21b0cdbf4ce15a8606f103dc15ef5b9b607a0596a7160e6d36fc1055c3f0222f

Analysis

max time kernel
149s
max time network
146s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
11/08/2024, 04:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-11_aca4b88193b6df5281dda9e333302877_bkransomware.exe
Size

606KB
MD5

aca4b88193b6df5281dda9e333302877
SHA1

5914ba681d37c464a2c195bf18cf54bff4851dc2
SHA256

21b0cdbf4ce15a8606f103dc15ef5b9b607a0596a7160e6d36fc1055c3f0222f
SHA512

df3431a8aab9727a81ca9f48198683fd6d6af0019235d8dc5e36ea2f92bf6a1a7b826be92035bbba0e47df7759b0f083a57b8de7499b0bd6cb9cbfc078f7dde5
SSDEEP

12288:TZpFLY7soBNomZ+V0vGiNRl6y6lY/YCk:tphY7sjXV1iV6XlY/O

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2088	e8oq4agtb0nxzxwcmkbzqe.exe
2244	zxognvkmrm.exe
2420	klnrqxn.exe
1968	zxognvkmrm.exe

Loads dropped DLL 6 IoCs

pid	Process
2552	2024-08-11_aca4b88193b6df5281dda9e333302877_bkransomware.exe
2552	2024-08-11_aca4b88193b6df5281dda9e333302877_bkransomware.exe
2244	zxognvkmrm.exe
2244	zxognvkmrm.exe
2088	e8oq4agtb0nxzxwcmkbzqe.exe
2088	e8oq4agtb0nxzxwcmkbzqe.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\gkwhjiv\uqzejeqsu	2024-08-11_aca4b88193b6df5281dda9e333302877_bkransomware.exe
File created	C:\Windows\gkwhjiv\uqzejeqsu	e8oq4agtb0nxzxwcmkbzqe.exe
File created	C:\Windows\gkwhjiv\uqzejeqsu	zxognvkmrm.exe
File created	C:\Windows\gkwhjiv\uqzejeqsu	klnrqxn.exe
File created	C:\Windows\gkwhjiv\uqzejeqsu	zxognvkmrm.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-11_aca4b88193b6df5281dda9e333302877_bkransomware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zxognvkmrm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	klnrqxn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e8oq4agtb0nxzxwcmkbzqe.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2244	zxognvkmrm.exe
2420	klnrqxn.exe
2420	klnrqxn.exe
2420	klnrqxn.exe
2420	klnrqxn.exe
2420	klnrqxn.exe
2420	klnrqxn.exe
2420	klnrqxn.exe
2420	klnrqxn.exe
2420	klnrqxn.exe
2420	klnrqxn.exe
2420	klnrqxn.exe
2420	klnrqxn.exe
2420	klnrqxn.exe
2420	klnrqxn.exe
2420	klnrqxn.exe
2420	klnrqxn.exe
2420	klnrqxn.exe
2420	klnrqxn.exe
2420	klnrqxn.exe
2420	klnrqxn.exe
2420	klnrqxn.exe
2420	klnrqxn.exe
2420	klnrqxn.exe
2420	klnrqxn.exe
2420	klnrqxn.exe
2420	klnrqxn.exe
2420	klnrqxn.exe
2420	klnrqxn.exe
2420	klnrqxn.exe
2420	klnrqxn.exe
2420	klnrqxn.exe
2420	klnrqxn.exe
2420	klnrqxn.exe
2420	klnrqxn.exe
2420	klnrqxn.exe
2420	klnrqxn.exe
2420	klnrqxn.exe
2420	klnrqxn.exe
2420	klnrqxn.exe
2420	klnrqxn.exe
2420	klnrqxn.exe
2420	klnrqxn.exe
2420	klnrqxn.exe
2420	klnrqxn.exe
2420	klnrqxn.exe
2420	klnrqxn.exe
2420	klnrqxn.exe
2420	klnrqxn.exe
2420	klnrqxn.exe
2420	klnrqxn.exe
2420	klnrqxn.exe
2420	klnrqxn.exe
2420	klnrqxn.exe
2420	klnrqxn.exe
2420	klnrqxn.exe
2420	klnrqxn.exe
2420	klnrqxn.exe
2420	klnrqxn.exe
2420	klnrqxn.exe
2420	klnrqxn.exe
2420	klnrqxn.exe
2420	klnrqxn.exe
2420	klnrqxn.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 2088	2552	2024-08-11_aca4b88193b6df5281dda9e333302877_bkransomware.exe	30
PID 2552 wrote to memory of 2088	2552	2024-08-11_aca4b88193b6df5281dda9e333302877_bkransomware.exe	30
PID 2552 wrote to memory of 2088	2552	2024-08-11_aca4b88193b6df5281dda9e333302877_bkransomware.exe	30
PID 2552 wrote to memory of 2088	2552	2024-08-11_aca4b88193b6df5281dda9e333302877_bkransomware.exe	30
PID 2244 wrote to memory of 2420	2244	zxognvkmrm.exe	32
PID 2244 wrote to memory of 2420	2244	zxognvkmrm.exe	32
PID 2244 wrote to memory of 2420	2244	zxognvkmrm.exe	32
PID 2244 wrote to memory of 2420	2244	zxognvkmrm.exe	32
PID 2088 wrote to memory of 1968	2088	e8oq4agtb0nxzxwcmkbzqe.exe	33
PID 2088 wrote to memory of 1968	2088	e8oq4agtb0nxzxwcmkbzqe.exe	33
PID 2088 wrote to memory of 1968	2088	e8oq4agtb0nxzxwcmkbzqe.exe	33
PID 2088 wrote to memory of 1968	2088	e8oq4agtb0nxzxwcmkbzqe.exe	33

C:\Users\Admin\AppData\Local\Temp\2024-08-11_aca4b88193b6df5281dda9e333302877_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-11_aca4b88193b6df5281dda9e333302877_bkransomware.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2552
- C:\gkwhjiv\e8oq4agtb0nxzxwcmkbzqe.exe
  "C:\gkwhjiv\e8oq4agtb0nxzxwcmkbzqe.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\gkwhjiv\zxognvkmrm.exe
    "C:\gkwhjiv\zxognvkmrm.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:1968

C:\gkwhjiv\zxognvkmrm.exe
C:\gkwhjiv\zxognvkmrm.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2244
- C:\gkwhjiv\klnrqxn.exe
  ur8gql2rkqbh "c:\gkwhjiv\zxognvkmrm.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\gkwhjiv\uqzejeqsu

Filesize
10B

MD5
48ae6b017c3b1d00df1941cd19ed9670

SHA1
1014798f2b955476f34c775595396ca012a49935

SHA256
1e1b9a3b7fb10e29ba2721db3d8499e26ee8d0d4215de9612d8195c321bbef07

SHA512
f78bb4ebdc9ec931b82de1385fee4d9d7818c6087034446e446fe96718cc8bcf45dd7a491a166fefb9d58aac952edae5941477a5469a17735f09b7d0f63484e4

Download Submit
\gkwhjiv\e8oq4agtb0nxzxwcmkbzqe.exe

Filesize
606KB

MD5
aca4b88193b6df5281dda9e333302877

SHA1
5914ba681d37c464a2c195bf18cf54bff4851dc2

SHA256
21b0cdbf4ce15a8606f103dc15ef5b9b607a0596a7160e6d36fc1055c3f0222f

SHA512
df3431a8aab9727a81ca9f48198683fd6d6af0019235d8dc5e36ea2f92bf6a1a7b826be92035bbba0e47df7759b0f083a57b8de7499b0bd6cb9cbfc078f7dde5

Download Submit