a5620cc4ba32d3c89d7ba9e245c5f62bd607f9f8446a3a1169600fa640fd6224

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 05:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-19_cd26fa78f1ffd0e529a04ec4403b6f28_bkransomware.exe
Size

606KB
MD5

cd26fa78f1ffd0e529a04ec4403b6f28
SHA1

d44cb3ab04e572eea10fd9c9a531af58fc312101
SHA256

a5620cc4ba32d3c89d7ba9e245c5f62bd607f9f8446a3a1169600fa640fd6224
SHA512

10c990c9d4632e73e52b58769a06b101b719d27277f8cf1ab2cd74c1d2105214dc020b9175eea178db65df21c373b99bf708bc389cacc75d31d7dd4d355b8ab1
SSDEEP

12288:pjGDKEOdJb/rqM/rHTC920va4agXe/Z3uGEHM252/R62OMwu8:VGDKEO72amXWduGf25eR6Xn5

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2776	hceymohdm.exe
2128	fxvbspdgm.exe
2712	hceymohdm.exe

Loads dropped DLL 3 IoCs

pid	Process
2776	hceymohdm.exe
2776	hceymohdm.exe
1152	2024-09-19_cd26fa78f1ffd0e529a04ec4403b6f28_bkransomware.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\lmwowlhvlbpky\gurrinku	2024-09-19_cd26fa78f1ffd0e529a04ec4403b6f28_bkransomware.exe
File created	C:\Windows\lmwowlhvlbpky\gurrinku	hceymohdm.exe
File created	C:\Windows\lmwowlhvlbpky\gurrinku	fxvbspdgm.exe
File created	C:\Windows\lmwowlhvlbpky\gurrinku	hceymohdm.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-19_cd26fa78f1ffd0e529a04ec4403b6f28_bkransomware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hceymohdm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fxvbspdgm.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2776	hceymohdm.exe
2128	fxvbspdgm.exe
2128	fxvbspdgm.exe
2128	fxvbspdgm.exe
2128	fxvbspdgm.exe
2128	fxvbspdgm.exe
2128	fxvbspdgm.exe
2128	fxvbspdgm.exe
2128	fxvbspdgm.exe
2128	fxvbspdgm.exe
2128	fxvbspdgm.exe
2128	fxvbspdgm.exe
2128	fxvbspdgm.exe
2128	fxvbspdgm.exe
2128	fxvbspdgm.exe
2128	fxvbspdgm.exe
2128	fxvbspdgm.exe
2128	fxvbspdgm.exe
2128	fxvbspdgm.exe
2128	fxvbspdgm.exe
2128	fxvbspdgm.exe
2128	fxvbspdgm.exe
2128	fxvbspdgm.exe
2128	fxvbspdgm.exe
2128	fxvbspdgm.exe
2128	fxvbspdgm.exe
2128	fxvbspdgm.exe
2128	fxvbspdgm.exe
2128	fxvbspdgm.exe
2128	fxvbspdgm.exe
2128	fxvbspdgm.exe
2128	fxvbspdgm.exe
2128	fxvbspdgm.exe
2128	fxvbspdgm.exe
2128	fxvbspdgm.exe
2128	fxvbspdgm.exe
2128	fxvbspdgm.exe
2128	fxvbspdgm.exe
2128	fxvbspdgm.exe
2128	fxvbspdgm.exe
2128	fxvbspdgm.exe
2128	fxvbspdgm.exe
2128	fxvbspdgm.exe
2128	fxvbspdgm.exe
2128	fxvbspdgm.exe
2128	fxvbspdgm.exe
2128	fxvbspdgm.exe
2128	fxvbspdgm.exe
2128	fxvbspdgm.exe
2128	fxvbspdgm.exe
2128	fxvbspdgm.exe
2128	fxvbspdgm.exe
2128	fxvbspdgm.exe
2128	fxvbspdgm.exe
2128	fxvbspdgm.exe
2128	fxvbspdgm.exe
2128	fxvbspdgm.exe
2128	fxvbspdgm.exe
2128	fxvbspdgm.exe
2128	fxvbspdgm.exe
2128	fxvbspdgm.exe
2128	fxvbspdgm.exe
2128	fxvbspdgm.exe
2128	fxvbspdgm.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2776 wrote to memory of 2128	2776	hceymohdm.exe	32
PID 2776 wrote to memory of 2128	2776	hceymohdm.exe	32
PID 2776 wrote to memory of 2128	2776	hceymohdm.exe	32
PID 2776 wrote to memory of 2128	2776	hceymohdm.exe	32
PID 1152 wrote to memory of 2712	1152	2024-09-19_cd26fa78f1ffd0e529a04ec4403b6f28_bkransomware.exe	33
PID 1152 wrote to memory of 2712	1152	2024-09-19_cd26fa78f1ffd0e529a04ec4403b6f28_bkransomware.exe	33
PID 1152 wrote to memory of 2712	1152	2024-09-19_cd26fa78f1ffd0e529a04ec4403b6f28_bkransomware.exe	33
PID 1152 wrote to memory of 2712	1152	2024-09-19_cd26fa78f1ffd0e529a04ec4403b6f28_bkransomware.exe	33

C:\Users\Admin\AppData\Local\Temp\2024-09-19_cd26fa78f1ffd0e529a04ec4403b6f28_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-19_cd26fa78f1ffd0e529a04ec4403b6f28_bkransomware.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1152
- C:\lmwowlhvlbpky\hceymohdm.exe
  "C:\lmwowlhvlbpky\hceymohdm.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:2712

C:\lmwowlhvlbpky\hceymohdm.exe
C:\lmwowlhvlbpky\hceymohdm.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2776
- C:\lmwowlhvlbpky\fxvbspdgm.exe
  qmygxsrmr9tk "c:\lmwowlhvlbpky\hceymohdm.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\lmwowlhvlbpky\gurrinku

Filesize
6B

MD5
8ba0ad98e0210bae8c6738654b1cb01d

SHA1
b4da58002c07cebd40f73e2c4e230a74604f359d

SHA256
841e7cbcfe8b8198d0f9ac2a701f261458c003a52b8c9b2fc29dad1e0b9c8d57

SHA512
051cb35962f652573e7ed0241a528bbb081cf519a2466ecbce472d5b526c6feb46e63254a84a30658b1d4ddd2abce01e2c859f4816186d5e23dd63d601d7796f

Download Submit
C:\lmwowlhvlbpky\hceymohdm.exe

Filesize
606KB

MD5
cd26fa78f1ffd0e529a04ec4403b6f28

SHA1
d44cb3ab04e572eea10fd9c9a531af58fc312101

SHA256
a5620cc4ba32d3c89d7ba9e245c5f62bd607f9f8446a3a1169600fa640fd6224

SHA512
10c990c9d4632e73e52b58769a06b101b719d27277f8cf1ab2cd74c1d2105214dc020b9175eea178db65df21c373b99bf708bc389cacc75d31d7dd4d355b8ab1

Download Submit