e6ef6d892641baa67be0f687ba42eebfdb61ff05b5b5d13142d2937bcf9cb186

Analysis

max time kernel
149s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-10-2024 04:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-12_68a6a6326e03ca9ff92982a92e6a90be_bkransomware.exe
Size

461KB
MD5

68a6a6326e03ca9ff92982a92e6a90be
SHA1

2d8bbb9a623abf710c9fd2491f6095efa3e64833
SHA256

e6ef6d892641baa67be0f687ba42eebfdb61ff05b5b5d13142d2937bcf9cb186
SHA512

96dc781794c020fd43a242d889372df135c4b799c75d49a4dc12be4b83999db214f3659c1403963642b2d940f2356599f00721690e880264aacf1ba1a2ab77fb
SSDEEP

6144:S1VnJsnpYf++1rfn9jkj3ZuUVB6ErnF5NzR9QPJQW2vnbIrHnWn4nRmnOjgnI2J4:S1LByrZuG6Mt9QSWRHJGf927S2U4f

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2060	byyxx4agig5ijsloikq.exe
2872	witzhhyws.exe
2716	dtdyauhphqxa.exe
2648	witzhhyws.exe

Loads dropped DLL 5 IoCs

pid	Process
2588	2024-10-12_68a6a6326e03ca9ff92982a92e6a90be_bkransomware.exe
2588	2024-10-12_68a6a6326e03ca9ff92982a92e6a90be_bkransomware.exe
2872	witzhhyws.exe
2872	witzhhyws.exe
2060	byyxx4agig5ijsloikq.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\ockqwhp\uxgwekie	witzhhyws.exe
File created	C:\Windows\ockqwhp\uxgwekie	dtdyauhphqxa.exe
File created	C:\Windows\ockqwhp\uxgwekie	witzhhyws.exe
File created	C:\Windows\ockqwhp\uxgwekie	2024-10-12_68a6a6326e03ca9ff92982a92e6a90be_bkransomware.exe
File created	C:\Windows\ockqwhp\uxgwekie	byyxx4agig5ijsloikq.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-12_68a6a6326e03ca9ff92982a92e6a90be_bkransomware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	witzhhyws.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dtdyauhphqxa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byyxx4agig5ijsloikq.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2872	witzhhyws.exe
2716	dtdyauhphqxa.exe
2716	dtdyauhphqxa.exe
2716	dtdyauhphqxa.exe
2716	dtdyauhphqxa.exe
2716	dtdyauhphqxa.exe
2716	dtdyauhphqxa.exe
2716	dtdyauhphqxa.exe
2716	dtdyauhphqxa.exe
2716	dtdyauhphqxa.exe
2716	dtdyauhphqxa.exe
2716	dtdyauhphqxa.exe
2716	dtdyauhphqxa.exe
2716	dtdyauhphqxa.exe
2716	dtdyauhphqxa.exe
2716	dtdyauhphqxa.exe
2716	dtdyauhphqxa.exe
2716	dtdyauhphqxa.exe
2716	dtdyauhphqxa.exe
2716	dtdyauhphqxa.exe
2716	dtdyauhphqxa.exe
2716	dtdyauhphqxa.exe
2716	dtdyauhphqxa.exe
2716	dtdyauhphqxa.exe
2716	dtdyauhphqxa.exe
2716	dtdyauhphqxa.exe
2716	dtdyauhphqxa.exe
2716	dtdyauhphqxa.exe
2716	dtdyauhphqxa.exe
2716	dtdyauhphqxa.exe
2716	dtdyauhphqxa.exe
2716	dtdyauhphqxa.exe
2716	dtdyauhphqxa.exe
2716	dtdyauhphqxa.exe
2716	dtdyauhphqxa.exe
2716	dtdyauhphqxa.exe
2716	dtdyauhphqxa.exe
2716	dtdyauhphqxa.exe
2716	dtdyauhphqxa.exe
2716	dtdyauhphqxa.exe
2716	dtdyauhphqxa.exe
2716	dtdyauhphqxa.exe
2716	dtdyauhphqxa.exe
2716	dtdyauhphqxa.exe
2716	dtdyauhphqxa.exe
2716	dtdyauhphqxa.exe
2716	dtdyauhphqxa.exe
2716	dtdyauhphqxa.exe
2716	dtdyauhphqxa.exe
2716	dtdyauhphqxa.exe
2716	dtdyauhphqxa.exe
2716	dtdyauhphqxa.exe
2716	dtdyauhphqxa.exe
2716	dtdyauhphqxa.exe
2716	dtdyauhphqxa.exe
2716	dtdyauhphqxa.exe
2716	dtdyauhphqxa.exe
2716	dtdyauhphqxa.exe
2716	dtdyauhphqxa.exe
2716	dtdyauhphqxa.exe
2716	dtdyauhphqxa.exe
2716	dtdyauhphqxa.exe
2716	dtdyauhphqxa.exe
2716	dtdyauhphqxa.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2588 wrote to memory of 2060	2588	2024-10-12_68a6a6326e03ca9ff92982a92e6a90be_bkransomware.exe	30
PID 2588 wrote to memory of 2060	2588	2024-10-12_68a6a6326e03ca9ff92982a92e6a90be_bkransomware.exe	30
PID 2588 wrote to memory of 2060	2588	2024-10-12_68a6a6326e03ca9ff92982a92e6a90be_bkransomware.exe	30
PID 2588 wrote to memory of 2060	2588	2024-10-12_68a6a6326e03ca9ff92982a92e6a90be_bkransomware.exe	30
PID 2872 wrote to memory of 2716	2872	witzhhyws.exe	32
PID 2872 wrote to memory of 2716	2872	witzhhyws.exe	32
PID 2872 wrote to memory of 2716	2872	witzhhyws.exe	32
PID 2872 wrote to memory of 2716	2872	witzhhyws.exe	32
PID 2060 wrote to memory of 2648	2060	byyxx4agig5ijsloikq.exe	33
PID 2060 wrote to memory of 2648	2060	byyxx4agig5ijsloikq.exe	33
PID 2060 wrote to memory of 2648	2060	byyxx4agig5ijsloikq.exe	33
PID 2060 wrote to memory of 2648	2060	byyxx4agig5ijsloikq.exe	33

C:\Users\Admin\AppData\Local\Temp\2024-10-12_68a6a6326e03ca9ff92982a92e6a90be_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-12_68a6a6326e03ca9ff92982a92e6a90be_bkransomware.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2588
- C:\ockqwhp\byyxx4agig5ijsloikq.exe
  "C:\ockqwhp\byyxx4agig5ijsloikq.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\ockqwhp\witzhhyws.exe
    "C:\ockqwhp\witzhhyws.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2648

C:\ockqwhp\witzhhyws.exe
C:\ockqwhp\witzhhyws.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2872
- C:\ockqwhp\dtdyauhphqxa.exe
  om8naakhozdd "c:\ockqwhp\witzhhyws.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ockqwhp\byyxx4agig5ijsloikq.exe

Filesize
461KB

MD5
68a6a6326e03ca9ff92982a92e6a90be

SHA1
2d8bbb9a623abf710c9fd2491f6095efa3e64833

SHA256
e6ef6d892641baa67be0f687ba42eebfdb61ff05b5b5d13142d2937bcf9cb186

SHA512
96dc781794c020fd43a242d889372df135c4b799c75d49a4dc12be4b83999db214f3659c1403963642b2d940f2356599f00721690e880264aacf1ba1a2ab77fb

Download Submit
C:\ockqwhp\uxgwekie

Filesize
6B

MD5
98267e01168756dbd6a798586c407bad

SHA1
8c1797baa3d2fd824b5c351f91b1fab78f5b42db

SHA256
32028932d444527d0031fc706b17b23b411069b4720c02cee6a347f784b20832

SHA512
139a2d4038bbf962f7c6820fb74469f0973a923807175d4d2644f97185ca5c24b00cfd387a666ff88ac1b5ae1d4a3eb1505a96d872491bab2e88e15a750dafbc

Download Submit