Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240704-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/07/2024, 04:44
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-07-05_a00a34fd05e2621a1a5514f51f2f9fed_bkransomware.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 2024-07-05_a00a34fd05e2621a1a5514f51f2f9fed_bkransomware.exe
  Resource: win10v2004-20240704-en
General
Target: 2024-07-05_a00a34fd05e2621a1a5514f51f2f9fed_bkransomware.exe
Size: 507KB
MD5: a00a34fd05e2621a1a5514f51f2f9fed
SHA1: 1f39326ec6ae8734995b0e187a1ddf8d36ccde2f
SHA256: fcda68d2fa02bb2bb763b8b460aa4c487f6d17670f8177f9a2447e643fb2cd4c
SHA512: f66a9801dfef20654e6573f6242cfe6c1ad4c6a0683854aca1355fff40bba105aa2f15ee40c552ecd60bb20bc1562bf505386b0bb28c2ff3b94f1b3e6dc93a31
SSDEEP: 12288:ayjoBI0TOBkmRk6M8a6XwnfgdBOcs1mW:1jTOOBkmi6Ha6XwodBOcN
Malware Config
Signatures
Executes dropped EXE (4 IoCs)
pid   Process
1820  nsry3z97ucpzheetuyo3w.exe
3896  ketidewiqka.exe
1420  ylnsruuxdcbc.exe
4624  ketidewiqka.exe

Drops file in Windows directory (5 IoCs)
All five records are "File created" events for the same path, C:\Windows\rkzvesaqtdq\dyhwrja, one per process:
  nsry3z97ucpzheetuyo3w.exe
  ketidewiqka.exe
  ylnsruuxdcbc.exe
  ketidewiqka.exe
  2024-07-05_a00a34fd05e2621a1a5514f51f2f9fed_bkransomware.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid   Process           records
3896  ketidewiqka.exe   2
1420  ylnsruuxdcbc.exe  62 (every record after the first two is this process)

Suspicious use of WriteProcessMemory (9 IoCs)
writer pid  target pid  writer Process                                              procid_target
3076        1820        2024-07-05_a00a34fd05e2621a1a5514f51f2f9fed_bkransomware.exe  82  (recorded 3 times)
3896        1420        ketidewiqka.exe                                             85  (recorded 3 times)
1820        4624        nsry3z97ucpzheetuyo3w.exe                                   86  (recorded 3 times)
Each writer/target pair is a parent-to-child edge of the process tree below; the report records no write into a process outside that tree, so these entries reflect the parent setting up processes it created rather than injection into an unrelated process.
Processes
Tree 1 (root: the submitted sample)
C:\Users\Admin\AppData\Local\Temp\2024-07-05_a00a34fd05e2621a1a5514f51f2f9fed_bkransomware.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-07-05_a00a34fd05e2621a1a5514f51f2f9fed_bkransomware.exe"
  PID 3076
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
    C:\rkzvesaqtdq\nsry3z97ucpzheetuyo3w.exe
      command line: "C:\rkzvesaqtdq\nsry3z97ucpzheetuyo3w.exe"
      PID 1820
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
        C:\rkzvesaqtdq\ketidewiqka.exe
          command line: "C:\rkzvesaqtdq\ketidewiqka.exe"
          PID 4624
          - Executes dropped EXE
          - Drops file in Windows directory

Tree 2 (root: ketidewiqka.exe; no parent is recorded for it)
C:\rkzvesaqtdq\ketidewiqka.exe
  command line: C:\rkzvesaqtdq\ketidewiqka.exe
  PID 3896
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
    C:\rkzvesaqtdq\ylnsruuxdcbc.exe
      command line: yaieh3tmtcsd "c:\rkzvesaqtdq\ketidewiqka.exe"  (first argument is the token yaieh3tmtcsd, second is the path of ketidewiqka.exe)
      PID 1420
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
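A triage helper added here by the editor; it is not part of the tria.ge report and not code from the sample. It parses the flattened WriteProcessMemory records above, collapses the repeated records into distinct writer/target pairs, checks each pair against the process tree, and compares a file against the hashes in the General section. The tree edges (TREE_EDGES) are transcribed by hand from the Processes section, and WPM_RAW is the signature text with its column header dropped; both are assumptions about how the page's data is laid out rather than anything tria.ge exports.

```python
"""Triage helper for the flattened tria.ge signature text on this page.

Editor's example, not part of the report.  TREE_EDGES is transcribed by
hand from the Processes section; WPM_RAW is the WriteProcessMemory
signature with its column header dropped.
"""
import hashlib
import re

# Records of "Suspicious use of WriteProcessMemory", copied from the report.
# Columns: writer PID, target PID, writer PID again, writer image, and
# tria.ge's internal id of the target process.  Each pair appears 3 times.
WPM_RAW = (
    "PID 3076 wrote to memory of 1820 3076 "
    "2024-07-05_a00a34fd05e2621a1a5514f51f2f9fed_bkransomware.exe 82 "
) * 3 + (
    "PID 3896 wrote to memory of 1420 3896 ketidewiqka.exe 85 "
) * 3 + (
    "PID 1820 wrote to memory of 4624 1820 nsry3z97ucpzheetuyo3w.exe 86 "
) * 3

# Parent -> child edges, transcribed from the Processes section (assumption).
TREE_EDGES = {
    (3076, 1820),  # sample -> nsry3z97ucpzheetuyo3w.exe
    (1820, 4624),  # nsry3z97ucpzheetuyo3w.exe -> ketidewiqka.exe
    (3896, 1420),  # ketidewiqka.exe -> ylnsruuxdcbc.exe
}

# Digests of the submitted sample, from the General section.
SAMPLE_HASHES = {
    "md5": "a00a34fd05e2621a1a5514f51f2f9fed",
    "sha1": "1f39326ec6ae8734995b0e187a1ddf8d36ccde2f",
    "sha256": "fcda68d2fa02bb2bb763b8b460aa4c487f6d17670f8177f9a2447e643fb2cd4c",
    "sha512": "f66a9801dfef20654e6573f6242cfe6c1ad4c6a0683854aca1355fff40bba105"
              "aa2f15ee40c552ecd60bb20bc1562bf505386b0bb28c2ff3b94f1b3e6dc93a31",
}

_WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")


def parse_wpm(raw: str) -> set:
    """Distinct (writer_pid, target_pid, writer_image) triples.

    tria.ge emits one record per WriteProcessMemory call, so the nine
    records on this page collapse to three pairs.  A record whose repeated
    PID column disagrees with the first is malformed and is rejected.
    """
    pairs = set()
    for writer, target, writer_again, image, _procid in _WPM_RE.findall(raw):
        if writer != writer_again:
            raise ValueError(f"inconsistent record for PID {writer}")
        pairs.add((int(writer), int(target), image))
    return pairs


def foreign_writes(pairs: set, tree_edges: set) -> set:
    """Writes whose target is not a direct child of the writer.

    A parent writing into a child it has just created is what ordinary
    process creation looks like in an API trace; a write into a process
    the writer did not spawn is the one worth treating as injection.
    """
    return {p for p in pairs if (p[0], p[1]) not in tree_edges}


def matches_hashes(data: bytes, expected: dict) -> dict:
    """Per-algorithm comparison of data against the report's digests.

    All-true or all-false is the expected outcome; a single algorithm
    disagreeing while the others match points at a transcription error
    in the IoC rather than at a different file.
    """
    return {alg: hashlib.new(alg, data).hexdigest() == digest.lower()
            for alg, digest in expected.items()}


if __name__ == "__main__":
    pairs = parse_wpm(WPM_RAW)
    print(f"{len(pairs)} distinct write pairs, "
          f"{len(foreign_writes(pairs, TREE_EDGES))} outside the process tree")
    # Constructed stand-in for a file under test; the real sample is not embedded.
    print(matches_hashes(b"not the sample", SAMPLE_HASHES))
```

Run it on a saved copy of the sample by replacing the constructed bytes with the file contents; for this report every write pair lands on a tree edge, so `foreign_writes` returns an empty set.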
Network
MITRE ATT&CK Matrix
Downloads
File 1
Filesize: 12B
MD5: af442c287fc5f45679fb442d63be6282
SHA1: 09c5af2c5d47e4bf44f73f7799614acc8f5f9758
SHA256: 898304f9adf6eaae130c0de00f30296e20eed3a2c235afd098062e6e2d61e015
SHA512: 609d704c83deeb270b74c73622c3ed3d114a6456d55270f16e36248ed364196bc6c45b4192e4041c6814bca0489a4e907bde2dc25b20ff93db332a005ca4f9b4

File 2 (hashes identical to the submitted sample)
Filesize: 507KB
MD5: a00a34fd05e2621a1a5514f51f2f9fed
SHA1: 1f39326ec6ae8734995b0e187a1ddf8d36ccde2f
SHA256: fcda68d2fa02bb2bb763b8b460aa4c487f6d17670f8177f9a2447e643fb2cd4c
SHA512: f66a9801dfef20654e6573f6242cfe6c1ad4c6a0683854aca1355fff40bba105aa2f15ee40c552ecd60bb20bc1562bf505386b0bb28c2ff3b94f1b3e6dc93a31