0d523ce239cd0906cb50eceef4ca08524c243cea059c1e02596b067fa2409f95

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-09-2024 04:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-05_239bb13f733dbcfeeeade84650898342_bkransomware.exe
Size

505KB
MD5

239bb13f733dbcfeeeade84650898342
SHA1

303b7ed5557cce4a8c911505d7e78e9722427361
SHA256

0d523ce239cd0906cb50eceef4ca08524c243cea059c1e02596b067fa2409f95
SHA512

2dd0fc9d51f577604a0d28434f4fbb4dc35fdcfbf9c4aeccd23001af2957485d24be8881d028c5840422e8d1fbb83f3d85f48c215e3eb9f75b9132ce8e1a2b4e
SSDEEP

12288:PHMnmRLEr5RRGD3/8634nUNpCqw0A7xm8g:PHMmRLEr53GT/8C4UNpCqgdm8

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2588	iwh4aif4rxushlo4qng.exe
2760	yrthojjna.exe
2932	qsxpbdqhmm.exe
2740	yrthojjna.exe

Loads dropped DLL 5 IoCs

pid	Process
3056	2024-09-05_239bb13f733dbcfeeeade84650898342_bkransomware.exe
3056	2024-09-05_239bb13f733dbcfeeeade84650898342_bkransomware.exe
2760	yrthojjna.exe
2760	yrthojjna.exe
2588	iwh4aif4rxushlo4qng.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\izprfadf\rdipebz	qsxpbdqhmm.exe
File created	C:\Windows\izprfadf\rdipebz	yrthojjna.exe
File created	C:\Windows\izprfadf\rdipebz	2024-09-05_239bb13f733dbcfeeeade84650898342_bkransomware.exe
File created	C:\Windows\izprfadf\rdipebz	iwh4aif4rxushlo4qng.exe
File created	C:\Windows\izprfadf\rdipebz	yrthojjna.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-05_239bb13f733dbcfeeeade84650898342_bkransomware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yrthojjna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qsxpbdqhmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iwh4aif4rxushlo4qng.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2760	yrthojjna.exe
2932	qsxpbdqhmm.exe
2932	qsxpbdqhmm.exe
2932	qsxpbdqhmm.exe
2932	qsxpbdqhmm.exe
2932	qsxpbdqhmm.exe
2932	qsxpbdqhmm.exe
2932	qsxpbdqhmm.exe
2932	qsxpbdqhmm.exe
2932	qsxpbdqhmm.exe
2932	qsxpbdqhmm.exe
2932	qsxpbdqhmm.exe
2932	qsxpbdqhmm.exe
2932	qsxpbdqhmm.exe
2932	qsxpbdqhmm.exe
2932	qsxpbdqhmm.exe
2932	qsxpbdqhmm.exe
2932	qsxpbdqhmm.exe
2932	qsxpbdqhmm.exe
2932	qsxpbdqhmm.exe
2932	qsxpbdqhmm.exe
2932	qsxpbdqhmm.exe
2932	qsxpbdqhmm.exe
2932	qsxpbdqhmm.exe
2932	qsxpbdqhmm.exe
2932	qsxpbdqhmm.exe
2932	qsxpbdqhmm.exe
2932	qsxpbdqhmm.exe
2932	qsxpbdqhmm.exe
2932	qsxpbdqhmm.exe
2932	qsxpbdqhmm.exe
2932	qsxpbdqhmm.exe
2932	qsxpbdqhmm.exe
2932	qsxpbdqhmm.exe
2932	qsxpbdqhmm.exe
2932	qsxpbdqhmm.exe
2932	qsxpbdqhmm.exe
2932	qsxpbdqhmm.exe
2932	qsxpbdqhmm.exe
2932	qsxpbdqhmm.exe
2932	qsxpbdqhmm.exe
2932	qsxpbdqhmm.exe
2932	qsxpbdqhmm.exe
2932	qsxpbdqhmm.exe
2932	qsxpbdqhmm.exe
2932	qsxpbdqhmm.exe
2932	qsxpbdqhmm.exe
2932	qsxpbdqhmm.exe
2932	qsxpbdqhmm.exe
2932	qsxpbdqhmm.exe
2932	qsxpbdqhmm.exe
2932	qsxpbdqhmm.exe
2932	qsxpbdqhmm.exe
2932	qsxpbdqhmm.exe
2932	qsxpbdqhmm.exe
2932	qsxpbdqhmm.exe
2932	qsxpbdqhmm.exe
2932	qsxpbdqhmm.exe
2932	qsxpbdqhmm.exe
2932	qsxpbdqhmm.exe
2932	qsxpbdqhmm.exe
2932	qsxpbdqhmm.exe
2932	qsxpbdqhmm.exe
2932	qsxpbdqhmm.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 2588	3056	2024-09-05_239bb13f733dbcfeeeade84650898342_bkransomware.exe	29
PID 3056 wrote to memory of 2588	3056	2024-09-05_239bb13f733dbcfeeeade84650898342_bkransomware.exe	29
PID 3056 wrote to memory of 2588	3056	2024-09-05_239bb13f733dbcfeeeade84650898342_bkransomware.exe	29
PID 3056 wrote to memory of 2588	3056	2024-09-05_239bb13f733dbcfeeeade84650898342_bkransomware.exe	29
PID 2760 wrote to memory of 2932	2760	yrthojjna.exe	31
PID 2760 wrote to memory of 2932	2760	yrthojjna.exe	31
PID 2760 wrote to memory of 2932	2760	yrthojjna.exe	31
PID 2760 wrote to memory of 2932	2760	yrthojjna.exe	31
PID 2588 wrote to memory of 2740	2588	iwh4aif4rxushlo4qng.exe	32
PID 2588 wrote to memory of 2740	2588	iwh4aif4rxushlo4qng.exe	32
PID 2588 wrote to memory of 2740	2588	iwh4aif4rxushlo4qng.exe	32
PID 2588 wrote to memory of 2740	2588	iwh4aif4rxushlo4qng.exe	32

C:\Users\Admin\AppData\Local\Temp\2024-09-05_239bb13f733dbcfeeeade84650898342_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-05_239bb13f733dbcfeeeade84650898342_bkransomware.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3056
- C:\izprfadf\iwh4aif4rxushlo4qng.exe
  "C:\izprfadf\iwh4aif4rxushlo4qng.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\izprfadf\yrthojjna.exe
    "C:\izprfadf\yrthojjna.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2740

C:\izprfadf\yrthojjna.exe
C:\izprfadf\yrthojjna.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2760
- C:\izprfadf\qsxpbdqhmm.exe
  wjbyaq3ksfn5 "c:\izprfadf\yrthojjna.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\izprfadf\rdipebz

Filesize
10B

MD5
c903110f2aaa69d64a394f17ad86561d

SHA1
d234593c1cd08bd95d6863d6b4701fe5bae76523

SHA256
0b4e5409e916dfebbf1e2e116c5ceb26386c883521f3d70c48ae311e8651b0e6

SHA512
05c8e23a0be5623d09d6d50caf788903a149c5814fd228247eee2a0409f95a880df42f80488df029f1cf2d351fccf71253be65f8667e24287b17a9ef5663201f

Download Submit
\izprfadf\iwh4aif4rxushlo4qng.exe

Filesize
505KB

MD5
239bb13f733dbcfeeeade84650898342

SHA1
303b7ed5557cce4a8c911505d7e78e9722427361

SHA256
0d523ce239cd0906cb50eceef4ca08524c243cea059c1e02596b067fa2409f95

SHA512
2dd0fc9d51f577604a0d28434f4fbb4dc35fdcfbf9c4aeccd23001af2957485d24be8881d028c5840422e8d1fbb83f3d85f48c215e3eb9f75b9132ce8e1a2b4e

Download Submit