Analysis Overview
SHA256
23ab7d46bb36d982290c9b5b836bf214c1619a8663a1b8984113103c89832c56
Threat Level: Likely benign
The file 2024-06-08_be2ee644c0d13dc05c1a719db78bb927_bkransomware was found to be: Likely benign.
Malicious Activity Summary
Unsigned PE
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-08 07:09
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
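The "Unsigned PE" signature in the static pass means the sample carries no embedded Authenticode signature: the Attribute Certificate Table (data directory entry 4, IMAGE_DIRECTORY_ENTRY_SECURITY) in the optional header has a zero offset or size. The check below reproduces that test with the standard library so it can be re-run on the original file before trusting the verdict. This is an added example, not code from the sandbox that produced this report; build_minimal_pe() constructs a headers-only test input and is not a loadable image. Note that the inverse conclusion does not hold: a non-empty certificate table only shows a signature is present, not that it chains to a trusted root (verify with signtool or osslsigncode), and catalog-signed Windows binaries legitimately have an empty table.

```python
import struct
import sys

# Index of the Attribute Certificate Table in the optional header's data directory.
IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def authenticode_directory(data: bytes) -> tuple:
    """Return (file_offset, size) of the Attribute Certificate Table.

    Raises ValueError if `data` does not parse as a PE image. Unlike the other
    data directories, the security entry stores a raw file offset, not an RVA.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:    # PE32: NumberOfRvaAndSizes at +92, DataDirectory at +96
        nrva_off, dir_off = opt + 92, opt + 96
    elif magic == 0x20B:  # PE32+: NumberOfRvaAndSizes at +108, DataDirectory at +112
        nrva_off, dir_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    number_of_rva = struct.unpack_from("<I", data, nrva_off)[0]
    if number_of_rva <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return (0, 0)  # directory array too short to hold a certificate entry
    entry = dir_off + IMAGE_DIRECTORY_ENTRY_SECURITY * 8
    if entry + 8 > opt + size_of_optional:
        return (0, 0)  # entry lies outside the declared optional header
    return struct.unpack_from("<II", data, entry)


def is_unsigned_pe(data: bytes) -> bool:
    """True when no embedded Authenticode signature is present (the report's 'Unsigned PE')."""
    offset, size = authenticode_directory(data)
    return offset == 0 or size == 0


def build_minimal_pe(cert_offset: int = 0, cert_size: int = 0, pe32plus: bool = True) -> bytes:
    """Constructed test input: DOS stub + PE headers only, no sections, not runnable."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew -> right after DOS header
    if pe32plus:
        magic, nrva_off, dir_off = 0x20B, 108, 112
    else:
        magic, nrva_off, dir_off = 0x10B, 92, 96
    opt_size = dir_off + 16 * 8                           # all 16 data directory entries
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, nrva_off, 16)
    struct.pack_into("<II", opt, dir_off + IMAGE_DIRECTORY_ENTRY_SECURITY * 8,
                     cert_offset, cert_size)
    coff = bytearray(20)
    struct.pack_into("<H", coff, 0, 0x8664 if pe32plus else 0x14C)  # Machine
    struct.pack_into("<H", coff, 16, opt_size)                      # SizeOfOptionalHeader
    return bytes(dos) + b"PE\0\0" + bytes(coff) + bytes(opt)


if __name__ == "__main__":
    # Usage: python check_signed.py <sample.exe> [...]
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            blob = fh.read()
        state = "unsigned" if is_unsigned_pe(blob) else "embedded Authenticode signature present"
        print(f"{path}: {state}")
```

Run it against the sample named in this report and the result should agree with the static1 signature; a disagreement means either the file has been modified since submission or the sandbox applied a stricter rule than an empty directory check.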
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-08 07:09
Reported
2024-06-08 07:11
Platform
win7-20240221-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_be2ee644c0d13dc05c1a719db78bb927_bkransomware.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_be2ee644c0d13dc05c1a719db78bb927_bkransomware.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_be2ee644c0d13dc05c1a719db78bb927_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_be2ee644c0d13dc05c1a719db78bb927_bkransomware.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | remote.payroll-us.com | udp |
| US | 173.11.93.11:80 | remote.payroll-us.com | tcp |
| US | 173.11.93.11:80 | remote.payroll-us.com | tcp |
| US | 173.11.93.11:80 | remote.payroll-us.com | tcp |
| US | 8.8.8.8:53 | remote.payroll-us.com | udp |
| US | 173.11.93.11:80 | remote.payroll-us.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\TMSetup.txt
| MD5 | 818ad96f10bcdc2ca3dd1b5ca8c21f70 |
| SHA1 | c010ee39153952635fbc54af5c60ec85abd94239 |
| SHA256 | 1f02d2bb43dc321b41276a8e63c0c6e767bbcfc6efd941f592db150159414df1 |
| SHA512 | 84b463f49c6c5e501f6f570ae6be8bcf0c2d0b28596ca91ef8f327294d583783ffc950cada6aeb5dc9e93b170a39403c76fa2dacf7aba0dba66a8a7c4654e57b |
C:\Users\Admin\AppData\Local\Temp\TMSetup.txt
| MD5 | d93cec6b66214bac893d246e0af30fb4 |
| SHA1 | 91bed9f06611b40db89dba4a30e418836789e37d |
| SHA256 | f51a5d314775d3e99ca90be2f29df9ccba815371b8a6cec38f4fbf7239b842f4 |
| SHA512 | bcfcbaa258aca14fd1bb2b5a9feb4585dae3020c3176ed385c93e6cf6855943df736e205fd55009822f0517117077081fd3ae632e97923e7d635b3503dc64015 |
C:\Users\Admin\AppData\Local\Temp\TMSetup.txt
| MD5 | 8aee935f049755b8bd22c663c78e6882 |
| SHA1 | c37cb2f9085ac5fadb317a7895f22e6b4c500a8b |
| SHA256 | 3c8d742397959988ad61b80667290c5c28c0d25e45efb86082422ad143c56372 |
| SHA512 | 0865717ddd6dfeb7d3ffdabff09f92b28d7477817d78277675e1a26c395bf56cf162c15ec53507536e9d509bf7ce450eff9259c36f2e3c231f7474b3982795de |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-08 07:09
Reported
2024-06-08 07:11
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_be2ee644c0d13dc05c1a719db78bb927_bkransomware.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_be2ee644c0d13dc05c1a719db78bb927_bkransomware.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_be2ee644c0d13dc05c1a719db78bb927_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_be2ee644c0d13dc05c1a719db78bb927_bkransomware.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | remote.payroll-us.com | udp |
| US | 173.11.93.11:80 | remote.payroll-us.com | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 173.11.93.11:80 | remote.payroll-us.com | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 173.11.93.11:80 | remote.payroll-us.com | tcp |
| US | 8.8.8.8:53 | remote.payroll-us.com | udp |
| US | 173.11.93.11:80 | remote.payroll-us.com | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 170.253.116.51.in-addr.arpa | udp |
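The two behavioral network tables mix three different things: forward lookups sent to the sandbox's resolver (8.8.8.8:53, which is infrastructure, not an indicator), the sample's own HTTP connections to 173.11.93.11:80 for remote.payroll-us.com, and, only in the win10 run, a series of in-addr.arpa reverse lookups whose targets are the addresses the guest itself was talking to. Before any of this is turned into detection content, the rows should be split along those lines and the PTR targets attributed separately. The script below does that split over the behavioral2 rows copied from the table above; it is an added example, not output of the sandbox, and the row list is constructed inline from this page so it runs offline.

```python
import ipaddress
from collections import Counter

# Rows copied from the behavioral2 network table on this page:
# (country, destination, queried or connected name, protocol).
NETWORK_ROWS = [
    ("US", "8.8.8.8:53", "remote.payroll-us.com", "udp"),
    ("US", "173.11.93.11:80", "remote.payroll-us.com", "tcp"),
    ("US", "8.8.8.8:53", "154.239.44.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "134.32.126.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "104.219.191.52.in-addr.arpa", "udp"),
    ("US", "173.11.93.11:80", "remote.payroll-us.com", "tcp"),
    ("US", "8.8.8.8:53", "183.59.114.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "56.126.166.20.in-addr.arpa", "udp"),
    ("US", "173.11.93.11:80", "remote.payroll-us.com", "tcp"),
    ("US", "8.8.8.8:53", "remote.payroll-us.com", "udp"),
    ("US", "173.11.93.11:80", "remote.payroll-us.com", "tcp"),
    ("US", "8.8.8.8:53", "13.227.111.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "170.253.116.51.in-addr.arpa", "udp"),
]

# The sandbox's DNS forwarder (assumption: taken from the tables above); never an IOC.
RESOLVERS = {"8.8.8.8:53"}


def ptr_target(name: str):
    """Decode a reverse-DNS query name into the IPv4 address it asks about, or None."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        # in-addr.arpa labels are the address octets in reverse order.
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def triage(rows):
    """Split rows into (direct connections, forward lookups, PTR lookup targets)."""
    connections, lookups, ptr_targets = Counter(), Counter(), Counter()
    for _country, dest, name, proto in rows:
        if dest in RESOLVERS and proto == "udp":
            target = ptr_target(name)
            if target is not None:
                ptr_targets[target] += 1      # attribute before treating as an indicator
            else:
                lookups[name] += 1            # name the sample actually resolved
        else:
            connections[(dest, name, proto)] += 1
    return connections, lookups, ptr_targets


def iocs(rows):
    """Deduplicated indicators: resolved names plus the endpoints actually connected to."""
    connections, lookups, _ = triage(rows)
    found = set(lookups)
    for dest, name, _proto in connections:
        found.add(dest)
        found.add(name)
    return sorted(found)


if __name__ == "__main__":
    conns, fwd, ptrs = triage(NETWORK_ROWS)
    print("connections:", dict(conns))
    print("forward lookups:", dict(fwd))
    print("PTR targets to attribute:", sorted(ptrs))
    print("IOCs:", iocs(NETWORK_ROWS))
```

Running it reduces the thirteen rows to two indicators, remote.payroll-us.com and 173.11.93.11:80, and seven reverse-looked-up addresses that appear only in the win10 run and nowhere in the win7 run, which is the pattern of guest background traffic rather than sample behaviour; confirm their ownership before listing them with the sample.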
Files
C:\Users\Admin\AppData\Local\Temp\TMSetup.txt
| MD5 | 54df436246f4209c79376cf09963a0b9 |
| SHA1 | 2b2285b4aec0a096cc393f59d5eea9cc3babefc5 |
| SHA256 | 1ea130fc78078f782356548d958e0308821a837eb02d433b43793d64457a387a |
| SHA512 | 89795fee9460e4ff7948cdd3d20a1311557b512a7e57a19882f6d1696f967a73cad1e24c41d158db010e3046467f2cb7f7e7782570373a2d7935d3f3881b4c19 |
C:\Users\Admin\AppData\Local\Temp\TMSetup.txt
| MD5 | 7d8573255e731bf7d011eda96c591de4 |
| SHA1 | a15a570aa9be0103527d5578aafacdecd26e4aa3 |
| SHA256 | d548ea5e6763d6ca851a7418a2c672bdfacc65f1d66fa400bd122ee0cea53d44 |
| SHA512 | aa8219b3039d4763711150533a3eda816fdeabffc3f417ba066235692bcc8cf68fddd3bbd79d8672154d81c04819d30f292d6ecb627132ff11b566f4f28149fb |