Malware Analysis Report

2025-08-10 18:08

Sample ID 240507-d2td1sgb41
Target 5be9acaebf27218731ef9bfca990b9f0_NEAS
SHA256 fda373f32ac00a6d88ffb7ccfac41df243b8b6e42234d22b90b97cf385d70010
Tags
bootkit evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fda373f32ac00a6d88ffb7ccfac41df243b8b6e42234d22b90b97cf385d70010

Threat Level: Known bad

The file 5be9acaebf27218731ef9bfca990b9f0_NEAS was found to be: Known bad.

Malicious Activity Summary

bootkit evasion persistence trojan

Modifies visibility of hidden/system files in Explorer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Loads dropped DLL

Executes dropped EXE

Writes to the Master Boot Record (MBR)

Checks whether UAC is enabled

Adds Run key to start application

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Creates scheduled task(s)

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-07 03:30

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-07 03:30

Reported

2024-05-07 03:33

Platform

win7-20240220-en

Max time kernel

150s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\themes\explorer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\svchost.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification \??\PhysicalDrive0 \??\c:\windows\resources\svchost.exe N/A
File opened for modification \??\PhysicalDrive0 \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe N/A
File opened for modification \??\PhysicalDrive0 \??\c:\windows\resources\themes\explorer.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\spoolsv.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\spoolsv.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2192 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe \??\c:\windows\resources\themes\explorer.exe
PID 2192 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe \??\c:\windows\resources\themes\explorer.exe
PID 2192 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe \??\c:\windows\resources\themes\explorer.exe
PID 2192 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe \??\c:\windows\resources\themes\explorer.exe
PID 1972 wrote to memory of 2240 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 1972 wrote to memory of 2240 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 1972 wrote to memory of 2240 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 1972 wrote to memory of 2240 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2240 wrote to memory of 2756 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2240 wrote to memory of 2756 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2240 wrote to memory of 2756 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2240 wrote to memory of 2756 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2756 wrote to memory of 2660 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2756 wrote to memory of 2660 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2756 wrote to memory of 2660 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2756 wrote to memory of 2660 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 1972 wrote to memory of 2932 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 1972 wrote to memory of 2932 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 1972 wrote to memory of 2932 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 1972 wrote to memory of 2932 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 2756 wrote to memory of 2560 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2756 wrote to memory of 2560 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2756 wrote to memory of 2560 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2756 wrote to memory of 2560 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2756 wrote to memory of 2040 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2756 wrote to memory of 2040 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2756 wrote to memory of 2040 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2756 wrote to memory of 2040 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2756 wrote to memory of 1144 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2756 wrote to memory of 1144 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2756 wrote to memory of 1144 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2756 wrote to memory of 1144 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe

"C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe"

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:32 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:33 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:34 /f

Network

N/A

Files

memory/2192-0-0x0000000000400000-0x0000000000C23000-memory.dmp

memory/2192-1-0x00000000774F0000-0x00000000774F2000-memory.dmp

\Windows\Resources\Themes\explorer.exe

MD5 d265bece931d77b73b997e8f1ac5c4b9
SHA1 a20e5611e518a8356760ad9a3215ac86a817243d
SHA256 44b949869ea9596c846df4cb5993d5610affb6f04753e382bcba0dc501c291d3
SHA512 f46c15d828c2edaa527986d39d808eae509b2974b0ec1ce498d6f7251239f5fb0f3c697a279da5e005305a284923e6cfa0e7c5ce3b90c24eebd27ad5d2025137

memory/1972-12-0x0000000000400000-0x0000000000C23000-memory.dmp

C:\ProgramData\mntemp

MD5 0f02c2e0896d526c1474a6f940945377
SHA1 ba2b111ec4bec3dc4841e48c25131c620986756f
SHA256 be4e28813d7bd4309c47abeb388ce18260d5328f950b4f32be20d4d71cde3e61
SHA512 708cb7c3cb20c82264e492b1354df96993053bcd54b2620bd4d60bf922b36d61b4548fddec3e52cf78b6fcabdfe37aabde87c58d900a7733c95e8ad3fe5fdf78

\Windows\Resources\spoolsv.exe

MD5 b6268b246a2858bbe3409449c4f0c302
SHA1 b50fcad53e4d32e8eda408945487957a5ee9b48a
SHA256 87cedfe2e0d65b631792720c416358ce0462435f0208c31f9380b6a8c0d1fc0f
SHA512 42f93ae4639ed56719c4eb5843b317213d35097750dbbde6295b651f12ce55f86674327e9a4b3656c08144ea8c43a210be95736be0df2078f82c9662d45f29c7

memory/1972-24-0x00000000039A0000-0x00000000041C3000-memory.dmp

memory/2240-25-0x0000000000400000-0x0000000000C23000-memory.dmp

\Windows\Resources\svchost.exe

MD5 dcf48dc95dd6131ce82cb4a45af34229
SHA1 0ccd81945476c018e6781f61df5bd73a389115d0
SHA256 4287805ebdf1e27a6957ceef8ced455af194e9445d5cfeee1ff3b785202a347c
SHA512 b587afa5ac3005d0d0d1791d95899c268753316b5267fb3060f0f8c663055d532d611f53c06455b78e4dbfb038f7918543b88c786db19a567d40b63433eec37d

memory/2240-36-0x0000000003A60000-0x0000000004283000-memory.dmp

memory/2756-37-0x0000000000400000-0x0000000000C23000-memory.dmp

memory/2192-44-0x0000000000400000-0x0000000000C23000-memory.dmp

memory/2660-45-0x0000000000400000-0x0000000000C23000-memory.dmp

memory/2660-52-0x0000000000400000-0x0000000000C23000-memory.dmp

memory/2240-51-0x0000000000400000-0x0000000000C23000-memory.dmp

memory/2192-54-0x0000000000400000-0x0000000000C23000-memory.dmp

memory/1972-55-0x0000000000400000-0x0000000000C23000-memory.dmp

memory/2756-57-0x0000000000400000-0x0000000000C23000-memory.dmp

memory/1972-58-0x00000000039A0000-0x00000000041C3000-memory.dmp

memory/1972-67-0x0000000000400000-0x0000000000C23000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-07 03:30

Reported

2024-05-07 03:33

Platform

win10v2004-20240419-en

Max time kernel

150s

Max time network

98s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\themes\explorer.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\PhysicalDrive0 \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification \??\PhysicalDrive0 \??\c:\windows\resources\svchost.exe N/A
File opened for modification \??\PhysicalDrive0 \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 908 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe \??\c:\windows\resources\themes\explorer.exe
PID 908 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe \??\c:\windows\resources\themes\explorer.exe
PID 908 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe \??\c:\windows\resources\themes\explorer.exe
PID 4124 wrote to memory of 3256 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 4124 wrote to memory of 3256 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 4124 wrote to memory of 3256 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 3256 wrote to memory of 5108 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 3256 wrote to memory of 5108 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 3256 wrote to memory of 5108 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 5108 wrote to memory of 4808 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 5108 wrote to memory of 4808 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 5108 wrote to memory of 4808 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe

"C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe"

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 14.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/908-0-0x0000000000400000-0x0000000000C23000-memory.dmp

memory/908-1-0x00000000778E4000-0x00000000778E6000-memory.dmp

C:\Windows\Resources\Themes\explorer.exe

MD5 139178e392b2602875ab8ce4af7488ac
SHA1 179287f8fcce04b4c2e5686caee81a3e4d7b790f
SHA256 5b962906bd37088b17c8110499e86dc46503ebf402526377c43a30e625e06e35
SHA512 4589625c8559b7aae3e5d62c093e1024e637adfa7f47add2450afe889ebc213acec465cf0adf85c61e3027665a81deb1485a843c03d000777f9c68c10248e932

memory/4124-11-0x0000000000400000-0x0000000000C23000-memory.dmp

C:\ProgramData\mntemp

MD5 54fd8ae71831d9afc54c3b3a9cad01e8
SHA1 c8cd04c1fd27990aaaf98c16d28d9fddaa61beb5
SHA256 143ac77670384287b780c744a95ce45e95b28747cdc93a75069be8ffb8da2962
SHA512 de6fb3af41c9b3831625935c29998f106bd9361edb13a1b9ce02f5295298b17771e9bf01dec7ca749ff00b517de9e6ea77935185c1081a1795cbf0e69af17f40

C:\Windows\Resources\spoolsv.exe

MD5 33f2c816df6345bfb2ededf64fb3b7a0
SHA1 d768448c2fe5346d371abdaca7006b8bd147a3e9
SHA256 4dfafc3b98726572e892f994062133d333dd61de7fb1fee7be1b0651d1c46dc3
SHA512 bec0d495ed66d57c189aa5cb6615fa818369b0f3969109e27232a80581b3681e5bc01b4c158f547f9fe82127e8cae71a04a9e83d30754253e69e436346da3c62

memory/3256-21-0x0000000000400000-0x0000000000C23000-memory.dmp

C:\Windows\Resources\svchost.exe

MD5 6cbdf3dc3924066e9f1f40ecd80d6e48
SHA1 b0652f24d44baf5deb9ff47a24ad6ca9443d58f9
SHA256 147d8eade5540ac3ed9826a218252b8f24f16c721295b0ecf48edf7f005714d3
SHA512 7ec3e0bdaaf3f29ab5d786380155679824275eb7d028899d7402707820d0fea257badba8410ca7365a5bb27d1b3cff64a0683eea9f18cd490fcb8b07fada7f44

memory/4808-34-0x0000000000400000-0x0000000000C23000-memory.dmp

memory/4808-38-0x0000000000400000-0x0000000000C23000-memory.dmp

memory/3256-41-0x0000000000400000-0x0000000000C23000-memory.dmp

memory/908-40-0x0000000000400000-0x0000000000C23000-memory.dmp

memory/4124-42-0x0000000000400000-0x0000000000C23000-memory.dmp

memory/5108-43-0x0000000000400000-0x0000000000C23000-memory.dmp

memory/4124-54-0x0000000000400000-0x0000000000C23000-memory.dmp