7a428920b1f55fc9739548e674570952086cfcff79471d7b0136fd8e438d8dde

Analysis

max time kernel
151s
max time network
130s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
13/10/2023, 19:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.161cf0948e16da3ad8e981c1f033e780.exe
Size

63KB
MD5

161cf0948e16da3ad8e981c1f033e780
SHA1

369a7925e91ff26289a20bb98c06eb4d127d2f02
SHA256

7a428920b1f55fc9739548e674570952086cfcff79471d7b0136fd8e438d8dde
SHA512

d33f58bc8b346205a519a7eedc1bf4696de242f22fb445e5d0fcc50528919215a5ca2f6bbf2c5a129d1d11cd776f973fff1b61d9266e7122b8b5ba74afed6832
SSDEEP

1536:DuJIcNwIWt2YvLF7gCZOj+UwwrjtvK4tMzIDC2oB:YIcWrt2cuCURtvKAMzIOr

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2368	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1716	BNSUpdata.exe

Loads dropped DLL 5 IoCs

pid	Process
2116	NEAS.161cf0948e16da3ad8e981c1f033e780.exe
2116	NEAS.161cf0948e16da3ad8e981c1f033e780.exe
2116	NEAS.161cf0948e16da3ad8e981c1f033e780.exe
1716	BNSUpdata.exe
1716	BNSUpdata.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2116-0-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/files/0x001b000000015c2b-7.dat	upx
behavioral1/files/0x001b000000015c2b-9.dat	upx
behavioral1/files/0x001b000000015c2b-11.dat	upx
behavioral1/files/0x001b000000015c2b-13.dat	upx
behavioral1/memory/1716-20-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/memory/2116-24-0x0000000000400000-0x0000000000419000-memory.dmp	upx

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\gyblack.lst	NEAS.161cf0948e16da3ad8e981c1f033e780.exe
File created	C:\Windows\SysWOW64\BNSUpdata.exe	NEAS.161cf0948e16da3ad8e981c1f033e780.exe
File opened for modification	C:\Windows\SysWOW64\BNSUpdata.exe	NEAS.161cf0948e16da3ad8e981c1f033e780.exe
File opened for modification	C:\Windows\SysWOW64\gyblack.lst	BNSUpdata.exe
File created	C:\Windows\SysWOW64\bnsspx.dll	NEAS.161cf0948e16da3ad8e981c1f033e780.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2116	NEAS.161cf0948e16da3ad8e981c1f033e780.exe
2116	NEAS.161cf0948e16da3ad8e981c1f033e780.exe
2116	NEAS.161cf0948e16da3ad8e981c1f033e780.exe
2116	NEAS.161cf0948e16da3ad8e981c1f033e780.exe
2116	NEAS.161cf0948e16da3ad8e981c1f033e780.exe
2116	NEAS.161cf0948e16da3ad8e981c1f033e780.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
2116	NEAS.161cf0948e16da3ad8e981c1f033e780.exe
464	Process not Found
1716	BNSUpdata.exe
464	Process not Found
1716	BNSUpdata.exe
464	Process not Found

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	2116	NEAS.161cf0948e16da3ad8e981c1f033e780.exe
Token: SeLoadDriverPrivilege	1716	BNSUpdata.exe
Token: SeLoadDriverPrivilege	1716	BNSUpdata.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 1716	2116	NEAS.161cf0948e16da3ad8e981c1f033e780.exe	28
PID 2116 wrote to memory of 1716	2116	NEAS.161cf0948e16da3ad8e981c1f033e780.exe	28
PID 2116 wrote to memory of 1716	2116	NEAS.161cf0948e16da3ad8e981c1f033e780.exe	28
PID 2116 wrote to memory of 1716	2116	NEAS.161cf0948e16da3ad8e981c1f033e780.exe	28
PID 2116 wrote to memory of 2368	2116	NEAS.161cf0948e16da3ad8e981c1f033e780.exe	29
PID 2116 wrote to memory of 2368	2116	NEAS.161cf0948e16da3ad8e981c1f033e780.exe	29
PID 2116 wrote to memory of 2368	2116	NEAS.161cf0948e16da3ad8e981c1f033e780.exe	29
PID 2116 wrote to memory of 2368	2116	NEAS.161cf0948e16da3ad8e981c1f033e780.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.161cf0948e16da3ad8e981c1f033e780.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.161cf0948e16da3ad8e981c1f033e780.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Windows\SysWOW64\BNSUpdata.exe
  "C:\Windows\system32\BNSUpdata.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID:1716
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\uisad.bat
  2⤵
  - Deletes itself
  PID:2368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\BNSUpdata.exe

Filesize
63KB

MD5
161cf0948e16da3ad8e981c1f033e780

SHA1
369a7925e91ff26289a20bb98c06eb4d127d2f02

SHA256
7a428920b1f55fc9739548e674570952086cfcff79471d7b0136fd8e438d8dde

SHA512
d33f58bc8b346205a519a7eedc1bf4696de242f22fb445e5d0fcc50528919215a5ca2f6bbf2c5a129d1d11cd776f973fff1b61d9266e7122b8b5ba74afed6832

Download Submit
C:\Windows\SysWOW64\BNSUpdata.exe

Filesize
63KB

MD5
161cf0948e16da3ad8e981c1f033e780

SHA1
369a7925e91ff26289a20bb98c06eb4d127d2f02

SHA256
7a428920b1f55fc9739548e674570952086cfcff79471d7b0136fd8e438d8dde

SHA512
d33f58bc8b346205a519a7eedc1bf4696de242f22fb445e5d0fcc50528919215a5ca2f6bbf2c5a129d1d11cd776f973fff1b61d9266e7122b8b5ba74afed6832

Download Submit
C:\Windows\SysWOW64\bnsspx.dll

Filesize
66KB

MD5
bb2150f6237dfa9030317009104b7903

SHA1
1cbf2c9c4c1dd533327593490060453dd04edbc3

SHA256
c767f906c992e13ad443d4ea21a888ef514d6cd06b79143f6fc3b393228d48b5

SHA512
d91ec6f9d1450f400fce7ce519c04b7b08c6e9a633a3df1ecae4732166887d72d8c013f954c58aede70a3f3bfed64436bced9f9c54b889b995a479e4b11b056c

Download Submit
C:\Windows\SysWOW64\gyblack.lst

Filesize
200B

MD5
553cfd1a391a765839400b64db199e2f

SHA1
e7140e686c42df0eb1c2c9916c3e4209f8cf9140

SHA256
6212ce17bc58a18cbc60f5884c86feff13d2f7a017245ef5bfe16c97ce3f46a2

SHA512
2332238511680e2f5b00e660c9cbbe0b2fefdfc46721fca90efe92a56fb09c0d58a8a33d704147fdc71f011c660106a6729777b98071d075c3b2c88aaae3b191

Download Submit
C:\uisad.bat

Filesize
195B

MD5
5c949826bad2ad43862ff863e3667a1c

SHA1
20adb16e196606639e31cbb5ccf0524f2e862dce

SHA256
9e8a4a798a2d2588513a70b46d72e2d56eb0c525ade46623b0ff783eb6e23f01

SHA512
7911efa2dad08d3c7e7348d904c51fd6b6080aa9906ccbf566dd0e59dbb0ba1c168a125c607cda5f4d7c4cdbde15fa6b7367df0baee4cfe7146707ee87a49c0b

Download Submit
\??\c:\uisad.bat

Filesize
195B

MD5
5c949826bad2ad43862ff863e3667a1c

SHA1
20adb16e196606639e31cbb5ccf0524f2e862dce

SHA256
9e8a4a798a2d2588513a70b46d72e2d56eb0c525ade46623b0ff783eb6e23f01

SHA512
7911efa2dad08d3c7e7348d904c51fd6b6080aa9906ccbf566dd0e59dbb0ba1c168a125c607cda5f4d7c4cdbde15fa6b7367df0baee4cfe7146707ee87a49c0b

Download Submit
\Windows\SysWOW64\BNSUpdata.exe

Filesize
63KB

MD5
161cf0948e16da3ad8e981c1f033e780

SHA1
369a7925e91ff26289a20bb98c06eb4d127d2f02

SHA256
7a428920b1f55fc9739548e674570952086cfcff79471d7b0136fd8e438d8dde

SHA512
d33f58bc8b346205a519a7eedc1bf4696de242f22fb445e5d0fcc50528919215a5ca2f6bbf2c5a129d1d11cd776f973fff1b61d9266e7122b8b5ba74afed6832

Download Submit
\Windows\SysWOW64\BNSUpdata.exe

Filesize
63KB

MD5
161cf0948e16da3ad8e981c1f033e780

SHA1
369a7925e91ff26289a20bb98c06eb4d127d2f02

SHA256
7a428920b1f55fc9739548e674570952086cfcff79471d7b0136fd8e438d8dde

SHA512
d33f58bc8b346205a519a7eedc1bf4696de242f22fb445e5d0fcc50528919215a5ca2f6bbf2c5a129d1d11cd776f973fff1b61d9266e7122b8b5ba74afed6832

Download Submit
\Windows\SysWOW64\bnsspx.dll

Filesize
66KB

MD5
bb2150f6237dfa9030317009104b7903

SHA1
1cbf2c9c4c1dd533327593490060453dd04edbc3

SHA256
c767f906c992e13ad443d4ea21a888ef514d6cd06b79143f6fc3b393228d48b5

SHA512
d91ec6f9d1450f400fce7ce519c04b7b08c6e9a633a3df1ecae4732166887d72d8c013f954c58aede70a3f3bfed64436bced9f9c54b889b995a479e4b11b056c

Download Submit
\Windows\SysWOW64\bnsspx.dll

Filesize
66KB

MD5
bb2150f6237dfa9030317009104b7903

SHA1
1cbf2c9c4c1dd533327593490060453dd04edbc3

SHA256
c767f906c992e13ad443d4ea21a888ef514d6cd06b79143f6fc3b393228d48b5

SHA512
d91ec6f9d1450f400fce7ce519c04b7b08c6e9a633a3df1ecae4732166887d72d8c013f954c58aede70a3f3bfed64436bced9f9c54b889b995a479e4b11b056c

Download Submit
\Windows\SysWOW64\bnsspx.dll

Filesize
66KB

MD5
bb2150f6237dfa9030317009104b7903

SHA1
1cbf2c9c4c1dd533327593490060453dd04edbc3

SHA256
c767f906c992e13ad443d4ea21a888ef514d6cd06b79143f6fc3b393228d48b5

SHA512
d91ec6f9d1450f400fce7ce519c04b7b08c6e9a633a3df1ecae4732166887d72d8c013f954c58aede70a3f3bfed64436bced9f9c54b889b995a479e4b11b056c

Download Submit
memory/1716-20-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2116-24-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2116-0-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download