e3d89d5f4fa5a0408636a04612124c2f017df3a0da1417cdd337c1f25eb68ba1

Analysis

max time kernel
152s
max time network
131s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
14/10/2023, 17:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2b031d786f4075bf4b064e80aff443e0.exe
Size

50KB
MD5

2b031d786f4075bf4b064e80aff443e0
SHA1

a0bea145b57ad9e084cc5698a437ba670d14b4ef
SHA256

e3d89d5f4fa5a0408636a04612124c2f017df3a0da1417cdd337c1f25eb68ba1
SHA512

e8e0150d0c2138e537f930f0cd54af020d6f1152080814f46e9bf5ee48da0e4ef7c2577be419610ad91c20a41ca4d268bd1bfb3d60415741271256cfa36a2f3f
SSDEEP

1536:/KzjVnIEhZz0yFki1S+W498UOjhGuRvAd6:kVnBhZz0y7o+W6AhGw+6

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2304	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1620	BNSUpdata.exe

Loads dropped DLL 5 IoCs

pid	Process
2816	NEAS.2b031d786f4075bf4b064e80aff443e0.exe
2816	NEAS.2b031d786f4075bf4b064e80aff443e0.exe
2816	NEAS.2b031d786f4075bf4b064e80aff443e0.exe
1620	BNSUpdata.exe
1620	BNSUpdata.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2816-0-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/files/0x0008000000018bcd-7.dat	upx
behavioral1/files/0x0008000000018bcd-11.dat	upx
behavioral1/files/0x0008000000018bcd-9.dat	upx
behavioral1/memory/1620-17-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/files/0x0008000000018bcd-14.dat	upx

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\bnsspx.dll	NEAS.2b031d786f4075bf4b064e80aff443e0.exe
File opened for modification	C:\Windows\SysWOW64\zmdll.lst	NEAS.2b031d786f4075bf4b064e80aff443e0.exe
File created	C:\Windows\SysWOW64\BNSUpdata.exe	NEAS.2b031d786f4075bf4b064e80aff443e0.exe
File opened for modification	C:\Windows\SysWOW64\BNSUpdata.exe	NEAS.2b031d786f4075bf4b064e80aff443e0.exe
File opened for modification	C:\Windows\SysWOW64\zmdll.lst	BNSUpdata.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2816	NEAS.2b031d786f4075bf4b064e80aff443e0.exe
2816	NEAS.2b031d786f4075bf4b064e80aff443e0.exe
2816	NEAS.2b031d786f4075bf4b064e80aff443e0.exe
2816	NEAS.2b031d786f4075bf4b064e80aff443e0.exe
2816	NEAS.2b031d786f4075bf4b064e80aff443e0.exe
2816	NEAS.2b031d786f4075bf4b064e80aff443e0.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
2816	NEAS.2b031d786f4075bf4b064e80aff443e0.exe
472	Process not Found
1620	BNSUpdata.exe
472	Process not Found
1620	BNSUpdata.exe
472	Process not Found

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	2816	NEAS.2b031d786f4075bf4b064e80aff443e0.exe
Token: SeLoadDriverPrivilege	1620	BNSUpdata.exe
Token: SeLoadDriverPrivilege	1620	BNSUpdata.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 1620	2816	NEAS.2b031d786f4075bf4b064e80aff443e0.exe	30
PID 2816 wrote to memory of 1620	2816	NEAS.2b031d786f4075bf4b064e80aff443e0.exe	30
PID 2816 wrote to memory of 1620	2816	NEAS.2b031d786f4075bf4b064e80aff443e0.exe	30
PID 2816 wrote to memory of 1620	2816	NEAS.2b031d786f4075bf4b064e80aff443e0.exe	30
PID 2816 wrote to memory of 2304	2816	NEAS.2b031d786f4075bf4b064e80aff443e0.exe	31
PID 2816 wrote to memory of 2304	2816	NEAS.2b031d786f4075bf4b064e80aff443e0.exe	31
PID 2816 wrote to memory of 2304	2816	NEAS.2b031d786f4075bf4b064e80aff443e0.exe	31
PID 2816 wrote to memory of 2304	2816	NEAS.2b031d786f4075bf4b064e80aff443e0.exe	31

C:\Users\Admin\AppData\Local\Temp\NEAS.2b031d786f4075bf4b064e80aff443e0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2b031d786f4075bf4b064e80aff443e0.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Windows\SysWOW64\BNSUpdata.exe
  "C:\Windows\system32\BNSUpdata.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID:1620
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\uisad.bat
  2⤵
  - Deletes itself
  PID:2304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\BNSUpdata.exe

Filesize
50KB

MD5
2b031d786f4075bf4b064e80aff443e0

SHA1
a0bea145b57ad9e084cc5698a437ba670d14b4ef

SHA256
e3d89d5f4fa5a0408636a04612124c2f017df3a0da1417cdd337c1f25eb68ba1

SHA512
e8e0150d0c2138e537f930f0cd54af020d6f1152080814f46e9bf5ee48da0e4ef7c2577be419610ad91c20a41ca4d268bd1bfb3d60415741271256cfa36a2f3f

Download Submit
C:\Windows\SysWOW64\BNSUpdata.exe

Filesize
50KB

MD5
2b031d786f4075bf4b064e80aff443e0

SHA1
a0bea145b57ad9e084cc5698a437ba670d14b4ef

SHA256
e3d89d5f4fa5a0408636a04612124c2f017df3a0da1417cdd337c1f25eb68ba1

SHA512
e8e0150d0c2138e537f930f0cd54af020d6f1152080814f46e9bf5ee48da0e4ef7c2577be419610ad91c20a41ca4d268bd1bfb3d60415741271256cfa36a2f3f

Download Submit
C:\Windows\SysWOW64\bnsspx.dll

Filesize
53KB

MD5
14206e540666ffcc09de504886640b65

SHA1
9071d11b69ad08537fcb5e430650422c1780464d

SHA256
b6e8d6a6a0b121be080032293088a83461689603af9b38bfeb1ee68ee01aa1f7

SHA512
8dc4ce91fe9593d25e0c381f50d84e7fa67fb95a24faf6f425d990f7c998b472e7f10c5bf9b2fe7d57b0feefad4aa572e596857da9f3d6642151ef66593be679

Download Submit
C:\Windows\SysWOW64\zmdll.lst

Filesize
200B

MD5
611aec0f718253c46ef98ab3c48453a6

SHA1
db4ea74c25f496e84fe6a6ef710960cf2bcbaa40

SHA256
a07cf0a86faa408e86b5df9c1d772ca50f4826e5093c4adc143f6b516699c22e

SHA512
c172c764933a529376e76b0d6b17966f029702598c5d8f868f069ff64cde3f4fa93e3929b31767d7963d93071d880b84aa07643191e1d224e578ee7a1bb0b736

Download Submit
C:\uisad.bat

Filesize
195B

MD5
040064a2747fd264de659681fc9aff8c

SHA1
1dbbceb46a732b27a8416264f04ecb4bdac54752

SHA256
b09b983e0781ce4f88c432ce794618255f441705a915ae390539fee60803c329

SHA512
72f63417cfbbe3df5fd2cf5cca3a66ef204d1399c7aa1986bfb9f4ccc5cadb2491179fe062a62327f9a864faaabcaf07bffb0f7ceaa23b9e7f178a03718d19b9

Download Submit
\??\c:\uisad.bat

Filesize
195B

MD5
040064a2747fd264de659681fc9aff8c

SHA1
1dbbceb46a732b27a8416264f04ecb4bdac54752

SHA256
b09b983e0781ce4f88c432ce794618255f441705a915ae390539fee60803c329

SHA512
72f63417cfbbe3df5fd2cf5cca3a66ef204d1399c7aa1986bfb9f4ccc5cadb2491179fe062a62327f9a864faaabcaf07bffb0f7ceaa23b9e7f178a03718d19b9

Download Submit
\Windows\SysWOW64\BNSUpdata.exe

Filesize
50KB

MD5
2b031d786f4075bf4b064e80aff443e0

SHA1
a0bea145b57ad9e084cc5698a437ba670d14b4ef

SHA256
e3d89d5f4fa5a0408636a04612124c2f017df3a0da1417cdd337c1f25eb68ba1

SHA512
e8e0150d0c2138e537f930f0cd54af020d6f1152080814f46e9bf5ee48da0e4ef7c2577be419610ad91c20a41ca4d268bd1bfb3d60415741271256cfa36a2f3f

Download Submit
\Windows\SysWOW64\BNSUpdata.exe

Filesize
50KB

MD5
2b031d786f4075bf4b064e80aff443e0

SHA1
a0bea145b57ad9e084cc5698a437ba670d14b4ef

SHA256
e3d89d5f4fa5a0408636a04612124c2f017df3a0da1417cdd337c1f25eb68ba1

SHA512
e8e0150d0c2138e537f930f0cd54af020d6f1152080814f46e9bf5ee48da0e4ef7c2577be419610ad91c20a41ca4d268bd1bfb3d60415741271256cfa36a2f3f

Download Submit
\Windows\SysWOW64\bnsspx.dll

Filesize
53KB

MD5
14206e540666ffcc09de504886640b65

SHA1
9071d11b69ad08537fcb5e430650422c1780464d

SHA256
b6e8d6a6a0b121be080032293088a83461689603af9b38bfeb1ee68ee01aa1f7

SHA512
8dc4ce91fe9593d25e0c381f50d84e7fa67fb95a24faf6f425d990f7c998b472e7f10c5bf9b2fe7d57b0feefad4aa572e596857da9f3d6642151ef66593be679

Download Submit
\Windows\SysWOW64\bnsspx.dll

Filesize
53KB

MD5
14206e540666ffcc09de504886640b65

SHA1
9071d11b69ad08537fcb5e430650422c1780464d

SHA256
b6e8d6a6a0b121be080032293088a83461689603af9b38bfeb1ee68ee01aa1f7

SHA512
8dc4ce91fe9593d25e0c381f50d84e7fa67fb95a24faf6f425d990f7c998b472e7f10c5bf9b2fe7d57b0feefad4aa572e596857da9f3d6642151ef66593be679

Download Submit
\Windows\SysWOW64\bnsspx.dll

Filesize
53KB

MD5
14206e540666ffcc09de504886640b65

SHA1
9071d11b69ad08537fcb5e430650422c1780464d

SHA256
b6e8d6a6a0b121be080032293088a83461689603af9b38bfeb1ee68ee01aa1f7

SHA512
8dc4ce91fe9593d25e0c381f50d84e7fa67fb95a24faf6f425d990f7c998b472e7f10c5bf9b2fe7d57b0feefad4aa572e596857da9f3d6642151ef66593be679

Download Submit
memory/1620-17-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2816-0-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2816-13-0x0000000002690000-0x00000000026A6000-memory.dmp

Filesize
88KB

Download