Overview

overview

10

Static

static

1

2024-10-12...re.exe

windows7-x64

10

2024-10-12...re.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    133s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    12/10/2024, 08:49

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-10-12_9a384d4d74cda4722a599c83ce02fb9d_bkransomware.exe

  • Size

    1.4MB

  • MD5

    9a384d4d74cda4722a599c83ce02fb9d

  • SHA1

    fa911bba4736879134afc00328186f719a44e4ae

  • SHA256

    10c0da1cbef8de3bd2d5853ce08bfa8859151488ab449888f69b6b84f5924c0d

  • SHA512

    6caaf8dca058eb7549ee51ac7d7d481b081f4f0ca0fe24910db187937134d41eeb9aa502afb47543007ddc2685e52297b105ae15dc0b90d6392a643463a2ce36

  • SSDEEP

    24576:E30bJ529+RipvL1SXk1QE1RGOTnIEQc4au9NgxnHNnz1ccFvXmu:EES9+ApwXk1QE1RzsEQPaxHN3FvXV

Score
10/10
discoveryevasion

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in Program Files directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-12_9a384d4d74cda4722a599c83ce02fb9d_bkransomware.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-12_9a384d4d74cda4722a599c83ce02fb9d_bkransomware.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1648
    • C:\Documents and Settings\tazebama.dl_
      "C:\Documents and Settings\tazebama.dl_"
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2436

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\autorun.inf
          Filesize

          126B

          MD5

          163e20cbccefcdd42f46e43a94173c46

          SHA1

          4c7b5048e8608e2a75799e00ecf1bbb4773279ae

          SHA256

          7780bee9df142a17e0457f3dcb2788b50fc2792370089335597d33719126fb7e

          SHA512

          e5ac0ff6b087857799ab70f68067c9dc73eeb93ccfcad87047052380b95ade3e6eb2a7d01a0f850d548a39f4b1ebb60e299d603dbe25c31b9a3585b34a0c65a8

          Download Submit

        • C:\zPharaoh.exe
          Filesize

          151KB

          MD5

          faef0203548b6fd70605551b7a7bdfc3

          SHA1

          db8ef33b1d3a4a4159c34534cf3193789e2791ed

          SHA256

          8b1bf37591b043264694ed6c96289f51e0df9038a0283fc11befe6a70a020319

          SHA512

          affc88327326dc1f5b1b6dbac2cd8ebd3be9a5688de31b4016fdab8863f113b7c2d6ffef630abca48c7c6a2db23a2fa5c1af1e4473de2f4b7dcd3fffac67e39f

          Download Submit

        • F:\$RECYCLE.BIN\S-1-5-21-312935884-697965778-3955649944-1000\RCX56D9.tmp
          Filesize

          69KB

          MD5

          8ba404e90194c38541e324657e72f74c

          SHA1

          ad9fda28f95b7747579a7fbb8a18e1d1e6311a49

          SHA256

          8145e4c62390f9c55343cc6dadb790dc2cb9463c4f578fa57bf43f12c4720340

          SHA512

          1f594ebb6b970c9cb86b97d642351106a52db407c6e90db7391b50e97a1136e5ba13aeec66c9b985192c377d8c5c70d3746a00f37bcc83855fea316cf8d82362

          Download Submit

        • F:\$RECYCLE.BIN\S-1-5-21-312935884-697965778-3955649944-1000\S-1-5-21-312935884-697965778-3955649944-1000 .exe
          Filesize

          151KB

          MD5

          534128464ed7db8711091acc4686c69c

          SHA1

          a34a29652ff25deb827858af2328beae0f510452

          SHA256

          3fd4947fd8954447bbdbbabc09bbb7d9d6d224d003bbf9f4d59ec9bbf40f958a

          SHA512

          ea15228f92802dc5c57607f87a2473db889f1bfedb06c709d4545cea48cfc0b61106e0f741009ccc6c2145a272496188b9687e8453c4e91db1af5aa0ac9a61e8

          Download Submit

        • F:\$RECYCLE.BIN\S-1-5-21-312935884-697965778-3955649944-1000\WinrRarSerialInstall.exe
          Filesize

          71KB

          MD5

          76739ae3a4010a73b6410ad48b54cf4e

          SHA1

          7a0da9cba3ddecfa2b8ec4859db23a9f29f96b87

          SHA256

          2a6cafd63761974f8ac99240d459523eabb19c599cdad010990d04d890885b3e

          SHA512

          995d51daed4188b1ef605a3bb4269c94e5f650bec21f478a1806f1fda9c92e454f838436525cebf1d3064238f99a2c0fc360530b1c26a2538376211cc2861104

          Download Submit

        • F:\$RECYCLE.BIN\S-1-5-21-312935884-697965778-3955649944-1000\WinrRarSerialInstall.exe
          Filesize

          151KB

          MD5

          c71e41e3079c0602d0513d2f6ce6ba51

          SHA1

          1c054bb8968393ebd1191543ce2e34a71b0948b8

          SHA256

          6c7a7e8b1de4a982ff4dea1c6808591d9b0cfa4a9f7b2fcd04b39364162f31e1

          SHA512

          0501e85e92454bfe934b013a13dc325ffa76fced68a07179a753ec571d9529fad2fdd575d285045562016226da2395ea88104c0e8ddbbc0b4f1d91e82f332bbe

          Download Submit

        • F:\zPharaoh.exe
          Filesize

          151KB

          MD5

          7b553e33fc701345866b746e0d6b0ad8

          SHA1

          8cba74d501daea9137c198ce1d423cd38fb5a1e4

          SHA256

          561433198df8ee14d2cf4a3a6260efc9cea6081d4069a4d622be27e7e070c8cc

          SHA512

          22e1f7c86f01964c1b645582d38cacdef15e48d3c1d90c8a8a5ed5a38e709ae603ebf85a7ea35115e1aa327bf565e9949074d727299227c87c744cd5180c6085

          Download Submit

        • \Users\tazebama.dl_
          Filesize

          151KB

          MD5

          6712f18682abd69935f87afb9a4deb00

          SHA1

          309cb0ab16d3fedaddd23b40ca6d0799ad9c59f8

          SHA256

          282bfe9631576170342014fb3f781596e381b98822d4f4d8769136a6a94419fa

          SHA512

          b742cb22d6bcf73f65d94b3e0b9a917359218a9567c04cef0d20e1dac549121c33c4fb569c642ca58556c62bd9b5d404f29e8866e006629b6ebaae138066508e

          Download Submit

        • \Users\tazebama.dll
          Filesize

          32KB

          MD5

          b6a03576e595afacb37ada2f1d5a0529

          SHA1

          d598d4d0e70dec2ffa2849edaeb4db94fedcc0b8

          SHA256

          1707eaf60aa91f3791aa5643bfa038e9d8141878d61f5d701ebac51f4ae7aaad

          SHA512

          181b7cc6479352fe2c53c3630d45a839cdeb74708be6709c2a75847a54de3ffc1fdac8450270dde7174ecb23e5cb002f8ce39032429a3112b1202f3381b8918c

          Download Submit

        • memory/1648-11-0x00000000002A0000-0x00000000002B6000-memory.dmp

          Filesize

          88KB

          Download

        • memory/1648-13-0x00000000002A0000-0x00000000002B6000-memory.dmp

          Filesize

          88KB

          Download

        • memory/1648-14-0x0000000000400000-0x000000000054B000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1648-12-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

          Download

        • memory/1648-3-0x0000000000400000-0x000000000054B000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1648-118-0x0000000000400000-0x000000000054B000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2436-509-0x0000000000400000-0x0000000000416000-memory.dmp

          Filesize

          88KB

          Download