1ef5cb4c65436c36dd0f16aebb028496d60ed6047c41514bf86762d1916f10a6

General

Target

1ef5cb4c65436c36dd0f16aebb028496d60ed6047c41514bf86762d1916f10a6.exe
Size

50KB
MD5

0abeeb749bd8cf4d75064cae4f513810
SHA1

684067cb59c6766175f9c26366b47b7ee9ad79c7
SHA256

1ef5cb4c65436c36dd0f16aebb028496d60ed6047c41514bf86762d1916f10a6
SHA512

3caf3eb572439ec6a7b422b3928cb03ea7d42b2a80fb4ec0cd20ceaf886e43815668f92c9434aa778357a561a27d415700a8ca61d33e4443218133f500f50bcc
SSDEEP

1536:lMzjVnRUy4HzPJz9w0v1bVdtNfkT03br1glYjdvMw:YVnHox1zf2kRgajJMw

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1940	BNSUpdata.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1872-55-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/1872-57-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/files/0x0007000000015602-58.dat	upx
behavioral1/memory/1872-59-0x0000000000590000-0x00000000005A6000-memory.dmp	upx
behavioral1/files/0x0007000000015602-62.dat	upx
behavioral1/files/0x0007000000015602-60.dat	upx

Loads dropped DLL 4 IoCs

pid	Process
1872	1ef5cb4c65436c36dd0f16aebb028496d60ed6047c41514bf86762d1916f10a6.exe
1872	1ef5cb4c65436c36dd0f16aebb028496d60ed6047c41514bf86762d1916f10a6.exe
1872	1ef5cb4c65436c36dd0f16aebb028496d60ed6047c41514bf86762d1916f10a6.exe
1940	BNSUpdata.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\bnsspx.dll	1ef5cb4c65436c36dd0f16aebb028496d60ed6047c41514bf86762d1916f10a6.exe
File opened for modification	C:\Windows\SysWOW64\zmdll.lst	1ef5cb4c65436c36dd0f16aebb028496d60ed6047c41514bf86762d1916f10a6.exe
File created	C:\Windows\SysWOW64\BNSUpdata.exe	1ef5cb4c65436c36dd0f16aebb028496d60ed6047c41514bf86762d1916f10a6.exe
File opened for modification	C:\Windows\SysWOW64\BNSUpdata.exe	1ef5cb4c65436c36dd0f16aebb028496d60ed6047c41514bf86762d1916f10a6.exe
File opened for modification	C:\Windows\SysWOW64\zmdll.lst	BNSUpdata.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1872	1ef5cb4c65436c36dd0f16aebb028496d60ed6047c41514bf86762d1916f10a6.exe
1872	1ef5cb4c65436c36dd0f16aebb028496d60ed6047c41514bf86762d1916f10a6.exe
1872	1ef5cb4c65436c36dd0f16aebb028496d60ed6047c41514bf86762d1916f10a6.exe
1872	1ef5cb4c65436c36dd0f16aebb028496d60ed6047c41514bf86762d1916f10a6.exe
1872	1ef5cb4c65436c36dd0f16aebb028496d60ed6047c41514bf86762d1916f10a6.exe
1872	1ef5cb4c65436c36dd0f16aebb028496d60ed6047c41514bf86762d1916f10a6.exe

Suspicious behavior: LoadsDriver 4 IoCs

pid	Process
1872	1ef5cb4c65436c36dd0f16aebb028496d60ed6047c41514bf86762d1916f10a6.exe
464	Process not Found
1940	BNSUpdata.exe
464	Process not Found

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	1872	1ef5cb4c65436c36dd0f16aebb028496d60ed6047c41514bf86762d1916f10a6.exe
Token: SeLoadDriverPrivilege	1940	BNSUpdata.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1872 wrote to memory of 1940	1872	1ef5cb4c65436c36dd0f16aebb028496d60ed6047c41514bf86762d1916f10a6.exe	27
PID 1872 wrote to memory of 1940	1872	1ef5cb4c65436c36dd0f16aebb028496d60ed6047c41514bf86762d1916f10a6.exe	27
PID 1872 wrote to memory of 1940	1872	1ef5cb4c65436c36dd0f16aebb028496d60ed6047c41514bf86762d1916f10a6.exe	27
PID 1872 wrote to memory of 1940	1872	1ef5cb4c65436c36dd0f16aebb028496d60ed6047c41514bf86762d1916f10a6.exe	27
PID 1872 wrote to memory of 1284	1872	1ef5cb4c65436c36dd0f16aebb028496d60ed6047c41514bf86762d1916f10a6.exe	29
PID 1872 wrote to memory of 1284	1872	1ef5cb4c65436c36dd0f16aebb028496d60ed6047c41514bf86762d1916f10a6.exe	29
PID 1872 wrote to memory of 1284	1872	1ef5cb4c65436c36dd0f16aebb028496d60ed6047c41514bf86762d1916f10a6.exe	29
PID 1872 wrote to memory of 1284	1872	1ef5cb4c65436c36dd0f16aebb028496d60ed6047c41514bf86762d1916f10a6.exe	29

C:\Users\Admin\AppData\Local\Temp\1ef5cb4c65436c36dd0f16aebb028496d60ed6047c41514bf86762d1916f10a6.exe
"C:\Users\Admin\AppData\Local\Temp\1ef5cb4c65436c36dd0f16aebb028496d60ed6047c41514bf86762d1916f10a6.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1872
- C:\Windows\SysWOW64\BNSUpdata.exe
  "C:\Windows\system32\BNSUpdata.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID:1940
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\uisad.bat
  2⤵
  PID:1284

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\BNSUpdata.exe

Filesize
12KB

MD5
b3d90a2e3dbf0725cdf36285e2c57b55

SHA1
453028eb235e994b75383e078eba48526d6f9649

SHA256
48bb89cdc663d2b9b58b1bb68c6cea591a3a1974a7ca21ce6b0c0dc975ef076c

SHA512
69af1ee3ded177f47dc1f137cab8342d8d32830c9385b5586090d485f36c44f0e99a94052ec4cdf84f6d283ba2cceaaf54618e1fd4dba5a3385aa8ce935f5ed4

Download Submit
C:\Windows\SysWOW64\bnsspx.dll

Filesize
6KB

MD5
0b966ebac5d903cc2f437b067a21f13c

SHA1
7da5cd80ba35db81818c45bda24dd998a80ee394

SHA256
434f798967d40215cccdfef9f189f877d0b883e529b1286c13fffb5eb2074c62

SHA512
62ac83f1c2ca86744ddd807c7e97f4bafc79701c25c469f4368404707ab54d54ab39e1ab848b6ee16f053c5dcfda122d303344cfad88442ddba3651e86363b04

Download Submit
C:\Windows\SysWOW64\zmdll.lst

Filesize
200B

MD5
ae52aec88c6280ad7574f5d629d97826

SHA1
d3ffaf5afee53ef0c0447be08843870fa1366322

SHA256
7f292b3e59012eec430a10d530d47c3929d14e5d668b9b9e5bbf4a7bdb58a898

SHA512
45345cd048b5b8ecb479bbd3b0f7d90a547a2524cf5ca007f7f7789144d95f1bf294093f9070a5aed205777741f01a2a50b7b17bc5bc922a430cac7d1acf9062

Download Submit
\??\c:\uisad.bat

Filesize
249B

MD5
70237953921a8f77f96b5fce35cd90c7

SHA1
79678d56b3935069202856c101a255c4ca0c7c81

SHA256
dba9219f9e6dab54048847fbae0774e3fbf0b4c4b66e49c1f0c10f1de1999211

SHA512
8e9b1031d79fee714fa76b9c7f1413675448067af99b80fd9f15a5eb7930f0306fdfdd514aa5a92082f0cea40a50ec9b60b969be85f81ceb05eeffc859d32bfe

Download Submit
\Windows\SysWOW64\BNSUpdata.exe

Filesize
35KB

MD5
f68cf98ddba408f860321cb07bc33247

SHA1
9e9e0f250bbf0b0c0a7c89e15575e27c6481a6ac

SHA256
fb6c3440c845ff136718d7c4006ca1150fe830d61224acfe779f6e00a40bb342

SHA512
a48c4cf3eb5bf12869f4621291a66ead9ea7ec6f39d3d56cbe8a6e33f2ae9697f7b4a276de94bf9759151c488937217c5a57f5ccf552ae08c433d7091f7dc1e5

Download Submit
\Windows\SysWOW64\BNSUpdata.exe

Filesize
12KB

MD5
0262214e4adc0ce8236780a3978f16c2

SHA1
2bb384ccb50d898c68e738015bf33accf24969ba

SHA256
d1ec75aae89e80f9d3276024e9432738fa425836d377b48b6e26572e991081e8

SHA512
acba039cedb6be5a7fccf940a0cd9c8e080082e4fefadf8a674e37f8d29627ab2fee0571255a0f50fe76beb049677f20398c7cdf68a8324e7cb556b101fd2866

Download Submit
\Windows\SysWOW64\bnsspx.dll

Filesize
39KB

MD5
04a817574b713fed27fe5fc32885507a

SHA1
177ca0f2dbeb260295daf246ecdda424d59af780

SHA256
91d12fb16c73f4f1576d02ca1c8dc7c916217a897ff442fdeb0130e30929d5b4

SHA512
514f0eaa26ac6fa85e1f2b10714f1e8a0a5777a610d74c51a323eb1a80fbc69d33dce773388c832db180b5f90cb6b87a68178c3fe58422449f4c50a570e23e3a

Download Submit
\Windows\SysWOW64\bnsspx.dll

Filesize
43KB

MD5
8ba29aa33e5225906df9d4f9576397be

SHA1
fb8030abd28d88e3e8d2be34de6b3ca2a4fe7f1c

SHA256
de26445007afe052a19b255d8ca3a4649e02556f428d7bc15ceaaef00651ee54

SHA512
28b067682191ee49f5effc0d8447b6bbe22c4f949f7708640c3f893ecac42ce028fc66b6cf7bb110b2032854fb72d39eb84c902129e1bff512c302386f2af944

Download Submit
memory/1872-57-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1872-59-0x0000000000590000-0x00000000005A6000-memory.dmp

Filesize
88KB

Download
memory/1872-55-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1872-54-0x0000000074AD1000-0x0000000074AD3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing