7a428920b1f55fc9739548e674570952086cfcff79471d7b0136fd8e438d8dde

Analysis

max time kernel
152s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2023, 19:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.161cf0948e16da3ad8e981c1f033e780.exe
Size

63KB
MD5

161cf0948e16da3ad8e981c1f033e780
SHA1

369a7925e91ff26289a20bb98c06eb4d127d2f02
SHA256

7a428920b1f55fc9739548e674570952086cfcff79471d7b0136fd8e438d8dde
SHA512

d33f58bc8b346205a519a7eedc1bf4696de242f22fb445e5d0fcc50528919215a5ca2f6bbf2c5a129d1d11cd776f973fff1b61d9266e7122b8b5ba74afed6832
SSDEEP

1536:DuJIcNwIWt2YvLF7gCZOj+UwwrjtvK4tMzIDC2oB:YIcWrt2cuCURtvKAMzIOr

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	NEAS.161cf0948e16da3ad8e981c1f033e780.exe

Executes dropped EXE 1 IoCs

pid	Process
4904	BNSUpdata.exe

Loads dropped DLL 3 IoCs

pid	Process
5036	NEAS.161cf0948e16da3ad8e981c1f033e780.exe
4904	BNSUpdata.exe
4904	BNSUpdata.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5036-0-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral2/files/0x00070000000231ff-9.dat	upx
behavioral2/files/0x00070000000231ff-12.dat	upx
behavioral2/files/0x00070000000231ff-14.dat	upx
behavioral2/memory/5036-15-0x0000000000400000-0x0000000000419000-memory.dmp	upx

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\bnsspx.dll	NEAS.161cf0948e16da3ad8e981c1f033e780.exe
File opened for modification	C:\Windows\SysWOW64\gyblack.lst	NEAS.161cf0948e16da3ad8e981c1f033e780.exe
File created	C:\Windows\SysWOW64\BNSUpdata.exe	NEAS.161cf0948e16da3ad8e981c1f033e780.exe
File opened for modification	C:\Windows\SysWOW64\BNSUpdata.exe	NEAS.161cf0948e16da3ad8e981c1f033e780.exe
File opened for modification	C:\Windows\SysWOW64\gyblack.lst	BNSUpdata.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
5036	NEAS.161cf0948e16da3ad8e981c1f033e780.exe
5036	NEAS.161cf0948e16da3ad8e981c1f033e780.exe
5036	NEAS.161cf0948e16da3ad8e981c1f033e780.exe
5036	NEAS.161cf0948e16da3ad8e981c1f033e780.exe
5036	NEAS.161cf0948e16da3ad8e981c1f033e780.exe
5036	NEAS.161cf0948e16da3ad8e981c1f033e780.exe
5036	NEAS.161cf0948e16da3ad8e981c1f033e780.exe
5036	NEAS.161cf0948e16da3ad8e981c1f033e780.exe
5036	NEAS.161cf0948e16da3ad8e981c1f033e780.exe
5036	NEAS.161cf0948e16da3ad8e981c1f033e780.exe
5036	NEAS.161cf0948e16da3ad8e981c1f033e780.exe
5036	NEAS.161cf0948e16da3ad8e981c1f033e780.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
5036	NEAS.161cf0948e16da3ad8e981c1f033e780.exe
676	Process not Found
4904	BNSUpdata.exe
676	Process not Found
4904	BNSUpdata.exe
676	Process not Found

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	5036	NEAS.161cf0948e16da3ad8e981c1f033e780.exe
Token: SeLoadDriverPrivilege	4904	BNSUpdata.exe
Token: SeLoadDriverPrivilege	4904	BNSUpdata.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5036 wrote to memory of 4904	5036	NEAS.161cf0948e16da3ad8e981c1f033e780.exe	86
PID 5036 wrote to memory of 4904	5036	NEAS.161cf0948e16da3ad8e981c1f033e780.exe	86
PID 5036 wrote to memory of 4904	5036	NEAS.161cf0948e16da3ad8e981c1f033e780.exe	86
PID 5036 wrote to memory of 4976	5036	NEAS.161cf0948e16da3ad8e981c1f033e780.exe	87
PID 5036 wrote to memory of 4976	5036	NEAS.161cf0948e16da3ad8e981c1f033e780.exe	87
PID 5036 wrote to memory of 4976	5036	NEAS.161cf0948e16da3ad8e981c1f033e780.exe	87

C:\Users\Admin\AppData\Local\Temp\NEAS.161cf0948e16da3ad8e981c1f033e780.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.161cf0948e16da3ad8e981c1f033e780.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5036
- C:\Windows\SysWOW64\BNSUpdata.exe
  "C:\Windows\system32\BNSUpdata.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID:4904
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\uisad.bat
  2⤵
  PID:4976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\BNSUpdata.exe

Filesize
63KB

MD5
161cf0948e16da3ad8e981c1f033e780

SHA1
369a7925e91ff26289a20bb98c06eb4d127d2f02

SHA256
7a428920b1f55fc9739548e674570952086cfcff79471d7b0136fd8e438d8dde

SHA512
d33f58bc8b346205a519a7eedc1bf4696de242f22fb445e5d0fcc50528919215a5ca2f6bbf2c5a129d1d11cd776f973fff1b61d9266e7122b8b5ba74afed6832

Download Submit
C:\Windows\SysWOW64\BNSUpdata.exe

Filesize
63KB

MD5
161cf0948e16da3ad8e981c1f033e780

SHA1
369a7925e91ff26289a20bb98c06eb4d127d2f02

SHA256
7a428920b1f55fc9739548e674570952086cfcff79471d7b0136fd8e438d8dde

SHA512
d33f58bc8b346205a519a7eedc1bf4696de242f22fb445e5d0fcc50528919215a5ca2f6bbf2c5a129d1d11cd776f973fff1b61d9266e7122b8b5ba74afed6832

Download Submit
C:\Windows\SysWOW64\BNSUpdata.exe

Filesize
63KB

MD5
161cf0948e16da3ad8e981c1f033e780

SHA1
369a7925e91ff26289a20bb98c06eb4d127d2f02

SHA256
7a428920b1f55fc9739548e674570952086cfcff79471d7b0136fd8e438d8dde

SHA512
d33f58bc8b346205a519a7eedc1bf4696de242f22fb445e5d0fcc50528919215a5ca2f6bbf2c5a129d1d11cd776f973fff1b61d9266e7122b8b5ba74afed6832

Download Submit
C:\Windows\SysWOW64\bnsspx.dll

Filesize
66KB

MD5
bb2150f6237dfa9030317009104b7903

SHA1
1cbf2c9c4c1dd533327593490060453dd04edbc3

SHA256
c767f906c992e13ad443d4ea21a888ef514d6cd06b79143f6fc3b393228d48b5

SHA512
d91ec6f9d1450f400fce7ce519c04b7b08c6e9a633a3df1ecae4732166887d72d8c013f954c58aede70a3f3bfed64436bced9f9c54b889b995a479e4b11b056c

Download Submit
C:\Windows\SysWOW64\bnsspx.dll

Filesize
66KB

MD5
bb2150f6237dfa9030317009104b7903

SHA1
1cbf2c9c4c1dd533327593490060453dd04edbc3

SHA256
c767f906c992e13ad443d4ea21a888ef514d6cd06b79143f6fc3b393228d48b5

SHA512
d91ec6f9d1450f400fce7ce519c04b7b08c6e9a633a3df1ecae4732166887d72d8c013f954c58aede70a3f3bfed64436bced9f9c54b889b995a479e4b11b056c

Download Submit
C:\Windows\SysWOW64\bnsspx.dll

Filesize
66KB

MD5
bb2150f6237dfa9030317009104b7903

SHA1
1cbf2c9c4c1dd533327593490060453dd04edbc3

SHA256
c767f906c992e13ad443d4ea21a888ef514d6cd06b79143f6fc3b393228d48b5

SHA512
d91ec6f9d1450f400fce7ce519c04b7b08c6e9a633a3df1ecae4732166887d72d8c013f954c58aede70a3f3bfed64436bced9f9c54b889b995a479e4b11b056c

Download Submit
C:\Windows\SysWOW64\bnsspx.dll

Filesize
66KB

MD5
bb2150f6237dfa9030317009104b7903

SHA1
1cbf2c9c4c1dd533327593490060453dd04edbc3

SHA256
c767f906c992e13ad443d4ea21a888ef514d6cd06b79143f6fc3b393228d48b5

SHA512
d91ec6f9d1450f400fce7ce519c04b7b08c6e9a633a3df1ecae4732166887d72d8c013f954c58aede70a3f3bfed64436bced9f9c54b889b995a479e4b11b056c

Download Submit
C:\Windows\SysWOW64\gyblack.lst

Filesize
200B

MD5
481d6d7c865294ce256158782df53347

SHA1
4faf9eb321d898bc370e7189ae42e032ff697ca8

SHA256
5e8f83ccffc3e160cd4bd73ebcd4a97207b0e202192c3638d673b4b86e139052

SHA512
cfbaf23d7b3f3f649bd16ae24c4c18a83406450f54c48334b64557c72b9d7c9c0943a0f8248796904d3ba628bc5f2cab3a54933bb1fd5e474e15045477049bca

Download Submit
\??\c:\uisad.bat

Filesize
195B

MD5
5c949826bad2ad43862ff863e3667a1c

SHA1
20adb16e196606639e31cbb5ccf0524f2e862dce

SHA256
9e8a4a798a2d2588513a70b46d72e2d56eb0c525ade46623b0ff783eb6e23f01

SHA512
7911efa2dad08d3c7e7348d904c51fd6b6080aa9906ccbf566dd0e59dbb0ba1c168a125c607cda5f4d7c4cdbde15fa6b7367df0baee4cfe7146707ee87a49c0b

Download Submit
memory/5036-0-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/5036-15-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download