Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 09-09-2024 04:45
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-09-09_82108b0716c4d0e89ce1b5a369a764bf_bkransomware.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 2024-09-09_82108b0716c4d0e89ce1b5a369a764bf_bkransomware.exe
  Resource: win10v2004-20240802-en
General
- Target: 2024-09-09_82108b0716c4d0e89ce1b5a369a764bf_bkransomware.exe
- Size: 468KB
- MD5: 82108b0716c4d0e89ce1b5a369a764bf
- SHA1: 7df8f114349d97c6a0f2f4f0014ef6a94996b9e3
- SHA256: dcadc70cd3c5fe7e1b4d1afb690cc78d5b7dd8506a050beacbf69a16903b63f3
- SHA512: 8259b2fb74434fa32708632cd293416840d8125c4ff47ddc7e87d1fcbd7240d384f741fa2a191e0fbcde7dd9c74c37e058d1b9af906b40a128e657405dcce327
- SSDEEP: 12288:j7aEYDcezGIEU2/rHdfFKZkYmPR/njqmKYk:j7goiCDda7Arq/Y
Malware Config
Signatures
- Executes dropped EXE (4 IoCs)
  pid   Process
  1288  ea44agx7fvxni0dbq.exe
  2740  rkesdpcq.exe
  2696  smztxivmxlvo.exe
  2564  rkesdpcq.exe
- Loads dropped DLL (6 IoCs)
  pid   Process
  1984  2024-09-09_82108b0716c4d0e89ce1b5a369a764bf_bkransomware.exe
  1984  2024-09-09_82108b0716c4d0e89ce1b5a369a764bf_bkransomware.exe
  2740  rkesdpcq.exe
  2740  rkesdpcq.exe
  1288  ea44agx7fvxni0dbq.exe
  1288  ea44agx7fvxni0dbq.exe
- Drops file in Windows directory (5 IoCs)
  description   ioc                              Process
  File created  C:\Windows\norajeqcquc\s3cnhc6   rkesdpcq.exe
  File created  C:\Windows\norajeqcquc\s3cnhc6   2024-09-09_82108b0716c4d0e89ce1b5a369a764bf_bkransomware.exe
  File created  C:\Windows\norajeqcquc\s3cnhc6   ea44agx7fvxni0dbq.exe
  File created  C:\Windows\norajeqcquc\s3cnhc6   rkesdpcq.exe
  File created  C:\Windows\norajeqcquc\s3cnhc6   smztxivmxlvo.exe
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  2024-09-09_82108b0716c4d0e89ce1b5a369a764bf_bkransomware.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rkesdpcq.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  smztxivmxlvo.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ea44agx7fvxni0dbq.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process           entries
  2740  rkesdpcq.exe      1
  2696  smztxivmxlvo.exe  63 (all remaining entries are identical to this row)
- Suspicious use of WriteProcessMemory (12 IoCs; each row below appears four times in the report)
  description                        pid   Process                                                        procid_target
  PID 1984 wrote to memory of 1288   1984  2024-09-09_82108b0716c4d0e89ce1b5a369a764bf_bkransomware.exe   31
  PID 2740 wrote to memory of 2696   2740  rkesdpcq.exe                                                   33
  PID 1288 wrote to memory of 2564   1288  ea44agx7fvxni0dbq.exe                                          34
Processes (process tree; indentation shows the parent/child relationship)

1. C:\Users\Admin\AppData\Local\Temp\2024-09-09_82108b0716c4d0e89ce1b5a369a764bf_bkransomware.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2024-09-09_82108b0716c4d0e89ce1b5a369a764bf_bkransomware.exe"
   PID: 1984
   - Loads dropped DLL
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\norajeqcquc\ea44agx7fvxni0dbq.exe
      Command line: "C:\norajeqcquc\ea44agx7fvxni0dbq.exe"
      PID: 1288
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\norajeqcquc\rkesdpcq.exe
         Command line: "C:\norajeqcquc\rkesdpcq.exe"
         PID: 2564
         - Executes dropped EXE
         - Drops file in Windows directory

1. C:\norajeqcquc\rkesdpcq.exe
   Command line: C:\norajeqcquc\rkesdpcq.exe
   PID: 2740
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\norajeqcquc\smztxivmxlvo.exe
      Command line: ybdnbf7zyyv2 "c:\norajeqcquc\rkesdpcq.exe"
      PID: 2696
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 11B
  MD5: 8503d7211d113c23e88234c87cd8d5f1
  SHA1: 2de184f9001169fe18fd6403001dba71228252e9
  SHA256: f41f54e8241724d962ce4ddd60bdd44ed17381a871cc4e388eeb13d121538f2d
  SHA512: ba0406bec23995d9d71f34827b8fbbd8a959e8fd62e577c8ca83e53d86db09ea4bd5f7d0722a1f5b27b422a35d7438d2511ca2c8e991ff2db28c9fe7ed99c826
- Filesize: 468KB
  MD5: 82108b0716c4d0e89ce1b5a369a764bf
  SHA1: 7df8f114349d97c6a0f2f4f0014ef6a94996b9e3
  SHA256: dcadc70cd3c5fe7e1b4d1afb690cc78d5b7dd8506a050beacbf69a16903b63f3
  SHA512: 8259b2fb74434fa32708632cd293416840d8125c4ff47ddc7e87d1fcbd7240d384f741fa2a191e0fbcde7dd9c74c37e058d1b9af906b40a128e657405dcce327