Analysis

  • max time kernel
    151s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07-11-2023 06:12

General

  • Target

    NEAS.3a3363cc03ad5315478e668642bd38e0.exe

  • Size

    2.6MB

  • MD5

    3a3363cc03ad5315478e668642bd38e0

  • SHA1

    9fec2560d68cdf0fa79a8b83c9ced58557c4d72c

  • SHA256

    1d3d2a059e088a5a21530ed639b2e3a4e775b99233018224e25022e48bd4f4d5

  • SHA512

    8b4b094e527fe3c95b38d3ad81401ce2b848abe803751407dd4b0cf555554478c9138805f9f1a8d905a7bc4d2872e451e6232f239185bda2bc3bbb8e37198feb

  • SSDEEP

    49152:tU/5M1X4Wl/YvzYCQR9RQs+C40yZpJaD99GA:tKq4oEa9RQs+Cn4/UKA

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
  • Checks BIOS information in registry 2 TTPs 10 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 4 IoCs
  • Themida packer 24 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 5 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Drops file in Windows directory 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.3a3363cc03ad5315478e668642bd38e0.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.3a3363cc03ad5315478e668642bd38e0.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1956
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:964
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Checks whether UAC is enabled
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4568
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Modifies visibility of hidden/system files in Explorer
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops file in System32 directory
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1636
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe PR
            5⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Checks whether UAC is enabled
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetWindowsHookEx
            PID:2772

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\Resources\Themes\explorer.exe

    Filesize

    2.6MB

    MD5

    04ae6262b264ce8a799cd08c6cf4ca89

    SHA1

    74494f94173af41fce2e66bc65a5171e201cfe5e

    SHA256

    7ba7b7ed70b1ecdcd58d755d811899f0ae4e1bf1cba2d4f83f85f1fb61ec9d66

    SHA512

    4f40e5c4f01aa1532f79c34f2e4e4deceaedb0ad6e37dbcc0653d38fb405d57f6fc24298cda6c7f8200ef78b2469cccaf01327b4640fe5e166b1cab184491ff1

  • C:\Windows\Resources\spoolsv.exe

    Filesize

    2.6MB

    MD5

    6eeae1f64c1a879709a9a25b39cc8049

    SHA1

    960bb862ab28dc00fb8ec1cb8245dd71ea13cfda

    SHA256

    c852b23968035d2fe1f80d92337972c076532bbb1ea0655baa134e4fb5a0ee5b

    SHA512

    af657b0129b67cc1f8382791dc1ce2d7fff6aff145866a60d364106f6a6957258a60e6dbbbfe31df4db33628ca6a1c199edb8812adab861528b722ea4c42fb9a

  • C:\Windows\Resources\svchost.exe

    Filesize

    2.6MB

    MD5

    e1b1aec38077086cf44d5275ef6e13bc

    SHA1

    efa8463a3fc3f35d521e5fa09085de372cb95ccd

    SHA256

    42c36c2a59e347574d859f2d2560ed26c0e0279c61f8d5db8cbf5d7e8f62b1cd

    SHA512

    d9b3d7d2d99d38e97665e7d4ad61b1fc5d060c97b0417fa01108d7300421357cec31b9aa555e9d2456cdf8b60dc5a623b6687ca72ac21f75a187e67a40dd2c55

  • \??\c:\windows\resources\spoolsv.exe

    Filesize

    2.6MB

    MD5

    6eeae1f64c1a879709a9a25b39cc8049

    SHA1

    960bb862ab28dc00fb8ec1cb8245dd71ea13cfda

    SHA256

    c852b23968035d2fe1f80d92337972c076532bbb1ea0655baa134e4fb5a0ee5b

    SHA512

    af657b0129b67cc1f8382791dc1ce2d7fff6aff145866a60d364106f6a6957258a60e6dbbbfe31df4db33628ca6a1c199edb8812adab861528b722ea4c42fb9a

  • \??\c:\windows\resources\svchost.exe

    Filesize

    2.6MB

    MD5

    e1b1aec38077086cf44d5275ef6e13bc

    SHA1

    efa8463a3fc3f35d521e5fa09085de372cb95ccd

    SHA256

    42c36c2a59e347574d859f2d2560ed26c0e0279c61f8d5db8cbf5d7e8f62b1cd

    SHA512

    d9b3d7d2d99d38e97665e7d4ad61b1fc5d060c97b0417fa01108d7300421357cec31b9aa555e9d2456cdf8b60dc5a623b6687ca72ac21f75a187e67a40dd2c55

  • \??\c:\windows\resources\themes\explorer.exe

    Filesize

    2.6MB

    MD5

    04ae6262b264ce8a799cd08c6cf4ca89

    SHA1

    74494f94173af41fce2e66bc65a5171e201cfe5e

    SHA256

    7ba7b7ed70b1ecdcd58d755d811899f0ae4e1bf1cba2d4f83f85f1fb61ec9d66

    SHA512

    4f40e5c4f01aa1532f79c34f2e4e4deceaedb0ad6e37dbcc0653d38fb405d57f6fc24298cda6c7f8200ef78b2469cccaf01327b4640fe5e166b1cab184491ff1

  • memory/964-35-0x0000000000400000-0x0000000000A17000-memory.dmp

    Filesize

    6.1MB

  • memory/964-55-0x0000000000400000-0x0000000000A17000-memory.dmp

    Filesize

    6.1MB

  • memory/964-51-0x0000000000400000-0x0000000000A17000-memory.dmp

    Filesize

    6.1MB

  • memory/964-43-0x0000000000400000-0x0000000000A17000-memory.dmp

    Filesize

    6.1MB

  • memory/964-10-0x0000000000400000-0x0000000000A17000-memory.dmp

    Filesize

    6.1MB

  • memory/1636-42-0x0000000000400000-0x0000000000A17000-memory.dmp

    Filesize

    6.1MB

  • memory/1636-28-0x0000000000400000-0x0000000000A17000-memory.dmp

    Filesize

    6.1MB

  • memory/1636-54-0x0000000000400000-0x0000000000A17000-memory.dmp

    Filesize

    6.1MB

  • memory/1636-66-0x0000000000400000-0x0000000000A17000-memory.dmp

    Filesize

    6.1MB

  • memory/1956-33-0x0000000000400000-0x0000000000A17000-memory.dmp

    Filesize

    6.1MB

  • memory/1956-41-0x0000000000400000-0x0000000000A17000-memory.dmp

    Filesize

    6.1MB

  • memory/1956-0-0x0000000000400000-0x0000000000A17000-memory.dmp

    Filesize

    6.1MB

  • memory/1956-1-0x0000000077824000-0x0000000077826000-memory.dmp

    Filesize

    8KB

  • memory/2772-34-0x0000000000400000-0x0000000000A17000-memory.dmp

    Filesize

    6.1MB

  • memory/2772-39-0x0000000000400000-0x0000000000A17000-memory.dmp

    Filesize

    6.1MB

  • memory/4568-40-0x0000000000400000-0x0000000000A17000-memory.dmp

    Filesize

    6.1MB

  • memory/4568-19-0x0000000000400000-0x0000000000A17000-memory.dmp

    Filesize

    6.1MB