5f29f8ba0949edd6e77e7688589ca54d0add0b3ef2f88294e1baaa6408955dbf

Analysis

max time kernel
149s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/08/2024, 04:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-09_ddfc0be1134b388fe4190e973a2433cd_bkransomware.exe
Size

374KB
MD5

ddfc0be1134b388fe4190e973a2433cd
SHA1

1a9b2ee5359426df61d3c31ecf3c5c0ab666d5a9
SHA256

5f29f8ba0949edd6e77e7688589ca54d0add0b3ef2f88294e1baaa6408955dbf
SHA512

09a54dddf8fee55d410111677c9f901748877b39708d5410420f23a9a540e790fb050cc0c2d8ff82730f4d08ff1b8205de102319968389f7b3565d7d16d7de19
SSDEEP

6144:KowSFzGGFNn/g2HZJ9hN0XIKtLqTH3cpzRQYa9zHCtHC+OCtDnpM:Csn/ZHP3N0XIKtLqr3c9RVyzHUF5NpM

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
5008	lex3z9dcozjrexifweoe.exe
4348	qbrofmtoa.exe
4764	ogwrroqvp.exe
2592	qbrofmtoa.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\tbkgjskcpcgu\zoktwyy	lex3z9dcozjrexifweoe.exe
File created	C:\Windows\tbkgjskcpcgu\zoktwyy	qbrofmtoa.exe
File created	C:\Windows\tbkgjskcpcgu\zoktwyy	ogwrroqvp.exe
File created	C:\Windows\tbkgjskcpcgu\zoktwyy	qbrofmtoa.exe
File created	C:\Windows\tbkgjskcpcgu\zoktwyy	2024-08-09_ddfc0be1134b388fe4190e973a2433cd_bkransomware.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qbrofmtoa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ogwrroqvp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-09_ddfc0be1134b388fe4190e973a2433cd_bkransomware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lex3z9dcozjrexifweoe.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4348	qbrofmtoa.exe
4348	qbrofmtoa.exe
4764	ogwrroqvp.exe
4764	ogwrroqvp.exe
4764	ogwrroqvp.exe
4764	ogwrroqvp.exe
4764	ogwrroqvp.exe
4764	ogwrroqvp.exe
4764	ogwrroqvp.exe
4764	ogwrroqvp.exe
4764	ogwrroqvp.exe
4764	ogwrroqvp.exe
4764	ogwrroqvp.exe
4764	ogwrroqvp.exe
4764	ogwrroqvp.exe
4764	ogwrroqvp.exe
4764	ogwrroqvp.exe
4764	ogwrroqvp.exe
4764	ogwrroqvp.exe
4764	ogwrroqvp.exe
4764	ogwrroqvp.exe
4764	ogwrroqvp.exe
4764	ogwrroqvp.exe
4764	ogwrroqvp.exe
4764	ogwrroqvp.exe
4764	ogwrroqvp.exe
4764	ogwrroqvp.exe
4764	ogwrroqvp.exe
4764	ogwrroqvp.exe
4764	ogwrroqvp.exe
4764	ogwrroqvp.exe
4764	ogwrroqvp.exe
4764	ogwrroqvp.exe
4764	ogwrroqvp.exe
4764	ogwrroqvp.exe
4764	ogwrroqvp.exe
4764	ogwrroqvp.exe
4764	ogwrroqvp.exe
4764	ogwrroqvp.exe
4764	ogwrroqvp.exe
4348	qbrofmtoa.exe
4348	qbrofmtoa.exe
4764	ogwrroqvp.exe
4764	ogwrroqvp.exe
4764	ogwrroqvp.exe
4764	ogwrroqvp.exe
4348	qbrofmtoa.exe
4348	qbrofmtoa.exe
4764	ogwrroqvp.exe
4764	ogwrroqvp.exe
4764	ogwrroqvp.exe
4764	ogwrroqvp.exe
4348	qbrofmtoa.exe
4348	qbrofmtoa.exe
4764	ogwrroqvp.exe
4764	ogwrroqvp.exe
4764	ogwrroqvp.exe
4764	ogwrroqvp.exe
4764	ogwrroqvp.exe
4764	ogwrroqvp.exe
4348	qbrofmtoa.exe
4348	qbrofmtoa.exe
4764	ogwrroqvp.exe
4764	ogwrroqvp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 624 wrote to memory of 5008	624	2024-08-09_ddfc0be1134b388fe4190e973a2433cd_bkransomware.exe	83
PID 624 wrote to memory of 5008	624	2024-08-09_ddfc0be1134b388fe4190e973a2433cd_bkransomware.exe	83
PID 624 wrote to memory of 5008	624	2024-08-09_ddfc0be1134b388fe4190e973a2433cd_bkransomware.exe	83
PID 4348 wrote to memory of 4764	4348	qbrofmtoa.exe	86
PID 4348 wrote to memory of 4764	4348	qbrofmtoa.exe	86
PID 4348 wrote to memory of 4764	4348	qbrofmtoa.exe	86
PID 5008 wrote to memory of 2592	5008	lex3z9dcozjrexifweoe.exe	90
PID 5008 wrote to memory of 2592	5008	lex3z9dcozjrexifweoe.exe	90
PID 5008 wrote to memory of 2592	5008	lex3z9dcozjrexifweoe.exe	90

C:\Users\Admin\AppData\Local\Temp\2024-08-09_ddfc0be1134b388fe4190e973a2433cd_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-09_ddfc0be1134b388fe4190e973a2433cd_bkransomware.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:624
- C:\tbkgjskcpcgu\lex3z9dcozjrexifweoe.exe
  "C:\tbkgjskcpcgu\lex3z9dcozjrexifweoe.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5008
- - C:\tbkgjskcpcgu\qbrofmtoa.exe
    "C:\tbkgjskcpcgu\qbrofmtoa.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2592

C:\tbkgjskcpcgu\qbrofmtoa.exe
C:\tbkgjskcpcgu\qbrofmtoa.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4348
- C:\tbkgjskcpcgu\ogwrroqvp.exe
  b8ie0dvwuljy "c:\tbkgjskcpcgu\qbrofmtoa.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\tbkgjskcpcgu\lex3z9dcozjrexifweoe.exe

Filesize
374KB

MD5
ddfc0be1134b388fe4190e973a2433cd

SHA1
1a9b2ee5359426df61d3c31ecf3c5c0ab666d5a9

SHA256
5f29f8ba0949edd6e77e7688589ca54d0add0b3ef2f88294e1baaa6408955dbf

SHA512
09a54dddf8fee55d410111677c9f901748877b39708d5410420f23a9a540e790fb050cc0c2d8ff82730f4d08ff1b8205de102319968389f7b3565d7d16d7de19

Download Submit
C:\tbkgjskcpcgu\zelxpuqoun

Filesize
4B

MD5
93fcad6ce8f1e092a35e810b56928e34

SHA1
7100a77d68c3ed4c41c076b9dc5ea56f1e701595

SHA256
a8b9063cbfe8c3cf849d240945847b56ccd221e09785e4f4bb777110fad02d17

SHA512
53f8a464d61d6990431fd9b1de7eaec1f683ccfa5434a62c9f03490c48002ffa286023d822523d4b65d996409000f05e959b370cdd6649d92db43076e2475f9c

Download Submit
C:\tbkgjskcpcgu\zoktwyy

Filesize
7B

MD5
883bc9ed0762859d652b5e69fba9a562

SHA1
e88ea783fd2cf49b536448beaf1cacef9a22a671

SHA256
681fef1370ae8ffc3f6b298ed6ae03d46a4aefbc7da4f71269ceb95785e63b99

SHA512
7099cee05de2a206bce93cf091818027da8bae7beff8be5c664e7936cdac8f05488e14c78d4bc0547b63abef59df71ab1cdd865f557b7c2235a38a7d3de89789

Download Submit