Analysis
- max time kernel: 320s
- max time network: 358s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-11-2022 00:19

Static task: static1
Behavioral task: behavioral1
- Sample: 39578ea855532ce700133663f0d63cd2b758059c12e95aaf0ab915eefac89587.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: 39578ea855532ce700133663f0d63cd2b758059c12e95aaf0ab915eefac89587.exe
- Resource: win10v2004-20221111-en
(The signatures and process tree below come from the behavioral2 run on win10v2004-20221111-en, which matches the platform and resource fields above.)

General
- Target: 39578ea855532ce700133663f0d63cd2b758059c12e95aaf0ab915eefac89587.exe
- Size: 184KB
- MD5: 030b20510ece3ea94c4f7b346ba0fe21
- SHA1: 16ee6f910e457b28741f1395612bc284f5876232
- SHA256: 39578ea855532ce700133663f0d63cd2b758059c12e95aaf0ab915eefac89587
- SHA512: f5998a1a37d69bc5eec6263fb65c1c35cec9f1d4569d4e3a86c64cae801b0e22ac23f695292ca155370aaa7b9a13cadd397819cfd775e3e460d3ee38aac260f0
- SSDEEP: 3072:uJmlg+HWoYTzCh46Knvmb7/D26ytQlw/Lg5q69srijEIS3A:DGrpz6LKnvmb7/D26yQlw/Lg5qosri/j
Malware Config
Signatures
-
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
Both processes set ShowSuperHidden to 0, which re-enables Explorer's "Hide protected operating system files" option for this user, so the dropped binary and its Run entry are less likely to be noticed by someone browsing the profile folder.
Processes: bnkuf.exe, 39578ea855532ce700133663f0d63cd2b758059c12e95aaf0ab915eefac89587.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" by bnkuf.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" by 39578ea855532ce700133663f0d63cd2b758059c12e95aaf0ab915eefac89587.exe
Executes dropped EXE (1 IoC)
Processes: bnkuf.exe
- PID 2524 bnkuf.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
Processes: 39578ea855532ce700133663f0d63cd2b758059c12e95aaf0ab915eefac89587.exe
- Key value queried \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation by 39578ea855532ce700133663f0d63cd2b758059c12e95aaf0ab915eefac89587.exe
Adds Run key to start application (2 TTPs, 38 IoCs)
Processes: bnkuf.exe, 39578ea855532ce700133663f0d63cd2b758059c12e95aaf0ab915eefac89587.exe
Key: \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (the Admin user's HKCU Run key). All 36 value writes target the single value name bnkuf and differ only in the command-line switch, so each write overwrites the previous one; the last value recorded in this list is "C:\\Users\\Admin\\bnkuf.exe /A".
- Key created: the Run key above, by bnkuf.exe
- Key created: the Run key above, by 39578ea855532ce700133663f0d63cd2b758059c12e95aaf0ab915eefac89587.exe
- Set value (str) Run\bnkuf = "C:\\Users\\Admin\\bnkuf.exe /Z" by 39578ea855532ce700133663f0d63cd2b758059c12e95aaf0ab915eefac89587.exe
- Set value (str) Run\bnkuf = "C:\\Users\\Admin\\bnkuf.exe /<switch>" by bnkuf.exe, 35 times, with the switch in log order: /Q /k /I /h /M /G /e /J /D /V /C /p /Y /g /X /a /r /d /n /F /z /t /v /x /o /w /T /L /N /b /W /j /c /E /A
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox tags this as likely ransomware behaviour, but it lists no IoC for it and no file encryption or dropped note appears elsewhere in this report, so treat the label as a hint rather than a confirmed capability.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 39578ea855532ce700133663f0d63cd2b758059c12e95aaf0ab915eefac89587.exe, bnkuf.exe
- PID 5020 39578ea855532ce700133663f0d63cd2b758059c12e95aaf0ab915eefac89587.exe (2 hits)
- PID 2524 bnkuf.exe (the remaining 62 hits)
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: 39578ea855532ce700133663f0d63cd2b758059c12e95aaf0ab915eefac89587.exe, bnkuf.exe
- PID 5020 39578ea855532ce700133663f0d63cd2b758059c12e95aaf0ab915eefac89587.exe
- PID 2524 bnkuf.exe
Suspicious use of WriteProcessMemory (3 IoCs)
Processes: 39578ea855532ce700133663f0d63cd2b758059c12e95aaf0ab915eefac89587.exe
- PID 5020 (39578ea855532ce700133663f0d63cd2b758059c12e95aaf0ab915eefac89587.exe) wrote to the memory of PID 2524 (bnkuf.exe), three times
All three writes go from the parent into the child it spawned; no write into an unrelated process is recorded, so this is not evidence of injection into another process.
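The registry behaviour in the signatures above (Run-key persistence pointing at an executable in the profile root, ShowSuperHidden forced to 0, a read of Geo\Nation) can be turned directly into detection conditions. The Python below is an added example and is not part of the sandbox report or of any vendor tool: it applies those three rules to a few constructed registry-event records modelled on the sandbox lines, with two benign control events added. The event schema, the ATT&CK technique mapping and the OneDrive control entry are assumptions made for the example.

```python
"""Detection rules for the registry indicators in the report above.

Added example: constructed registry events (hypothetical schema, not real
telemetry) are run through three rules derived from the sandbox signatures.
"""
import re
from typing import Optional

# NT-native hive prefixes, as the sandbox prints them, mapped to regedit-style names.
_HIVE_PREFIXES = [
    ("\\REGISTRY\\USER\\", "HKU\\"),
    ("\\REGISTRY\\MACHINE\\", "HKLM\\"),
]

_SID = "S-1-5-21-2971393436-602173351-1645505021-1000"
_SAMPLE = "39578ea855532ce700133663f0d63cd2b758059c12e95aaf0ab915eefac89587.exe"

# Constructed events: the first three mirror the report, the last two are benign controls.
SAMPLE_EVENTS = [
    {"process": "bnkuf.exe", "op": "SetValue", "type": "str",
     "key": f"\\REGISTRY\\USER\\{_SID}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\bnkuf",
     "data": "C:\\Users\\Admin\\bnkuf.exe /Q"},
    {"process": "bnkuf.exe", "op": "SetValue", "type": "int",
     "key": f"\\REGISTRY\\USER\\{_SID}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden",
     "data": "0"},
    {"process": _SAMPLE, "op": "QueryValue", "type": None,
     "key": f"\\REGISTRY\\USER\\{_SID}\\Control Panel\\International\\Geo\\Nation",
     "data": ""},
    # Benign control: explorer.exe toggling the same setting through Folder Options.
    {"process": "explorer.exe", "op": "SetValue", "type": "int",
     "key": f"\\REGISTRY\\USER\\{_SID}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden",
     "data": "0"},
    # Benign control: a Run entry whose binary lives below the profile root (assumed path).
    {"process": "OneDrive.exe", "op": "SetValue", "type": "str",
     "key": f"\\REGISTRY\\USER\\{_SID}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
     "data": "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"},
]

RUN_KEY_RE = re.compile(r"\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN(ONCE)?\\", re.I)
# An .exe sitting directly in a user profile root (C:\Users\<user>\<file>.exe), as bnkuf.exe does.
PROFILE_ROOT_EXE_RE = re.compile(r'^"?([A-Za-z]:\\Users\\[^\\"]+\\[^\\"]+\.exe)"?(?:\s|$)', re.I)
SUPERHIDDEN_RE = re.compile(r"\\EXPLORER\\ADVANCED\\SHOWSUPERHIDDEN$", re.I)
GEO_NATION_RE = re.compile(r"\\CONTROL PANEL\\INTERNATIONAL\\GEO\\NATION$", re.I)


def normalize_key(key: str) -> str:
    """Rewrite a \\REGISTRY\\USER\\... path to HKU\\... so rules match regedit-style paths."""
    for nt_prefix, short in _HIVE_PREFIXES:
        if key.upper().startswith(nt_prefix.upper()):
            return short + key[len(nt_prefix):]
    return key


def classify(event: dict) -> Optional[dict]:
    """Return a finding for one registry event, or None if no rule fires."""
    key = normalize_key(event["key"])
    proc = event["process"].lower()
    data = str(event.get("data", ""))
    base = {"process": event["process"], "key": key}

    # Rule 1: Run-key value pointing at an .exe in the profile root (T1547.001, my mapping).
    if event["op"] == "SetValue" and RUN_KEY_RE.search(key):
        m = PROFILE_ROOT_EXE_RE.match(data)
        if m:
            exe = m.group(1)
            # In the report the persisted binary writes its own Run value; record that.
            self_persisting = exe.lower().rsplit("\\", 1)[-1] == proc
            return {**base, "severity": "high", "technique": "T1547.001",
                    "exe": exe, "self_persisting": self_persisting}

    # Rule 2: hiding protected OS files, unless explorer.exe itself did it (T1564.001).
    if (event["op"] == "SetValue" and SUPERHIDDEN_RE.search(key)
            and data.strip() == "0" and proc != "explorer.exe"):
        return {**base, "severity": "medium", "technique": "T1564.001"}

    # Rule 3: reading the configured country, the geofence check from the report (T1614).
    if event["op"] == "QueryValue" and GEO_NATION_RE.search(key):
        return {**base, "severity": "low", "technique": "T1614"}

    return None


def scan(events: list) -> list:
    """Apply classify() to every event and keep the findings, in input order."""
    return [f for f in (classify(e) for e in events) if f is not None]


def persisted_binaries(findings: list) -> set:
    """Paths worth hunting for on disk: every binary a Run-key finding points at."""
    return {f["exe"] for f in findings if "exe" in f}


if __name__ == "__main__":
    results = scan(SAMPLE_EVENTS)
    for finding in results:
        print(finding["severity"], finding["technique"], finding["process"], finding["key"])
    print("hunt for:", persisted_binaries(results))
```

Rule 1 is deliberately narrow: it fires only on binaries placed directly under C:\Users\<user>\, which is what this sample does, and leaves AppData-based Run entries alone. That keeps the false-positive rate low for this report's indicators but will miss malware that persists from a deeper profile path, so widen the path pattern when generalising it. Rule 2's explorer.exe exception covers a user toggling the option in Folder Options; a process name check alone is easy to spoof, so pair it with the image path in real telemetry.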
Processes
- C:\Users\Admin\AppData\Local\Temp\39578ea855532ce700133663f0d63cd2b758059c12e95aaf0ab915eefac89587.exe (PID 5020), command line "C:\Users\Admin\AppData\Local\Temp\39578ea855532ce700133663f0d63cd2b758059c12e95aaf0ab915eefac89587.exe"
  - Modifies visibility of hidden/system files in Explorer
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\bnkuf.exe (PID 2524), command line "C:\Users\Admin\bnkuf.exe"
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\bnkuf.exe (dropped by the sample and launched as PID 2524)
  Filesize: 184KB
  MD5: 9da016a973b02f477c9ca0d0c044388b
  SHA1: 1b3697ad51e5e44d9e89d6ea907eb6ad3f9c7018
  SHA256: 94e8835fe9da166b804c40fd6ac233535f76d76827c665074749f13276f3db32
  SHA512: 6d8215cb14747d654536c9b968e74bbf53d201048b650c301a1d0d06d134c6517d8514215d012596f2db6d76651d3388e6a8e8473c9329eccfb49c68e871f6f8
  The dropped file has the same size as the submitted sample but different hashes, so it is not a byte-for-byte copy; hunt on both SHA256 values, not just the submitted one.
- memory/2524-134-0x0000000000000000-mapping.dmp (memory dump taken from PID 2524, bnkuf.exe)