-0x0000000000400000-0x0000000000A05000-memory.dmp

    Filesize

    6.0MB

  • memory/920-43-0x0000000000400000-0x0000000000A05000-memory.dmp

    Filesize

    6.0MB

  • memory/920-55-0x0000000000400000-0x0000000000A05000-memory.dmp

    Filesize

    6.0MB

  • memory/2764-26-0x0000000000400000-0x0000000000A05000-memory.dmp

    Filesize

    6.0MB

  • memory/2764-10-0x0000000000400000-0x0000000000A05000-memory.dmp

    Filesize

    6.0MB

  • memory/2764-56-0x0000000000400000-0x0000000000A05000-memory.dmp

    Filesize

    6.0MB

  • memory/2764-52-0x0000000000400000-0x0000000000A05000-memory.dmp

    Filesize

    6.0MB

  • memory/2764-44-0x0000000000400000-0x0000000000A05000-memory.dmp

    Filesize

    6.0MB

  • memory/4188-36-0x0000000000400000-0x0000000000A05000-memory.dmp

    Filesize

    6.0MB

  • memory/4188-42-0x0000000000400000-0x0000000000A05000-memory.dmp

    Filesize

    6.0MB

  • memory/4188-19-0x0000000000400000-0x0000000000A05000-memory.dmp

    Filesize

    6.0MB

  • memory/4400-41-0x0000000000400000-0x0000000000A05000-memory.dmp

    Filesize

    6.0MB

  • memory/4400-37-0x0000000000400000-0x0000000000A05000-memory.dmp

    Filesize

    6.0MB