8eb3299220dc00e9b50a559aa3f9b956c5728aabcd56901ead0b470b2038f95c

Analysis

max time kernel
149s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08-08-2024 04:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-08_2cc991e4427db5107f1ee307e0ff16b5_bkransomware.exe
Size

603KB
MD5

2cc991e4427db5107f1ee307e0ff16b5
SHA1

71f7aca2ffa8c18624af43f605f5bff93762ddf4
SHA256

8eb3299220dc00e9b50a559aa3f9b956c5728aabcd56901ead0b470b2038f95c
SHA512

f2cdf928efeb66f605b2b036d4395d5a038a136671755ccc4f1304dd1382b18d8a38867aac9cce1b8a8c8f985fee4094a7b5e398bde792c9be995a6367bf470f
SSDEEP

12288:E7pmdAnCAk1yDbXis0VXOAu++wbl3vKCJR2kT:KcUh5+s0VX9+wbdiCL2kT

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
5024	tcrq83za22vuxy0ddypdgpd.exe
4884	mubuofkpmba.exe
1964	eedfaiqkrzys.exe
3984	mubuofkpmba.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\exdqaywonlhjqfo\cglakzs8vt	mubuofkpmba.exe
File created	C:\Windows\exdqaywonlhjqfo\cglakzs8vt	eedfaiqkrzys.exe
File created	C:\Windows\exdqaywonlhjqfo\cglakzs8vt	mubuofkpmba.exe
File created	C:\Windows\exdqaywonlhjqfo\cglakzs8vt	2024-08-08_2cc991e4427db5107f1ee307e0ff16b5_bkransomware.exe
File created	C:\Windows\exdqaywonlhjqfo\cglakzs8vt	tcrq83za22vuxy0ddypdgpd.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-08_2cc991e4427db5107f1ee307e0ff16b5_bkransomware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tcrq83za22vuxy0ddypdgpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mubuofkpmba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eedfaiqkrzys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4884	mubuofkpmba.exe
4884	mubuofkpmba.exe
1964	eedfaiqkrzys.exe
1964	eedfaiqkrzys.exe
1964	eedfaiqkrzys.exe
1964	eedfaiqkrzys.exe
1964	eedfaiqkrzys.exe
1964	eedfaiqkrzys.exe
1964	eedfaiqkrzys.exe
1964	eedfaiqkrzys.exe
1964	eedfaiqkrzys.exe
1964	eedfaiqkrzys.exe
1964	eedfaiqkrzys.exe
1964	eedfaiqkrzys.exe
1964	eedfaiqkrzys.exe
1964	eedfaiqkrzys.exe
1964	eedfaiqkrzys.exe
1964	eedfaiqkrzys.exe
1964	eedfaiqkrzys.exe
1964	eedfaiqkrzys.exe
1964	eedfaiqkrzys.exe
1964	eedfaiqkrzys.exe
1964	eedfaiqkrzys.exe
1964	eedfaiqkrzys.exe
1964	eedfaiqkrzys.exe
1964	eedfaiqkrzys.exe
1964	eedfaiqkrzys.exe
1964	eedfaiqkrzys.exe
1964	eedfaiqkrzys.exe
1964	eedfaiqkrzys.exe
1964	eedfaiqkrzys.exe
1964	eedfaiqkrzys.exe
1964	eedfaiqkrzys.exe
1964	eedfaiqkrzys.exe
4884	mubuofkpmba.exe
4884	mubuofkpmba.exe
1964	eedfaiqkrzys.exe
1964	eedfaiqkrzys.exe
1964	eedfaiqkrzys.exe
1964	eedfaiqkrzys.exe
4884	mubuofkpmba.exe
4884	mubuofkpmba.exe
1964	eedfaiqkrzys.exe
1964	eedfaiqkrzys.exe
1964	eedfaiqkrzys.exe
1964	eedfaiqkrzys.exe
4884	mubuofkpmba.exe
4884	mubuofkpmba.exe
1964	eedfaiqkrzys.exe
1964	eedfaiqkrzys.exe
1964	eedfaiqkrzys.exe
1964	eedfaiqkrzys.exe
4884	mubuofkpmba.exe
4884	mubuofkpmba.exe
1964	eedfaiqkrzys.exe
1964	eedfaiqkrzys.exe
1964	eedfaiqkrzys.exe
1964	eedfaiqkrzys.exe
4884	mubuofkpmba.exe
4884	mubuofkpmba.exe
1964	eedfaiqkrzys.exe
1964	eedfaiqkrzys.exe
1964	eedfaiqkrzys.exe
1964	eedfaiqkrzys.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1396 wrote to memory of 5024	1396	2024-08-08_2cc991e4427db5107f1ee307e0ff16b5_bkransomware.exe	90
PID 1396 wrote to memory of 5024	1396	2024-08-08_2cc991e4427db5107f1ee307e0ff16b5_bkransomware.exe	90
PID 1396 wrote to memory of 5024	1396	2024-08-08_2cc991e4427db5107f1ee307e0ff16b5_bkransomware.exe	90
PID 4884 wrote to memory of 1964	4884	mubuofkpmba.exe	94
PID 4884 wrote to memory of 1964	4884	mubuofkpmba.exe	94
PID 4884 wrote to memory of 1964	4884	mubuofkpmba.exe	94
PID 5024 wrote to memory of 3984	5024	tcrq83za22vuxy0ddypdgpd.exe	96
PID 5024 wrote to memory of 3984	5024	tcrq83za22vuxy0ddypdgpd.exe	96
PID 5024 wrote to memory of 3984	5024	tcrq83za22vuxy0ddypdgpd.exe	96

C:\Users\Admin\AppData\Local\Temp\2024-08-08_2cc991e4427db5107f1ee307e0ff16b5_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-08_2cc991e4427db5107f1ee307e0ff16b5_bkransomware.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1396
- C:\exdqaywonlhjqfo\tcrq83za22vuxy0ddypdgpd.exe
  "C:\exdqaywonlhjqfo\tcrq83za22vuxy0ddypdgpd.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5024
- - C:\exdqaywonlhjqfo\mubuofkpmba.exe
    "C:\exdqaywonlhjqfo\mubuofkpmba.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:3984

C:\exdqaywonlhjqfo\mubuofkpmba.exe
C:\exdqaywonlhjqfo\mubuofkpmba.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4884
- C:\exdqaywonlhjqfo\eedfaiqkrzys.exe
  ongtvvmaypju "c:\exdqaywonlhjqfo\mubuofkpmba.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4264,i,10065386245627775856,6567048529106473151,262144 --variations-seed-version --mojo-platform-channel-handle=4156 /prefetch:8
1⤵
PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\exdqaywonlhjqfo\cglakzs8vt

Filesize
12B

MD5
bef5e740419cc1779985b186b6e58b9b

SHA1
e41b183cf2cdb656861ade4767314038da01914f

SHA256
4da51245f18f37bc8910c3e10fa621763e6f6d315ea0099d145a19129afd0fb8

SHA512
071232bac83e50451bb0e0989495126382a060852c31b7c3d9fc5b1f076e39f9a4d8c32cd12b22c4b3023c78dd4d4210f8cefd363eb29ab57bafe3142be1c2c9

Download Submit
C:\exdqaywonlhjqfo\mcqpp6

Filesize
4B

MD5
fac87f86a0a581af8a13926fbfeb4fea

SHA1
937545d00ba1149e19b6d302b0cfe6a7d7fc4688

SHA256
4096759c5eb3cbe43daac1e12464476c324df57549cd73d59604e058e6ffb822

SHA512
5a5c658dd658bb5a91063510170d765b5f0eb339169a353c133c96835768c37c81d67c36e81270b335f272c2a937e2308645068b705de3eda6953734abd30137

Download Submit
C:\exdqaywonlhjqfo\tcrq83za22vuxy0ddypdgpd.exe

Filesize
603KB

MD5
2cc991e4427db5107f1ee307e0ff16b5

SHA1
71f7aca2ffa8c18624af43f605f5bff93762ddf4

SHA256
8eb3299220dc00e9b50a559aa3f9b956c5728aabcd56901ead0b470b2038f95c

SHA512
f2cdf928efeb66f605b2b036d4395d5a038a136671755ccc4f1304dd1382b18d8a38867aac9cce1b8a8c8f985fee4094a7b5e398bde792c9be995a6367bf470f

Download Submit