Malware Analysis Report

2024-10-16 06:53

Sample ID: 240616-3zj51avbjf
Target: Nenyooo v1.0.3028.0.7.exe
SHA256: acde7121adb34bb6353af2ebf29b88952cfc4e5d1df17db5577433ae32884120
Tags: themida evasion trojan
Score: 9/10


Analysis Overview

Score: 9/10

SHA256: acde7121adb34bb6353af2ebf29b88952cfc4e5d1df17db5577433ae32884120

Threat Level: Likely malicious

The file Nenyooo v1.0.3028.0.7.exe was found to be: Likely malicious.

Malicious Activity Summary

Tags: themida evasion trojan

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Themida packer

Checks BIOS information in registry

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx


Analysis: static1

Detonation Overview

Reported: 2024-06-16 23:57

Signatures

Themida packer

Tags: themida

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-16 23:57
Reported: 2024-06-16 23:57
Platform: win10v2004-20240611-en
Max time kernel: 26s
Max time network: 13s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Nenyooo v1.0.3028.0.7.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Tags: evasion

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Nenyooo v1.0.3028.0.7.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Nenyooo v1.0.3028.0.7.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Nenyooo v1.0.3028.0.7.exe | N/A

Themida packer

Tags: themida

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks whether UAC is enabled

Tags: evasion trojan

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Nenyooo v1.0.3028.0.7.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nenyooo v1.0.3028.0.7.exe | N/A

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nenyooo v1.0.3028.0.7.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Nenyooo v1.0.3028.0.7.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nenyooo v1.0.3028.0.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nenyooo v1.0.3028.0.7.exe | N/A

Processes

Process: C:\Users\Admin\AppData\Local\Temp\Nenyooo v1.0.3028.0.7.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Nenyooo v1.0.3028.0.7.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 99.58.20.217.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 13.107.21.237:443 | g.bing.com | tcp
BE | 88.221.83.208:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 208.83.221.88.in-addr.arpa | udp

Files

memory/1144-0-0x00007FF77F1D0000-0x00007FF7805ED000-memory.dmp

memory/1144-1-0x00007FFFFD930000-0x00007FFFFD932000-memory.dmp

memory/1144-2-0x00007FF77F1D0000-0x00007FF7805ED000-memory.dmp

memory/1144-3-0x00007FF77F1D0000-0x00007FF7805ED000-memory.dmp

memory/1144-4-0x00007FF77F1D0000-0x00007FF7805ED000-memory.dmp

memory/1144-5-0x00007FF77F1D0000-0x00007FF7805ED000-memory.dmp

memory/1144-8-0x00007FF77F1D0000-0x00007FF7805ED000-memory.dmp

memory/1144-7-0x00007FF77F1D0000-0x00007FF7805ED000-memory.dmp

memory/1144-9-0x00007FF77F1D0000-0x00007FF7805ED000-memory.dmp

memory/1144-6-0x00007FF77F1D0000-0x00007FF7805ED000-memory.dmp

memory/1144-10-0x00007FF77F1D0000-0x00007FF7805ED000-memory.dmp

memory/1144-11-0x00007FF77F1D0000-0x00007FF7805ED000-memory.dmp

memory/1144-12-0x00007FF77F1D0000-0x00007FF7805ED000-memory.dmp