35751943f6401cd249c42a3b5ca7bc5476fc464809a0812c331df5c03df782f3

Analysis

max time kernel
149s
max time network
146s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
29/09/2024, 04:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-29_ea5b1291b9c496d77cca4a883a44aedd_bkransomware.exe
Size

593KB
MD5

ea5b1291b9c496d77cca4a883a44aedd
SHA1

0de62250ccc7c58fc6ed0507499a726ef50804d8
SHA256

35751943f6401cd249c42a3b5ca7bc5476fc464809a0812c331df5c03df782f3
SHA512

18df3bfa6baf57292ed4492f527fd5c3be40cefe5fe66261f585b7ecd2c5cf33c40c7b460136e94cabb217bbfb4bb336138d3ca7fca74b48aa85a6ad588c2e90
SSDEEP

12288:5aCDS+0w6j4UjdqqEA/3/fX3c77odSyunYrH23uZwx:5aCDS+0JjzdfEk3/fXm7odJrrW+E

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2196	qut4ah2y4hlxjtebwn.exe
2796	mxpgsqwqnzb.exe
2564	cgrmhyzq.exe
2604	mxpgsqwqnzb.exe

Loads dropped DLL 5 IoCs

pid	Process
3060	2024-09-29_ea5b1291b9c496d77cca4a883a44aedd_bkransomware.exe
3060	2024-09-29_ea5b1291b9c496d77cca4a883a44aedd_bkransomware.exe
2796	mxpgsqwqnzb.exe
2796	mxpgsqwqnzb.exe
2196	qut4ah2y4hlxjtebwn.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\rjrprvjxfuberkk\cha6ayihzpn	mxpgsqwqnzb.exe
File created	C:\Windows\rjrprvjxfuberkk\cha6ayihzpn	2024-09-29_ea5b1291b9c496d77cca4a883a44aedd_bkransomware.exe
File created	C:\Windows\rjrprvjxfuberkk\cha6ayihzpn	qut4ah2y4hlxjtebwn.exe
File created	C:\Windows\rjrprvjxfuberkk\cha6ayihzpn	mxpgsqwqnzb.exe
File created	C:\Windows\rjrprvjxfuberkk\cha6ayihzpn	cgrmhyzq.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qut4ah2y4hlxjtebwn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-29_ea5b1291b9c496d77cca4a883a44aedd_bkransomware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mxpgsqwqnzb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cgrmhyzq.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2796	mxpgsqwqnzb.exe
2564	cgrmhyzq.exe
2564	cgrmhyzq.exe
2564	cgrmhyzq.exe
2564	cgrmhyzq.exe
2564	cgrmhyzq.exe
2564	cgrmhyzq.exe
2564	cgrmhyzq.exe
2564	cgrmhyzq.exe
2564	cgrmhyzq.exe
2564	cgrmhyzq.exe
2564	cgrmhyzq.exe
2564	cgrmhyzq.exe
2564	cgrmhyzq.exe
2564	cgrmhyzq.exe
2564	cgrmhyzq.exe
2564	cgrmhyzq.exe
2564	cgrmhyzq.exe
2564	cgrmhyzq.exe
2564	cgrmhyzq.exe
2564	cgrmhyzq.exe
2564	cgrmhyzq.exe
2564	cgrmhyzq.exe
2564	cgrmhyzq.exe
2564	cgrmhyzq.exe
2564	cgrmhyzq.exe
2564	cgrmhyzq.exe
2564	cgrmhyzq.exe
2564	cgrmhyzq.exe
2564	cgrmhyzq.exe
2564	cgrmhyzq.exe
2564	cgrmhyzq.exe
2564	cgrmhyzq.exe
2564	cgrmhyzq.exe
2564	cgrmhyzq.exe
2564	cgrmhyzq.exe
2564	cgrmhyzq.exe
2564	cgrmhyzq.exe
2564	cgrmhyzq.exe
2564	cgrmhyzq.exe
2564	cgrmhyzq.exe
2564	cgrmhyzq.exe
2564	cgrmhyzq.exe
2564	cgrmhyzq.exe
2564	cgrmhyzq.exe
2564	cgrmhyzq.exe
2564	cgrmhyzq.exe
2564	cgrmhyzq.exe
2564	cgrmhyzq.exe
2564	cgrmhyzq.exe
2564	cgrmhyzq.exe
2564	cgrmhyzq.exe
2564	cgrmhyzq.exe
2564	cgrmhyzq.exe
2564	cgrmhyzq.exe
2564	cgrmhyzq.exe
2564	cgrmhyzq.exe
2564	cgrmhyzq.exe
2564	cgrmhyzq.exe
2564	cgrmhyzq.exe
2564	cgrmhyzq.exe
2564	cgrmhyzq.exe
2564	cgrmhyzq.exe
2564	cgrmhyzq.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 2196	3060	2024-09-29_ea5b1291b9c496d77cca4a883a44aedd_bkransomware.exe	30
PID 3060 wrote to memory of 2196	3060	2024-09-29_ea5b1291b9c496d77cca4a883a44aedd_bkransomware.exe	30
PID 3060 wrote to memory of 2196	3060	2024-09-29_ea5b1291b9c496d77cca4a883a44aedd_bkransomware.exe	30
PID 3060 wrote to memory of 2196	3060	2024-09-29_ea5b1291b9c496d77cca4a883a44aedd_bkransomware.exe	30
PID 2796 wrote to memory of 2564	2796	mxpgsqwqnzb.exe	32
PID 2796 wrote to memory of 2564	2796	mxpgsqwqnzb.exe	32
PID 2796 wrote to memory of 2564	2796	mxpgsqwqnzb.exe	32
PID 2796 wrote to memory of 2564	2796	mxpgsqwqnzb.exe	32
PID 2196 wrote to memory of 2604	2196	qut4ah2y4hlxjtebwn.exe	33
PID 2196 wrote to memory of 2604	2196	qut4ah2y4hlxjtebwn.exe	33
PID 2196 wrote to memory of 2604	2196	qut4ah2y4hlxjtebwn.exe	33
PID 2196 wrote to memory of 2604	2196	qut4ah2y4hlxjtebwn.exe	33

C:\Users\Admin\AppData\Local\Temp\2024-09-29_ea5b1291b9c496d77cca4a883a44aedd_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-29_ea5b1291b9c496d77cca4a883a44aedd_bkransomware.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3060
- C:\rjrprvjxfuberkk\qut4ah2y4hlxjtebwn.exe
  "C:\rjrprvjxfuberkk\qut4ah2y4hlxjtebwn.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\rjrprvjxfuberkk\mxpgsqwqnzb.exe
    "C:\rjrprvjxfuberkk\mxpgsqwqnzb.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2604

C:\rjrprvjxfuberkk\mxpgsqwqnzb.exe
C:\rjrprvjxfuberkk\mxpgsqwqnzb.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2796
- C:\rjrprvjxfuberkk\cgrmhyzq.exe
  hrdyguvmszhk "c:\rjrprvjxfuberkk\mxpgsqwqnzb.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\rjrprvjxfuberkk\cha6ayihzpn

Filesize
9B

MD5
488a36e5a549b4a97a836a5b660ae4f5

SHA1
505fe43c0c08103a08539b2925baa2f90e525858

SHA256
d2613ce591e5a8e5a755f64c7c9ee11ceac0d12e8eb38d39ff230d15a5ddd53b

SHA512
2a2bbec30cbf9d65c04f3ce0997e0063d40d8583d9ce40d3209318b368bf36f6cc8ebfa3a716eceb77d4e7cb9a9576359bb9c90bd60fbeb9adf2ba40e60269bc

Download Submit
\rjrprvjxfuberkk\qut4ah2y4hlxjtebwn.exe

Filesize
593KB

MD5
ea5b1291b9c496d77cca4a883a44aedd

SHA1
0de62250ccc7c58fc6ed0507499a726ef50804d8

SHA256
35751943f6401cd249c42a3b5ca7bc5476fc464809a0812c331df5c03df782f3

SHA512
18df3bfa6baf57292ed4492f527fd5c3be40cefe5fe66261f585b7ecd2c5cf33c40c7b460136e94cabb217bbfb4bb336138d3ca7fca74b48aa85a6ad588c2e90

Download Submit