Analysis
max time kernel: 149s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-09-2024 04:45
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-09-09_82108b0716c4d0e89ce1b5a369a764bf_bkransomware.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 2024-09-09_82108b0716c4d0e89ce1b5a369a764bf_bkransomware.exe
  Resource: win10v2004-20240802-en
General
Target: 2024-09-09_82108b0716c4d0e89ce1b5a369a764bf_bkransomware.exe
Size: 468KB
MD5: 82108b0716c4d0e89ce1b5a369a764bf
SHA1: 7df8f114349d97c6a0f2f4f0014ef6a94996b9e3
SHA256: dcadc70cd3c5fe7e1b4d1afb690cc78d5b7dd8506a050beacbf69a16903b63f3
SHA512: 8259b2fb74434fa32708632cd293416840d8125c4ff47ddc7e87d1fcbd7240d384f741fa2a191e0fbcde7dd9c74c37e058d1b9af906b40a128e657405dcce327
SSDEEP: 12288:j7aEYDcezGIEU2/rHdfFKZkYmPR/njqmKYk:j7goiCDda7Arq/Y
Malware Config
Signatures
Executes dropped EXE (4 IoCs)
pid   Process
4936  ea43z9ibivxni0dbq.exe
4664  rkesdpcq.exe
4920  smztxivmxlvo.exe
2020  rkesdpcq.exe
Drops file in Windows directory (5 IoCs)
description   ioc                              Process
File created  C:\Windows\norajeqcquc\s3cnhc6   rkesdpcq.exe
File created  C:\Windows\norajeqcquc\s3cnhc6   2024-09-09_82108b0716c4d0e89ce1b5a369a764bf_bkransomware.exe
File created  C:\Windows\norajeqcquc\s3cnhc6   ea43z9ibivxni0dbq.exe
File created  C:\Windows\norajeqcquc\s3cnhc6   rkesdpcq.exe
File created  C:\Windows\norajeqcquc\s3cnhc6   smztxivmxlvo.exe
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  2024-09-09_82108b0716c4d0e89ce1b5a369a764bf_bkransomware.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ea43z9ibivxni0dbq.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rkesdpcq.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  smztxivmxlvo.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid   Process
4664  rkesdpcq.exe      (2 entries)
4920  smztxivmxlvo.exe  (remaining 62 entries, repeated)
Suspicious use of WriteProcessMemory (9 IoCs)
description                       pid   Process                                                        procid_target
PID 448 wrote to memory of 4936   448   2024-09-09_82108b0716c4d0e89ce1b5a369a764bf_bkransomware.exe  83
PID 448 wrote to memory of 4936   448   2024-09-09_82108b0716c4d0e89ce1b5a369a764bf_bkransomware.exe  83
PID 448 wrote to memory of 4936   448   2024-09-09_82108b0716c4d0e89ce1b5a369a764bf_bkransomware.exe  83
PID 4664 wrote to memory of 4920  4664  rkesdpcq.exe                                                   85
PID 4664 wrote to memory of 4920  4664  rkesdpcq.exe                                                   85
PID 4664 wrote to memory of 4920  4664  rkesdpcq.exe                                                   85
PID 4936 wrote to memory of 2020  4936  ea43z9ibivxni0dbq.exe                                          89
PID 4936 wrote to memory of 2020  4936  ea43z9ibivxni0dbq.exe                                          89
PID 4936 wrote to memory of 2020  4936  ea43z9ibivxni0dbq.exe                                          89
Processes
C:\Users\Admin\AppData\Local\Temp\2024-09-09_82108b0716c4d0e89ce1b5a369a764bf_bkransomware.exe (PID 448)
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-09-09_82108b0716c4d0e89ce1b5a369a764bf_bkransomware.exe"
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\norajeqcquc\ea43z9ibivxni0dbq.exe (PID 4936)
    command line: "C:\norajeqcquc\ea43z9ibivxni0dbq.exe"
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\norajeqcquc\rkesdpcq.exe (PID 2020)
      command line: "C:\norajeqcquc\rkesdpcq.exe"
      - Executes dropped EXE
      - Drops file in Windows directory

C:\norajeqcquc\rkesdpcq.exe (PID 4664)
  command line: C:\norajeqcquc\rkesdpcq.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\norajeqcquc\smztxivmxlvo.exe (PID 4920)
    command line: ybdnbf7zyyv2 "c:\norajeqcquc\rkesdpcq.exe"
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 468KB
MD5: 82108b0716c4d0e89ce1b5a369a764bf
SHA1: 7df8f114349d97c6a0f2f4f0014ef6a94996b9e3
SHA256: dcadc70cd3c5fe7e1b4d1afb690cc78d5b7dd8506a050beacbf69a16903b63f3
SHA512: 8259b2fb74434fa32708632cd293416840d8125c4ff47ddc7e87d1fcbd7240d384f741fa2a191e0fbcde7dd9c74c37e058d1b9af906b40a128e657405dcce327

Filesize: 11B
MD5: 8503d7211d113c23e88234c87cd8d5f1
SHA1: 2de184f9001169fe18fd6403001dba71228252e9
SHA256: f41f54e8241724d962ce4ddd60bdd44ed17381a871cc4e388eeb13d121538f2d
SHA512: ba0406bec23995d9d71f34827b8fbbd8a959e8fd62e577c8ca83e53d86db09ea4bd5f7d0722a1f5b27b422a35d7438d2511ca2c8e991ff2db28c9fe7ed99c826