77bd837d390ad95161995b61080759dab8a130983f58ae4524f497927c2d353a

Analysis

max time kernel
150s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09-08-2024 04:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-09_543967080f5d1269891da9675dea8d39_bkransomware.exe
Size

500KB
MD5

543967080f5d1269891da9675dea8d39
SHA1

f3ceefbad962e54d9005956dd9e15d297c035f09
SHA256

77bd837d390ad95161995b61080759dab8a130983f58ae4524f497927c2d353a
SHA512

7973ae4a55897d26e20d2fce769c990abfcb8141b86e4a5d25b6b1222dd5b9a626cc0f07d07626c9f85e14e9b8b0994f4dc7c90714ed8b2a4cafd402b084df76
SSDEEP

6144:X89/vRmS+JLeKdBpzBftU+mzBowukFYPQvqkSesYdy9A8QXnJYc77I//2QZo0SLq:upsRe6sBuLSc19bQ3Gg2bo0SKbp

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
4876	rvruo3z9awlihpvvkyfcc.exe
4992	ucegtilj.exe
3964	gpxawnyophr.exe
3260	ucegtilj.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\umozopb\lde45vjhr	2024-08-09_543967080f5d1269891da9675dea8d39_bkransomware.exe
File created	C:\Windows\umozopb\lde45vjhr	rvruo3z9awlihpvvkyfcc.exe
File created	C:\Windows\umozopb\lde45vjhr	ucegtilj.exe
File created	C:\Windows\umozopb\lde45vjhr	gpxawnyophr.exe
File created	C:\Windows\umozopb\lde45vjhr	ucegtilj.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-09_543967080f5d1269891da9675dea8d39_bkransomware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rvruo3z9awlihpvvkyfcc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ucegtilj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gpxawnyophr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4992	ucegtilj.exe
4992	ucegtilj.exe
3964	gpxawnyophr.exe
3964	gpxawnyophr.exe
3964	gpxawnyophr.exe
3964	gpxawnyophr.exe
3964	gpxawnyophr.exe
3964	gpxawnyophr.exe
3964	gpxawnyophr.exe
3964	gpxawnyophr.exe
3964	gpxawnyophr.exe
3964	gpxawnyophr.exe
3964	gpxawnyophr.exe
3964	gpxawnyophr.exe
3964	gpxawnyophr.exe
3964	gpxawnyophr.exe
3964	gpxawnyophr.exe
3964	gpxawnyophr.exe
3964	gpxawnyophr.exe
3964	gpxawnyophr.exe
3964	gpxawnyophr.exe
3964	gpxawnyophr.exe
3964	gpxawnyophr.exe
3964	gpxawnyophr.exe
3964	gpxawnyophr.exe
3964	gpxawnyophr.exe
3964	gpxawnyophr.exe
3964	gpxawnyophr.exe
3964	gpxawnyophr.exe
3964	gpxawnyophr.exe
3964	gpxawnyophr.exe
3964	gpxawnyophr.exe
3964	gpxawnyophr.exe
3964	gpxawnyophr.exe
3964	gpxawnyophr.exe
3964	gpxawnyophr.exe
3964	gpxawnyophr.exe
3964	gpxawnyophr.exe
3964	gpxawnyophr.exe
3964	gpxawnyophr.exe
3964	gpxawnyophr.exe
3964	gpxawnyophr.exe
3964	gpxawnyophr.exe
3964	gpxawnyophr.exe
3964	gpxawnyophr.exe
3964	gpxawnyophr.exe
3964	gpxawnyophr.exe
3964	gpxawnyophr.exe
3964	gpxawnyophr.exe
3964	gpxawnyophr.exe
3964	gpxawnyophr.exe
3964	gpxawnyophr.exe
3964	gpxawnyophr.exe
3964	gpxawnyophr.exe
3964	gpxawnyophr.exe
3964	gpxawnyophr.exe
3964	gpxawnyophr.exe
3964	gpxawnyophr.exe
3964	gpxawnyophr.exe
3964	gpxawnyophr.exe
3964	gpxawnyophr.exe
3964	gpxawnyophr.exe
3964	gpxawnyophr.exe
3964	gpxawnyophr.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1472 wrote to memory of 4876	1472	2024-08-09_543967080f5d1269891da9675dea8d39_bkransomware.exe	83
PID 1472 wrote to memory of 4876	1472	2024-08-09_543967080f5d1269891da9675dea8d39_bkransomware.exe	83
PID 1472 wrote to memory of 4876	1472	2024-08-09_543967080f5d1269891da9675dea8d39_bkransomware.exe	83
PID 4992 wrote to memory of 3964	4992	ucegtilj.exe	87
PID 4992 wrote to memory of 3964	4992	ucegtilj.exe	87
PID 4992 wrote to memory of 3964	4992	ucegtilj.exe	87
PID 4876 wrote to memory of 3260	4876	rvruo3z9awlihpvvkyfcc.exe	89
PID 4876 wrote to memory of 3260	4876	rvruo3z9awlihpvvkyfcc.exe	89
PID 4876 wrote to memory of 3260	4876	rvruo3z9awlihpvvkyfcc.exe	89

C:\Users\Admin\AppData\Local\Temp\2024-08-09_543967080f5d1269891da9675dea8d39_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-09_543967080f5d1269891da9675dea8d39_bkransomware.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1472
- C:\umozopb\rvruo3z9awlihpvvkyfcc.exe
  "C:\umozopb\rvruo3z9awlihpvvkyfcc.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4876
- - C:\umozopb\ucegtilj.exe
    "C:\umozopb\ucegtilj.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:3260

C:\umozopb\ucegtilj.exe
C:\umozopb\ucegtilj.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4992
- C:\umozopb\gpxawnyophr.exe
  csl3xnvdgtkv "c:\umozopb\ucegtilj.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\umozopb\lde45vjhr

Filesize
9B

MD5
a73b401c8dfee490339f230dd95c5a52

SHA1
f7091750acaf1abaff06a601e93d05904ae185e3

SHA256
b3e0e3300eddf92f68ca46a393dc8f89752ee33021cbb9e0180e9d00bc3f00c8

SHA512
b85f53c83c14eaee3c2ba1e6205af1b4f6b137e9ee86110298e08c27d04623627c8ce404bcb6be33d49cc60c3ae0ef0bff1055234cb5dc0a8389bd929e385aa9

Download Submit
C:\umozopb\rvruo3z9awlihpvvkyfcc.exe

Filesize
500KB

MD5
543967080f5d1269891da9675dea8d39

SHA1
f3ceefbad962e54d9005956dd9e15d297c035f09

SHA256
77bd837d390ad95161995b61080759dab8a130983f58ae4524f497927c2d353a

SHA512
7973ae4a55897d26e20d2fce769c990abfcb8141b86e4a5d25b6b1222dd5b9a626cc0f07d07626c9f85e14e9b8b0994f4dc7c90714ed8b2a4cafd402b084df76

Download Submit