684ff6aeffa333f9f2f55ca6bede9d52c72a8536a725ed78045d7eff7c1413a2

Analysis

max time kernel
150s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 13:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a391f0b4b19ea7189df5320bb2c44f30_NEAS.exe
Size

2.6MB
MD5

a391f0b4b19ea7189df5320bb2c44f30
SHA1

078c1836a49bed9672f999aa31a4409730e8872e
SHA256

684ff6aeffa333f9f2f55ca6bede9d52c72a8536a725ed78045d7eff7c1413a2
SHA512

af7dd79a90bdf989728b8ef0cbccec9757d96a51258709d0dc9b1615d7f1006b9a85166069e629b393db1e4948d08ec9d7d41d8bcb37e0bd17110ef6ebaf3d50
SSDEEP

49152:XXzhpDtKSK1cb8PGK+Tfuqmpc3elWo8GnQAsYZEVL:XXzhW148Pd+Tf1mpcOldJQ3/VL

Score

10^/10

evasion persistence themida trojan

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	spoolsv.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	spoolsv.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	a391f0b4b19ea7189df5320bb2c44f30_NEAS.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorer.exe

Checks BIOS information in registry 2 TTPs 10 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	a391f0b4b19ea7189df5320bb2c44f30_NEAS.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	a391f0b4b19ea7189df5320bb2c44f30_NEAS.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
1624	explorer.exe
1312	spoolsv.exe
1988	svchost.exe
3056	spoolsv.exe

Themida packer 15 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/968-0-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/files/0x000b000000023ba7-8.dat	themida
behavioral2/memory/1624-10-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/files/0x000b000000023ba9-15.dat	themida
behavioral2/memory/1312-19-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/files/0x000b000000023bab-27.dat	themida
behavioral2/memory/1988-28-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/3056-33-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/3056-38-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/1312-41-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/968-42-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/1624-43-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/1988-44-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/1988-52-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/1624-55-0x0000000000400000-0x0000000000A16000-memory.dmp	themida

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Checks whether UAC is enabled 1 TTPs 5 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	a391f0b4b19ea7189df5320bb2c44f30_NEAS.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
968	a391f0b4b19ea7189df5320bb2c44f30_NEAS.exe
1624	explorer.exe
1312	spoolsv.exe
1988	svchost.exe
3056	spoolsv.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	a391f0b4b19ea7189df5320bb2c44f30_NEAS.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
968	a391f0b4b19ea7189df5320bb2c44f30_NEAS.exe
968	a391f0b4b19ea7189df5320bb2c44f30_NEAS.exe
968	a391f0b4b19ea7189df5320bb2c44f30_NEAS.exe
968	a391f0b4b19ea7189df5320bb2c44f30_NEAS.exe
968	a391f0b4b19ea7189df5320bb2c44f30_NEAS.exe
968	a391f0b4b19ea7189df5320bb2c44f30_NEAS.exe
968	a391f0b4b19ea7189df5320bb2c44f30_NEAS.exe
968	a391f0b4b19ea7189df5320bb2c44f30_NEAS.exe
968	a391f0b4b19ea7189df5320bb2c44f30_NEAS.exe
968	a391f0b4b19ea7189df5320bb2c44f30_NEAS.exe
968	a391f0b4b19ea7189df5320bb2c44f30_NEAS.exe
968	a391f0b4b19ea7189df5320bb2c44f30_NEAS.exe
968	a391f0b4b19ea7189df5320bb2c44f30_NEAS.exe
968	a391f0b4b19ea7189df5320bb2c44f30_NEAS.exe
968	a391f0b4b19ea7189df5320bb2c44f30_NEAS.exe
968	a391f0b4b19ea7189df5320bb2c44f30_NEAS.exe
968	a391f0b4b19ea7189df5320bb2c44f30_NEAS.exe
968	a391f0b4b19ea7189df5320bb2c44f30_NEAS.exe
968	a391f0b4b19ea7189df5320bb2c44f30_NEAS.exe
968	a391f0b4b19ea7189df5320bb2c44f30_NEAS.exe
968	a391f0b4b19ea7189df5320bb2c44f30_NEAS.exe
968	a391f0b4b19ea7189df5320bb2c44f30_NEAS.exe
968	a391f0b4b19ea7189df5320bb2c44f30_NEAS.exe
968	a391f0b4b19ea7189df5320bb2c44f30_NEAS.exe
968	a391f0b4b19ea7189df5320bb2c44f30_NEAS.exe
968	a391f0b4b19ea7189df5320bb2c44f30_NEAS.exe
968	a391f0b4b19ea7189df5320bb2c44f30_NEAS.exe
968	a391f0b4b19ea7189df5320bb2c44f30_NEAS.exe
968	a391f0b4b19ea7189df5320bb2c44f30_NEAS.exe
968	a391f0b4b19ea7189df5320bb2c44f30_NEAS.exe
968	a391f0b4b19ea7189df5320bb2c44f30_NEAS.exe
968	a391f0b4b19ea7189df5320bb2c44f30_NEAS.exe
968	a391f0b4b19ea7189df5320bb2c44f30_NEAS.exe
968	a391f0b4b19ea7189df5320bb2c44f30_NEAS.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1624	explorer.exe
1988	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
968	a391f0b4b19ea7189df5320bb2c44f30_NEAS.exe
968	a391f0b4b19ea7189df5320bb2c44f30_NEAS.exe
1624	explorer.exe
1624	explorer.exe
1312	spoolsv.exe
1312	spoolsv.exe
1988	svchost.exe
1988	svchost.exe
3056	spoolsv.exe
3056	spoolsv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 968 wrote to memory of 1624	968	a391f0b4b19ea7189df5320bb2c44f30_NEAS.exe	84
PID 968 wrote to memory of 1624	968	a391f0b4b19ea7189df5320bb2c44f30_NEAS.exe	84
PID 968 wrote to memory of 1624	968	a391f0b4b19ea7189df5320bb2c44f30_NEAS.exe	84
PID 1624 wrote to memory of 1312	1624	explorer.exe	88
PID 1624 wrote to memory of 1312	1624	explorer.exe	88
PID 1624 wrote to memory of 1312	1624	explorer.exe	88
PID 1312 wrote to memory of 1988	1312	spoolsv.exe	89
PID 1312 wrote to memory of 1988	1312	spoolsv.exe	89
PID 1312 wrote to memory of 1988	1312	spoolsv.exe	89
PID 1988 wrote to memory of 3056	1988	svchost.exe	90
PID 1988 wrote to memory of 3056	1988	svchost.exe	90
PID 1988 wrote to memory of 3056	1988	svchost.exe	90

C:\Users\Admin\AppData\Local\Temp\a391f0b4b19ea7189df5320bb2c44f30_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\a391f0b4b19ea7189df5320bb2c44f30_NEAS.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:968
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1624
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1312
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Adds Run key to start application
      Checks whether UAC is enabled
      Drops file in System32 directory
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1988
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:3056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\explorer.exe

Filesize
2.6MB

MD5
549a8ed5c8de4422d67326f13dba7263

SHA1
561b2a0969ad919e073dbb5ea1e189611f0e5f8d

SHA256
ceca356476c298d3be561c9d2380f260d907284986136a9e0760d31fa45ed703

SHA512
39492a491562cf7fe0a5227ba615e0424040f4ea8b746eec9c4b47d0c4bf8ac6fc69e046b5efe80db0a28390c08e9de33a1dcc2d4611ad93e9c44c2003e744a7

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
2.6MB

MD5
7f4803f45653f4c4b6ef35cd4b0aebe0

SHA1
ce470b7d62030995bccdb98509fe5db3bd41ccb6

SHA256
19f9e4f95cd5c20ed99b7d0393c83c9be4ee6f057c493ad2f42c1e298ce5c067

SHA512
29a3c56aab71ce5b7c77952c78cf0984bb2185e6faeac2cd930943b6542ef67b793e30294b65502a926ce6325d57e3c8bafeb2c6bc6218ab1b3bae1c1ed023a7

Download Submit
\??\c:\windows\resources\svchost.exe

Filesize
2.6MB

MD5
9120981b4a966da8b36e03a6df056f2c

SHA1
4ddf6d4a686263b77aee5fd048f9fe57e0816c5b

SHA256
1a813a0b0296ddacee5daa11aca9ba10e9cb307860a4f49771c6fd60d2bc56b3

SHA512
a161e92f4b306a567c22c59bff6cb3affdc18fd027d737a8e94d0dc68abb283bb7d1fb0175c5f31fd55c4b48d1905069d1e7c701e2cdfa9c6e12fd0991237ed7

Download Submit
memory/968-1-0x0000000077944000-0x0000000077946000-memory.dmp

Filesize
8KB

Download
memory/968-0-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/968-42-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/1312-41-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/1312-19-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/1624-43-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/1624-10-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/1624-55-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/1988-28-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/1988-44-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/1988-52-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/3056-38-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/3056-33-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download