Analysis

  • max time kernel
    90s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    28-10-2022 22:33

General

  • Target
    1ef5cb4c65436c36dd0f16aebb028496d60ed6047c41514bf86762d1916f10a6.exe
  • Size
    50KB
  • MD5
    0abeeb749bd8cf4d75064cae4f513810
  • SHA1
    684067cb59c6766175f9c26366b47b7ee9ad79c7
  • SHA256
    1ef5cb4c65436c36dd0f16aebb028496d60ed6047c41514bf86762d1916f10a6
  • SHA512
    3caf3eb572439ec6a7b422b3928cb03ea7d42b2a80fb4ec0cd20ceaf886e43815668f92c9434aa778357a561a27d415700a8ca61d33e4443218133f500f50bcc
  • SSDEEP
    1536:lMzjVnRUy4HzPJz9w0v1bVdtNfkT03br1glYjdvMw:YVnHox1zf2kRgajJMw

Score
8/10
upx

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL 4 IoCs
  • Drops file in System32 directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: LoadsDriver 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1ef5cb4c65436c36dd0f16aebb028496d60ed6047c41514bf86762d1916f10a6.exe
    "C:\Users\Admin\AppData\Local\Temp\1ef5cb4c65436c36dd0f16aebb028496d60ed6047c41514bf86762d1916f10a6.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: LoadsDriver
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1872
    • C:\Windows\SysWOW64\BNSUpdata.exe
      "C:\Windows\system32\BNSUpdata.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious behavior: LoadsDriver
      • Suspicious use of AdjustPrivilegeToken
      PID:1940
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c c:\uisad.bat
      2⤵
      PID:1284

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Windows\SysWOW64\BNSUpdata.exe
    Filesize: 12KB
    MD5: b3d90a2e3dbf0725cdf36285e2c57b55
    SHA1: 453028eb235e994b75383e078eba48526d6f9649
    SHA256: 48bb89cdc663d2b9b58b1bb68c6cea591a3a1974a7ca21ce6b0c0dc975ef076c
    SHA512: 69af1ee3ded177f47dc1f137cab8342d8d32830c9385b5586090d485f36c44f0e99a94052ec4cdf84f6d283ba2cceaaf54618e1fd4dba5a3385aa8ce935f5ed4

  • C:\Windows\SysWOW64\bnsspx.dll
    Filesize: 6KB
    MD5: 0b966ebac5d903cc2f437b067a21f13c
    SHA1: 7da5cd80ba35db81818c45bda24dd998a80ee394
    SHA256: 434f798967d40215cccdfef9f189f877d0b883e529b1286c13fffb5eb2074c62
    SHA512: 62ac83f1c2ca86744ddd807c7e97f4bafc79701c25c469f4368404707ab54d54ab39e1ab848b6ee16f053c5dcfda122d303344cfad88442ddba3651e86363b04

  • C:\Windows\SysWOW64\zmdll.lst
    Filesize: 200B
    MD5: ae52aec88c6280ad7574f5d629d97826
    SHA1: d3ffaf5afee53ef0c0447be08843870fa1366322
    SHA256: 7f292b3e59012eec430a10d530d47c3929d14e5d668b9b9e5bbf4a7bdb58a898
    SHA512: 45345cd048b5b8ecb479bbd3b0f7d90a547a2524cf5ca007f7f7789144d95f1bf294093f9070a5aed205777741f01a2a50b7b17bc5bc922a430cac7d1acf9062

  • \??\c:\uisad.bat
    Filesize: 249B
    MD5: 70237953921a8f77f96b5fce35cd90c7
    SHA1: 79678d56b3935069202856c101a255c4ca0c7c81
    SHA256: dba9219f9e6dab54048847fbae0774e3fbf0b4c4b66e49c1f0c10f1de1999211
    SHA512: 8e9b1031d79fee714fa76b9c7f1413675448067af99b80fd9f15a5eb7930f0306fdfdd514aa5a92082f0cea40a50ec9b60b969be85f81ceb05eeffc859d32bfe

  • \Windows\SysWOW64\BNSUpdata.exe
    Filesize: 35KB
    MD5: f68cf98ddba408f860321cb07bc33247
    SHA1: 9e9e0f250bbf0b0c0a7c89e15575e27c6481a6ac
    SHA256: fb6c3440c845ff136718d7c4006ca1150fe830d61224acfe779f6e00a40bb342
    SHA512: a48c4cf3eb5bf12869f4621291a66ead9ea7ec6f39d3d56cbe8a6e33f2ae9697f7b4a276de94bf9759151c488937217c5a57f5ccf552ae08c433d7091f7dc1e5

  • \Windows\SysWOW64\BNSUpdata.exe
    Filesize: 12KB
    MD5: 0262214e4adc0ce8236780a3978f16c2
    SHA1: 2bb384ccb50d898c68e738015bf33accf24969ba
    SHA256: d1ec75aae89e80f9d3276024e9432738fa425836d377b48b6e26572e991081e8
    SHA512: acba039cedb6be5a7fccf940a0cd9c8e080082e4fefadf8a674e37f8d29627ab2fee0571255a0f50fe76beb049677f20398c7cdf68a8324e7cb556b101fd2866

  • \Windows\SysWOW64\bnsspx.dll
    Filesize: 39KB
    MD5: 04a817574b713fed27fe5fc32885507a
    SHA1: 177ca0f2dbeb260295daf246ecdda424d59af780
    SHA256: 91d12fb16c73f4f1576d02ca1c8dc7c916217a897ff442fdeb0130e30929d5b4
    SHA512: 514f0eaa26ac6fa85e1f2b10714f1e8a0a5777a610d74c51a323eb1a80fbc69d33dce773388c832db180b5f90cb6b87a68178c3fe58422449f4c50a570e23e3a

  • \Windows\SysWOW64\bnsspx.dll
    Filesize: 43KB
    MD5: 8ba29aa33e5225906df9d4f9576397be
    SHA1: fb8030abd28d88e3e8d2be34de6b3ca2a4fe7f1c
    SHA256: de26445007afe052a19b255d8ca3a4649e02556f428d7bc15ceaaef00651ee54
    SHA512: 28b067682191ee49f5effc0d8447b6bbe22c4f949f7708640c3f893ecac42ce028fc66b6cf7bb110b2032854fb72d39eb84c902129e1bff512c302386f2af944

  • memory/1284-64-0x0000000000000000-mapping.dmp

  • memory/1872-57-0x0000000000400000-0x0000000000416000-memory.dmp
    Filesize: 88KB

  • memory/1872-59-0x0000000000590000-0x00000000005A6000-memory.dmp
    Filesize: 88KB

  • memory/1872-55-0x0000000000400000-0x0000000000416000-memory.dmp
    Filesize: 88KB

  • memory/1872-54-0x0000000074AD1000-0x0000000074AD3000-memory.dmp
    Filesize: 8KB

  • memory/1940-61-0x0000000000000000-mapping.dmp