1cf05c2631ff179ecd0c3467dc660f4a0629a29cf4c069e5446cad8a06706fb2

Analysis

max time kernel
149s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 05:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-19_316a72174f0b49b8dbca02cf47f5a8c9_bkransomware.exe
Size

588KB
MD5

316a72174f0b49b8dbca02cf47f5a8c9
SHA1

e5c3ebaf8ca202f506e4dd8156fd246fc2d2bca1
SHA256

1cf05c2631ff179ecd0c3467dc660f4a0629a29cf4c069e5446cad8a06706fb2
SHA512

ba739dd24a7c8fcb8725a2b3dc3bcf6cfd0d239208cfa0fa22716722a62901fa0ae8dbd296afe650f15b240e8523ea3a041577d75e81620a3e022ce665eee86b
SSDEEP

12288:oO7gxJOeF5niCosYxsYS9BT5yH0maoUajx6CjlrJQ0BGgb:oOMxJLF5Mh2YSPT5nmRUaNRJQQb

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2388	bh4agonrecatr1zoqbx.exe
1508	lzbglmlfzvg.exe
2104	jctwobgkrhs.exe
2856	lzbglmlfzvg.exe

Loads dropped DLL 6 IoCs

pid	Process
2128	2024-09-19_316a72174f0b49b8dbca02cf47f5a8c9_bkransomware.exe
2128	2024-09-19_316a72174f0b49b8dbca02cf47f5a8c9_bkransomware.exe
1508	lzbglmlfzvg.exe
1508	lzbglmlfzvg.exe
2388	bh4agonrecatr1zoqbx.exe
2388	bh4agonrecatr1zoqbx.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\dmwtwpu\khtvrxhsmpze	lzbglmlfzvg.exe
File created	C:\Windows\dmwtwpu\khtvrxhsmpze	jctwobgkrhs.exe
File created	C:\Windows\dmwtwpu\khtvrxhsmpze	lzbglmlfzvg.exe
File created	C:\Windows\dmwtwpu\khtvrxhsmpze	2024-09-19_316a72174f0b49b8dbca02cf47f5a8c9_bkransomware.exe
File created	C:\Windows\dmwtwpu\khtvrxhsmpze	bh4agonrecatr1zoqbx.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lzbglmlfzvg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jctwobgkrhs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bh4agonrecatr1zoqbx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-19_316a72174f0b49b8dbca02cf47f5a8c9_bkransomware.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1508	lzbglmlfzvg.exe
2104	jctwobgkrhs.exe
2104	jctwobgkrhs.exe
2104	jctwobgkrhs.exe
2104	jctwobgkrhs.exe
2104	jctwobgkrhs.exe
2104	jctwobgkrhs.exe
2104	jctwobgkrhs.exe
2104	jctwobgkrhs.exe
2104	jctwobgkrhs.exe
2104	jctwobgkrhs.exe
2104	jctwobgkrhs.exe
2104	jctwobgkrhs.exe
2104	jctwobgkrhs.exe
2104	jctwobgkrhs.exe
2104	jctwobgkrhs.exe
2104	jctwobgkrhs.exe
2104	jctwobgkrhs.exe
2104	jctwobgkrhs.exe
2104	jctwobgkrhs.exe
2104	jctwobgkrhs.exe
2104	jctwobgkrhs.exe
2104	jctwobgkrhs.exe
2104	jctwobgkrhs.exe
2104	jctwobgkrhs.exe
2104	jctwobgkrhs.exe
2104	jctwobgkrhs.exe
2104	jctwobgkrhs.exe
2104	jctwobgkrhs.exe
2104	jctwobgkrhs.exe
2104	jctwobgkrhs.exe
2104	jctwobgkrhs.exe
2104	jctwobgkrhs.exe
2104	jctwobgkrhs.exe
2104	jctwobgkrhs.exe
2104	jctwobgkrhs.exe
2104	jctwobgkrhs.exe
2104	jctwobgkrhs.exe
2104	jctwobgkrhs.exe
2104	jctwobgkrhs.exe
2104	jctwobgkrhs.exe
2104	jctwobgkrhs.exe
2104	jctwobgkrhs.exe
2104	jctwobgkrhs.exe
2104	jctwobgkrhs.exe
2104	jctwobgkrhs.exe
2104	jctwobgkrhs.exe
2104	jctwobgkrhs.exe
2104	jctwobgkrhs.exe
2104	jctwobgkrhs.exe
2104	jctwobgkrhs.exe
2104	jctwobgkrhs.exe
2104	jctwobgkrhs.exe
2104	jctwobgkrhs.exe
2104	jctwobgkrhs.exe
2104	jctwobgkrhs.exe
2104	jctwobgkrhs.exe
2104	jctwobgkrhs.exe
2104	jctwobgkrhs.exe
2104	jctwobgkrhs.exe
2104	jctwobgkrhs.exe
2104	jctwobgkrhs.exe
2104	jctwobgkrhs.exe
2104	jctwobgkrhs.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 2388	2128	2024-09-19_316a72174f0b49b8dbca02cf47f5a8c9_bkransomware.exe	30
PID 2128 wrote to memory of 2388	2128	2024-09-19_316a72174f0b49b8dbca02cf47f5a8c9_bkransomware.exe	30
PID 2128 wrote to memory of 2388	2128	2024-09-19_316a72174f0b49b8dbca02cf47f5a8c9_bkransomware.exe	30
PID 2128 wrote to memory of 2388	2128	2024-09-19_316a72174f0b49b8dbca02cf47f5a8c9_bkransomware.exe	30
PID 1508 wrote to memory of 2104	1508	lzbglmlfzvg.exe	32
PID 1508 wrote to memory of 2104	1508	lzbglmlfzvg.exe	32
PID 1508 wrote to memory of 2104	1508	lzbglmlfzvg.exe	32
PID 1508 wrote to memory of 2104	1508	lzbglmlfzvg.exe	32
PID 2388 wrote to memory of 2856	2388	bh4agonrecatr1zoqbx.exe	33
PID 2388 wrote to memory of 2856	2388	bh4agonrecatr1zoqbx.exe	33
PID 2388 wrote to memory of 2856	2388	bh4agonrecatr1zoqbx.exe	33
PID 2388 wrote to memory of 2856	2388	bh4agonrecatr1zoqbx.exe	33

C:\Users\Admin\AppData\Local\Temp\2024-09-19_316a72174f0b49b8dbca02cf47f5a8c9_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-19_316a72174f0b49b8dbca02cf47f5a8c9_bkransomware.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2128
- C:\dmwtwpu\bh4agonrecatr1zoqbx.exe
  "C:\dmwtwpu\bh4agonrecatr1zoqbx.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\dmwtwpu\lzbglmlfzvg.exe
    "C:\dmwtwpu\lzbglmlfzvg.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2856

C:\dmwtwpu\lzbglmlfzvg.exe
C:\dmwtwpu\lzbglmlfzvg.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1508
- C:\dmwtwpu\jctwobgkrhs.exe
  nukvwmhmzcgn "c:\dmwtwpu\lzbglmlfzvg.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\dmwtwpu\khtvrxhsmpze

Filesize
12B

MD5
03ebc6ff8d35e01933ed09aa0820baee

SHA1
d34505e7b60551c409e9194c4ea9483aa4887f0d

SHA256
9aab02957536c65572bfe2d3544fe6036e619fdffb1413d38d739df44aeddbb7

SHA512
38612e52576f7f81ba02f3faf27c4c66a7e6e10de3ce32793c350978d69a03ad1ff4933949dd866c009638d36f28f78f0a82587634a4765d6b2b6fe952abefd1

Download Submit
\dmwtwpu\bh4agonrecatr1zoqbx.exe

Filesize
588KB

MD5
316a72174f0b49b8dbca02cf47f5a8c9

SHA1
e5c3ebaf8ca202f506e4dd8156fd246fc2d2bca1

SHA256
1cf05c2631ff179ecd0c3467dc660f4a0629a29cf4c069e5446cad8a06706fb2

SHA512
ba739dd24a7c8fcb8725a2b3dc3bcf6cfd0d239208cfa0fa22716722a62901fa0ae8dbd296afe650f15b240e8523ea3a041577d75e81620a3e022ce665eee86b

Download Submit