c7b4ffa34dca95cc22a4d1e845787de6a8b9c6a304c44d8a8a4fcbb303706d6f

Analysis

max time kernel
151s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
28/10/2022, 22:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c7b4ffa34dca95cc22a4d1e845787de6a8b9c6a304c44d8a8a4fcbb303706d6f.exe
Size

68KB
MD5

0af367abe80ccd9fad889560cd635a66
SHA1

edb7258e03a73e0131ddbe7788769dc7d1e8c002
SHA256

c7b4ffa34dca95cc22a4d1e845787de6a8b9c6a304c44d8a8a4fcbb303706d6f
SHA512

2793c7d80f8b69f749438e3496e35da7bedf508c526d7669bdbad6932c79888d2e2227998fa064dddca07eae5fdff9e453d320a66f48c1086d801bf5b3a54836
SSDEEP

1536:2U7Nf/O4W/v5U7DtPBC6PuHbPRV2oitU648Gt1Os7U0PFy:9BW35CRQ4ujRV2oiCl8m4sY09y

Score

8^/10

upx

Malware Config

Signatures

Blocklisted process makes network request 7 IoCs

flow	pid	Process
6	1864	rundll32.exe
23	1864	rundll32.exe
39	1864	rundll32.exe
42	1864	rundll32.exe
44	1864	rundll32.exe
47	1864	rundll32.exe
48	1864	rundll32.exe

Executes dropped EXE 1 IoCs

pid	Process
364	BNSUpdata.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1188-132-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/files/0x0003000000022e23-136.dat	upx
behavioral2/files/0x0003000000022e23-135.dat	upx
behavioral2/memory/1188-142-0x0000000000400000-0x000000000041B000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	c7b4ffa34dca95cc22a4d1e845787de6a8b9c6a304c44d8a8a4fcbb303706d6f.exe

Loads dropped DLL 4 IoCs

pid	Process
1188	c7b4ffa34dca95cc22a4d1e845787de6a8b9c6a304c44d8a8a4fcbb303706d6f.exe
364	BNSUpdata.exe
1864	rundll32.exe
364	BNSUpdata.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\CCProxy.ini	rundll32.exe
File created	C:\Windows\SysWOW64\bnsspx.dll	c7b4ffa34dca95cc22a4d1e845787de6a8b9c6a304c44d8a8a4fcbb303706d6f.exe
File opened for modification	C:\Windows\SysWOW64\gyblack.lst	c7b4ffa34dca95cc22a4d1e845787de6a8b9c6a304c44d8a8a4fcbb303706d6f.exe
File created	C:\Windows\SysWOW64\BNSUpdata.exe	c7b4ffa34dca95cc22a4d1e845787de6a8b9c6a304c44d8a8a4fcbb303706d6f.exe
File opened for modification	C:\Windows\SysWOW64\BNSUpdata.exe	c7b4ffa34dca95cc22a4d1e845787de6a8b9c6a304c44d8a8a4fcbb303706d6f.exe
File opened for modification	C:\Windows\SysWOW64\gyblack.lst	BNSUpdata.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1188	c7b4ffa34dca95cc22a4d1e845787de6a8b9c6a304c44d8a8a4fcbb303706d6f.exe
1188	c7b4ffa34dca95cc22a4d1e845787de6a8b9c6a304c44d8a8a4fcbb303706d6f.exe
1188	c7b4ffa34dca95cc22a4d1e845787de6a8b9c6a304c44d8a8a4fcbb303706d6f.exe
1188	c7b4ffa34dca95cc22a4d1e845787de6a8b9c6a304c44d8a8a4fcbb303706d6f.exe
1188	c7b4ffa34dca95cc22a4d1e845787de6a8b9c6a304c44d8a8a4fcbb303706d6f.exe
1188	c7b4ffa34dca95cc22a4d1e845787de6a8b9c6a304c44d8a8a4fcbb303706d6f.exe
1188	c7b4ffa34dca95cc22a4d1e845787de6a8b9c6a304c44d8a8a4fcbb303706d6f.exe
1188	c7b4ffa34dca95cc22a4d1e845787de6a8b9c6a304c44d8a8a4fcbb303706d6f.exe
1188	c7b4ffa34dca95cc22a4d1e845787de6a8b9c6a304c44d8a8a4fcbb303706d6f.exe
1188	c7b4ffa34dca95cc22a4d1e845787de6a8b9c6a304c44d8a8a4fcbb303706d6f.exe
1188	c7b4ffa34dca95cc22a4d1e845787de6a8b9c6a304c44d8a8a4fcbb303706d6f.exe
1188	c7b4ffa34dca95cc22a4d1e845787de6a8b9c6a304c44d8a8a4fcbb303706d6f.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
1188	c7b4ffa34dca95cc22a4d1e845787de6a8b9c6a304c44d8a8a4fcbb303706d6f.exe
656	Process not Found
364	BNSUpdata.exe
656	Process not Found
364	BNSUpdata.exe
656	Process not Found

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	1188	c7b4ffa34dca95cc22a4d1e845787de6a8b9c6a304c44d8a8a4fcbb303706d6f.exe
Token: SeLoadDriverPrivilege	364	BNSUpdata.exe
Token: SeLoadDriverPrivilege	364	BNSUpdata.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1188 wrote to memory of 364	1188	c7b4ffa34dca95cc22a4d1e845787de6a8b9c6a304c44d8a8a4fcbb303706d6f.exe	83
PID 1188 wrote to memory of 364	1188	c7b4ffa34dca95cc22a4d1e845787de6a8b9c6a304c44d8a8a4fcbb303706d6f.exe	83
PID 1188 wrote to memory of 364	1188	c7b4ffa34dca95cc22a4d1e845787de6a8b9c6a304c44d8a8a4fcbb303706d6f.exe	83
PID 1188 wrote to memory of 1864	1188	c7b4ffa34dca95cc22a4d1e845787de6a8b9c6a304c44d8a8a4fcbb303706d6f.exe	84
PID 1188 wrote to memory of 1864	1188	c7b4ffa34dca95cc22a4d1e845787de6a8b9c6a304c44d8a8a4fcbb303706d6f.exe	84
PID 1188 wrote to memory of 1864	1188	c7b4ffa34dca95cc22a4d1e845787de6a8b9c6a304c44d8a8a4fcbb303706d6f.exe	84
PID 1188 wrote to memory of 4136	1188	c7b4ffa34dca95cc22a4d1e845787de6a8b9c6a304c44d8a8a4fcbb303706d6f.exe	85
PID 1188 wrote to memory of 4136	1188	c7b4ffa34dca95cc22a4d1e845787de6a8b9c6a304c44d8a8a4fcbb303706d6f.exe	85
PID 1188 wrote to memory of 4136	1188	c7b4ffa34dca95cc22a4d1e845787de6a8b9c6a304c44d8a8a4fcbb303706d6f.exe	85

C:\Users\Admin\AppData\Local\Temp\c7b4ffa34dca95cc22a4d1e845787de6a8b9c6a304c44d8a8a4fcbb303706d6f.exe
"C:\Users\Admin\AppData\Local\Temp\c7b4ffa34dca95cc22a4d1e845787de6a8b9c6a304c44d8a8a4fcbb303706d6f.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1188
- C:\Windows\SysWOW64\BNSUpdata.exe
  "C:\Windows\system32\BNSUpdata.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID:364
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Windows\system32\bnsspx.dll GetNeedSock
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:1864
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\uisad.bat
  2⤵
  PID:4136

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\BNSUpdata.exe

Filesize
68KB

MD5
0af367abe80ccd9fad889560cd635a66

SHA1
edb7258e03a73e0131ddbe7788769dc7d1e8c002

SHA256
c7b4ffa34dca95cc22a4d1e845787de6a8b9c6a304c44d8a8a4fcbb303706d6f

SHA512
2793c7d80f8b69f749438e3496e35da7bedf508c526d7669bdbad6932c79888d2e2227998fa064dddca07eae5fdff9e453d320a66f48c1086d801bf5b3a54836

Download Submit
C:\Windows\SysWOW64\BNSUpdata.exe

Filesize
68KB

MD5
0af367abe80ccd9fad889560cd635a66

SHA1
edb7258e03a73e0131ddbe7788769dc7d1e8c002

SHA256
c7b4ffa34dca95cc22a4d1e845787de6a8b9c6a304c44d8a8a4fcbb303706d6f

SHA512
2793c7d80f8b69f749438e3496e35da7bedf508c526d7669bdbad6932c79888d2e2227998fa064dddca07eae5fdff9e453d320a66f48c1086d801bf5b3a54836

Download Submit
C:\Windows\SysWOW64\bnsspx.dll

Filesize
74KB

MD5
978ce2cd482c7f340f053c4321699b73

SHA1
559aaace48de70182b73bd7a0c8e8e4312aced92

SHA256
401921bae69e5e5158f231f3c3abd0878302ad124ca29c4d5859c26356954f3e

SHA512
df352a4275b0e05aa7538f761d2480999e0361bf958a9426733d2ec487a8714201632bb9832a5fee3263c83c8aafacce0aa163f1deed2b329361b009d1cea9ba

Download Submit
C:\Windows\SysWOW64\bnsspx.dll

Filesize
74KB

MD5
978ce2cd482c7f340f053c4321699b73

SHA1
559aaace48de70182b73bd7a0c8e8e4312aced92

SHA256
401921bae69e5e5158f231f3c3abd0878302ad124ca29c4d5859c26356954f3e

SHA512
df352a4275b0e05aa7538f761d2480999e0361bf958a9426733d2ec487a8714201632bb9832a5fee3263c83c8aafacce0aa163f1deed2b329361b009d1cea9ba

Download Submit
C:\Windows\SysWOW64\bnsspx.dll

Filesize
74KB

MD5
978ce2cd482c7f340f053c4321699b73

SHA1
559aaace48de70182b73bd7a0c8e8e4312aced92

SHA256
401921bae69e5e5158f231f3c3abd0878302ad124ca29c4d5859c26356954f3e

SHA512
df352a4275b0e05aa7538f761d2480999e0361bf958a9426733d2ec487a8714201632bb9832a5fee3263c83c8aafacce0aa163f1deed2b329361b009d1cea9ba

Download Submit
C:\Windows\SysWOW64\bnsspx.dll

Filesize
74KB

MD5
978ce2cd482c7f340f053c4321699b73

SHA1
559aaace48de70182b73bd7a0c8e8e4312aced92

SHA256
401921bae69e5e5158f231f3c3abd0878302ad124ca29c4d5859c26356954f3e

SHA512
df352a4275b0e05aa7538f761d2480999e0361bf958a9426733d2ec487a8714201632bb9832a5fee3263c83c8aafacce0aa163f1deed2b329361b009d1cea9ba

Download Submit
C:\Windows\SysWOW64\bnsspx.dll

Filesize
74KB

MD5
978ce2cd482c7f340f053c4321699b73

SHA1
559aaace48de70182b73bd7a0c8e8e4312aced92

SHA256
401921bae69e5e5158f231f3c3abd0878302ad124ca29c4d5859c26356954f3e

SHA512
df352a4275b0e05aa7538f761d2480999e0361bf958a9426733d2ec487a8714201632bb9832a5fee3263c83c8aafacce0aa163f1deed2b329361b009d1cea9ba

Download Submit
C:\Windows\SysWOW64\gyblack.lst

Filesize
200B

MD5
481d6d7c865294ce256158782df53347

SHA1
4faf9eb321d898bc370e7189ae42e032ff697ca8

SHA256
5e8f83ccffc3e160cd4bd73ebcd4a97207b0e202192c3638d673b4b86e139052

SHA512
cfbaf23d7b3f3f649bd16ae24c4c18a83406450f54c48334b64557c72b9d7c9c0943a0f8248796904d3ba628bc5f2cab3a54933bb1fd5e474e15045477049bca

Download Submit
\??\c:\uisad.bat

Filesize
249B

MD5
3a7e9622f5940900c7a1700c0021d0fe

SHA1
d71bf746489656a97c345337fad8760dc99445ed

SHA256
68f165369e2f7dc766198acd8b83161f19f1dcf48fa116ac162f7cdc2a032dea

SHA512
912a629740fdd1dad47a305f8b12c3b04428ba1a46b34df1ad6e5302338a4061435cd5efdc8b386eae36947056c156173704148c565ee6aeb4df0f1a7cc0a4e6

Download Submit
memory/1188-142-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1188-132-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download