6e029c517f8bcb6e57a9f739a5b69b8dec035fbff6634b44e1639583823882b3

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 04:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-19_5d5429974341d4a3fe101a5002574e54_bkransomware.exe
Size

511KB
MD5

5d5429974341d4a3fe101a5002574e54
SHA1

637b505409ee8a5c103f264a993db02fa4eefaee
SHA256

6e029c517f8bcb6e57a9f739a5b69b8dec035fbff6634b44e1639583823882b3
SHA512

db7d1e3a1d0a181d558a4d77cefce5175cc42e0350783c1a34eed2a2d4fe521c961d2c44332414a46e7905679eb9aa00fd9084094c9fadd39d243229e6ca38ad
SSDEEP

6144:3YwXP30ywxeLmG0wF/nhmqSZdD3BH1EqfWuaHryLeZ+jYoc380Qovsa0PK3o:3JMP9wFvhCZNd1KrWLeDow80Q8z

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2724	w2xcb4ahemgysjegrbrryhm.exe
2620	whkkjdsxkgjm.exe
2628	xtlanpxgcqdd.exe
2520	whkkjdsxkgjm.exe

Loads dropped DLL 5 IoCs

pid	Process
3028	2024-09-19_5d5429974341d4a3fe101a5002574e54_bkransomware.exe
3028	2024-09-19_5d5429974341d4a3fe101a5002574e54_bkransomware.exe
2620	whkkjdsxkgjm.exe
2620	whkkjdsxkgjm.exe
2724	w2xcb4ahemgysjegrbrryhm.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\ovohjcdywpihne\itzi3ok	2024-09-19_5d5429974341d4a3fe101a5002574e54_bkransomware.exe
File created	C:\Windows\ovohjcdywpihne\itzi3ok	w2xcb4ahemgysjegrbrryhm.exe
File created	C:\Windows\ovohjcdywpihne\itzi3ok	whkkjdsxkgjm.exe
File created	C:\Windows\ovohjcdywpihne\itzi3ok	xtlanpxgcqdd.exe
File created	C:\Windows\ovohjcdywpihne\itzi3ok	whkkjdsxkgjm.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-19_5d5429974341d4a3fe101a5002574e54_bkransomware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	whkkjdsxkgjm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xtlanpxgcqdd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	w2xcb4ahemgysjegrbrryhm.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2620	whkkjdsxkgjm.exe
2628	xtlanpxgcqdd.exe
2628	xtlanpxgcqdd.exe
2628	xtlanpxgcqdd.exe
2628	xtlanpxgcqdd.exe
2628	xtlanpxgcqdd.exe
2628	xtlanpxgcqdd.exe
2628	xtlanpxgcqdd.exe
2628	xtlanpxgcqdd.exe
2628	xtlanpxgcqdd.exe
2628	xtlanpxgcqdd.exe
2628	xtlanpxgcqdd.exe
2628	xtlanpxgcqdd.exe
2628	xtlanpxgcqdd.exe
2628	xtlanpxgcqdd.exe
2628	xtlanpxgcqdd.exe
2628	xtlanpxgcqdd.exe
2628	xtlanpxgcqdd.exe
2628	xtlanpxgcqdd.exe
2628	xtlanpxgcqdd.exe
2628	xtlanpxgcqdd.exe
2628	xtlanpxgcqdd.exe
2628	xtlanpxgcqdd.exe
2628	xtlanpxgcqdd.exe
2628	xtlanpxgcqdd.exe
2628	xtlanpxgcqdd.exe
2628	xtlanpxgcqdd.exe
2628	xtlanpxgcqdd.exe
2628	xtlanpxgcqdd.exe
2628	xtlanpxgcqdd.exe
2628	xtlanpxgcqdd.exe
2628	xtlanpxgcqdd.exe
2628	xtlanpxgcqdd.exe
2628	xtlanpxgcqdd.exe
2628	xtlanpxgcqdd.exe
2628	xtlanpxgcqdd.exe
2628	xtlanpxgcqdd.exe
2628	xtlanpxgcqdd.exe
2628	xtlanpxgcqdd.exe
2628	xtlanpxgcqdd.exe
2628	xtlanpxgcqdd.exe
2628	xtlanpxgcqdd.exe
2628	xtlanpxgcqdd.exe
2628	xtlanpxgcqdd.exe
2628	xtlanpxgcqdd.exe
2628	xtlanpxgcqdd.exe
2628	xtlanpxgcqdd.exe
2628	xtlanpxgcqdd.exe
2628	xtlanpxgcqdd.exe
2628	xtlanpxgcqdd.exe
2628	xtlanpxgcqdd.exe
2628	xtlanpxgcqdd.exe
2628	xtlanpxgcqdd.exe
2628	xtlanpxgcqdd.exe
2628	xtlanpxgcqdd.exe
2628	xtlanpxgcqdd.exe
2628	xtlanpxgcqdd.exe
2628	xtlanpxgcqdd.exe
2628	xtlanpxgcqdd.exe
2628	xtlanpxgcqdd.exe
2628	xtlanpxgcqdd.exe
2628	xtlanpxgcqdd.exe
2628	xtlanpxgcqdd.exe
2628	xtlanpxgcqdd.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 2724	3028	2024-09-19_5d5429974341d4a3fe101a5002574e54_bkransomware.exe	30
PID 3028 wrote to memory of 2724	3028	2024-09-19_5d5429974341d4a3fe101a5002574e54_bkransomware.exe	30
PID 3028 wrote to memory of 2724	3028	2024-09-19_5d5429974341d4a3fe101a5002574e54_bkransomware.exe	30
PID 3028 wrote to memory of 2724	3028	2024-09-19_5d5429974341d4a3fe101a5002574e54_bkransomware.exe	30
PID 2620 wrote to memory of 2628	2620	whkkjdsxkgjm.exe	32
PID 2620 wrote to memory of 2628	2620	whkkjdsxkgjm.exe	32
PID 2620 wrote to memory of 2628	2620	whkkjdsxkgjm.exe	32
PID 2620 wrote to memory of 2628	2620	whkkjdsxkgjm.exe	32
PID 2724 wrote to memory of 2520	2724	w2xcb4ahemgysjegrbrryhm.exe	33
PID 2724 wrote to memory of 2520	2724	w2xcb4ahemgysjegrbrryhm.exe	33
PID 2724 wrote to memory of 2520	2724	w2xcb4ahemgysjegrbrryhm.exe	33
PID 2724 wrote to memory of 2520	2724	w2xcb4ahemgysjegrbrryhm.exe	33

C:\Users\Admin\AppData\Local\Temp\2024-09-19_5d5429974341d4a3fe101a5002574e54_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-19_5d5429974341d4a3fe101a5002574e54_bkransomware.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3028
- C:\ovohjcdywpihne\w2xcb4ahemgysjegrbrryhm.exe
  "C:\ovohjcdywpihne\w2xcb4ahemgysjegrbrryhm.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\ovohjcdywpihne\whkkjdsxkgjm.exe
    "C:\ovohjcdywpihne\whkkjdsxkgjm.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2520

C:\ovohjcdywpihne\whkkjdsxkgjm.exe
C:\ovohjcdywpihne\whkkjdsxkgjm.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2620
- C:\ovohjcdywpihne\xtlanpxgcqdd.exe
  ohggl9iv4ydq "c:\ovohjcdywpihne\whkkjdsxkgjm.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ovohjcdywpihne\itzi3ok

Filesize
8B

MD5
c90a9c1fba3514332c02b4b36fd71b28

SHA1
f1bdec5ad3cabccb8cabf3482ebf5a1268f25dfd

SHA256
54e2f24bac02689612530d991cd613af811f327c3abae5282afa0e56d4ea17ca

SHA512
73041ac6618654f474fcdef774b58dfb672508c514c94bbc51e90ef2a4d668cdd402b8024d5f52d2fd9c189c3430d37b5db4b3740cd32a63872be5af02327d57

Download Submit
\ovohjcdywpihne\w2xcb4ahemgysjegrbrryhm.exe

Filesize
511KB

MD5
5d5429974341d4a3fe101a5002574e54

SHA1
637b505409ee8a5c103f264a993db02fa4eefaee

SHA256
6e029c517f8bcb6e57a9f739a5b69b8dec035fbff6634b44e1639583823882b3

SHA512
db7d1e3a1d0a181d558a4d77cefce5175cc42e0350783c1a34eed2a2d4fe521c961d2c44332414a46e7905679eb9aa00fd9084094c9fadd39d243229e6ca38ad

Download Submit