2e24bbb3773c2d0fab2156685298b7c4adf96c22790beab3be80226995954b51

General

Target

NEAS.098aeeead8bcc2fc053a4a7af5db4190.exe
Size

2.5MB
MD5

098aeeead8bcc2fc053a4a7af5db4190
SHA1

717d879bd4178c857c94c34f2f517193ca8460f6
SHA256

2e24bbb3773c2d0fab2156685298b7c4adf96c22790beab3be80226995954b51
SHA512

c2301e55402b6107a70018b07d398c599b86279faec0a8f484efc76162317b935e653ae3d8173e050e321ea9226e06cf426d58cfe3e124719c1e61677599d0d1
SSDEEP

49152:y4daOqAehx7x20RKuniOJqfU7F1tLYoNovTE3pzNx0FOnpe4v/681:cP7tRtrJq88SqgnpXiu

Score

9^/10

evasion persistence themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	NEAS.098aeeead8bcc2fc053a4a7af5db4190.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	suvkbwn.exe

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	suvkbwn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	suvkbwn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	NEAS.098aeeead8bcc2fc053a4a7af5db4190.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	NEAS.098aeeead8bcc2fc053a4a7af5db4190.exe

Executes dropped EXE 1 IoCs

pid	Process
2760	suvkbwn.exe

Themida packer 8 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2868-0-0x0000000000400000-0x0000000000A57000-memory.dmp	themida
behavioral1/memory/2868-1-0x0000000000400000-0x0000000000A57000-memory.dmp	themida
behavioral1/memory/2868-2-0x0000000000400000-0x0000000000A57000-memory.dmp	themida
behavioral1/files/0x000e000000012286-7.dat	themida
behavioral1/files/0x000e000000012286-8.dat	themida
behavioral1/memory/2760-9-0x0000000000400000-0x0000000000A57000-memory.dmp	themida
behavioral1/memory/2760-10-0x0000000000400000-0x0000000000A57000-memory.dmp	themida
behavioral1/memory/2760-11-0x0000000000400000-0x0000000000A57000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	NEAS.098aeeead8bcc2fc053a4a7af5db4190.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	suvkbwn.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\suvkbwn.exe	NEAS.098aeeead8bcc2fc053a4a7af5db4190.exe
File created	C:\PROGRA~3\Mozilla\wfwcssm.dll	suvkbwn.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2868	NEAS.098aeeead8bcc2fc053a4a7af5db4190.exe
2760	suvkbwn.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2760	2648	taskeng.exe	29
PID 2648 wrote to memory of 2760	2648	taskeng.exe	29
PID 2648 wrote to memory of 2760	2648	taskeng.exe	29
PID 2648 wrote to memory of 2760	2648	taskeng.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.098aeeead8bcc2fc053a4a7af5db4190.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.098aeeead8bcc2fc053a4a7af5db4190.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
PID:2868

C:\Windows\system32\taskeng.exe
taskeng.exe {FB9B440D-BAFA-4EDF-95CF-6CE43F686099} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2648
- C:\PROGRA~3\Mozilla\suvkbwn.exe
  C:\PROGRA~3\Mozilla\suvkbwn.exe -tlhykym
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
  PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\suvkbwn.exe

Filesize
2.5MB

MD5
1db5089a72da7f0ddce4049fc58b1c98

SHA1
b69ff9d14af215dfa22e273b002aef0295b7e222

SHA256
8a1abdee2341c59ec689c334a73051ec9a25d66e8fd4e6c7b118a5ca9b5e40a8

SHA512
072c13a70d3027985d6268db90dcdafde5435c31643f11eb4e051a50c75f4419a3ae874f136735097fdd0d46ea72dd661eef48419e64b5a5c600efc8fe5d8eb2

Download Submit
C:\PROGRA~3\Mozilla\suvkbwn.exe

Filesize
2.5MB

MD5
1db5089a72da7f0ddce4049fc58b1c98

SHA1
b69ff9d14af215dfa22e273b002aef0295b7e222

SHA256
8a1abdee2341c59ec689c334a73051ec9a25d66e8fd4e6c7b118a5ca9b5e40a8

SHA512
072c13a70d3027985d6268db90dcdafde5435c31643f11eb4e051a50c75f4419a3ae874f136735097fdd0d46ea72dd661eef48419e64b5a5c600efc8fe5d8eb2

Download Submit
memory/2760-10-0x0000000000400000-0x0000000000A57000-memory.dmp

Filesize
6.3MB

Download
memory/2760-9-0x0000000000400000-0x0000000000A57000-memory.dmp

Filesize
6.3MB

Download
memory/2760-11-0x0000000000400000-0x0000000000A57000-memory.dmp

Filesize
6.3MB

Download
memory/2760-12-0x0000000000320000-0x000000000037C000-memory.dmp

Filesize
368KB

Download
memory/2760-13-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2760-15-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2868-4-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2868-3-0x0000000000330000-0x000000000038C000-memory.dmp

Filesize
368KB

Download
memory/2868-6-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2868-2-0x0000000000400000-0x0000000000A57000-memory.dmp

Filesize
6.3MB

Download
memory/2868-1-0x0000000000400000-0x0000000000A57000-memory.dmp

Filesize
6.3MB

Download
memory/2868-0-0x0000000000400000-0x0000000000A57000-memory.dmp

Filesize
6.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads