445e7de052a6d4e8fa7c006ff79e339a71501cb2d7af13504ce89b862749e1dc

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
15/09/2024, 04:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-15_801e2db19f06b7d040622e025ee65fe8_bkransomware.exe
Size

561KB
MD5

801e2db19f06b7d040622e025ee65fe8
SHA1

28278e34cb63a84d2fc4766c622efd1d27550ab9
SHA256

445e7de052a6d4e8fa7c006ff79e339a71501cb2d7af13504ce89b862749e1dc
SHA512

f8d940cc3c31d76f129f79a610adfbaeb1b5a3794972f6f6243ac76309591a6f19b675d771d7f7660616998f7f275f560747232274c70567ef5cbeec8d1fa2a7
SSDEEP

12288:hvxDSTfEmv7AIYL02E1OnYfYemWdEI71dbehS8G4n3W3Rf:hv9GfE7IY42KpfYemip1YS94QRf

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1416	o9pum3z9c4faadeebizws.exe
708	usvgmwk.exe
2144	rtpmcdaovb.exe
3320	usvgmwk.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\tqmkajnek\piqwgknxt	2024-09-15_801e2db19f06b7d040622e025ee65fe8_bkransomware.exe
File created	C:\Windows\tqmkajnek\piqwgknxt	o9pum3z9c4faadeebizws.exe
File created	C:\Windows\tqmkajnek\piqwgknxt	usvgmwk.exe
File created	C:\Windows\tqmkajnek\piqwgknxt	rtpmcdaovb.exe
File created	C:\Windows\tqmkajnek\piqwgknxt	usvgmwk.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rtpmcdaovb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-15_801e2db19f06b7d040622e025ee65fe8_bkransomware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	o9pum3z9c4faadeebizws.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	usvgmwk.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
708	usvgmwk.exe
708	usvgmwk.exe
2144	rtpmcdaovb.exe
2144	rtpmcdaovb.exe
2144	rtpmcdaovb.exe
2144	rtpmcdaovb.exe
2144	rtpmcdaovb.exe
2144	rtpmcdaovb.exe
2144	rtpmcdaovb.exe
2144	rtpmcdaovb.exe
2144	rtpmcdaovb.exe
2144	rtpmcdaovb.exe
2144	rtpmcdaovb.exe
2144	rtpmcdaovb.exe
2144	rtpmcdaovb.exe
2144	rtpmcdaovb.exe
2144	rtpmcdaovb.exe
2144	rtpmcdaovb.exe
2144	rtpmcdaovb.exe
2144	rtpmcdaovb.exe
2144	rtpmcdaovb.exe
2144	rtpmcdaovb.exe
2144	rtpmcdaovb.exe
2144	rtpmcdaovb.exe
2144	rtpmcdaovb.exe
2144	rtpmcdaovb.exe
2144	rtpmcdaovb.exe
2144	rtpmcdaovb.exe
2144	rtpmcdaovb.exe
2144	rtpmcdaovb.exe
2144	rtpmcdaovb.exe
2144	rtpmcdaovb.exe
2144	rtpmcdaovb.exe
2144	rtpmcdaovb.exe
2144	rtpmcdaovb.exe
2144	rtpmcdaovb.exe
2144	rtpmcdaovb.exe
2144	rtpmcdaovb.exe
2144	rtpmcdaovb.exe
2144	rtpmcdaovb.exe
2144	rtpmcdaovb.exe
2144	rtpmcdaovb.exe
2144	rtpmcdaovb.exe
2144	rtpmcdaovb.exe
2144	rtpmcdaovb.exe
2144	rtpmcdaovb.exe
2144	rtpmcdaovb.exe
2144	rtpmcdaovb.exe
2144	rtpmcdaovb.exe
2144	rtpmcdaovb.exe
2144	rtpmcdaovb.exe
2144	rtpmcdaovb.exe
2144	rtpmcdaovb.exe
2144	rtpmcdaovb.exe
2144	rtpmcdaovb.exe
2144	rtpmcdaovb.exe
2144	rtpmcdaovb.exe
2144	rtpmcdaovb.exe
2144	rtpmcdaovb.exe
2144	rtpmcdaovb.exe
2144	rtpmcdaovb.exe
2144	rtpmcdaovb.exe
2144	rtpmcdaovb.exe
2144	rtpmcdaovb.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 1416	2820	2024-09-15_801e2db19f06b7d040622e025ee65fe8_bkransomware.exe	83
PID 2820 wrote to memory of 1416	2820	2024-09-15_801e2db19f06b7d040622e025ee65fe8_bkransomware.exe	83
PID 2820 wrote to memory of 1416	2820	2024-09-15_801e2db19f06b7d040622e025ee65fe8_bkransomware.exe	83
PID 708 wrote to memory of 2144	708	usvgmwk.exe	86
PID 708 wrote to memory of 2144	708	usvgmwk.exe	86
PID 708 wrote to memory of 2144	708	usvgmwk.exe	86
PID 1416 wrote to memory of 3320	1416	o9pum3z9c4faadeebizws.exe	90
PID 1416 wrote to memory of 3320	1416	o9pum3z9c4faadeebizws.exe	90
PID 1416 wrote to memory of 3320	1416	o9pum3z9c4faadeebizws.exe	90

C:\Users\Admin\AppData\Local\Temp\2024-09-15_801e2db19f06b7d040622e025ee65fe8_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-15_801e2db19f06b7d040622e025ee65fe8_bkransomware.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2820
- C:\tqmkajnek\o9pum3z9c4faadeebizws.exe
  "C:\tqmkajnek\o9pum3z9c4faadeebizws.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1416
- - C:\tqmkajnek\usvgmwk.exe
    "C:\tqmkajnek\usvgmwk.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:3320

C:\tqmkajnek\usvgmwk.exe
C:\tqmkajnek\usvgmwk.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:708
- C:\tqmkajnek\rtpmcdaovb.exe
  uxse7asfn1b9 "c:\tqmkajnek\usvgmwk.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\tqmkajnek\o9pum3z9c4faadeebizws.exe

Filesize
561KB

MD5
801e2db19f06b7d040622e025ee65fe8

SHA1
28278e34cb63a84d2fc4766c622efd1d27550ab9

SHA256
445e7de052a6d4e8fa7c006ff79e339a71501cb2d7af13504ce89b862749e1dc

SHA512
f8d940cc3c31d76f129f79a610adfbaeb1b5a3794972f6f6243ac76309591a6f19b675d771d7f7660616998f7f275f560747232274c70567ef5cbeec8d1fa2a7

Download Submit
C:\tqmkajnek\piqwgknxt

Filesize
10B

MD5
4f570612c43ce98e49763a021b3abe30

SHA1
390d178194e39c4564aee1c26a1dfb54e3c5b6a9

SHA256
dcc095d10d0ea406aac17805c8fe2dbc71f7e3ed9b799e3eb65aad6d68710acc

SHA512
5668142e96a012b653e4f62a63ed245506101e74e3f04f66b533b09502b5943d180861e8dfa67751aca2b872ea85cf62f6feb5e25faaed9f62d8931e2069ec51

Download Submit