e06203ec570606b612e53884a99c919e93ae680692f2a098c2d70f59cb70efb8

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 04:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-19_4a1bf476419484d4cb9c2ef1c7b11b0e_bkransomware.exe
Size

599KB
MD5

4a1bf476419484d4cb9c2ef1c7b11b0e
SHA1

4c1ac9e4f1db1629d877e3092a7e87877ef35ab5
SHA256

e06203ec570606b612e53884a99c919e93ae680692f2a098c2d70f59cb70efb8
SHA512

33302ab1a5f60f29aa60df49d6cab0df0bce8aecc7497c645b40e4ae2bfda11a109177ba3863215dcb47fed46abc2a111f6cb14584526320faba3fc7d442145b
SSDEEP

6144:1/Zbe13Hlxre+yOxtV+zEguVQfwxlAU4n3X/lcntqPGHbx1JjN:1Rbe3xa+5xtV3gukpU4n/lAtt7dN

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
4108	ijb53z9j82acypgjcqljw.exe
2792	jndfrlwkoww.exe
3372	mqlvfyah.exe
4968	jndfrlwkoww.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\sdbkitywphrenls\gr6o2l	2024-09-19_4a1bf476419484d4cb9c2ef1c7b11b0e_bkransomware.exe
File created	C:\Windows\sdbkitywphrenls\gr6o2l	ijb53z9j82acypgjcqljw.exe
File created	C:\Windows\sdbkitywphrenls\gr6o2l	jndfrlwkoww.exe
File created	C:\Windows\sdbkitywphrenls\gr6o2l	mqlvfyah.exe
File created	C:\Windows\sdbkitywphrenls\gr6o2l	jndfrlwkoww.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-19_4a1bf476419484d4cb9c2ef1c7b11b0e_bkransomware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ijb53z9j82acypgjcqljw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jndfrlwkoww.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mqlvfyah.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2792	jndfrlwkoww.exe
2792	jndfrlwkoww.exe
3372	mqlvfyah.exe
3372	mqlvfyah.exe
3372	mqlvfyah.exe
3372	mqlvfyah.exe
3372	mqlvfyah.exe
3372	mqlvfyah.exe
3372	mqlvfyah.exe
3372	mqlvfyah.exe
3372	mqlvfyah.exe
3372	mqlvfyah.exe
3372	mqlvfyah.exe
3372	mqlvfyah.exe
3372	mqlvfyah.exe
3372	mqlvfyah.exe
3372	mqlvfyah.exe
3372	mqlvfyah.exe
3372	mqlvfyah.exe
3372	mqlvfyah.exe
3372	mqlvfyah.exe
3372	mqlvfyah.exe
3372	mqlvfyah.exe
3372	mqlvfyah.exe
3372	mqlvfyah.exe
3372	mqlvfyah.exe
3372	mqlvfyah.exe
3372	mqlvfyah.exe
3372	mqlvfyah.exe
3372	mqlvfyah.exe
3372	mqlvfyah.exe
3372	mqlvfyah.exe
3372	mqlvfyah.exe
3372	mqlvfyah.exe
3372	mqlvfyah.exe
3372	mqlvfyah.exe
3372	mqlvfyah.exe
3372	mqlvfyah.exe
3372	mqlvfyah.exe
3372	mqlvfyah.exe
3372	mqlvfyah.exe
3372	mqlvfyah.exe
3372	mqlvfyah.exe
3372	mqlvfyah.exe
3372	mqlvfyah.exe
3372	mqlvfyah.exe
3372	mqlvfyah.exe
3372	mqlvfyah.exe
3372	mqlvfyah.exe
3372	mqlvfyah.exe
3372	mqlvfyah.exe
3372	mqlvfyah.exe
3372	mqlvfyah.exe
3372	mqlvfyah.exe
3372	mqlvfyah.exe
3372	mqlvfyah.exe
3372	mqlvfyah.exe
3372	mqlvfyah.exe
3372	mqlvfyah.exe
3372	mqlvfyah.exe
3372	mqlvfyah.exe
3372	mqlvfyah.exe
3372	mqlvfyah.exe
3372	mqlvfyah.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5020 wrote to memory of 4108	5020	2024-09-19_4a1bf476419484d4cb9c2ef1c7b11b0e_bkransomware.exe	83
PID 5020 wrote to memory of 4108	5020	2024-09-19_4a1bf476419484d4cb9c2ef1c7b11b0e_bkransomware.exe	83
PID 5020 wrote to memory of 4108	5020	2024-09-19_4a1bf476419484d4cb9c2ef1c7b11b0e_bkransomware.exe	83
PID 2792 wrote to memory of 3372	2792	jndfrlwkoww.exe	85
PID 2792 wrote to memory of 3372	2792	jndfrlwkoww.exe	85
PID 2792 wrote to memory of 3372	2792	jndfrlwkoww.exe	85
PID 4108 wrote to memory of 4968	4108	ijb53z9j82acypgjcqljw.exe	86
PID 4108 wrote to memory of 4968	4108	ijb53z9j82acypgjcqljw.exe	86
PID 4108 wrote to memory of 4968	4108	ijb53z9j82acypgjcqljw.exe	86

C:\Users\Admin\AppData\Local\Temp\2024-09-19_4a1bf476419484d4cb9c2ef1c7b11b0e_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-19_4a1bf476419484d4cb9c2ef1c7b11b0e_bkransomware.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5020
- C:\sdbkitywphrenls\ijb53z9j82acypgjcqljw.exe
  "C:\sdbkitywphrenls\ijb53z9j82acypgjcqljw.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4108
- - C:\sdbkitywphrenls\jndfrlwkoww.exe
    "C:\sdbkitywphrenls\jndfrlwkoww.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:4968

C:\sdbkitywphrenls\jndfrlwkoww.exe
C:\sdbkitywphrenls\jndfrlwkoww.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2792
- C:\sdbkitywphrenls\mqlvfyah.exe
  bkplztm3j6sz "c:\sdbkitywphrenls\jndfrlwkoww.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\sdbkitywphrenls\gr6o2l

Filesize
7B

MD5
122a39d00783b0aeceedf4c8030185b6

SHA1
5ab4c7d80374a17aa99ef19fa2fc5def55895a87

SHA256
07cb79903b6df6a07cb7bd5c367eef308db2f856ed1516afba4933cea9713418

SHA512
f7332a1bd7d538f7470943de7f38d4babf2f26d9b89a0fb6a1501160846fc7458c01c807c1a81b582b32e826e09eadc247574867bdc1e1f07d3dfd300e3dd15d

Download Submit
C:\sdbkitywphrenls\ijb53z9j82acypgjcqljw.exe

Filesize
599KB

MD5
4a1bf476419484d4cb9c2ef1c7b11b0e

SHA1
4c1ac9e4f1db1629d877e3092a7e87877ef35ab5

SHA256
e06203ec570606b612e53884a99c919e93ae680692f2a098c2d70f59cb70efb8

SHA512
33302ab1a5f60f29aa60df49d6cab0df0bce8aecc7497c645b40e4ae2bfda11a109177ba3863215dcb47fed46abc2a111f6cb14584526320faba3fc7d442145b

Download Submit
C:\sdbkitywphrenls\twjqiuvz

Filesize
4B

MD5
9856b096adc14e09e015a9b2701c4d5a

SHA1
8d9940de3b8b572fc095465fff6d3b7a342c02bc

SHA256
235cedfb62a7a9fd73618c7a82b4ff342a7cee3f8941aa61648b31f626196944

SHA512
3b9a3cb4c57f646e5d5aa8175a29e84d8ea79b5478497423bfcc48717b55e701bf9e5b21cbede531e81fb8480ef0fb73a38082ce0f501cdbbc2c03f6c87a2fbe

Download Submit