ca69803ccacca761ea01ed4316e6ae7ca3c23a7d4869eafaf79e47c630dda842

Analysis

max time kernel
149s
max time network
146s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
29/09/2024, 04:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-29_3aa408e062e8242f6f1b6e2ec32bd9b6_bkransomware.exe
Size

507KB
MD5

3aa408e062e8242f6f1b6e2ec32bd9b6
SHA1

bf0d9687326191dec26901ba9cd74cbfffe99b47
SHA256

ca69803ccacca761ea01ed4316e6ae7ca3c23a7d4869eafaf79e47c630dda842
SHA512

26013fd1fc8f685b77f35bd4bb5e7628c04d386cbff4072f6b07851c65595be19c833964ae67ba05a6e264a749e7e8160fc4c8e9a6f4ad01ffbdc50fb569a5bd
SSDEEP

12288:pLRdL+d22j/4xvDITOaHcuSpMSYSRB71Skg4n:9PL+d22j/uITOaHzSujSr1Skg4

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2236	fp4agqo4ij9zd1ou8ad.exe
2316	ebdyrdiupvq.exe
1708	czobiuifm.exe
2804	ebdyrdiupvq.exe

Loads dropped DLL 5 IoCs

pid	Process
2304	2024-09-29_3aa408e062e8242f6f1b6e2ec32bd9b6_bkransomware.exe
2304	2024-09-29_3aa408e062e8242f6f1b6e2ec32bd9b6_bkransomware.exe
2316	ebdyrdiupvq.exe
2316	ebdyrdiupvq.exe
2236	fp4agqo4ij9zd1ou8ad.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\edhembjmfzxqtev\ui4rlya	2024-09-29_3aa408e062e8242f6f1b6e2ec32bd9b6_bkransomware.exe
File created	C:\Windows\edhembjmfzxqtev\ui4rlya	fp4agqo4ij9zd1ou8ad.exe
File created	C:\Windows\edhembjmfzxqtev\ui4rlya	ebdyrdiupvq.exe
File created	C:\Windows\edhembjmfzxqtev\ui4rlya	czobiuifm.exe
File created	C:\Windows\edhembjmfzxqtev\ui4rlya	ebdyrdiupvq.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ebdyrdiupvq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	czobiuifm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fp4agqo4ij9zd1ou8ad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-29_3aa408e062e8242f6f1b6e2ec32bd9b6_bkransomware.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2316	ebdyrdiupvq.exe
1708	czobiuifm.exe
1708	czobiuifm.exe
1708	czobiuifm.exe
1708	czobiuifm.exe
1708	czobiuifm.exe
1708	czobiuifm.exe
1708	czobiuifm.exe
1708	czobiuifm.exe
1708	czobiuifm.exe
1708	czobiuifm.exe
1708	czobiuifm.exe
1708	czobiuifm.exe
1708	czobiuifm.exe
1708	czobiuifm.exe
1708	czobiuifm.exe
1708	czobiuifm.exe
1708	czobiuifm.exe
1708	czobiuifm.exe
1708	czobiuifm.exe
1708	czobiuifm.exe
1708	czobiuifm.exe
1708	czobiuifm.exe
1708	czobiuifm.exe
1708	czobiuifm.exe
1708	czobiuifm.exe
1708	czobiuifm.exe
1708	czobiuifm.exe
1708	czobiuifm.exe
1708	czobiuifm.exe
1708	czobiuifm.exe
1708	czobiuifm.exe
1708	czobiuifm.exe
1708	czobiuifm.exe
1708	czobiuifm.exe
1708	czobiuifm.exe
1708	czobiuifm.exe
1708	czobiuifm.exe
1708	czobiuifm.exe
1708	czobiuifm.exe
1708	czobiuifm.exe
1708	czobiuifm.exe
1708	czobiuifm.exe
1708	czobiuifm.exe
1708	czobiuifm.exe
1708	czobiuifm.exe
1708	czobiuifm.exe
1708	czobiuifm.exe
1708	czobiuifm.exe
1708	czobiuifm.exe
1708	czobiuifm.exe
1708	czobiuifm.exe
1708	czobiuifm.exe
1708	czobiuifm.exe
1708	czobiuifm.exe
1708	czobiuifm.exe
1708	czobiuifm.exe
1708	czobiuifm.exe
1708	czobiuifm.exe
1708	czobiuifm.exe
1708	czobiuifm.exe
1708	czobiuifm.exe
1708	czobiuifm.exe
1708	czobiuifm.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 2236	2304	2024-09-29_3aa408e062e8242f6f1b6e2ec32bd9b6_bkransomware.exe	30
PID 2304 wrote to memory of 2236	2304	2024-09-29_3aa408e062e8242f6f1b6e2ec32bd9b6_bkransomware.exe	30
PID 2304 wrote to memory of 2236	2304	2024-09-29_3aa408e062e8242f6f1b6e2ec32bd9b6_bkransomware.exe	30
PID 2304 wrote to memory of 2236	2304	2024-09-29_3aa408e062e8242f6f1b6e2ec32bd9b6_bkransomware.exe	30
PID 2316 wrote to memory of 1708	2316	ebdyrdiupvq.exe	32
PID 2316 wrote to memory of 1708	2316	ebdyrdiupvq.exe	32
PID 2316 wrote to memory of 1708	2316	ebdyrdiupvq.exe	32
PID 2316 wrote to memory of 1708	2316	ebdyrdiupvq.exe	32
PID 2236 wrote to memory of 2804	2236	fp4agqo4ij9zd1ou8ad.exe	33
PID 2236 wrote to memory of 2804	2236	fp4agqo4ij9zd1ou8ad.exe	33
PID 2236 wrote to memory of 2804	2236	fp4agqo4ij9zd1ou8ad.exe	33
PID 2236 wrote to memory of 2804	2236	fp4agqo4ij9zd1ou8ad.exe	33

C:\Users\Admin\AppData\Local\Temp\2024-09-29_3aa408e062e8242f6f1b6e2ec32bd9b6_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-29_3aa408e062e8242f6f1b6e2ec32bd9b6_bkransomware.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2304
- C:\edhembjmfzxqtev\fp4agqo4ij9zd1ou8ad.exe
  "C:\edhembjmfzxqtev\fp4agqo4ij9zd1ou8ad.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\edhembjmfzxqtev\ebdyrdiupvq.exe
    "C:\edhembjmfzxqtev\ebdyrdiupvq.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2804

C:\edhembjmfzxqtev\ebdyrdiupvq.exe
C:\edhembjmfzxqtev\ebdyrdiupvq.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2316
- C:\edhembjmfzxqtev\czobiuifm.exe
  t3qoshudftzw "c:\edhembjmfzxqtev\ebdyrdiupvq.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\edhembjmfzxqtev\ui4rlya

Filesize
6B

MD5
bffa6e0164b3b29c395f48745fca55df

SHA1
2c08de055ca720d4c9beec757458ba211dd418b5

SHA256
1491d5e9da9d9b08fa8526ee98e5d04668aac5a9d2362f390d81352b8901dbae

SHA512
66944cb311bc8aaf8c278e706d0acd0f618d5ff6bc17969e674c084f646f9ff2765d2db53f22af6565ab76aa225501456b17956398d0e75b1bc3edee7bdfcf47

Download Submit
\edhembjmfzxqtev\fp4agqo4ij9zd1ou8ad.exe

Filesize
507KB

MD5
3aa408e062e8242f6f1b6e2ec32bd9b6

SHA1
bf0d9687326191dec26901ba9cd74cbfffe99b47

SHA256
ca69803ccacca761ea01ed4316e6ae7ca3c23a7d4869eafaf79e47c630dda842

SHA512
26013fd1fc8f685b77f35bd4bb5e7628c04d386cbff4072f6b07851c65595be19c833964ae67ba05a6e264a749e7e8160fc4c8e9a6f4ad01ffbdc50fb569a5bd

Download Submit