530b82b48c4ab1526c9170dd60318c8e81e0b7fcdc0a4d3424b1646429c46d2a

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08-09-2024 04:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-08_2458e1d6ff80206e3d6ea9c3a6b55753_bkransomware.exe
Size

572KB
MD5

2458e1d6ff80206e3d6ea9c3a6b55753
SHA1

4c926021e75d047046f31b0686902fcaaa624776
SHA256

530b82b48c4ab1526c9170dd60318c8e81e0b7fcdc0a4d3424b1646429c46d2a
SHA512

55a216f5a5afda90b8b89892a928dfb389c263d400d9833b6b3dfc0f065286fe1245233f9943f018cf9a744805cfb689865d52419d0ad66edd78df07c076c86f
SSDEEP

12288:/loxIFEhdsE17hjUaYdmZkllJ80LhxJW:toxIFENjU8kTJthx

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2164	owr3z9v7xtrbtosmrlr.exe
3104	vyxutvirp.exe
836	jzmfstq.exe
4876	vyxutvirp.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\gtolxyiatd\wrkyuah0zxjb	vyxutvirp.exe
File created	C:\Windows\gtolxyiatd\wrkyuah0zxjb	2024-09-08_2458e1d6ff80206e3d6ea9c3a6b55753_bkransomware.exe
File created	C:\Windows\gtolxyiatd\wrkyuah0zxjb	owr3z9v7xtrbtosmrlr.exe
File created	C:\Windows\gtolxyiatd\wrkyuah0zxjb	vyxutvirp.exe
File created	C:\Windows\gtolxyiatd\wrkyuah0zxjb	jzmfstq.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-08_2458e1d6ff80206e3d6ea9c3a6b55753_bkransomware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	owr3z9v7xtrbtosmrlr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vyxutvirp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jzmfstq.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3104	vyxutvirp.exe
3104	vyxutvirp.exe
836	jzmfstq.exe
836	jzmfstq.exe
836	jzmfstq.exe
836	jzmfstq.exe
836	jzmfstq.exe
836	jzmfstq.exe
836	jzmfstq.exe
836	jzmfstq.exe
836	jzmfstq.exe
836	jzmfstq.exe
836	jzmfstq.exe
836	jzmfstq.exe
836	jzmfstq.exe
836	jzmfstq.exe
836	jzmfstq.exe
836	jzmfstq.exe
836	jzmfstq.exe
836	jzmfstq.exe
836	jzmfstq.exe
836	jzmfstq.exe
836	jzmfstq.exe
836	jzmfstq.exe
836	jzmfstq.exe
836	jzmfstq.exe
836	jzmfstq.exe
836	jzmfstq.exe
836	jzmfstq.exe
836	jzmfstq.exe
836	jzmfstq.exe
836	jzmfstq.exe
836	jzmfstq.exe
836	jzmfstq.exe
836	jzmfstq.exe
836	jzmfstq.exe
836	jzmfstq.exe
836	jzmfstq.exe
836	jzmfstq.exe
836	jzmfstq.exe
836	jzmfstq.exe
836	jzmfstq.exe
836	jzmfstq.exe
836	jzmfstq.exe
836	jzmfstq.exe
836	jzmfstq.exe
836	jzmfstq.exe
836	jzmfstq.exe
836	jzmfstq.exe
836	jzmfstq.exe
836	jzmfstq.exe
836	jzmfstq.exe
836	jzmfstq.exe
836	jzmfstq.exe
836	jzmfstq.exe
836	jzmfstq.exe
836	jzmfstq.exe
836	jzmfstq.exe
836	jzmfstq.exe
836	jzmfstq.exe
836	jzmfstq.exe
836	jzmfstq.exe
836	jzmfstq.exe
836	jzmfstq.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 2164	1700	2024-09-08_2458e1d6ff80206e3d6ea9c3a6b55753_bkransomware.exe	82
PID 1700 wrote to memory of 2164	1700	2024-09-08_2458e1d6ff80206e3d6ea9c3a6b55753_bkransomware.exe	82
PID 1700 wrote to memory of 2164	1700	2024-09-08_2458e1d6ff80206e3d6ea9c3a6b55753_bkransomware.exe	82
PID 3104 wrote to memory of 836	3104	vyxutvirp.exe	86
PID 3104 wrote to memory of 836	3104	vyxutvirp.exe	86
PID 3104 wrote to memory of 836	3104	vyxutvirp.exe	86
PID 2164 wrote to memory of 4876	2164	owr3z9v7xtrbtosmrlr.exe	88
PID 2164 wrote to memory of 4876	2164	owr3z9v7xtrbtosmrlr.exe	88
PID 2164 wrote to memory of 4876	2164	owr3z9v7xtrbtosmrlr.exe	88

C:\Users\Admin\AppData\Local\Temp\2024-09-08_2458e1d6ff80206e3d6ea9c3a6b55753_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-08_2458e1d6ff80206e3d6ea9c3a6b55753_bkransomware.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1700
- C:\gtolxyiatd\owr3z9v7xtrbtosmrlr.exe
  "C:\gtolxyiatd\owr3z9v7xtrbtosmrlr.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2164
- - C:\gtolxyiatd\vyxutvirp.exe
    "C:\gtolxyiatd\vyxutvirp.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:4876

C:\gtolxyiatd\vyxutvirp.exe
C:\gtolxyiatd\vyxutvirp.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3104
- C:\gtolxyiatd\jzmfstq.exe
  hgezyfu1m8ho "c:\gtolxyiatd\vyxutvirp.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\gtolxyiatd\owr3z9v7xtrbtosmrlr.exe

Filesize
572KB

MD5
2458e1d6ff80206e3d6ea9c3a6b55753

SHA1
4c926021e75d047046f31b0686902fcaaa624776

SHA256
530b82b48c4ab1526c9170dd60318c8e81e0b7fcdc0a4d3424b1646429c46d2a

SHA512
55a216f5a5afda90b8b89892a928dfb389c263d400d9833b6b3dfc0f065286fe1245233f9943f018cf9a744805cfb689865d52419d0ad66edd78df07c076c86f

Download Submit
C:\gtolxyiatd\wrkyuah0zxjb

Filesize
7B

MD5
dbf1efccf3318139aa3507d51f73e6c4

SHA1
a5f22c87cdf1d75322be882eab96e4f70274696a

SHA256
6a0a00412ca7991d45aba76216de1f7c3f00b8f5e04a754617cacc0264549379

SHA512
0c4f41ea3bc7f7f9f186293c75916cc0a9305621aaa374e2e7a9ae95f037880273f9c4478c31bbb1076c956a91c050078eb406961d1d1d36ce510ff51a95dc9b

Download Submit