Overview

overview

9

Static

static

3

nexhub-patched.zip

windows7-x64

1

nexhub-patched.zip

windows10-2004-x64

1

HOW TO USE.txt

windows7-x64

1

HOW TO USE.txt

windows10-2004-x64

1

nexhub-fiv...1).exe

windows7-x64

5

nexhub-fiv...1).exe

windows10-2004-x64

9

patch.1337

windows7-x64

3

patch.1337

windows10-2004-x64

3

Resubmissions

18-08-2024 19:50

240818-ykjtgathpq 9

18-08-2024 19:48

240818-yh66zstgrp 5

Analysis

  • max time kernel
    51s
  • max time network
    50s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-08-2024 19:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    nexhub-fivem-cod-woofer (1).exe

  • Size

    8.5MB

  • MD5

    0246b7c41b69b920db4d528d8f08cadf

  • SHA1

    f5d3de82b9711bc3ed8b0120757babcef22a12e1

  • SHA256

    51566fdcdeb6d0aa02de64197d5db72f0e7ee682b71ea02552c19cbcc98e946f

  • SHA512

    113f1cf8edb4710cc825bb28d46c7e228c34a37c0a1ade6bcf0ca5fb5c159b64379405277f859c5aee8d5f70a620e9e9adabdd77cf93a78cf565669ca167010f

  • SSDEEP

    196608:em4O+ZeImMKc1ck6eNgSI46SuyF+XB4G3psAvECBEubL7q:IZdLKIkRVprvG

Score
9/10
evasionthemidatrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Themida packer 12 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • cURL User-Agent 3 IoCs

    Uses User-Agent string associated with cURL utility.

Processes

  • C:\Users\Admin\AppData\Local\Temp\nexhub-fivem-cod-woofer (1).exe
    "C:\Users\Admin\AppData\Local\Temp\nexhub-fivem-cod-woofer (1).exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3116
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      2⤵
        PID:1056
      • C:\Users\Admin\AppData\Local\Temp\nexhub-fivem-cod-woofer (1).exe
        ar 1
        2⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Checks whether UAC is enabled
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        PID:4176

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/3116-0-0x00007FF680FD4000-0x00007FF681230000-memory.dmp

      Filesize

      2.4MB

      Download

    • memory/3116-2-0x00007FFF7BAE0000-0x00007FFF7BAE2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3116-1-0x00007FFF7BAD0000-0x00007FFF7BAD2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3116-6-0x00007FF680A00000-0x00007FF681ABA000-memory.dmp

      Filesize

      16.7MB

      Download

    • memory/3116-7-0x00007FF680FD4000-0x00007FF681230000-memory.dmp

      Filesize

      2.4MB

      Download

    • memory/3116-8-0x00007FF680A00000-0x00007FF681ABA000-memory.dmp

      Filesize

      16.7MB

      Download

    • memory/3116-36-0x00007FF680A00000-0x00007FF681ABA000-memory.dmp

      Filesize

      16.7MB

      Download

    • memory/3116-35-0x00007FF680FD4000-0x00007FF681230000-memory.dmp

      Filesize

      2.4MB

      Download

    • memory/4176-23-0x00007FF680A00000-0x00007FF681ABA000-memory.dmp

      Filesize

      16.7MB

      Download

    • memory/4176-29-0x0000000140000000-0x0000000140B86000-memory.dmp

      Filesize

      11.5MB

      Download

    • memory/4176-15-0x000001E25CE50000-0x000001E25CE79000-memory.dmp

      Filesize

      164KB

      Download

    • memory/4176-12-0x0000000140000000-0x0000000140B86000-memory.dmp

      Filesize

      11.5MB

      Download

    • memory/4176-13-0x00007FFF3AD70000-0x00007FFF3AD80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4176-25-0x0000000140000000-0x0000000140B86000-memory.dmp

      Filesize

      11.5MB

      Download

    • memory/4176-26-0x0000000140000000-0x0000000140B86000-memory.dmp

      Filesize

      11.5MB

      Download

    • memory/4176-24-0x0000000140000000-0x0000000140B86000-memory.dmp

      Filesize

      11.5MB

      Download

    • memory/4176-28-0x0000000140000000-0x0000000140B86000-memory.dmp

      Filesize

      11.5MB

      Download

    • memory/4176-11-0x0000000140000000-0x0000000140B86000-memory.dmp

      Filesize

      11.5MB

      Download

    • memory/4176-27-0x0000000140000000-0x0000000140B86000-memory.dmp

      Filesize

      11.5MB

      Download

    • memory/4176-30-0x0000000140000000-0x0000000140B86000-memory.dmp

      Filesize

      11.5MB

      Download

    • memory/4176-32-0x0000000140000000-0x0000000140B86000-memory.dmp

      Filesize

      11.5MB

      Download

    • memory/4176-31-0x0000000140000000-0x0000000140B86000-memory.dmp

      Filesize

      11.5MB

      Download

    • memory/4176-33-0x0000000140000000-0x0000000140B86000-memory.dmp

      Filesize

      11.5MB

      Download

    • memory/4176-9-0x000001E25CE50000-0x000001E25CE79000-memory.dmp

      Filesize

      164KB

      Download

    • memory/4176-10-0x000001E25CE90000-0x000001E25CE91000-memory.dmp

      Filesize

      4KB

      Download