Analysis
- max time kernel: 150s
- max time network: 69s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 29/08/2024, 12:06

Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 2024-08-29_7579555177f0851d82b416c87e4f809d_bkransomware_hijackloader_revil.exe
  - Resource: win7-20240729-en
- Behavioral task: behavioral2
  - Sample: 2024-08-29_7579555177f0851d82b416c87e4f809d_bkransomware_hijackloader_revil.exe
  - Resource: win10v2004-20240802-en
General
- Target: 2024-08-29_7579555177f0851d82b416c87e4f809d_bkransomware_hijackloader_revil.exe
- Size: 15.7MB
- MD5: 7579555177f0851d82b416c87e4f809d
- SHA1: 04998bfed4c632fb42b4be4c52b1b04964b7ad37
- SHA256: be2f54f7285dd05c6054b6560e4576d88e699c858ffd6daa2da3017cb1e6a9ea
- SHA512: ed820f9921006213a6aa9e394814e0d7163c4db314fb349b020551cffe32605d26108d119a47c38a9999af40153c781bd17428c1b9ec0b450c6a5d612945003c
- SSDEEP: 196608:PfEkDV4aV49RjOF5hK9TMICeEnE5rigt/a4PKKOjw+dLnWaKxYfRNrcAGTeOSKxS:3gs09TMJeEnEQoKgaKxYpSAP87w5Fz
Malware Config
Signatures
- Blocklisted process makes network request (2 IoCs)
  - flow 5, pid 2960, msiexec.exe
  - flow 7, pid 2960, msiexec.exe
- Enumerates connected drives (3 TTPs, 64 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  - File opened (read-only) \??\H: by msiexec.exe
  - File opened (read-only) \??\I: by msiexec.exe
  - File opened (read-only) \??\Y: by msiexec.exe
  - File opened (read-only) \??\V: by msiexec.exe
  - File opened (read-only) \??\X: by msiexec.exe
  - File opened (read-only) \??\G: by msiexec.exe
  - File opened (read-only) \??\H: by msiexec.exe
  - File opened (read-only) \??\Z: by msiexec.exe
  - File opened (read-only) \??\E: by msiexec.exe
  - File opened (read-only) \??\N: by msiexec.exe
  - File opened (read-only) \??\M: by msiexec.exe
  - File opened (read-only) \??\E: by 2024-08-29_7579555177f0851d82b416c87e4f809d_bkransomware_hijackloader_revil.exe
  - File opened (read-only) \??\H: by 2024-08-29_7579555177f0851d82b416c87e4f809d_bkransomware_hijackloader_revil.exe
  - File opened (read-only) \??\I: by msiexec.exe
  - File opened (read-only) \??\J: by msiexec.exe
  - File opened (read-only) \??\U: by msiexec.exe
  - File opened (read-only) \??\P: by msiexec.exe
  - File opened (read-only) \??\U: by 2024-08-29_7579555177f0851d82b416c87e4f809d_bkransomware_hijackloader_revil.exe
  - File opened (read-only) \??\Y: by 2024-08-29_7579555177f0851d82b416c87e4f809d_bkransomware_hijackloader_revil.exe
  - File opened (read-only) \??\L: by msiexec.exe
  - File opened (read-only) \??\R: by msiexec.exe
  - File opened (read-only) \??\A: by msiexec.exe
  - File opened (read-only) \??\Q: by msiexec.exe
  - File opened (read-only) \??\J: by 2024-08-29_7579555177f0851d82b416c87e4f809d_bkransomware_hijackloader_revil.exe
  - File opened (read-only) \??\O: by 2024-08-29_7579555177f0851d82b416c87e4f809d_bkransomware_hijackloader_revil.exe
  - File opened (read-only) \??\P: by 2024-08-29_7579555177f0851d82b416c87e4f809d_bkransomware_hijackloader_revil.exe
  - File opened (read-only) \??\Q: by 2024-08-29_7579555177f0851d82b416c87e4f809d_bkransomware_hijackloader_revil.exe
  - File opened (read-only) \??\T: by 2024-08-29_7579555177f0851d82b416c87e4f809d_bkransomware_hijackloader_revil.exe
  - File opened (read-only) \??\X: by 2024-08-29_7579555177f0851d82b416c87e4f809d_bkransomware_hijackloader_revil.exe
  - File opened (read-only) \??\W: by msiexec.exe
  - File opened (read-only) \??\E: by msiexec.exe
  - File opened (read-only) \??\O: by msiexec.exe
  - File opened (read-only) \??\S: by msiexec.exe
  - File opened (read-only) \??\W: by msiexec.exe
  - File opened (read-only) \??\X: by msiexec.exe
  - File opened (read-only) \??\I: by 2024-08-29_7579555177f0851d82b416c87e4f809d_bkransomware_hijackloader_revil.exe
  - File opened (read-only) \??\T: by msiexec.exe
  - File opened (read-only) \??\U: by msiexec.exe
  - File opened (read-only) \??\W: by 2024-08-29_7579555177f0851d82b416c87e4f809d_bkransomware_hijackloader_revil.exe
  - File opened (read-only) \??\Z: by 2024-08-29_7579555177f0851d82b416c87e4f809d_bkransomware_hijackloader_revil.exe
  - File opened (read-only) \??\Y: by msiexec.exe
  - File opened (read-only) \??\L: by 2024-08-29_7579555177f0851d82b416c87e4f809d_bkransomware_hijackloader_revil.exe
  - File opened (read-only) \??\S: by 2024-08-29_7579555177f0851d82b416c87e4f809d_bkransomware_hijackloader_revil.exe
  - File opened (read-only) \??\M: by msiexec.exe
  - File opened (read-only) \??\N: by 2024-08-29_7579555177f0851d82b416c87e4f809d_bkransomware_hijackloader_revil.exe
  - File opened (read-only) \??\P: by msiexec.exe
  - File opened (read-only) \??\Q: by msiexec.exe
  - File opened (read-only) \??\B: by msiexec.exe
  - File opened (read-only) \??\J: by msiexec.exe
  - File opened (read-only) \??\V: by 2024-08-29_7579555177f0851d82b416c87e4f809d_bkransomware_hijackloader_revil.exe
  - File opened (read-only) \??\G: by msiexec.exe
  - File opened (read-only) \??\O: by msiexec.exe
  - File opened (read-only) \??\K: by msiexec.exe
  - File opened (read-only) \??\G: by 2024-08-29_7579555177f0851d82b416c87e4f809d_bkransomware_hijackloader_revil.exe
  - File opened (read-only) \??\R: by 2024-08-29_7579555177f0851d82b416c87e4f809d_bkransomware_hijackloader_revil.exe
  - File opened (read-only) \??\R: by msiexec.exe
  - File opened (read-only) \??\V: by msiexec.exe
  - File opened (read-only) \??\A: by msiexec.exe
  - File opened (read-only) \??\K: by msiexec.exe
  - File opened (read-only) \??\L: by msiexec.exe
  - File opened (read-only) \??\N: by msiexec.exe
  - File opened (read-only) \??\K: by 2024-08-29_7579555177f0851d82b416c87e4f809d_bkransomware_hijackloader_revil.exe
  - File opened (read-only) \??\B: by msiexec.exe
  - File opened (read-only) \??\T: by msiexec.exe
- Loads dropped DLL (2 IoCs)
  - pid 2416, MsiExec.exe
  - pid 2416, MsiExec.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 2024-08-29_7579555177f0851d82b416c87e4f809d_bkransomware_hijackloader_revil.exe
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by msiexec.exe
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by MsiExec.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  - pid 2960, msiexec.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  - Token: SeShutdownPrivilege, pid 2960, msiexec.exe
  - Token: SeIncreaseQuotaPrivilege, pid 2960, msiexec.exe
  - Token: SeRestorePrivilege, pid 2520, msiexec.exe
  - Token: SeTakeOwnershipPrivilege, pid 2520, msiexec.exe
  - Token: SeSecurityPrivilege, pid 2520, msiexec.exe
  - Token: SeCreateTokenPrivilege, pid 2960, msiexec.exe
  - Token: SeAssignPrimaryTokenPrivilege, pid 2960, msiexec.exe
  - Token: SeLockMemoryPrivilege, pid 2960, msiexec.exe
  - Token: SeIncreaseQuotaPrivilege, pid 2960, msiexec.exe
  - Token: SeMachineAccountPrivilege, pid 2960, msiexec.exe
  - Token: SeTcbPrivilege, pid 2960, msiexec.exe
  - Token: SeSecurityPrivilege, pid 2960, msiexec.exe
  - Token: SeTakeOwnershipPrivilege, pid 2960, msiexec.exe
  - Token: SeLoadDriverPrivilege, pid 2960, msiexec.exe
  - Token: SeSystemProfilePrivilege, pid 2960, msiexec.exe
  - Token: SeSystemtimePrivilege, pid 2960, msiexec.exe
  - Token: SeProfSingleProcessPrivilege, pid 2960, msiexec.exe
  - Token: SeIncBasePriorityPrivilege, pid 2960, msiexec.exe
  - Token: SeCreatePagefilePrivilege, pid 2960, msiexec.exe
  - Token: SeCreatePermanentPrivilege, pid 2960, msiexec.exe
  - Token: SeBackupPrivilege, pid 2960, msiexec.exe
  - Token: SeRestorePrivilege, pid 2960, msiexec.exe
  - Token: SeShutdownPrivilege, pid 2960, msiexec.exe
  - Token: SeDebugPrivilege, pid 2960, msiexec.exe
  - Token: SeAuditPrivilege, pid 2960, msiexec.exe
  - Token: SeSystemEnvironmentPrivilege, pid 2960, msiexec.exe
  - Token: SeChangeNotifyPrivilege, pid 2960, msiexec.exe
  - Token: SeRemoteShutdownPrivilege, pid 2960, msiexec.exe
  - Token: SeUndockPrivilege, pid 2960, msiexec.exe
  - Token: SeSyncAgentPrivilege, pid 2960, msiexec.exe
  - Token: SeEnableDelegationPrivilege, pid 2960, msiexec.exe
  - Token: SeManageVolumePrivilege, pid 2960, msiexec.exe
  - Token: SeImpersonatePrivilege, pid 2960, msiexec.exe
  - Token: SeCreateGlobalPrivilege, pid 2960, msiexec.exe
  - Token: SeCreateTokenPrivilege, pid 2960, msiexec.exe
  - Token: SeAssignPrimaryTokenPrivilege, pid 2960, msiexec.exe
  - Token: SeLockMemoryPrivilege, pid 2960, msiexec.exe
  - Token: SeIncreaseQuotaPrivilege, pid 2960, msiexec.exe
  - Token: SeMachineAccountPrivilege, pid 2960, msiexec.exe
  - Token: SeTcbPrivilege, pid 2960, msiexec.exe
  - Token: SeSecurityPrivilege, pid 2960, msiexec.exe
  - Token: SeTakeOwnershipPrivilege, pid 2960, msiexec.exe
  - Token: SeLoadDriverPrivilege, pid 2960, msiexec.exe
  - Token: SeSystemProfilePrivilege, pid 2960, msiexec.exe
  - Token: SeSystemtimePrivilege, pid 2960, msiexec.exe
  - Token: SeProfSingleProcessPrivilege, pid 2960, msiexec.exe
  - Token: SeIncBasePriorityPrivilege, pid 2960, msiexec.exe
  - Token: SeCreatePagefilePrivilege, pid 2960, msiexec.exe
  - Token: SeCreatePermanentPrivilege, pid 2960, msiexec.exe
  - Token: SeBackupPrivilege, pid 2960, msiexec.exe
  - Token: SeRestorePrivilege, pid 2960, msiexec.exe
  - Token: SeShutdownPrivilege, pid 2960, msiexec.exe
  - Token: SeDebugPrivilege, pid 2960, msiexec.exe
  - Token: SeAuditPrivilege, pid 2960, msiexec.exe
  - Token: SeSystemEnvironmentPrivilege, pid 2960, msiexec.exe
  - Token: SeChangeNotifyPrivilege, pid 2960, msiexec.exe
  - Token: SeRemoteShutdownPrivilege, pid 2960, msiexec.exe
  - Token: SeUndockPrivilege, pid 2960, msiexec.exe
  - Token: SeSyncAgentPrivilege, pid 2960, msiexec.exe
  - Token: SeEnableDelegationPrivilege, pid 2960, msiexec.exe
  - Token: SeManageVolumePrivilege, pid 2960, msiexec.exe
  - Token: SeImpersonatePrivilege, pid 2960, msiexec.exe
  - Token: SeCreateGlobalPrivilege, pid 2960, msiexec.exe
  - Token: SeCreateTokenPrivilege, pid 2960, msiexec.exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
  - pid 320, 2024-08-29_7579555177f0851d82b416c87e4f809d_bkransomware_hijackloader_revil.exe
  - pid 320, 2024-08-29_7579555177f0851d82b416c87e4f809d_bkransomware_hijackloader_revil.exe
  - pid 2960, msiexec.exe
- Suspicious use of SendNotifyMessage (2 IoCs)
  - pid 320, 2024-08-29_7579555177f0851d82b416c87e4f809d_bkransomware_hijackloader_revil.exe
  - pid 320, 2024-08-29_7579555177f0851d82b416c87e4f809d_bkransomware_hijackloader_revil.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  - pid 320, 2024-08-29_7579555177f0851d82b416c87e4f809d_bkransomware_hijackloader_revil.exe
  - pid 320, 2024-08-29_7579555177f0851d82b416c87e4f809d_bkransomware_hijackloader_revil.exe
  - pid 320, 2024-08-29_7579555177f0851d82b416c87e4f809d_bkransomware_hijackloader_revil.exe
  - pid 320, 2024-08-29_7579555177f0851d82b416c87e4f809d_bkransomware_hijackloader_revil.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  - PID 320 wrote to memory of 2960 (pid 320, 2024-08-29_7579555177f0851d82b416c87e4f809d_bkransomware_hijackloader_revil.exe, procid_target 29)
  - PID 320 wrote to memory of 2960 (pid 320, 2024-08-29_7579555177f0851d82b416c87e4f809d_bkransomware_hijackloader_revil.exe, procid_target 29)
  - PID 320 wrote to memory of 2960 (pid 320, 2024-08-29_7579555177f0851d82b416c87e4f809d_bkransomware_hijackloader_revil.exe, procid_target 29)
  - PID 320 wrote to memory of 2960 (pid 320, 2024-08-29_7579555177f0851d82b416c87e4f809d_bkransomware_hijackloader_revil.exe, procid_target 29)
  - PID 320 wrote to memory of 2960 (pid 320, 2024-08-29_7579555177f0851d82b416c87e4f809d_bkransomware_hijackloader_revil.exe, procid_target 29)
  - PID 320 wrote to memory of 2960 (pid 320, 2024-08-29_7579555177f0851d82b416c87e4f809d_bkransomware_hijackloader_revil.exe, procid_target 29)
  - PID 320 wrote to memory of 2960 (pid 320, 2024-08-29_7579555177f0851d82b416c87e4f809d_bkransomware_hijackloader_revil.exe, procid_target 29)
  - PID 2520 wrote to memory of 2416 (pid 2520, msiexec.exe, procid_target 31)
  - PID 2520 wrote to memory of 2416 (pid 2520, msiexec.exe, procid_target 31)
  - PID 2520 wrote to memory of 2416 (pid 2520, msiexec.exe, procid_target 31)
  - PID 2520 wrote to memory of 2416 (pid 2520, msiexec.exe, procid_target 31)
  - PID 2520 wrote to memory of 2416 (pid 2520, msiexec.exe, procid_target 31)
  - PID 2520 wrote to memory of 2416 (pid 2520, msiexec.exe, procid_target 31)
  - PID 2520 wrote to memory of 2416 (pid 2520, msiexec.exe, procid_target 31)
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-08-29_7579555177f0851d82b416c87e4f809d_bkransomware_hijackloader_revil.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-08-29_7579555177f0851d82b416c87e4f809d_bkransomware_hijackloader_revil.exe"
  PID: 320
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\SysWOW64\msiexec.exe
    Command line: "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\WirelessMedia\WMMeeting.msi"
    PID: 2960
    - Blocklisted process makes network request
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 2520
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 85DB2981B7D051F3C2F4571715DFBAF3 C
    PID: 2416
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads