5f29f8ba0949edd6e77e7688589ca54d0add0b3ef2f88294e1baaa6408955dbf

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
09/08/2024, 04:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-09_ddfc0be1134b388fe4190e973a2433cd_bkransomware.exe
Size

374KB
MD5

ddfc0be1134b388fe4190e973a2433cd
SHA1

1a9b2ee5359426df61d3c31ecf3c5c0ab666d5a9
SHA256

5f29f8ba0949edd6e77e7688589ca54d0add0b3ef2f88294e1baaa6408955dbf
SHA512

09a54dddf8fee55d410111677c9f901748877b39708d5410420f23a9a540e790fb050cc0c2d8ff82730f4d08ff1b8205de102319968389f7b3565d7d16d7de19
SSDEEP

6144:KowSFzGGFNn/g2HZJ9hN0XIKtLqTH3cpzRQYa9zHCtHC+OCtDnpM:Csn/ZHP3N0XIKtLqr3c9RVyzHUF5NpM

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2680	lex4agxngzjrexifweoe.exe
2440	qbrofmtoa.exe
2100	ogwrroqvp.exe
2532	qbrofmtoa.exe

Loads dropped DLL 5 IoCs

pid	Process
2152	2024-08-09_ddfc0be1134b388fe4190e973a2433cd_bkransomware.exe
2152	2024-08-09_ddfc0be1134b388fe4190e973a2433cd_bkransomware.exe
2440	qbrofmtoa.exe
2440	qbrofmtoa.exe
2680	lex4agxngzjrexifweoe.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\tbkgjskcpcgu\zoktwyy	qbrofmtoa.exe
File created	C:\Windows\tbkgjskcpcgu\zoktwyy	2024-08-09_ddfc0be1134b388fe4190e973a2433cd_bkransomware.exe
File created	C:\Windows\tbkgjskcpcgu\zoktwyy	lex4agxngzjrexifweoe.exe
File created	C:\Windows\tbkgjskcpcgu\zoktwyy	qbrofmtoa.exe
File created	C:\Windows\tbkgjskcpcgu\zoktwyy	ogwrroqvp.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lex4agxngzjrexifweoe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-09_ddfc0be1134b388fe4190e973a2433cd_bkransomware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qbrofmtoa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ogwrroqvp.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2440	qbrofmtoa.exe
2100	ogwrroqvp.exe
2100	ogwrroqvp.exe
2100	ogwrroqvp.exe
2100	ogwrroqvp.exe
2100	ogwrroqvp.exe
2100	ogwrroqvp.exe
2100	ogwrroqvp.exe
2100	ogwrroqvp.exe
2100	ogwrroqvp.exe
2100	ogwrroqvp.exe
2100	ogwrroqvp.exe
2100	ogwrroqvp.exe
2100	ogwrroqvp.exe
2100	ogwrroqvp.exe
2100	ogwrroqvp.exe
2100	ogwrroqvp.exe
2100	ogwrroqvp.exe
2100	ogwrroqvp.exe
2100	ogwrroqvp.exe
2100	ogwrroqvp.exe
2100	ogwrroqvp.exe
2100	ogwrroqvp.exe
2100	ogwrroqvp.exe
2100	ogwrroqvp.exe
2100	ogwrroqvp.exe
2100	ogwrroqvp.exe
2100	ogwrroqvp.exe
2100	ogwrroqvp.exe
2100	ogwrroqvp.exe
2100	ogwrroqvp.exe
2100	ogwrroqvp.exe
2100	ogwrroqvp.exe
2100	ogwrroqvp.exe
2100	ogwrroqvp.exe
2100	ogwrroqvp.exe
2100	ogwrroqvp.exe
2100	ogwrroqvp.exe
2100	ogwrroqvp.exe
2100	ogwrroqvp.exe
2100	ogwrroqvp.exe
2100	ogwrroqvp.exe
2100	ogwrroqvp.exe
2100	ogwrroqvp.exe
2100	ogwrroqvp.exe
2100	ogwrroqvp.exe
2100	ogwrroqvp.exe
2100	ogwrroqvp.exe
2100	ogwrroqvp.exe
2100	ogwrroqvp.exe
2100	ogwrroqvp.exe
2100	ogwrroqvp.exe
2100	ogwrroqvp.exe
2100	ogwrroqvp.exe
2100	ogwrroqvp.exe
2100	ogwrroqvp.exe
2100	ogwrroqvp.exe
2100	ogwrroqvp.exe
2100	ogwrroqvp.exe
2100	ogwrroqvp.exe
2100	ogwrroqvp.exe
2100	ogwrroqvp.exe
2100	ogwrroqvp.exe
2100	ogwrroqvp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2152 wrote to memory of 2680	2152	2024-08-09_ddfc0be1134b388fe4190e973a2433cd_bkransomware.exe	31
PID 2152 wrote to memory of 2680	2152	2024-08-09_ddfc0be1134b388fe4190e973a2433cd_bkransomware.exe	31
PID 2152 wrote to memory of 2680	2152	2024-08-09_ddfc0be1134b388fe4190e973a2433cd_bkransomware.exe	31
PID 2152 wrote to memory of 2680	2152	2024-08-09_ddfc0be1134b388fe4190e973a2433cd_bkransomware.exe	31
PID 2440 wrote to memory of 2100	2440	qbrofmtoa.exe	33
PID 2440 wrote to memory of 2100	2440	qbrofmtoa.exe	33
PID 2440 wrote to memory of 2100	2440	qbrofmtoa.exe	33
PID 2440 wrote to memory of 2100	2440	qbrofmtoa.exe	33
PID 2680 wrote to memory of 2532	2680	lex4agxngzjrexifweoe.exe	34
PID 2680 wrote to memory of 2532	2680	lex4agxngzjrexifweoe.exe	34
PID 2680 wrote to memory of 2532	2680	lex4agxngzjrexifweoe.exe	34
PID 2680 wrote to memory of 2532	2680	lex4agxngzjrexifweoe.exe	34

C:\Users\Admin\AppData\Local\Temp\2024-08-09_ddfc0be1134b388fe4190e973a2433cd_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-09_ddfc0be1134b388fe4190e973a2433cd_bkransomware.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2152
- C:\tbkgjskcpcgu\lex4agxngzjrexifweoe.exe
  "C:\tbkgjskcpcgu\lex4agxngzjrexifweoe.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\tbkgjskcpcgu\qbrofmtoa.exe
    "C:\tbkgjskcpcgu\qbrofmtoa.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2532

C:\tbkgjskcpcgu\qbrofmtoa.exe
C:\tbkgjskcpcgu\qbrofmtoa.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2440
- C:\tbkgjskcpcgu\ogwrroqvp.exe
  b8ie0dvwuljy "c:\tbkgjskcpcgu\qbrofmtoa.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\tbkgjskcpcgu\lex4agxngzjrexifweoe.exe

Filesize
374KB

MD5
ddfc0be1134b388fe4190e973a2433cd

SHA1
1a9b2ee5359426df61d3c31ecf3c5c0ab666d5a9

SHA256
5f29f8ba0949edd6e77e7688589ca54d0add0b3ef2f88294e1baaa6408955dbf

SHA512
09a54dddf8fee55d410111677c9f901748877b39708d5410420f23a9a540e790fb050cc0c2d8ff82730f4d08ff1b8205de102319968389f7b3565d7d16d7de19

Download Submit
C:\tbkgjskcpcgu\zelxpuqoun

Filesize
4B

MD5
105994ba838f62a81a4831dcc7a0948f

SHA1
34877689199bf4881d58cb93bc61376b6cccde4e

SHA256
fdba112da872a8e0e165ce605c5e8c685ca5873d13a60ae52cabb06694d8031e

SHA512
6d6f77dbec78345f4502729c65e967e80953789ebe587f3ca744fd03b09b9e2abb91f7b308e077b64dabbc6772bd8a552e7461cf3987076c0a4e50cb37229747

Download Submit
C:\tbkgjskcpcgu\zoktwyy

Filesize
7B

MD5
883bc9ed0762859d652b5e69fba9a562

SHA1
e88ea783fd2cf49b536448beaf1cacef9a22a671

SHA256
681fef1370ae8ffc3f6b298ed6ae03d46a4aefbc7da4f71269ceb95785e63b99

SHA512
7099cee05de2a206bce93cf091818027da8bae7beff8be5c664e7936cdac8f05488e14c78d4bc0547b63abef59df71ab1cdd865f557b7c2235a38a7d3de89789

Download Submit