925832766850811ce131aea2017576b3bd8468b5ab7aa2a2cf34d115f3d3f1d3

Analysis

max time kernel
155s
max time network
177s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2022, 03:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

925832766850811ce131aea2017576b3bd8468b5ab7aa2a2cf34d115f3d3f1d3.exe
Size

68KB
MD5

13015e73d83fae150ba2ff8f3039b5d1
SHA1

7713490785e66a13671e480435fb560e702cfd47
SHA256

925832766850811ce131aea2017576b3bd8468b5ab7aa2a2cf34d115f3d3f1d3
SHA512

85fa25bd8cfef27f8a4f2eae0597cfaf2f889ce24babb664081cea81387641600a95e2c5237d168c3e420eff979b42b29c3095d389c2b2fa67aadb7d980b998d
SSDEEP

1536:ZU7Nf/O4W/v5U7DtPBC6PuHbPRV2oitU648Gt1Os7U0PFy:mBW35CRQ4ujRV2oiCl8m4sY09y

Score

8^/10

upx

Malware Config

Signatures

Blocklisted process makes network request 7 IoCs

flow	pid	Process
9	4612	rundll32.exe
25	4612	rundll32.exe
46	4612	rundll32.exe
56	4612	rundll32.exe
66	4612	rundll32.exe
81	4612	rundll32.exe
92	4612	rundll32.exe

Executes dropped EXE 1 IoCs

pid	Process
1980	BNSUpdata.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2284-132-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/files/0x0006000000022e0d-135.dat	upx
behavioral2/files/0x0006000000022e0d-136.dat	upx
behavioral2/memory/2284-142-0x0000000000400000-0x000000000041B000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	925832766850811ce131aea2017576b3bd8468b5ab7aa2a2cf34d115f3d3f1d3.exe

Loads dropped DLL 4 IoCs

pid	Process
2284	925832766850811ce131aea2017576b3bd8468b5ab7aa2a2cf34d115f3d3f1d3.exe
1980	BNSUpdata.exe
4612	rundll32.exe
1980	BNSUpdata.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\CCProxy.ini	rundll32.exe
File created	C:\Windows\SysWOW64\bnsspx.dll	925832766850811ce131aea2017576b3bd8468b5ab7aa2a2cf34d115f3d3f1d3.exe
File opened for modification	C:\Windows\SysWOW64\gyblack.lst	925832766850811ce131aea2017576b3bd8468b5ab7aa2a2cf34d115f3d3f1d3.exe
File created	C:\Windows\SysWOW64\BNSUpdata.exe	925832766850811ce131aea2017576b3bd8468b5ab7aa2a2cf34d115f3d3f1d3.exe
File opened for modification	C:\Windows\SysWOW64\BNSUpdata.exe	925832766850811ce131aea2017576b3bd8468b5ab7aa2a2cf34d115f3d3f1d3.exe
File opened for modification	C:\Windows\SysWOW64\gyblack.lst	BNSUpdata.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2284	925832766850811ce131aea2017576b3bd8468b5ab7aa2a2cf34d115f3d3f1d3.exe
2284	925832766850811ce131aea2017576b3bd8468b5ab7aa2a2cf34d115f3d3f1d3.exe
2284	925832766850811ce131aea2017576b3bd8468b5ab7aa2a2cf34d115f3d3f1d3.exe
2284	925832766850811ce131aea2017576b3bd8468b5ab7aa2a2cf34d115f3d3f1d3.exe
2284	925832766850811ce131aea2017576b3bd8468b5ab7aa2a2cf34d115f3d3f1d3.exe
2284	925832766850811ce131aea2017576b3bd8468b5ab7aa2a2cf34d115f3d3f1d3.exe
2284	925832766850811ce131aea2017576b3bd8468b5ab7aa2a2cf34d115f3d3f1d3.exe
2284	925832766850811ce131aea2017576b3bd8468b5ab7aa2a2cf34d115f3d3f1d3.exe
2284	925832766850811ce131aea2017576b3bd8468b5ab7aa2a2cf34d115f3d3f1d3.exe
2284	925832766850811ce131aea2017576b3bd8468b5ab7aa2a2cf34d115f3d3f1d3.exe
2284	925832766850811ce131aea2017576b3bd8468b5ab7aa2a2cf34d115f3d3f1d3.exe
2284	925832766850811ce131aea2017576b3bd8468b5ab7aa2a2cf34d115f3d3f1d3.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
2284	925832766850811ce131aea2017576b3bd8468b5ab7aa2a2cf34d115f3d3f1d3.exe
652	Process not Found
1980	BNSUpdata.exe
652	Process not Found
1980	BNSUpdata.exe
652	Process not Found

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	2284	925832766850811ce131aea2017576b3bd8468b5ab7aa2a2cf34d115f3d3f1d3.exe
Token: SeLoadDriverPrivilege	1980	BNSUpdata.exe
Token: SeLoadDriverPrivilege	1980	BNSUpdata.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2284 wrote to memory of 1980	2284	925832766850811ce131aea2017576b3bd8468b5ab7aa2a2cf34d115f3d3f1d3.exe	80
PID 2284 wrote to memory of 1980	2284	925832766850811ce131aea2017576b3bd8468b5ab7aa2a2cf34d115f3d3f1d3.exe	80
PID 2284 wrote to memory of 1980	2284	925832766850811ce131aea2017576b3bd8468b5ab7aa2a2cf34d115f3d3f1d3.exe	80
PID 2284 wrote to memory of 4612	2284	925832766850811ce131aea2017576b3bd8468b5ab7aa2a2cf34d115f3d3f1d3.exe	81
PID 2284 wrote to memory of 4612	2284	925832766850811ce131aea2017576b3bd8468b5ab7aa2a2cf34d115f3d3f1d3.exe	81
PID 2284 wrote to memory of 4612	2284	925832766850811ce131aea2017576b3bd8468b5ab7aa2a2cf34d115f3d3f1d3.exe	81
PID 2284 wrote to memory of 4512	2284	925832766850811ce131aea2017576b3bd8468b5ab7aa2a2cf34d115f3d3f1d3.exe	82
PID 2284 wrote to memory of 4512	2284	925832766850811ce131aea2017576b3bd8468b5ab7aa2a2cf34d115f3d3f1d3.exe	82
PID 2284 wrote to memory of 4512	2284	925832766850811ce131aea2017576b3bd8468b5ab7aa2a2cf34d115f3d3f1d3.exe	82

C:\Users\Admin\AppData\Local\Temp\925832766850811ce131aea2017576b3bd8468b5ab7aa2a2cf34d115f3d3f1d3.exe
"C:\Users\Admin\AppData\Local\Temp\925832766850811ce131aea2017576b3bd8468b5ab7aa2a2cf34d115f3d3f1d3.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Windows\SysWOW64\BNSUpdata.exe
  "C:\Windows\system32\BNSUpdata.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID:1980
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Windows\system32\bnsspx.dll GetNeedSock
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:4612
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\uisad.bat
  2⤵
  PID:4512

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\BNSUpdata.exe

Filesize
68KB

MD5
13015e73d83fae150ba2ff8f3039b5d1

SHA1
7713490785e66a13671e480435fb560e702cfd47

SHA256
925832766850811ce131aea2017576b3bd8468b5ab7aa2a2cf34d115f3d3f1d3

SHA512
85fa25bd8cfef27f8a4f2eae0597cfaf2f889ce24babb664081cea81387641600a95e2c5237d168c3e420eff979b42b29c3095d389c2b2fa67aadb7d980b998d

Download Submit
C:\Windows\SysWOW64\BNSUpdata.exe

Filesize
68KB

MD5
13015e73d83fae150ba2ff8f3039b5d1

SHA1
7713490785e66a13671e480435fb560e702cfd47

SHA256
925832766850811ce131aea2017576b3bd8468b5ab7aa2a2cf34d115f3d3f1d3

SHA512
85fa25bd8cfef27f8a4f2eae0597cfaf2f889ce24babb664081cea81387641600a95e2c5237d168c3e420eff979b42b29c3095d389c2b2fa67aadb7d980b998d

Download Submit
C:\Windows\SysWOW64\bnsspx.dll

Filesize
74KB

MD5
978ce2cd482c7f340f053c4321699b73

SHA1
559aaace48de70182b73bd7a0c8e8e4312aced92

SHA256
401921bae69e5e5158f231f3c3abd0878302ad124ca29c4d5859c26356954f3e

SHA512
df352a4275b0e05aa7538f761d2480999e0361bf958a9426733d2ec487a8714201632bb9832a5fee3263c83c8aafacce0aa163f1deed2b329361b009d1cea9ba

Download Submit
C:\Windows\SysWOW64\bnsspx.dll

Filesize
74KB

MD5
978ce2cd482c7f340f053c4321699b73

SHA1
559aaace48de70182b73bd7a0c8e8e4312aced92

SHA256
401921bae69e5e5158f231f3c3abd0878302ad124ca29c4d5859c26356954f3e

SHA512
df352a4275b0e05aa7538f761d2480999e0361bf958a9426733d2ec487a8714201632bb9832a5fee3263c83c8aafacce0aa163f1deed2b329361b009d1cea9ba

Download Submit
C:\Windows\SysWOW64\bnsspx.dll

Filesize
74KB

MD5
978ce2cd482c7f340f053c4321699b73

SHA1
559aaace48de70182b73bd7a0c8e8e4312aced92

SHA256
401921bae69e5e5158f231f3c3abd0878302ad124ca29c4d5859c26356954f3e

SHA512
df352a4275b0e05aa7538f761d2480999e0361bf958a9426733d2ec487a8714201632bb9832a5fee3263c83c8aafacce0aa163f1deed2b329361b009d1cea9ba

Download Submit
C:\Windows\SysWOW64\bnsspx.dll

Filesize
74KB

MD5
978ce2cd482c7f340f053c4321699b73

SHA1
559aaace48de70182b73bd7a0c8e8e4312aced92

SHA256
401921bae69e5e5158f231f3c3abd0878302ad124ca29c4d5859c26356954f3e

SHA512
df352a4275b0e05aa7538f761d2480999e0361bf958a9426733d2ec487a8714201632bb9832a5fee3263c83c8aafacce0aa163f1deed2b329361b009d1cea9ba

Download Submit
C:\Windows\SysWOW64\bnsspx.dll

Filesize
74KB

MD5
978ce2cd482c7f340f053c4321699b73

SHA1
559aaace48de70182b73bd7a0c8e8e4312aced92

SHA256
401921bae69e5e5158f231f3c3abd0878302ad124ca29c4d5859c26356954f3e

SHA512
df352a4275b0e05aa7538f761d2480999e0361bf958a9426733d2ec487a8714201632bb9832a5fee3263c83c8aafacce0aa163f1deed2b329361b009d1cea9ba

Download Submit
C:\Windows\SysWOW64\gyblack.lst

Filesize
200B

MD5
481d6d7c865294ce256158782df53347

SHA1
4faf9eb321d898bc370e7189ae42e032ff697ca8

SHA256
5e8f83ccffc3e160cd4bd73ebcd4a97207b0e202192c3638d673b4b86e139052

SHA512
cfbaf23d7b3f3f649bd16ae24c4c18a83406450f54c48334b64557c72b9d7c9c0943a0f8248796904d3ba628bc5f2cab3a54933bb1fd5e474e15045477049bca

Download Submit
\??\c:\uisad.bat

Filesize
249B

MD5
a03cb6506ea8cea9c0d8da9308236d0f

SHA1
d3d4f7349f0180152e8cd699000ed03014755567

SHA256
a48c41b12ec6db3f2bf3c763742b0e3c21376014845870f5710558b0b8de15c0

SHA512
a97abe3af5ce78108871de7f72d412c2b519cb0d3a5e50d22a29cd6ecf199f1373e025b458d79795ddf6fa16549ce81660d36dcd61729c9bbf53a78299a9911c

Download Submit
memory/2284-132-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2284-142-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download