44718da081ac1f1216740fc3cb21d29942be94448d8017e5b6390bebf93f55e2

Analysis

max time kernel
149s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2024, 04:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-18_694e6ab55ee159a15470fb0d483f566a_bkransomware.exe
Size

669KB
MD5

694e6ab55ee159a15470fb0d483f566a
SHA1

ce3d1494e5819b6439d8bd9b48cf7ea9cf0dcd59
SHA256

44718da081ac1f1216740fc3cb21d29942be94448d8017e5b6390bebf93f55e2
SHA512

fe5db8e5794708cbe12024d4c72207ad5cb886c335e51468319a0faa71f80e863c199a103f18fe4ef5f81eceddcdf523e31eab903fb7c330a87c7813b983657d
SSDEEP

12288:SqVsecyI3d2Btvwi6EPabM9PT82fXv2KTwjQj2mAjoMiMBcQ3I2f:SqVsecyItyIi6EPabM9VfXU82Eza3d

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
3396	dmkio3z96s5rahkies2zplkb.exe
1320	xzhbwvj.exe
836	wsdxuxqy.exe
1748	xzhbwvj.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\nyxeklpksucphw\iv6ag1g	wsdxuxqy.exe
File created	C:\Windows\nyxeklpksucphw\iv6ag1g	xzhbwvj.exe
File created	C:\Windows\nyxeklpksucphw\iv6ag1g	2024-08-18_694e6ab55ee159a15470fb0d483f566a_bkransomware.exe
File created	C:\Windows\nyxeklpksucphw\iv6ag1g	dmkio3z96s5rahkies2zplkb.exe
File created	C:\Windows\nyxeklpksucphw\iv6ag1g	xzhbwvj.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-18_694e6ab55ee159a15470fb0d483f566a_bkransomware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dmkio3z96s5rahkies2zplkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xzhbwvj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wsdxuxqy.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1320	xzhbwvj.exe
1320	xzhbwvj.exe
836	wsdxuxqy.exe
836	wsdxuxqy.exe
836	wsdxuxqy.exe
836	wsdxuxqy.exe
836	wsdxuxqy.exe
836	wsdxuxqy.exe
836	wsdxuxqy.exe
836	wsdxuxqy.exe
836	wsdxuxqy.exe
836	wsdxuxqy.exe
836	wsdxuxqy.exe
836	wsdxuxqy.exe
836	wsdxuxqy.exe
836	wsdxuxqy.exe
836	wsdxuxqy.exe
836	wsdxuxqy.exe
836	wsdxuxqy.exe
836	wsdxuxqy.exe
836	wsdxuxqy.exe
836	wsdxuxqy.exe
836	wsdxuxqy.exe
836	wsdxuxqy.exe
836	wsdxuxqy.exe
836	wsdxuxqy.exe
836	wsdxuxqy.exe
836	wsdxuxqy.exe
836	wsdxuxqy.exe
836	wsdxuxqy.exe
836	wsdxuxqy.exe
836	wsdxuxqy.exe
836	wsdxuxqy.exe
836	wsdxuxqy.exe
836	wsdxuxqy.exe
836	wsdxuxqy.exe
836	wsdxuxqy.exe
836	wsdxuxqy.exe
836	wsdxuxqy.exe
836	wsdxuxqy.exe
836	wsdxuxqy.exe
836	wsdxuxqy.exe
836	wsdxuxqy.exe
836	wsdxuxqy.exe
836	wsdxuxqy.exe
836	wsdxuxqy.exe
836	wsdxuxqy.exe
836	wsdxuxqy.exe
836	wsdxuxqy.exe
836	wsdxuxqy.exe
836	wsdxuxqy.exe
836	wsdxuxqy.exe
836	wsdxuxqy.exe
836	wsdxuxqy.exe
836	wsdxuxqy.exe
836	wsdxuxqy.exe
836	wsdxuxqy.exe
836	wsdxuxqy.exe
836	wsdxuxqy.exe
836	wsdxuxqy.exe
836	wsdxuxqy.exe
836	wsdxuxqy.exe
836	wsdxuxqy.exe
836	wsdxuxqy.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 724 wrote to memory of 3396	724	2024-08-18_694e6ab55ee159a15470fb0d483f566a_bkransomware.exe	86
PID 724 wrote to memory of 3396	724	2024-08-18_694e6ab55ee159a15470fb0d483f566a_bkransomware.exe	86
PID 724 wrote to memory of 3396	724	2024-08-18_694e6ab55ee159a15470fb0d483f566a_bkransomware.exe	86
PID 1320 wrote to memory of 836	1320	xzhbwvj.exe	88
PID 1320 wrote to memory of 836	1320	xzhbwvj.exe	88
PID 1320 wrote to memory of 836	1320	xzhbwvj.exe	88
PID 3396 wrote to memory of 1748	3396	dmkio3z96s5rahkies2zplkb.exe	92
PID 3396 wrote to memory of 1748	3396	dmkio3z96s5rahkies2zplkb.exe	92
PID 3396 wrote to memory of 1748	3396	dmkio3z96s5rahkies2zplkb.exe	92

C:\Users\Admin\AppData\Local\Temp\2024-08-18_694e6ab55ee159a15470fb0d483f566a_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-18_694e6ab55ee159a15470fb0d483f566a_bkransomware.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:724
- C:\nyxeklpksucphw\dmkio3z96s5rahkies2zplkb.exe
  "C:\nyxeklpksucphw\dmkio3z96s5rahkies2zplkb.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3396
- - C:\nyxeklpksucphw\xzhbwvj.exe
    "C:\nyxeklpksucphw\xzhbwvj.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:1748

C:\nyxeklpksucphw\xzhbwvj.exe
C:\nyxeklpksucphw\xzhbwvj.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1320
- C:\nyxeklpksucphw\wsdxuxqy.exe
  fxv4uolq0ttp "c:\nyxeklpksucphw\xzhbwvj.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\nyxeklpksucphw\dmkio3z96s5rahkies2zplkb.exe

Filesize
669KB

MD5
694e6ab55ee159a15470fb0d483f566a

SHA1
ce3d1494e5819b6439d8bd9b48cf7ea9cf0dcd59

SHA256
44718da081ac1f1216740fc3cb21d29942be94448d8017e5b6390bebf93f55e2

SHA512
fe5db8e5794708cbe12024d4c72207ad5cb886c335e51468319a0faa71f80e863c199a103f18fe4ef5f81eceddcdf523e31eab903fb7c330a87c7813b983657d

Download Submit
C:\nyxeklpksucphw\iv6ag1g

Filesize
8B

MD5
39e1f64791cbacea18c01dc72c2961e2

SHA1
6103f6caee4d943f212c91eb37f87d9ce6fd10eb

SHA256
b99fa0adc71a718165ce78df43cf9c81a36b0df16579937427b2152d89bd1a93

SHA512
ebb50712e64dbe83bc6a711d0058a774eae153dde50482e6a3bfa206853d1d81c0b6c90cb8fd0a2b08e337cf1b96438da7f62e4a73dc71c852e63876a2a52a78

Download Submit