239188ccb58064385d07c0f11ff848cbf605f040f51a06dc102e78f7b2b3d17a

General

Target

239188ccb58064385d07c0f11ff848cbf605f040f51a06dc102e78f7b2b3d17a.exe
Size

942KB
MD5

a92015618b79adee683000eaaaa30c83
SHA1

fd2c04199f3e58c13bd2876bf38702ba3f172f75
SHA256

239188ccb58064385d07c0f11ff848cbf605f040f51a06dc102e78f7b2b3d17a
SHA512

5a82b48b223b6aa518aca74e2b6342045436e483f3a82c57d1ba236b257ce1c80a826e345a0b600796a0164e55a2d286f5b2e0183ef0662b8e96e89d173faa65

Score

8^/10

upx

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

BKIVNA.exeBKIVNA.exe

pid process

3868 BKIVNA.exe
5000 BKIVNA.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1508-127-0x0000000140000000-0x0000000142EFE000-memory.dmp	upx
behavioral2/memory/1508-129-0x0000000140000000-0x0000000142EFE000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

Processes:

BKIVNA.exe

description pid process target process

PID 3868 set thread context of 1508 3868 BKIVNA.exe explorer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4388 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3632 timeout.exe

description	pid	process	target process
PID 3868 set thread context of 1508	3868	BKIVNA.exe	explorer.exe

pid	process
4388	schtasks.exe

pid	process
3632	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

BKIVNA.exe

pid	process
3868	BKIVNA.exe
3868	BKIVNA.exe
3868	BKIVNA.exe
3868	BKIVNA.exe
3868	BKIVNA.exe
3868	BKIVNA.exe
3868	BKIVNA.exe
3868	BKIVNA.exe
3868	BKIVNA.exe
3868	BKIVNA.exe
3868	BKIVNA.exe
3868	BKIVNA.exe
3868	BKIVNA.exe
3868	BKIVNA.exe
3868	BKIVNA.exe
3868	BKIVNA.exe
3868	BKIVNA.exe
3868	BKIVNA.exe
3868	BKIVNA.exe
3868	BKIVNA.exe
3868	BKIVNA.exe
3868	BKIVNA.exe
3868	BKIVNA.exe
3868	BKIVNA.exe
3868	BKIVNA.exe
3868	BKIVNA.exe
3868	BKIVNA.exe
3868	BKIVNA.exe
3868	BKIVNA.exe
3868	BKIVNA.exe
3868	BKIVNA.exe
3868	BKIVNA.exe
3868	BKIVNA.exe
3868	BKIVNA.exe
3868	BKIVNA.exe
3868	BKIVNA.exe
3868	BKIVNA.exe
3868	BKIVNA.exe
3868	BKIVNA.exe
3868	BKIVNA.exe
3868	BKIVNA.exe
3868	BKIVNA.exe
3868	BKIVNA.exe
3868	BKIVNA.exe
3868	BKIVNA.exe
3868	BKIVNA.exe
3868	BKIVNA.exe
3868	BKIVNA.exe
3868	BKIVNA.exe
3868	BKIVNA.exe
3868	BKIVNA.exe
3868	BKIVNA.exe
3868	BKIVNA.exe
3868	BKIVNA.exe
3868	BKIVNA.exe
3868	BKIVNA.exe
3868	BKIVNA.exe
3868	BKIVNA.exe
3868	BKIVNA.exe
3868	BKIVNA.exe
3868	BKIVNA.exe
3868	BKIVNA.exe
3868	BKIVNA.exe
3868	BKIVNA.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

239188ccb58064385d07c0f11ff848cbf605f040f51a06dc102e78f7b2b3d17a.exeBKIVNA.exe

description	pid	process
Token: SeDebugPrivilege	2548	239188ccb58064385d07c0f11ff848cbf605f040f51a06dc102e78f7b2b3d17a.exe
Token: SeDebugPrivilege	3868	BKIVNA.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

239188ccb58064385d07c0f11ff848cbf605f040f51a06dc102e78f7b2b3d17a.execmd.exeBKIVNA.execmd.exe

description	pid	process	target process
PID 2548 wrote to memory of 2764	2548	239188ccb58064385d07c0f11ff848cbf605f040f51a06dc102e78f7b2b3d17a.exe	cmd.exe
PID 2548 wrote to memory of 2764	2548	239188ccb58064385d07c0f11ff848cbf605f040f51a06dc102e78f7b2b3d17a.exe	cmd.exe
PID 2764 wrote to memory of 3632	2764	cmd.exe	timeout.exe
PID 2764 wrote to memory of 3632	2764	cmd.exe	timeout.exe
PID 2764 wrote to memory of 3868	2764	cmd.exe	BKIVNA.exe
PID 2764 wrote to memory of 3868	2764	cmd.exe	BKIVNA.exe
PID 3868 wrote to memory of 4220	3868	BKIVNA.exe	cmd.exe
PID 3868 wrote to memory of 4220	3868	BKIVNA.exe	cmd.exe
PID 4220 wrote to memory of 4388	4220	cmd.exe	schtasks.exe
PID 4220 wrote to memory of 4388	4220	cmd.exe	schtasks.exe
PID 3868 wrote to memory of 1508	3868	BKIVNA.exe	explorer.exe
PID 3868 wrote to memory of 1508	3868	BKIVNA.exe	explorer.exe
PID 3868 wrote to memory of 1508	3868	BKIVNA.exe	explorer.exe
PID 3868 wrote to memory of 1508	3868	BKIVNA.exe	explorer.exe
PID 3868 wrote to memory of 1508	3868	BKIVNA.exe	explorer.exe
PID 3868 wrote to memory of 1508	3868	BKIVNA.exe	explorer.exe
PID 3868 wrote to memory of 1508	3868	BKIVNA.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\239188ccb58064385d07c0f11ff848cbf605f040f51a06dc102e78f7b2b3d17a.exe
"C:\Users\Admin\AppData\Local\Temp\239188ccb58064385d07c0f11ff848cbf605f040f51a06dc102e78f7b2b3d17a.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp78AF.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:2764

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:3632

C:\ProgramData\win32\BKIVNA.exe
"C:\ProgramData\win32\BKIVNA.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3868

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "BKIVNA" /tr "C:\ProgramData\win32\BKIVNA.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:4220

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "BKIVNA" /tr "C:\ProgramData\win32\BKIVNA.exe"
5⤵
- Creates scheduled task(s)
PID:4388

C:\Windows\explorer.exe
C:\Windows\explorer.exe --algo ETHASH --pool eth.2miners.com:2020 --user 0xd3e33ee5d3c0be3da5f6a9516fd52bc9a877677b.RIGA_1
4⤵
PID:1508

C:\ProgramData\win32\BKIVNA.exe
C:\ProgramData\win32\BKIVNA.exe
1⤵
- Executes dropped EXE
PID:5000

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\win32\BKIVNA.exe
Filesize
942KB

MD5
a92015618b79adee683000eaaaa30c83

SHA1
fd2c04199f3e58c13bd2876bf38702ba3f172f75

SHA256
239188ccb58064385d07c0f11ff848cbf605f040f51a06dc102e78f7b2b3d17a

SHA512
5a82b48b223b6aa518aca74e2b6342045436e483f3a82c57d1ba236b257ce1c80a826e345a0b600796a0164e55a2d286f5b2e0183ef0662b8e96e89d173faa65

Download Submit
C:\ProgramData\win32\BKIVNA.exe
Filesize
942KB

MD5
a92015618b79adee683000eaaaa30c83

SHA1
fd2c04199f3e58c13bd2876bf38702ba3f172f75

SHA256
239188ccb58064385d07c0f11ff848cbf605f040f51a06dc102e78f7b2b3d17a

SHA512
5a82b48b223b6aa518aca74e2b6342045436e483f3a82c57d1ba236b257ce1c80a826e345a0b600796a0164e55a2d286f5b2e0183ef0662b8e96e89d173faa65

Download Submit
C:\ProgramData\win32\BKIVNA.exe
Filesize
942KB

MD5
a92015618b79adee683000eaaaa30c83

SHA1
fd2c04199f3e58c13bd2876bf38702ba3f172f75

SHA256
239188ccb58064385d07c0f11ff848cbf605f040f51a06dc102e78f7b2b3d17a

SHA512
5a82b48b223b6aa518aca74e2b6342045436e483f3a82c57d1ba236b257ce1c80a826e345a0b600796a0164e55a2d286f5b2e0183ef0662b8e96e89d173faa65

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp78AF.tmp.bat
Filesize
140B

MD5
8f65663511fed6cc12369bbfcd2f4c4a

SHA1
7dbe34d6757386e9b0d05a631a9568154a4b9695

SHA256
2676d1f8472ac3a359724e2e09ac72e669b435346abd7438c0f1179ff1e12462

SHA512
24fce0619ac3501d8494798ce86604f18afa451903ef6dac2b73a42c16f72316e54c2d72508c1a9798317a1789c035ce2137537a06fe2db7169daaf63732f171

Download Submit
memory/1508-127-0x0000000140000000-0x0000000142EFE000-memory.dmp

Filesize
47.0MB

Download
memory/1508-128-0x0000000142EFC000-mapping.dmp

Download
memory/1508-129-0x0000000140000000-0x0000000142EFE000-memory.dmp

Filesize
47.0MB

Download
memory/2548-118-0x0000000000C80000-0x0000000000D70000-memory.dmp

Filesize
960KB

Download
memory/2764-119-0x0000000000000000-mapping.dmp

Download
memory/3632-121-0x0000000000000000-mapping.dmp

Download
memory/3868-122-0x0000000000000000-mapping.dmp

Download
memory/4220-125-0x0000000000000000-mapping.dmp

Download
memory/4388-126-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads