1cf05c2631ff179ecd0c3467dc660f4a0629a29cf4c069e5446cad8a06706fb2

Analysis

max time kernel
149s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 05:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-19_316a72174f0b49b8dbca02cf47f5a8c9_bkransomware.exe
Size

588KB
MD5

316a72174f0b49b8dbca02cf47f5a8c9
SHA1

e5c3ebaf8ca202f506e4dd8156fd246fc2d2bca1
SHA256

1cf05c2631ff179ecd0c3467dc660f4a0629a29cf4c069e5446cad8a06706fb2
SHA512

ba739dd24a7c8fcb8725a2b3dc3bcf6cfd0d239208cfa0fa22716722a62901fa0ae8dbd296afe650f15b240e8523ea3a041577d75e81620a3e022ce665eee86b
SSDEEP

12288:oO7gxJOeF5niCosYxsYS9BT5yH0maoUajx6CjlrJQ0BGgb:oOMxJLF5Mh2YSPT5nmRUaNRJQQb

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1140	bh3z9jwdecatr1zoqbx.exe
2740	lzbglmlfzvg.exe
232	jctwobgkrhs.exe
4392	lzbglmlfzvg.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\dmwtwpu\khtvrxhsmpze	2024-09-19_316a72174f0b49b8dbca02cf47f5a8c9_bkransomware.exe
File created	C:\Windows\dmwtwpu\khtvrxhsmpze	bh3z9jwdecatr1zoqbx.exe
File created	C:\Windows\dmwtwpu\khtvrxhsmpze	lzbglmlfzvg.exe
File created	C:\Windows\dmwtwpu\khtvrxhsmpze	jctwobgkrhs.exe
File created	C:\Windows\dmwtwpu\khtvrxhsmpze	lzbglmlfzvg.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-19_316a72174f0b49b8dbca02cf47f5a8c9_bkransomware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bh3z9jwdecatr1zoqbx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lzbglmlfzvg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jctwobgkrhs.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2740	lzbglmlfzvg.exe
2740	lzbglmlfzvg.exe
232	jctwobgkrhs.exe
232	jctwobgkrhs.exe
232	jctwobgkrhs.exe
232	jctwobgkrhs.exe
232	jctwobgkrhs.exe
232	jctwobgkrhs.exe
232	jctwobgkrhs.exe
232	jctwobgkrhs.exe
232	jctwobgkrhs.exe
232	jctwobgkrhs.exe
232	jctwobgkrhs.exe
232	jctwobgkrhs.exe
232	jctwobgkrhs.exe
232	jctwobgkrhs.exe
232	jctwobgkrhs.exe
232	jctwobgkrhs.exe
232	jctwobgkrhs.exe
232	jctwobgkrhs.exe
232	jctwobgkrhs.exe
232	jctwobgkrhs.exe
232	jctwobgkrhs.exe
232	jctwobgkrhs.exe
232	jctwobgkrhs.exe
232	jctwobgkrhs.exe
232	jctwobgkrhs.exe
232	jctwobgkrhs.exe
232	jctwobgkrhs.exe
232	jctwobgkrhs.exe
232	jctwobgkrhs.exe
232	jctwobgkrhs.exe
232	jctwobgkrhs.exe
232	jctwobgkrhs.exe
232	jctwobgkrhs.exe
232	jctwobgkrhs.exe
232	jctwobgkrhs.exe
232	jctwobgkrhs.exe
232	jctwobgkrhs.exe
232	jctwobgkrhs.exe
232	jctwobgkrhs.exe
232	jctwobgkrhs.exe
232	jctwobgkrhs.exe
232	jctwobgkrhs.exe
232	jctwobgkrhs.exe
232	jctwobgkrhs.exe
232	jctwobgkrhs.exe
232	jctwobgkrhs.exe
232	jctwobgkrhs.exe
232	jctwobgkrhs.exe
232	jctwobgkrhs.exe
232	jctwobgkrhs.exe
232	jctwobgkrhs.exe
232	jctwobgkrhs.exe
232	jctwobgkrhs.exe
232	jctwobgkrhs.exe
232	jctwobgkrhs.exe
232	jctwobgkrhs.exe
232	jctwobgkrhs.exe
232	jctwobgkrhs.exe
232	jctwobgkrhs.exe
232	jctwobgkrhs.exe
232	jctwobgkrhs.exe
232	jctwobgkrhs.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1896 wrote to memory of 1140	1896	2024-09-19_316a72174f0b49b8dbca02cf47f5a8c9_bkransomware.exe	84
PID 1896 wrote to memory of 1140	1896	2024-09-19_316a72174f0b49b8dbca02cf47f5a8c9_bkransomware.exe	84
PID 1896 wrote to memory of 1140	1896	2024-09-19_316a72174f0b49b8dbca02cf47f5a8c9_bkransomware.exe	84
PID 2740 wrote to memory of 232	2740	lzbglmlfzvg.exe	86
PID 2740 wrote to memory of 232	2740	lzbglmlfzvg.exe	86
PID 2740 wrote to memory of 232	2740	lzbglmlfzvg.exe	86
PID 1140 wrote to memory of 4392	1140	bh3z9jwdecatr1zoqbx.exe	87
PID 1140 wrote to memory of 4392	1140	bh3z9jwdecatr1zoqbx.exe	87
PID 1140 wrote to memory of 4392	1140	bh3z9jwdecatr1zoqbx.exe	87

C:\Users\Admin\AppData\Local\Temp\2024-09-19_316a72174f0b49b8dbca02cf47f5a8c9_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-19_316a72174f0b49b8dbca02cf47f5a8c9_bkransomware.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1896
- C:\dmwtwpu\bh3z9jwdecatr1zoqbx.exe
  "C:\dmwtwpu\bh3z9jwdecatr1zoqbx.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1140
- - C:\dmwtwpu\lzbglmlfzvg.exe
    "C:\dmwtwpu\lzbglmlfzvg.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:4392

C:\dmwtwpu\lzbglmlfzvg.exe
C:\dmwtwpu\lzbglmlfzvg.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2740
- C:\dmwtwpu\jctwobgkrhs.exe
  nukvwmhmzcgn "c:\dmwtwpu\lzbglmlfzvg.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\dmwtwpu\bh3z9jwdecatr1zoqbx.exe

Filesize
588KB

MD5
316a72174f0b49b8dbca02cf47f5a8c9

SHA1
e5c3ebaf8ca202f506e4dd8156fd246fc2d2bca1

SHA256
1cf05c2631ff179ecd0c3467dc660f4a0629a29cf4c069e5446cad8a06706fb2

SHA512
ba739dd24a7c8fcb8725a2b3dc3bcf6cfd0d239208cfa0fa22716722a62901fa0ae8dbd296afe650f15b240e8523ea3a041577d75e81620a3e022ce665eee86b

Download Submit
C:\dmwtwpu\khtvrxhsmpze

Filesize
12B

MD5
03ebc6ff8d35e01933ed09aa0820baee

SHA1
d34505e7b60551c409e9194c4ea9483aa4887f0d

SHA256
9aab02957536c65572bfe2d3544fe6036e619fdffb1413d38d739df44aeddbb7

SHA512
38612e52576f7f81ba02f3faf27c4c66a7e6e10de3ce32793c350978d69a03ad1ff4933949dd866c009638d36f28f78f0a82587634a4765d6b2b6fe952abefd1

Download Submit