77bd837d390ad95161995b61080759dab8a130983f58ae4524f497927c2d353a

Analysis

max time kernel
149s
max time network
147s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
09-08-2024 04:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-09_543967080f5d1269891da9675dea8d39_bkransomware.exe
Size

500KB
MD5

543967080f5d1269891da9675dea8d39
SHA1

f3ceefbad962e54d9005956dd9e15d297c035f09
SHA256

77bd837d390ad95161995b61080759dab8a130983f58ae4524f497927c2d353a
SHA512

7973ae4a55897d26e20d2fce769c990abfcb8141b86e4a5d25b6b1222dd5b9a626cc0f07d07626c9f85e14e9b8b0994f4dc7c90714ed8b2a4cafd402b084df76
SSDEEP

6144:X89/vRmS+JLeKdBpzBftU+mzBowukFYPQvqkSesYdy9A8QXnJYc77I//2QZo0SLq:upsRe6sBuLSc19bQ3Gg2bo0SKbp

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1248	rvruo4ajv62ihpvvkyfcc.exe
1728	ucegtilj.exe
2156	gpxawnyophr.exe
2244	ucegtilj.exe

Loads dropped DLL 6 IoCs

pid	Process
1628	2024-08-09_543967080f5d1269891da9675dea8d39_bkransomware.exe
1628	2024-08-09_543967080f5d1269891da9675dea8d39_bkransomware.exe
1728	ucegtilj.exe
1728	ucegtilj.exe
1248	rvruo4ajv62ihpvvkyfcc.exe
1248	rvruo4ajv62ihpvvkyfcc.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\umozopb\lde45vjhr	rvruo4ajv62ihpvvkyfcc.exe
File created	C:\Windows\umozopb\lde45vjhr	ucegtilj.exe
File created	C:\Windows\umozopb\lde45vjhr	gpxawnyophr.exe
File created	C:\Windows\umozopb\lde45vjhr	ucegtilj.exe
File created	C:\Windows\umozopb\lde45vjhr	2024-08-09_543967080f5d1269891da9675dea8d39_bkransomware.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-09_543967080f5d1269891da9675dea8d39_bkransomware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ucegtilj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gpxawnyophr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rvruo4ajv62ihpvvkyfcc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1728	ucegtilj.exe
2156	gpxawnyophr.exe
2156	gpxawnyophr.exe
2156	gpxawnyophr.exe
2156	gpxawnyophr.exe
2156	gpxawnyophr.exe
2156	gpxawnyophr.exe
2156	gpxawnyophr.exe
2156	gpxawnyophr.exe
2156	gpxawnyophr.exe
2156	gpxawnyophr.exe
2156	gpxawnyophr.exe
2156	gpxawnyophr.exe
2156	gpxawnyophr.exe
2156	gpxawnyophr.exe
2156	gpxawnyophr.exe
2156	gpxawnyophr.exe
2156	gpxawnyophr.exe
2156	gpxawnyophr.exe
2156	gpxawnyophr.exe
2156	gpxawnyophr.exe
2156	gpxawnyophr.exe
2156	gpxawnyophr.exe
2156	gpxawnyophr.exe
2156	gpxawnyophr.exe
2156	gpxawnyophr.exe
2156	gpxawnyophr.exe
2156	gpxawnyophr.exe
2156	gpxawnyophr.exe
2156	gpxawnyophr.exe
2156	gpxawnyophr.exe
2156	gpxawnyophr.exe
2156	gpxawnyophr.exe
2156	gpxawnyophr.exe
2156	gpxawnyophr.exe
2156	gpxawnyophr.exe
2156	gpxawnyophr.exe
2156	gpxawnyophr.exe
2156	gpxawnyophr.exe
2156	gpxawnyophr.exe
2156	gpxawnyophr.exe
2156	gpxawnyophr.exe
2156	gpxawnyophr.exe
2156	gpxawnyophr.exe
2156	gpxawnyophr.exe
2156	gpxawnyophr.exe
2156	gpxawnyophr.exe
2156	gpxawnyophr.exe
2156	gpxawnyophr.exe
2156	gpxawnyophr.exe
2156	gpxawnyophr.exe
2156	gpxawnyophr.exe
2156	gpxawnyophr.exe
2156	gpxawnyophr.exe
2156	gpxawnyophr.exe
2156	gpxawnyophr.exe
2156	gpxawnyophr.exe
2156	gpxawnyophr.exe
2156	gpxawnyophr.exe
2156	gpxawnyophr.exe
2156	gpxawnyophr.exe
2156	gpxawnyophr.exe
2156	gpxawnyophr.exe
2156	gpxawnyophr.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 1248	1628	2024-08-09_543967080f5d1269891da9675dea8d39_bkransomware.exe	29
PID 1628 wrote to memory of 1248	1628	2024-08-09_543967080f5d1269891da9675dea8d39_bkransomware.exe	29
PID 1628 wrote to memory of 1248	1628	2024-08-09_543967080f5d1269891da9675dea8d39_bkransomware.exe	29
PID 1628 wrote to memory of 1248	1628	2024-08-09_543967080f5d1269891da9675dea8d39_bkransomware.exe	29
PID 1728 wrote to memory of 2156	1728	ucegtilj.exe	31
PID 1728 wrote to memory of 2156	1728	ucegtilj.exe	31
PID 1728 wrote to memory of 2156	1728	ucegtilj.exe	31
PID 1728 wrote to memory of 2156	1728	ucegtilj.exe	31
PID 1248 wrote to memory of 2244	1248	rvruo4ajv62ihpvvkyfcc.exe	32
PID 1248 wrote to memory of 2244	1248	rvruo4ajv62ihpvvkyfcc.exe	32
PID 1248 wrote to memory of 2244	1248	rvruo4ajv62ihpvvkyfcc.exe	32
PID 1248 wrote to memory of 2244	1248	rvruo4ajv62ihpvvkyfcc.exe	32

C:\Users\Admin\AppData\Local\Temp\2024-08-09_543967080f5d1269891da9675dea8d39_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-09_543967080f5d1269891da9675dea8d39_bkransomware.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1628
- C:\umozopb\rvruo4ajv62ihpvvkyfcc.exe
  "C:\umozopb\rvruo4ajv62ihpvvkyfcc.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1248
- - C:\umozopb\ucegtilj.exe
    "C:\umozopb\ucegtilj.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2244

C:\umozopb\ucegtilj.exe
C:\umozopb\ucegtilj.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1728
- C:\umozopb\gpxawnyophr.exe
  csl3xnvdgtkv "c:\umozopb\ucegtilj.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\umozopb\lde45vjhr

Filesize
9B

MD5
a73b401c8dfee490339f230dd95c5a52

SHA1
f7091750acaf1abaff06a601e93d05904ae185e3

SHA256
b3e0e3300eddf92f68ca46a393dc8f89752ee33021cbb9e0180e9d00bc3f00c8

SHA512
b85f53c83c14eaee3c2ba1e6205af1b4f6b137e9ee86110298e08c27d04623627c8ce404bcb6be33d49cc60c3ae0ef0bff1055234cb5dc0a8389bd929e385aa9

Download Submit
\umozopb\rvruo4ajv62ihpvvkyfcc.exe

Filesize
500KB

MD5
543967080f5d1269891da9675dea8d39

SHA1
f3ceefbad962e54d9005956dd9e15d297c035f09

SHA256
77bd837d390ad95161995b61080759dab8a130983f58ae4524f497927c2d353a

SHA512
7973ae4a55897d26e20d2fce769c990abfcb8141b86e4a5d25b6b1222dd5b9a626cc0f07d07626c9f85e14e9b8b0994f4dc7c90714ed8b2a4cafd402b084df76

Download Submit