Analysis

max time kernel: 90s
max time network: 46s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 28-10-2022 22:33
Behavioral task: behavioral1
Sample: 1ef5cb4c65436c36dd0f16aebb028496d60ed6047c41514bf86762d1916f10a6.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: 1ef5cb4c65436c36dd0f16aebb028496d60ed6047c41514bf86762d1916f10a6.exe
Resource: win10v2004-20220812-en
General

Target: 1ef5cb4c65436c36dd0f16aebb028496d60ed6047c41514bf86762d1916f10a6.exe
Size: 50KB
MD5: 0abeeb749bd8cf4d75064cae4f513810
SHA1: 684067cb59c6766175f9c26366b47b7ee9ad79c7
SHA256: 1ef5cb4c65436c36dd0f16aebb028496d60ed6047c41514bf86762d1916f10a6
SHA512: 3caf3eb572439ec6a7b422b3928cb03ea7d42b2a80fb4ec0cd20ceaf886e43815668f92c9434aa778357a561a27d415700a8ca61d33e4443218133f500f50bcc
SSDEEP: 1536:lMzjVnRUy4HzPJz9w0v1bVdtNfkT03br1glYjdvMw:YVnHox1zf2kRgajJMw
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid / Process:
  1940  BNSUpdata.exe

- yara_rule matches (resource / yara_rule):
  behavioral1/memory/1872-55-0x0000000000400000-0x0000000000416000-memory.dmp  upx
  behavioral1/memory/1872-57-0x0000000000400000-0x0000000000416000-memory.dmp  upx
  behavioral1/files/0x0007000000015602-58.dat  upx
  behavioral1/memory/1872-59-0x0000000000590000-0x00000000005A6000-memory.dmp  upx
  behavioral1/files/0x0007000000015602-62.dat  upx
  behavioral1/files/0x0007000000015602-60.dat  upx

- Loads dropped DLL (4 IoCs)
  pid / Process:
  1872  1ef5cb4c65436c36dd0f16aebb028496d60ed6047c41514bf86762d1916f10a6.exe
  1872  1ef5cb4c65436c36dd0f16aebb028496d60ed6047c41514bf86762d1916f10a6.exe
  1872  1ef5cb4c65436c36dd0f16aebb028496d60ed6047c41514bf86762d1916f10a6.exe
  1940  BNSUpdata.exe

- Drops file in System32 directory (5 IoCs)
  description / ioc / Process:
  File created  C:\Windows\SysWOW64\bnsspx.dll  1ef5cb4c65436c36dd0f16aebb028496d60ed6047c41514bf86762d1916f10a6.exe
  File opened for modification  C:\Windows\SysWOW64\zmdll.lst  1ef5cb4c65436c36dd0f16aebb028496d60ed6047c41514bf86762d1916f10a6.exe
  File created  C:\Windows\SysWOW64\BNSUpdata.exe  1ef5cb4c65436c36dd0f16aebb028496d60ed6047c41514bf86762d1916f10a6.exe
  File opened for modification  C:\Windows\SysWOW64\BNSUpdata.exe  1ef5cb4c65436c36dd0f16aebb028496d60ed6047c41514bf86762d1916f10a6.exe
  File opened for modification  C:\Windows\SysWOW64\zmdll.lst  BNSUpdata.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid / Process:
  1872  1ef5cb4c65436c36dd0f16aebb028496d60ed6047c41514bf86762d1916f10a6.exe
  1872  1ef5cb4c65436c36dd0f16aebb028496d60ed6047c41514bf86762d1916f10a6.exe
  1872  1ef5cb4c65436c36dd0f16aebb028496d60ed6047c41514bf86762d1916f10a6.exe
  1872  1ef5cb4c65436c36dd0f16aebb028496d60ed6047c41514bf86762d1916f10a6.exe
  1872  1ef5cb4c65436c36dd0f16aebb028496d60ed6047c41514bf86762d1916f10a6.exe
  1872  1ef5cb4c65436c36dd0f16aebb028496d60ed6047c41514bf86762d1916f10a6.exe

- Suspicious behavior: LoadsDriver (4 IoCs)
  pid / Process:
  1872  1ef5cb4c65436c36dd0f16aebb028496d60ed6047c41514bf86762d1916f10a6.exe
  464   Process not Found
  1940  BNSUpdata.exe
  464   Process not Found

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description / pid / Process:
  Token: SeLoadDriverPrivilege  1872  1ef5cb4c65436c36dd0f16aebb028496d60ed6047c41514bf86762d1916f10a6.exe
  Token: SeLoadDriverPrivilege  1940  BNSUpdata.exe

- Suspicious use of WriteProcessMemory (8 IoCs)
  description / pid / Process / procid_target:
  PID 1872 wrote to memory of 1940  1872  1ef5cb4c65436c36dd0f16aebb028496d60ed6047c41514bf86762d1916f10a6.exe  27
  PID 1872 wrote to memory of 1940  1872  1ef5cb4c65436c36dd0f16aebb028496d60ed6047c41514bf86762d1916f10a6.exe  27
  PID 1872 wrote to memory of 1940  1872  1ef5cb4c65436c36dd0f16aebb028496d60ed6047c41514bf86762d1916f10a6.exe  27
  PID 1872 wrote to memory of 1940  1872  1ef5cb4c65436c36dd0f16aebb028496d60ed6047c41514bf86762d1916f10a6.exe  27
  PID 1872 wrote to memory of 1284  1872  1ef5cb4c65436c36dd0f16aebb028496d60ed6047c41514bf86762d1916f10a6.exe  29
  PID 1872 wrote to memory of 1284  1872  1ef5cb4c65436c36dd0f16aebb028496d60ed6047c41514bf86762d1916f10a6.exe  29
  PID 1872 wrote to memory of 1284  1872  1ef5cb4c65436c36dd0f16aebb028496d60ed6047c41514bf86762d1916f10a6.exe  29
  PID 1872 wrote to memory of 1284  1872  1ef5cb4c65436c36dd0f16aebb028496d60ed6047c41514bf86762d1916f10a6.exe  29
Processes
- C:\Users\Admin\AppData\Local\Temp\1ef5cb4c65436c36dd0f16aebb028496d60ed6047c41514bf86762d1916f10a6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1ef5cb4c65436c36dd0f16aebb028496d60ed6047c41514bf86762d1916f10a6.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1872

  - C:\Windows\SysWOW64\BNSUpdata.exe
    Command line: "C:\Windows\system32\BNSUpdata.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    PID: 1940

  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c c:\uisad.bat
    PID: 1284
Network
MITRE ATT&CK Enterprise v6
Downloads