Analysis Overview
SHA256
acde7121adb34bb6353af2ebf29b88952cfc4e5d1df17db5577433ae32884120
Threat Level: Likely malicious
The file Nenyooo v1.0.3028.0.7.exe was found to be: Likely malicious.
Malicious Activity Summary
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Themida packer
Checks BIOS information in registry
Checks whether UAC is enabled
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-16 23:57
Signatures
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-16 23:57
Reported
2024-06-16 23:57
Platform
win10v2004-20240611-en
Max time kernel
26s
Max time network
13s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Nenyooo v1.0.3028.0.7.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Nenyooo v1.0.3028.0.7.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Nenyooo v1.0.3028.0.7.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Nenyooo v1.0.3028.0.7.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nenyooo v1.0.3028.0.7.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nenyooo v1.0.3028.0.7.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Nenyooo v1.0.3028.0.7.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nenyooo v1.0.3028.0.7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nenyooo v1.0.3028.0.7.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Nenyooo v1.0.3028.0.7.exe
"C:\Users\Admin\AppData\Local\Temp\Nenyooo v1.0.3028.0.7.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| BE | 88.221.83.208:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 208.83.221.88.in-addr.arpa | udp |
Files
memory/1144-0-0x00007FF77F1D0000-0x00007FF7805ED000-memory.dmp
memory/1144-1-0x00007FFFFD930000-0x00007FFFFD932000-memory.dmp
memory/1144-2-0x00007FF77F1D0000-0x00007FF7805ED000-memory.dmp
memory/1144-3-0x00007FF77F1D0000-0x00007FF7805ED000-memory.dmp
memory/1144-4-0x00007FF77F1D0000-0x00007FF7805ED000-memory.dmp
memory/1144-5-0x00007FF77F1D0000-0x00007FF7805ED000-memory.dmp
memory/1144-8-0x00007FF77F1D0000-0x00007FF7805ED000-memory.dmp
memory/1144-7-0x00007FF77F1D0000-0x00007FF7805ED000-memory.dmp
memory/1144-9-0x00007FF77F1D0000-0x00007FF7805ED000-memory.dmp
memory/1144-6-0x00007FF77F1D0000-0x00007FF7805ED000-memory.dmp
memory/1144-10-0x00007FF77F1D0000-0x00007FF7805ED000-memory.dmp
memory/1144-11-0x00007FF77F1D0000-0x00007FF7805ED000-memory.dmp
memory/1144-12-0x00007FF77F1D0000-0x00007FF7805ED000-memory.dmp