Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
24-05-2024 22:02
Static task
static1
Behavioral task
behavioral1
Sample
2024-05-24_08370bcfc3434469490a0f912034125d_bkransomware.exe
Resource
win7-20231129-en
General
-
Target
2024-05-24_08370bcfc3434469490a0f912034125d_bkransomware.exe
-
Size
1017KB
-
MD5
08370bcfc3434469490a0f912034125d
-
SHA1
66fa7745d8bb160aba2495a433b64f6e4f58f991
-
SHA256
5abc60b9d85e86399d31d3d5e5619d179409baf8c0b73743740cb7962c65e218
-
SHA512
9c3db5994ac62a5a025f16b20e14f5a2b4a8e0b26c2bbbc9f94aaae5d220226b4d2d7aefb9010e8bf96afb03da790a0ddb8b7d51bd1bcc3e885ecc5a8a387262
-
SSDEEP
12288:t2lWRP5hA9PRWg9wU5VFWwHiC4mxYr8PCAwQy3KVMsMWsYNv+0kHe/6eZ0hW4:t2lm54R+wH/BYcCAwQEKesf/NmLeiTd
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
alg.exepid process 476 2852 alg.exe -
Drops file in System32 directory 1 IoCs
Processes:
2024-05-24_08370bcfc3434469490a0f912034125d_bkransomware.exedescription ioc process File opened for modification C:\Windows\System32\alg.exe 2024-05-24_08370bcfc3434469490a0f912034125d_bkransomware.exe -
Drops file in Windows directory 1 IoCs
Processes:
2024-05-24_08370bcfc3434469490a0f912034125d_bkransomware.exedescription ioc process File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe 2024-05-24_08370bcfc3434469490a0f912034125d_bkransomware.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
2024-05-24_08370bcfc3434469490a0f912034125d_bkransomware.exedescription pid process Token: SeTakeOwnershipPrivilege 2360 2024-05-24_08370bcfc3434469490a0f912034125d_bkransomware.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
2024-05-24_08370bcfc3434469490a0f912034125d_bkransomware.exepid process 2360 2024-05-24_08370bcfc3434469490a0f912034125d_bkransomware.exe 2360 2024-05-24_08370bcfc3434469490a0f912034125d_bkransomware.exe 2360 2024-05-24_08370bcfc3434469490a0f912034125d_bkransomware.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-05-24_08370bcfc3434469490a0f912034125d_bkransomware.exe"C:\Users\Admin\AppData\Local\Temp\2024-05-24_08370bcfc3434469490a0f912034125d_bkransomware.exe"1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2360
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
PID:2852
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
\Windows\System32\alg.exeFilesize
644KB
MD5b48a3bd8bc5567246d82224d1f2f6bb9
SHA1a4910949f112dd7507c816d5a762fe6f21f90b24
SHA25605099e79d746d1e5f95b7c79e122cd4f44f01089e597ecc2384bb58e695b23a2
SHA512a1cc5a9615bb3361b95efcc1cb499ec87c4d1a6455978ca6b58e095fa6a2a1246c54d1b3e4e88dd13445dcecec624ba47ff52e59e63f534c9fbc0b72fad9710e
-
memory/2360-0-0x0000000000400000-0x0000000000506000-memory.dmpFilesize
1.0MB
-
memory/2360-6-0x0000000000300000-0x0000000000367000-memory.dmpFilesize
412KB
-
memory/2360-2-0x0000000000300000-0x0000000000367000-memory.dmpFilesize
412KB
-
memory/2360-15-0x0000000000400000-0x0000000000506000-memory.dmpFilesize
1.0MB
-
memory/2852-12-0x0000000100000000-0x00000001000A4000-memory.dmpFilesize
656KB
-
memory/2852-16-0x0000000100000000-0x00000001000A4000-memory.dmpFilesize
656KB