51a3c7d40aed392892e39dee952ef9350cd8656f276af2bc458599f14a0d072b

Analysis

max time kernel
154s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20/10/2022, 20:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

51a3c7d40aed392892e39dee952ef9350cd8656f276af2bc458599f14a0d072b.exe
Size

95KB
MD5

969f2147db955251001dad65f57a7466
SHA1

9d6ecd678f301961cc2258e1ffab110621e303ca
SHA256

51a3c7d40aed392892e39dee952ef9350cd8656f276af2bc458599f14a0d072b
SHA512

6f170529d119f5a0c0bc7d6bbd3385980bcf7c3252b8714409b48c6e0d6ea5bf667cb0455246ddaf0ae80a7187a0889d2da55956c99089dc315e1df6b745ff2d
SSDEEP

1536:y6GQjirJO7cPLKGQHdT0nyerJXaXjJHTkNNbwyM50PK:/Gd3WnV0nd16tcmyM50C

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1668	BNSUpdata.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/560-55-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/560-57-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/files/0x000a00000001232e-58.dat	upx
behavioral1/memory/560-59-0x0000000002580000-0x000000000259A000-memory.dmp	upx
behavioral1/files/0x000a00000001232e-60.dat	upx
behavioral1/files/0x000a00000001232e-62.dat	upx

Deletes itself 1 IoCs

pid	Process
1584	cmd.exe

Loads dropped DLL 5 IoCs

pid	Process
560	51a3c7d40aed392892e39dee952ef9350cd8656f276af2bc458599f14a0d072b.exe
560	51a3c7d40aed392892e39dee952ef9350cd8656f276af2bc458599f14a0d072b.exe
560	51a3c7d40aed392892e39dee952ef9350cd8656f276af2bc458599f14a0d072b.exe
1668	BNSUpdata.exe
1668	BNSUpdata.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\bnsspx.dll	51a3c7d40aed392892e39dee952ef9350cd8656f276af2bc458599f14a0d072b.exe
File opened for modification	C:\Windows\SysWOW64\gyblack.lst	51a3c7d40aed392892e39dee952ef9350cd8656f276af2bc458599f14a0d072b.exe
File created	C:\Windows\SysWOW64\BNSUpdata.exe	51a3c7d40aed392892e39dee952ef9350cd8656f276af2bc458599f14a0d072b.exe
File opened for modification	C:\Windows\SysWOW64\BNSUpdata.exe	51a3c7d40aed392892e39dee952ef9350cd8656f276af2bc458599f14a0d072b.exe
File opened for modification	C:\Windows\SysWOW64\gyblack.lst	BNSUpdata.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
560	51a3c7d40aed392892e39dee952ef9350cd8656f276af2bc458599f14a0d072b.exe
560	51a3c7d40aed392892e39dee952ef9350cd8656f276af2bc458599f14a0d072b.exe
560	51a3c7d40aed392892e39dee952ef9350cd8656f276af2bc458599f14a0d072b.exe
560	51a3c7d40aed392892e39dee952ef9350cd8656f276af2bc458599f14a0d072b.exe
560	51a3c7d40aed392892e39dee952ef9350cd8656f276af2bc458599f14a0d072b.exe
560	51a3c7d40aed392892e39dee952ef9350cd8656f276af2bc458599f14a0d072b.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
560	51a3c7d40aed392892e39dee952ef9350cd8656f276af2bc458599f14a0d072b.exe
464	Process not Found
1668	BNSUpdata.exe
464	Process not Found
1668	BNSUpdata.exe
464	Process not Found

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	560	51a3c7d40aed392892e39dee952ef9350cd8656f276af2bc458599f14a0d072b.exe
Token: SeLoadDriverPrivilege	1668	BNSUpdata.exe
Token: SeLoadDriverPrivilege	1668	BNSUpdata.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 560 wrote to memory of 1668	560	51a3c7d40aed392892e39dee952ef9350cd8656f276af2bc458599f14a0d072b.exe	28
PID 560 wrote to memory of 1668	560	51a3c7d40aed392892e39dee952ef9350cd8656f276af2bc458599f14a0d072b.exe	28
PID 560 wrote to memory of 1668	560	51a3c7d40aed392892e39dee952ef9350cd8656f276af2bc458599f14a0d072b.exe	28
PID 560 wrote to memory of 1668	560	51a3c7d40aed392892e39dee952ef9350cd8656f276af2bc458599f14a0d072b.exe	28
PID 560 wrote to memory of 1584	560	51a3c7d40aed392892e39dee952ef9350cd8656f276af2bc458599f14a0d072b.exe	29
PID 560 wrote to memory of 1584	560	51a3c7d40aed392892e39dee952ef9350cd8656f276af2bc458599f14a0d072b.exe	29
PID 560 wrote to memory of 1584	560	51a3c7d40aed392892e39dee952ef9350cd8656f276af2bc458599f14a0d072b.exe	29
PID 560 wrote to memory of 1584	560	51a3c7d40aed392892e39dee952ef9350cd8656f276af2bc458599f14a0d072b.exe	29

C:\Users\Admin\AppData\Local\Temp\51a3c7d40aed392892e39dee952ef9350cd8656f276af2bc458599f14a0d072b.exe
"C:\Users\Admin\AppData\Local\Temp\51a3c7d40aed392892e39dee952ef9350cd8656f276af2bc458599f14a0d072b.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:560
- C:\Windows\SysWOW64\BNSUpdata.exe
  "C:\Windows\system32\BNSUpdata.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID:1668
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\uisad.bat
  2⤵
  - Deletes itself
  PID:1584

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\BNSUpdata.exe

Filesize
95KB

MD5
969f2147db955251001dad65f57a7466

SHA1
9d6ecd678f301961cc2258e1ffab110621e303ca

SHA256
51a3c7d40aed392892e39dee952ef9350cd8656f276af2bc458599f14a0d072b

SHA512
6f170529d119f5a0c0bc7d6bbd3385980bcf7c3252b8714409b48c6e0d6ea5bf667cb0455246ddaf0ae80a7187a0889d2da55956c99089dc315e1df6b745ff2d

Download Submit
C:\Windows\SysWOW64\bnsspx.dll

Filesize
64KB

MD5
abda06319d5c51bc018167656bccc8cb

SHA1
c7ea67d67031c89c5d4471fa69f9b428b2764265

SHA256
7f4e87290708ccf6f50ee12a05361fcddfa2699fdc19cf607eb1e49d83979186

SHA512
24198bfc639caf6b860101e616912f8d752db55369f0e6109e8c830fca1018f9a6d96e4e6f117d4c98869384bc303716ae2f5fee6c96a8a76b9e6549e7becb79

Download Submit
C:\Windows\SysWOW64\gyblack.lst

Filesize
200B

MD5
de5f8b50f4779d09ab42196cd67ff6e7

SHA1
980e36a64669405a9457ec22fe97118e4901cc5d

SHA256
29ce4dbf8d6c50513ceff91714e6432438923a5dd2d3d228c7f8341954382607

SHA512
e2e6edc2f89409be015246fcacbafa584866b542846635f6eb54ae4039e5ef127f30676dd8d5d68c14bb8c485fdd835ca15b89ffcf80ec3600ae72aa66fd948d

Download Submit
\??\c:\uisad.bat

Filesize
249B

MD5
fa9bed839a1048f78ee9bc10c908df06

SHA1
04ec826e7fe744e453f16424c7b5bfa9ae3bb462

SHA256
743b19d609b1ba9411a5bb79e29dd942a7527ac2053e0d7243b234468b48d3ac

SHA512
188d1a67201ce6323303ccbf6cf670fe9f6ab4c85c95b5c4b6a3c713843cf239aa6a88fec8c0edc8cbb9e0a74fb19540e0dc41a3042e784359277444316470fa

Download Submit
\Windows\SysWOW64\BNSUpdata.exe

Filesize
95KB

MD5
969f2147db955251001dad65f57a7466

SHA1
9d6ecd678f301961cc2258e1ffab110621e303ca

SHA256
51a3c7d40aed392892e39dee952ef9350cd8656f276af2bc458599f14a0d072b

SHA512
6f170529d119f5a0c0bc7d6bbd3385980bcf7c3252b8714409b48c6e0d6ea5bf667cb0455246ddaf0ae80a7187a0889d2da55956c99089dc315e1df6b745ff2d

Download Submit
\Windows\SysWOW64\BNSUpdata.exe

Filesize
95KB

MD5
969f2147db955251001dad65f57a7466

SHA1
9d6ecd678f301961cc2258e1ffab110621e303ca

SHA256
51a3c7d40aed392892e39dee952ef9350cd8656f276af2bc458599f14a0d072b

SHA512
6f170529d119f5a0c0bc7d6bbd3385980bcf7c3252b8714409b48c6e0d6ea5bf667cb0455246ddaf0ae80a7187a0889d2da55956c99089dc315e1df6b745ff2d

Download Submit
\Windows\SysWOW64\bnsspx.dll

Filesize
64KB

MD5
abda06319d5c51bc018167656bccc8cb

SHA1
c7ea67d67031c89c5d4471fa69f9b428b2764265

SHA256
7f4e87290708ccf6f50ee12a05361fcddfa2699fdc19cf607eb1e49d83979186

SHA512
24198bfc639caf6b860101e616912f8d752db55369f0e6109e8c830fca1018f9a6d96e4e6f117d4c98869384bc303716ae2f5fee6c96a8a76b9e6549e7becb79

Download Submit
\Windows\SysWOW64\bnsspx.dll

Filesize
64KB

MD5
abda06319d5c51bc018167656bccc8cb

SHA1
c7ea67d67031c89c5d4471fa69f9b428b2764265

SHA256
7f4e87290708ccf6f50ee12a05361fcddfa2699fdc19cf607eb1e49d83979186

SHA512
24198bfc639caf6b860101e616912f8d752db55369f0e6109e8c830fca1018f9a6d96e4e6f117d4c98869384bc303716ae2f5fee6c96a8a76b9e6549e7becb79

Download Submit
\Windows\SysWOW64\bnsspx.dll

Filesize
64KB

MD5
abda06319d5c51bc018167656bccc8cb

SHA1
c7ea67d67031c89c5d4471fa69f9b428b2764265

SHA256
7f4e87290708ccf6f50ee12a05361fcddfa2699fdc19cf607eb1e49d83979186

SHA512
24198bfc639caf6b860101e616912f8d752db55369f0e6109e8c830fca1018f9a6d96e4e6f117d4c98869384bc303716ae2f5fee6c96a8a76b9e6549e7becb79

Download Submit
memory/560-54-0x0000000076041000-0x0000000076043000-memory.dmp

Filesize
8KB

Download
memory/560-59-0x0000000002580000-0x000000000259A000-memory.dmp

Filesize
104KB

Download
memory/560-57-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/560-55-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download