Analysis
Max time kernel: 148s
Max time network: 150s
Platform: windows10-2004_x64
Resource: win10v2004-20240508-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 21-05-2024 14:45
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-05-21_3e99dc8e377a6de9b292d8c9a9acaec1_bkransomware.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2024-05-21_3e99dc8e377a6de9b292d8c9a9acaec1_bkransomware.exe
  Resource: win10v2004-20240508-en
General
Target: 2024-05-21_3e99dc8e377a6de9b292d8c9a9acaec1_bkransomware.exe
Size: 13.7MB
MD5: 3e99dc8e377a6de9b292d8c9a9acaec1
SHA1: 4c42c95a282ca0543eeca9eb67747025f7f06f7f
SHA256: 63a2cf1974d0bf8d1e4e6893805af12437b36d4a6d99f5cb7bf63ef018cf1b43
SHA512: efef5e8a5c412ed8b242aece45b292a8b7b09ade3023d8bc7da381cc1464ad286d209e7c6856b0c629f679fbd1e36cb0d0a56abe997eab3e745ea5fbe9d1ae6b
SSDEEP: 196608:rk/Pa6XsTCW5xfwLIbJsv6tWKFdu9C+hp:rkLyZ6IbJsv6tWKFdu9Cg
Malware Config
Signatures
Drops file in Windows directory (1 IoC)
Processes:
- 2024-05-21_3e99dc8e377a6de9b292d8c9a9acaec1_bkransomware.exe (pid 2176)
  Description: File opened for modification
  IoC: C:\Windows\pThreadInformationWow64.dll
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
- 2024-05-21_3e99dc8e377a6de9b292d8c9a9acaec1_bkransomware.exe (pid 2176)
Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes:
- 2024-05-21_3e99dc8e377a6de9b292d8c9a9acaec1_bkransomware.exe (pid 2176), 14 occurrences
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
- wmic.exe (pid 544): two full passes through the token privilege list below (42 IoCs)
- wmic.exe (pid 2220): one full pass through the list below, followed by a further Token: SeIncreaseQuotaPrivilege (22 IoCs)
Token privileges, in the order each pass enabled them:
- Token: SeIncreaseQuotaPrivilege
- Token: SeSecurityPrivilege
- Token: SeTakeOwnershipPrivilege
- Token: SeLoadDriverPrivilege
- Token: SeSystemProfilePrivilege
- Token: SeSystemtimePrivilege
- Token: SeProfSingleProcessPrivilege
- Token: SeIncBasePriorityPrivilege
- Token: SeCreatePagefilePrivilege
- Token: SeBackupPrivilege
- Token: SeRestorePrivilege
- Token: SeShutdownPrivilege
- Token: SeDebugPrivilege
- Token: SeSystemEnvironmentPrivilege
- Token: SeRemoteShutdownPrivilege
- Token: SeUndockPrivilege
- Token: SeManageVolumePrivilege
- Token: 33
- Token: 34
- Token: 35
- Token: 36
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
- 2024-05-21_3e99dc8e377a6de9b292d8c9a9acaec1_bkransomware.exe (pid 2176), 2 occurrences
Suspicious use of SendNotifyMessage (2 IoCs)
Processes:
- 2024-05-21_3e99dc8e377a6de9b292d8c9a9acaec1_bkransomware.exe (pid 2176), 2 occurrences
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
- 2024-05-21_3e99dc8e377a6de9b292d8c9a9acaec1_bkransomware.exe (pid 2176), 2 occurrences
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
- 2024-05-21_3e99dc8e377a6de9b292d8c9a9acaec1_bkransomware.exe (pid 2176) wrote to memory of wmic.exe (pid 544), 3 occurrences
- 2024-05-21_3e99dc8e377a6de9b292d8c9a9acaec1_bkransomware.exe (pid 2176) wrote to memory of wmic.exe (pid 2220), 3 occurrences
- 2024-05-21_3e99dc8e377a6de9b292d8c9a9acaec1_bkransomware.exe (pid 2176) wrote to memory of wmic.exe (pid 2748), 3 occurrences
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-05-21_3e99dc8e377a6de9b292d8c9a9acaec1_bkransomware.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-21_3e99dc8e377a6de9b292d8c9a9acaec1_bkransomware.exe"
  PID: 2176
  Signatures:
  - Drops file in Windows directory
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\Wbem\wmic.exe (depth 2)
    Command line: wmic diskdrive where index=0 get serialnumber
    PID: 544
    Signatures:
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\Wbem\wmic.exe (depth 2)
    Command line: wmic baseboard get serialnumber
    PID: 2220
    Signatures:
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\Wbem\wmic.exe (depth 2)
    Command line: wmic cpu get processorid
    PID: 2748