Malware Analysis Report

2025-04-14 04:34

Sample ID: 240612-w4ac2avepe
Target: 2024-06-12_183f1b1f3e62361c9d3b6f7b8d0c0ac0_bkransomware_buzus
SHA256: 09171c9dac4c7e0106d83653baded7108fa6ce7f218be6e2e93c41e8efc3ca59
Tags:
Score: 5/10

Table of Contents

- Analysis Overview
- MITRE ATT&CK
  - Enterprise Matrix V15
- Analysis: static1
  - Detonation Overview
  - Signatures
- Analysis: behavioral1
  - Detonation Overview
  - Command Line
  - Signatures
  - Processes
  - Network
  - Files
- Analysis: behavioral2
  - Detonation Overview
  - Command Line
  - Signatures
  - Processes
  - Network
  - Files

Analysis Overview

Score: 5/10

SHA256: 09171c9dac4c7e0106d83653baded7108fa6ce7f218be6e2e93c41e8efc3ca59

Threat Level: Likely benign

The file 2024-06-12_183f1b1f3e62361c9d3b6f7b8d0c0ac0_bkransomware_buzus was found to be: Likely benign.

Malicious Activity Summary

- Suspicious use of SetThreadContext
- Program crash
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-12 18:28

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-12 18:28
Reported: 2024-06-12 18:30
Platform: win7-20240611-en
Max time kernel: 117s
Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_183f1b1f3e62361c9d3b6f7b8d0c0ac0_bkransomware_buzus.exe"

Signatures

Modifies Internet Explorer settings

Tags: adware, spyware

Description: Key created
Indicator: \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main
Process: C:\Users\Admin\AppData\Local\Temp\2024-06-12_183f1b1f3e62361c9d3b6f7b8d0c0ac0_bkransomware_buzus.exe
Target: N/A

Suspicious use of WriteProcessMemory

Description: PID 2192 wrote to memory of 1520
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\2024-06-12_183f1b1f3e62361c9d3b6f7b8d0c0ac0_bkransomware_buzus.exe
Target: C:\Users\Admin\AppData\Local\Temp\2024-06-12_183f1b1f3e62361c9d3b6f7b8d0c0ac0_bkransomware_buzus.exe
(the same event is recorded 11 times in the report)

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-12_183f1b1f3e62361c9d3b6f7b8d0c0ac0_bkransomware_buzus.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_183f1b1f3e62361c9d3b6f7b8d0c0ac0_bkransomware_buzus.exe"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_183f1b1f3e62361c9d3b6f7b8d0c0ac0_bkransomware_buzus.exe

Network

Country: US
Destination: 8.8.8.8:53
Domain: jaqaijknagc.mxp2353.com
Proto: udp

Files

memory/1520-6-0x0000000000400000-0x00000000004D9000-memory.dmp

memory/1520-14-0x0000000000400000-0x00000000004D9000-memory.dmp

memory/1520-16-0x0000000000400000-0x00000000004D9000-memory.dmp

memory/1520-17-0x0000000000400000-0x00000000004D9000-memory.dmp

memory/1520-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1520-10-0x0000000000400000-0x00000000004D9000-memory.dmp

memory/1520-8-0x0000000000400000-0x00000000004D9000-memory.dmp

memory/1520-4-0x0000000000400000-0x00000000004D9000-memory.dmp

memory/1520-0-0x0000000000400000-0x00000000004D9000-memory.dmp

memory/1520-2-0x0000000000400000-0x00000000004D9000-memory.dmp

memory/1520-18-0x0000000000400000-0x00000000004D9000-memory.dmp

memory/1520-19-0x0000000000400000-0x00000000004D9000-memory.dmp

memory/1520-20-0x0000000000400000-0x00000000004D9000-memory.dmp

memory/1520-22-0x0000000000400000-0x00000000004D9000-memory.dmp

memory/1520-23-0x0000000000400000-0x00000000004D9000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-12 18:28
Reported: 2024-06-12 18:30
Platform: win10v2004-20240508-en
Max time kernel: 51s
Max time network: 52s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_183f1b1f3e62361c9d3b6f7b8d0c0ac0_bkransomware_buzus.exe"

Signatures

Suspicious use of WriteProcessMemory

Description: PID 624 wrote to memory of 4704
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\2024-06-12_183f1b1f3e62361c9d3b6f7b8d0c0ac0_bkransomware_buzus.exe
Target: C:\Users\Admin\AppData\Local\Temp\2024-06-12_183f1b1f3e62361c9d3b6f7b8d0c0ac0_bkransomware_buzus.exe
(the same event is recorded 10 times in the report)

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-12_183f1b1f3e62361c9d3b6f7b8d0c0ac0_bkransomware_buzus.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_183f1b1f3e62361c9d3b6f7b8d0c0ac0_bkransomware_buzus.exe"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_183f1b1f3e62361c9d3b6f7b8d0c0ac0_bkransomware_buzus.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4704 -ip 4704

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4704 -ip 4704

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 1928

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 1964

Network

N/A

Files

memory/4704-0-0x0000000000400000-0x00000000004D9000-memory.dmp

memory/4704-1-0x0000000000400000-0x00000000004D9000-memory.dmp

memory/4704-2-0x0000000000400000-0x00000000004D9000-memory.dmp

memory/4704-4-0x0000000000400000-0x00000000004D9000-memory.dmp

memory/4704-3-0x0000000000400000-0x00000000004D9000-memory.dmp

memory/4704-5-0x0000000000400000-0x00000000004D9000-memory.dmp

memory/4704-6-0x0000000000400000-0x00000000004D9000-memory.dmp

memory/4704-10-0x0000000000400000-0x00000000004D9000-memory.dmp