Analysis
- max time kernel: 152s
- max time network: 131s
- platform: windows7_x64
- resource: win7-20230831-en
- resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
- submitted: 14/10/2023, 17:49
Behavioral tasks
- behavioral1: sample NEAS.2b031d786f4075bf4b064e80aff443e0.exe, resource win7-20230831-en
- behavioral2: sample NEAS.2b031d786f4075bf4b064e80aff443e0.exe, resource win10v2004-20230915-en
General
- Target: NEAS.2b031d786f4075bf4b064e80aff443e0.exe
- Size: 50KB
- MD5: 2b031d786f4075bf4b064e80aff443e0
- SHA1: a0bea145b57ad9e084cc5698a437ba670d14b4ef
- SHA256: e3d89d5f4fa5a0408636a04612124c2f017df3a0da1417cdd337c1f25eb68ba1
- SHA512: e8e0150d0c2138e537f930f0cd54af020d6f1152080814f46e9bf5ee48da0e4ef7c2577be419610ad91c20a41ca4d268bd1bfb3d60415741271256cfa36a2f3f
- SSDEEP: 1536:/KzjVnIEhZz0yFki1S+W498UOjhGuRvAd6:kVnBhZz0y7o+W6AhGw+6
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 2304, process cmd.exe
- Executes dropped EXE (1 IoC)
  pid 1620, process BNSUpdata.exe
- Loads dropped DLL (5 IoCs)
  pid 2816, process NEAS.2b031d786f4075bf4b064e80aff443e0.exe (3 hits); pid 1620, process BNSUpdata.exe (2 hits)
- YARA rule matches (yara_rule: upx for every resource below)
  behavioral1/memory/2816-0-0x0000000000400000-0x0000000000416000-memory.dmp
  behavioral1/files/0x0008000000018bcd-7.dat
  behavioral1/files/0x0008000000018bcd-11.dat
  behavioral1/files/0x0008000000018bcd-9.dat
  behavioral1/memory/1620-17-0x0000000000400000-0x0000000000416000-memory.dmp
  behavioral1/files/0x0008000000018bcd-14.dat
- Drops file in System32 directory (5 IoCs)
  File created: C:\Windows\SysWOW64\bnsspx.dll, by NEAS.2b031d786f4075bf4b064e80aff443e0.exe
  File opened for modification: C:\Windows\SysWOW64\zmdll.lst, by NEAS.2b031d786f4075bf4b064e80aff443e0.exe
  File created: C:\Windows\SysWOW64\BNSUpdata.exe, by NEAS.2b031d786f4075bf4b064e80aff443e0.exe
  File opened for modification: C:\Windows\SysWOW64\BNSUpdata.exe, by NEAS.2b031d786f4075bf4b064e80aff443e0.exe
  File opened for modification: C:\Windows\SysWOW64\zmdll.lst, by BNSUpdata.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid 2816, process NEAS.2b031d786f4075bf4b064e80aff443e0.exe (6 hits)
- Suspicious behavior: LoadsDriver (6 IoCs)
  pid 2816 NEAS.2b031d786f4075bf4b064e80aff443e0.exe; pid 472 Process not Found; pid 1620 BNSUpdata.exe; pid 472 Process not Found; pid 1620 BNSUpdata.exe; pid 472 Process not Found
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token SeLoadDriverPrivilege: pid 2816 NEAS.2b031d786f4075bf4b064e80aff443e0.exe
  Token SeLoadDriverPrivilege: pid 1620 BNSUpdata.exe (2 hits)
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2816 (NEAS.2b031d786f4075bf4b064e80aff443e0.exe) wrote to memory of 1620, procid_target 30 (4 hits)
  PID 2816 (NEAS.2b031d786f4075bf4b064e80aff443e0.exe) wrote to memory of 2304, procid_target 31 (4 hits)
Processes
- C:\Users\Admin\AppData\Local\Temp\NEAS.2b031d786f4075bf4b064e80aff443e0.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.2b031d786f4075bf4b064e80aff443e0.exe"
  PID: 2816
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\BNSUpdata.exe (depth 2)
    Command line: "C:\Windows\system32\BNSUpdata.exe"
    PID: 1620
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: cmd /c c:\uisad.bat
    PID: 2304
    - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize 50KB
  MD5 2b031d786f4075bf4b064e80aff443e0
  SHA1 a0bea145b57ad9e084cc5698a437ba670d14b4ef
  SHA256 e3d89d5f4fa5a0408636a04612124c2f017df3a0da1417cdd337c1f25eb68ba1
  SHA512 e8e0150d0c2138e537f930f0cd54af020d6f1152080814f46e9bf5ee48da0e4ef7c2577be419610ad91c20a41ca4d268bd1bfb3d60415741271256cfa36a2f3f
- Filesize 53KB
  MD5 14206e540666ffcc09de504886640b65
  SHA1 9071d11b69ad08537fcb5e430650422c1780464d
  SHA256 b6e8d6a6a0b121be080032293088a83461689603af9b38bfeb1ee68ee01aa1f7
  SHA512 8dc4ce91fe9593d25e0c381f50d84e7fa67fb95a24faf6f425d990f7c998b472e7f10c5bf9b2fe7d57b0feefad4aa572e596857da9f3d6642151ef66593be679
- Filesize 200B
  MD5 611aec0f718253c46ef98ab3c48453a6
  SHA1 db4ea74c25f496e84fe6a6ef710960cf2bcbaa40
  SHA256 a07cf0a86faa408e86b5df9c1d772ca50f4826e5093c4adc143f6b516699c22e
  SHA512 c172c764933a529376e76b0d6b17966f029702598c5d8f868f069ff64cde3f4fa93e3929b31767d7963d93071d880b84aa07643191e1d224e578ee7a1bb0b736
- Filesize 195B
  MD5 040064a2747fd264de659681fc9aff8c
  SHA1 1dbbceb46a732b27a8416264f04ecb4bdac54752
  SHA256 b09b983e0781ce4f88c432ce794618255f441705a915ae390539fee60803c329
  SHA512 72f63417cfbbe3df5fd2cf5cca3a66ef204d1399c7aa1986bfb9f4ccc5cadb2491179fe062a62327f9a864faaabcaf07bffb0f7ceaa23b9e7f178a03718d19b9