4e5b292c452ce2f3995a772729403df6c6db544ec38b6011e2328326146c3178

Analysis

max time kernel
149s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14/09/2024, 04:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-14_5a0baa63a45c7d14d6e4bc8369b4fdec_bkransomware.exe
Size

502KB
MD5

5a0baa63a45c7d14d6e4bc8369b4fdec
SHA1

72d577f56771ef770221f24188cbdcdc6f3799f9
SHA256

4e5b292c452ce2f3995a772729403df6c6db544ec38b6011e2328326146c3178
SHA512

f25fd0455563d84255a08343eb8075d8679cafb81373f66c3be0dcc4aa8b9ca495a7ed52016aab4da80384939f673e92c8ff435644113791d3586aaf735581ce
SSDEEP

12288:28G7Kt68z9BIpeyDoegR07c3Pl6rpxXOwlQWlG:2zKt68z9CpefRvl6rpxXLqWl

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
3012	khx4agmwhdpmy3elfsoke.exe
1164	zsnwdhzrod.exe
1160	gpccuyzf.exe
2868	zsnwdhzrod.exe

Loads dropped DLL 5 IoCs

pid	Process
2420	2024-09-14_5a0baa63a45c7d14d6e4bc8369b4fdec_bkransomware.exe
2420	2024-09-14_5a0baa63a45c7d14d6e4bc8369b4fdec_bkransomware.exe
1164	zsnwdhzrod.exe
1164	zsnwdhzrod.exe
3012	khx4agmwhdpmy3elfsoke.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\klqrutf\wvs1kbdsv5uj	2024-09-14_5a0baa63a45c7d14d6e4bc8369b4fdec_bkransomware.exe
File created	C:\Windows\klqrutf\wvs1kbdsv5uj	khx4agmwhdpmy3elfsoke.exe
File created	C:\Windows\klqrutf\wvs1kbdsv5uj	zsnwdhzrod.exe
File created	C:\Windows\klqrutf\wvs1kbdsv5uj	gpccuyzf.exe
File created	C:\Windows\klqrutf\wvs1kbdsv5uj	zsnwdhzrod.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-14_5a0baa63a45c7d14d6e4bc8369b4fdec_bkransomware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zsnwdhzrod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gpccuyzf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	khx4agmwhdpmy3elfsoke.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1164	zsnwdhzrod.exe
1160	gpccuyzf.exe
1160	gpccuyzf.exe
1160	gpccuyzf.exe
1160	gpccuyzf.exe
1160	gpccuyzf.exe
1160	gpccuyzf.exe
1160	gpccuyzf.exe
1160	gpccuyzf.exe
1160	gpccuyzf.exe
1160	gpccuyzf.exe
1160	gpccuyzf.exe
1160	gpccuyzf.exe
1160	gpccuyzf.exe
1160	gpccuyzf.exe
1160	gpccuyzf.exe
1160	gpccuyzf.exe
1160	gpccuyzf.exe
1160	gpccuyzf.exe
1160	gpccuyzf.exe
1160	gpccuyzf.exe
1160	gpccuyzf.exe
1160	gpccuyzf.exe
1160	gpccuyzf.exe
1160	gpccuyzf.exe
1160	gpccuyzf.exe
1160	gpccuyzf.exe
1160	gpccuyzf.exe
1160	gpccuyzf.exe
1160	gpccuyzf.exe
1160	gpccuyzf.exe
1160	gpccuyzf.exe
1160	gpccuyzf.exe
1160	gpccuyzf.exe
1160	gpccuyzf.exe
1160	gpccuyzf.exe
1160	gpccuyzf.exe
1160	gpccuyzf.exe
1160	gpccuyzf.exe
1160	gpccuyzf.exe
1160	gpccuyzf.exe
1160	gpccuyzf.exe
1160	gpccuyzf.exe
1160	gpccuyzf.exe
1160	gpccuyzf.exe
1160	gpccuyzf.exe
1160	gpccuyzf.exe
1160	gpccuyzf.exe
1160	gpccuyzf.exe
1160	gpccuyzf.exe
1160	gpccuyzf.exe
1160	gpccuyzf.exe
1160	gpccuyzf.exe
1160	gpccuyzf.exe
1160	gpccuyzf.exe
1160	gpccuyzf.exe
1160	gpccuyzf.exe
1160	gpccuyzf.exe
1160	gpccuyzf.exe
1160	gpccuyzf.exe
1160	gpccuyzf.exe
1160	gpccuyzf.exe
1160	gpccuyzf.exe
1160	gpccuyzf.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 3012	2420	2024-09-14_5a0baa63a45c7d14d6e4bc8369b4fdec_bkransomware.exe	30
PID 2420 wrote to memory of 3012	2420	2024-09-14_5a0baa63a45c7d14d6e4bc8369b4fdec_bkransomware.exe	30
PID 2420 wrote to memory of 3012	2420	2024-09-14_5a0baa63a45c7d14d6e4bc8369b4fdec_bkransomware.exe	30
PID 2420 wrote to memory of 3012	2420	2024-09-14_5a0baa63a45c7d14d6e4bc8369b4fdec_bkransomware.exe	30
PID 1164 wrote to memory of 1160	1164	zsnwdhzrod.exe	32
PID 1164 wrote to memory of 1160	1164	zsnwdhzrod.exe	32
PID 1164 wrote to memory of 1160	1164	zsnwdhzrod.exe	32
PID 1164 wrote to memory of 1160	1164	zsnwdhzrod.exe	32
PID 3012 wrote to memory of 2868	3012	khx4agmwhdpmy3elfsoke.exe	33
PID 3012 wrote to memory of 2868	3012	khx4agmwhdpmy3elfsoke.exe	33
PID 3012 wrote to memory of 2868	3012	khx4agmwhdpmy3elfsoke.exe	33
PID 3012 wrote to memory of 2868	3012	khx4agmwhdpmy3elfsoke.exe	33

C:\Users\Admin\AppData\Local\Temp\2024-09-14_5a0baa63a45c7d14d6e4bc8369b4fdec_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-14_5a0baa63a45c7d14d6e4bc8369b4fdec_bkransomware.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2420
- C:\klqrutf\khx4agmwhdpmy3elfsoke.exe
  "C:\klqrutf\khx4agmwhdpmy3elfsoke.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\klqrutf\zsnwdhzrod.exe
    "C:\klqrutf\zsnwdhzrod.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2868

C:\klqrutf\zsnwdhzrod.exe
C:\klqrutf\zsnwdhzrod.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1164
- C:\klqrutf\gpccuyzf.exe
  hfqg1gcfshur "c:\klqrutf\zsnwdhzrod.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\klqrutf\khx4agmwhdpmy3elfsoke.exe

Filesize
502KB

MD5
5a0baa63a45c7d14d6e4bc8369b4fdec

SHA1
72d577f56771ef770221f24188cbdcdc6f3799f9

SHA256
4e5b292c452ce2f3995a772729403df6c6db544ec38b6011e2328326146c3178

SHA512
f25fd0455563d84255a08343eb8075d8679cafb81373f66c3be0dcc4aa8b9ca495a7ed52016aab4da80384939f673e92c8ff435644113791d3586aaf735581ce

Download Submit
C:\klqrutf\wvs1kbdsv5uj

Filesize
12B

MD5
fd80ed1a6cc5cabaa4a1be92745b8b41

SHA1
61d5d6250a668304320f6b1e078cfa9a710a6d27

SHA256
92d52b31998d5161916c47dd7c15d23fd837ce0c5a99695c04a48054d8403b91

SHA512
fbc50113b783d4142b9ed34c31c9fee7a3a35c4d3d97d7aae07d1007759361382c290b6db6e28662155e98e7ca6a5a88d973a0a073bdb0cd2b29f5aebef48f6f

Download Submit