e3d89d5f4fa5a0408636a04612124c2f017df3a0da1417cdd337c1f25eb68ba1

Analysis

max time kernel
161s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2023, 17:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2b031d786f4075bf4b064e80aff443e0.exe
Size

50KB
MD5

2b031d786f4075bf4b064e80aff443e0
SHA1

a0bea145b57ad9e084cc5698a437ba670d14b4ef
SHA256

e3d89d5f4fa5a0408636a04612124c2f017df3a0da1417cdd337c1f25eb68ba1
SHA512

e8e0150d0c2138e537f930f0cd54af020d6f1152080814f46e9bf5ee48da0e4ef7c2577be419610ad91c20a41ca4d268bd1bfb3d60415741271256cfa36a2f3f
SSDEEP

1536:/KzjVnIEhZz0yFki1S+W498UOjhGuRvAd6:kVnBhZz0y7o+W6AhGw+6

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	NEAS.2b031d786f4075bf4b064e80aff443e0.exe

Executes dropped EXE 1 IoCs

pid	Process
3640	BNSUpdata.exe

Loads dropped DLL 3 IoCs

pid	Process
4664	NEAS.2b031d786f4075bf4b064e80aff443e0.exe
3640	BNSUpdata.exe
3640	BNSUpdata.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4664-0-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/files/0x00080000000230a3-9.dat	upx
behavioral2/files/0x00080000000230a3-11.dat	upx
behavioral2/files/0x00080000000230a3-13.dat	upx
behavioral2/memory/4664-19-0x0000000000400000-0x0000000000416000-memory.dmp	upx

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\bnsspx.dll	NEAS.2b031d786f4075bf4b064e80aff443e0.exe
File opened for modification	C:\Windows\SysWOW64\zmdll.lst	NEAS.2b031d786f4075bf4b064e80aff443e0.exe
File created	C:\Windows\SysWOW64\BNSUpdata.exe	NEAS.2b031d786f4075bf4b064e80aff443e0.exe
File opened for modification	C:\Windows\SysWOW64\BNSUpdata.exe	NEAS.2b031d786f4075bf4b064e80aff443e0.exe
File opened for modification	C:\Windows\SysWOW64\zmdll.lst	BNSUpdata.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4664	NEAS.2b031d786f4075bf4b064e80aff443e0.exe
4664	NEAS.2b031d786f4075bf4b064e80aff443e0.exe
4664	NEAS.2b031d786f4075bf4b064e80aff443e0.exe
4664	NEAS.2b031d786f4075bf4b064e80aff443e0.exe
4664	NEAS.2b031d786f4075bf4b064e80aff443e0.exe
4664	NEAS.2b031d786f4075bf4b064e80aff443e0.exe
4664	NEAS.2b031d786f4075bf4b064e80aff443e0.exe
4664	NEAS.2b031d786f4075bf4b064e80aff443e0.exe
4664	NEAS.2b031d786f4075bf4b064e80aff443e0.exe
4664	NEAS.2b031d786f4075bf4b064e80aff443e0.exe
4664	NEAS.2b031d786f4075bf4b064e80aff443e0.exe
4664	NEAS.2b031d786f4075bf4b064e80aff443e0.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4664	NEAS.2b031d786f4075bf4b064e80aff443e0.exe
680	Process not Found
3640	BNSUpdata.exe
680	Process not Found
3640	BNSUpdata.exe
680	Process not Found

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	4664	NEAS.2b031d786f4075bf4b064e80aff443e0.exe
Token: SeLoadDriverPrivilege	3640	BNSUpdata.exe
Token: SeLoadDriverPrivilege	3640	BNSUpdata.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4664 wrote to memory of 3640	4664	NEAS.2b031d786f4075bf4b064e80aff443e0.exe	87
PID 4664 wrote to memory of 3640	4664	NEAS.2b031d786f4075bf4b064e80aff443e0.exe	87
PID 4664 wrote to memory of 3640	4664	NEAS.2b031d786f4075bf4b064e80aff443e0.exe	87
PID 4664 wrote to memory of 3760	4664	NEAS.2b031d786f4075bf4b064e80aff443e0.exe	88
PID 4664 wrote to memory of 3760	4664	NEAS.2b031d786f4075bf4b064e80aff443e0.exe	88
PID 4664 wrote to memory of 3760	4664	NEAS.2b031d786f4075bf4b064e80aff443e0.exe	88

C:\Users\Admin\AppData\Local\Temp\NEAS.2b031d786f4075bf4b064e80aff443e0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2b031d786f4075bf4b064e80aff443e0.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4664
- C:\Windows\SysWOW64\BNSUpdata.exe
  "C:\Windows\system32\BNSUpdata.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID:3640
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\uisad.bat
  2⤵
  PID:3760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\BNSUpdata.exe

Filesize
50KB

MD5
2b031d786f4075bf4b064e80aff443e0

SHA1
a0bea145b57ad9e084cc5698a437ba670d14b4ef

SHA256
e3d89d5f4fa5a0408636a04612124c2f017df3a0da1417cdd337c1f25eb68ba1

SHA512
e8e0150d0c2138e537f930f0cd54af020d6f1152080814f46e9bf5ee48da0e4ef7c2577be419610ad91c20a41ca4d268bd1bfb3d60415741271256cfa36a2f3f

Download Submit
C:\Windows\SysWOW64\BNSUpdata.exe

Filesize
50KB

MD5
2b031d786f4075bf4b064e80aff443e0

SHA1
a0bea145b57ad9e084cc5698a437ba670d14b4ef

SHA256
e3d89d5f4fa5a0408636a04612124c2f017df3a0da1417cdd337c1f25eb68ba1

SHA512
e8e0150d0c2138e537f930f0cd54af020d6f1152080814f46e9bf5ee48da0e4ef7c2577be419610ad91c20a41ca4d268bd1bfb3d60415741271256cfa36a2f3f

Download Submit
C:\Windows\SysWOW64\BNSUpdata.exe

Filesize
50KB

MD5
2b031d786f4075bf4b064e80aff443e0

SHA1
a0bea145b57ad9e084cc5698a437ba670d14b4ef

SHA256
e3d89d5f4fa5a0408636a04612124c2f017df3a0da1417cdd337c1f25eb68ba1

SHA512
e8e0150d0c2138e537f930f0cd54af020d6f1152080814f46e9bf5ee48da0e4ef7c2577be419610ad91c20a41ca4d268bd1bfb3d60415741271256cfa36a2f3f

Download Submit
C:\Windows\SysWOW64\bnsspx.dll

Filesize
53KB

MD5
14206e540666ffcc09de504886640b65

SHA1
9071d11b69ad08537fcb5e430650422c1780464d

SHA256
b6e8d6a6a0b121be080032293088a83461689603af9b38bfeb1ee68ee01aa1f7

SHA512
8dc4ce91fe9593d25e0c381f50d84e7fa67fb95a24faf6f425d990f7c998b472e7f10c5bf9b2fe7d57b0feefad4aa572e596857da9f3d6642151ef66593be679

Download Submit
C:\Windows\SysWOW64\bnsspx.dll

Filesize
53KB

MD5
14206e540666ffcc09de504886640b65

SHA1
9071d11b69ad08537fcb5e430650422c1780464d

SHA256
b6e8d6a6a0b121be080032293088a83461689603af9b38bfeb1ee68ee01aa1f7

SHA512
8dc4ce91fe9593d25e0c381f50d84e7fa67fb95a24faf6f425d990f7c998b472e7f10c5bf9b2fe7d57b0feefad4aa572e596857da9f3d6642151ef66593be679

Download Submit
C:\Windows\SysWOW64\bnsspx.dll

Filesize
53KB

MD5
14206e540666ffcc09de504886640b65

SHA1
9071d11b69ad08537fcb5e430650422c1780464d

SHA256
b6e8d6a6a0b121be080032293088a83461689603af9b38bfeb1ee68ee01aa1f7

SHA512
8dc4ce91fe9593d25e0c381f50d84e7fa67fb95a24faf6f425d990f7c998b472e7f10c5bf9b2fe7d57b0feefad4aa572e596857da9f3d6642151ef66593be679

Download Submit
C:\Windows\SysWOW64\bnsspx.dll

Filesize
53KB

MD5
14206e540666ffcc09de504886640b65

SHA1
9071d11b69ad08537fcb5e430650422c1780464d

SHA256
b6e8d6a6a0b121be080032293088a83461689603af9b38bfeb1ee68ee01aa1f7

SHA512
8dc4ce91fe9593d25e0c381f50d84e7fa67fb95a24faf6f425d990f7c998b472e7f10c5bf9b2fe7d57b0feefad4aa572e596857da9f3d6642151ef66593be679

Download Submit
C:\Windows\SysWOW64\zmdll.lst

Filesize
200B

MD5
481d6d7c865294ce256158782df53347

SHA1
4faf9eb321d898bc370e7189ae42e032ff697ca8

SHA256
5e8f83ccffc3e160cd4bd73ebcd4a97207b0e202192c3638d673b4b86e139052

SHA512
cfbaf23d7b3f3f649bd16ae24c4c18a83406450f54c48334b64557c72b9d7c9c0943a0f8248796904d3ba628bc5f2cab3a54933bb1fd5e474e15045477049bca

Download Submit
\??\c:\uisad.bat

Filesize
195B

MD5
040064a2747fd264de659681fc9aff8c

SHA1
1dbbceb46a732b27a8416264f04ecb4bdac54752

SHA256
b09b983e0781ce4f88c432ce794618255f441705a915ae390539fee60803c329

SHA512
72f63417cfbbe3df5fd2cf5cca3a66ef204d1399c7aa1986bfb9f4ccc5cadb2491179fe062a62327f9a864faaabcaf07bffb0f7ceaa23b9e7f178a03718d19b9

Download Submit
memory/4664-0-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4664-19-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download