19a7cf86d6e9cee8d63cf2d3dfeb265b96c4fbef1dd029665339015c312ffbd9

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2024, 04:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-10-13_b9cad1b5042d64775eba7a1e2bf3c031_bkransomware.exe
Size

521KB
MD5

b9cad1b5042d64775eba7a1e2bf3c031
SHA1

e8339d0a47c40b5ad24c1c051f585f079c11df88
SHA256

19a7cf86d6e9cee8d63cf2d3dfeb265b96c4fbef1dd029665339015c312ffbd9
SHA512

830db80cfb168e56f9156fb70c773bbbbc5c2b6f7baee9378ca6c5d8dd84e2dd73b664cb6c4bb0c5302590a30e03dab61b91f93562df5d3f7ae14dbd1b69732a
SSDEEP

6144:n3YNPrHWx+/UEx3dnVrZZhI33TfHQ20V79C5WIqJe0VAHOGqGPFfphw8IM:nELWx+/Fx3nZg330f9lIqJe0VAv

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1152	mgp3z9517zuylbkuwljmrg.exe
3112	jhptkqxprnle.exe
5032	mixafeqg.exe
5104	jhptkqxprnle.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\wjvazglr\mskavvgbl	jhptkqxprnle.exe
File created	C:\Windows\wjvazglr\mskavvgbl	mixafeqg.exe
File created	C:\Windows\wjvazglr\mskavvgbl	jhptkqxprnle.exe
File created	C:\Windows\wjvazglr\mskavvgbl	2024-10-13_b9cad1b5042d64775eba7a1e2bf3c031_bkransomware.exe
File created	C:\Windows\wjvazglr\mskavvgbl	mgp3z9517zuylbkuwljmrg.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-13_b9cad1b5042d64775eba7a1e2bf3c031_bkransomware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mgp3z9517zuylbkuwljmrg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jhptkqxprnle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mixafeqg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3112	jhptkqxprnle.exe
3112	jhptkqxprnle.exe
5032	mixafeqg.exe
5032	mixafeqg.exe
5032	mixafeqg.exe
5032	mixafeqg.exe
5032	mixafeqg.exe
5032	mixafeqg.exe
5032	mixafeqg.exe
5032	mixafeqg.exe
5032	mixafeqg.exe
5032	mixafeqg.exe
5032	mixafeqg.exe
5032	mixafeqg.exe
5032	mixafeqg.exe
5032	mixafeqg.exe
5032	mixafeqg.exe
5032	mixafeqg.exe
5032	mixafeqg.exe
5032	mixafeqg.exe
5032	mixafeqg.exe
5032	mixafeqg.exe
5032	mixafeqg.exe
5032	mixafeqg.exe
5032	mixafeqg.exe
5032	mixafeqg.exe
5032	mixafeqg.exe
5032	mixafeqg.exe
5032	mixafeqg.exe
5032	mixafeqg.exe
5032	mixafeqg.exe
5032	mixafeqg.exe
5032	mixafeqg.exe
5032	mixafeqg.exe
5032	mixafeqg.exe
5032	mixafeqg.exe
5032	mixafeqg.exe
5032	mixafeqg.exe
5032	mixafeqg.exe
5032	mixafeqg.exe
5032	mixafeqg.exe
5032	mixafeqg.exe
5032	mixafeqg.exe
5032	mixafeqg.exe
5032	mixafeqg.exe
5032	mixafeqg.exe
5032	mixafeqg.exe
5032	mixafeqg.exe
5032	mixafeqg.exe
5032	mixafeqg.exe
5032	mixafeqg.exe
5032	mixafeqg.exe
5032	mixafeqg.exe
5032	mixafeqg.exe
5032	mixafeqg.exe
5032	mixafeqg.exe
5032	mixafeqg.exe
5032	mixafeqg.exe
5032	mixafeqg.exe
5032	mixafeqg.exe
5032	mixafeqg.exe
5032	mixafeqg.exe
5032	mixafeqg.exe
5032	mixafeqg.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 740 wrote to memory of 1152	740	2024-10-13_b9cad1b5042d64775eba7a1e2bf3c031_bkransomware.exe	85
PID 740 wrote to memory of 1152	740	2024-10-13_b9cad1b5042d64775eba7a1e2bf3c031_bkransomware.exe	85
PID 740 wrote to memory of 1152	740	2024-10-13_b9cad1b5042d64775eba7a1e2bf3c031_bkransomware.exe	85
PID 3112 wrote to memory of 5032	3112	jhptkqxprnle.exe	88
PID 3112 wrote to memory of 5032	3112	jhptkqxprnle.exe	88
PID 3112 wrote to memory of 5032	3112	jhptkqxprnle.exe	88
PID 1152 wrote to memory of 5104	1152	mgp3z9517zuylbkuwljmrg.exe	89
PID 1152 wrote to memory of 5104	1152	mgp3z9517zuylbkuwljmrg.exe	89
PID 1152 wrote to memory of 5104	1152	mgp3z9517zuylbkuwljmrg.exe	89

C:\Users\Admin\AppData\Local\Temp\2024-10-13_b9cad1b5042d64775eba7a1e2bf3c031_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-13_b9cad1b5042d64775eba7a1e2bf3c031_bkransomware.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:740
- C:\wjvazglr\mgp3z9517zuylbkuwljmrg.exe
  "C:\wjvazglr\mgp3z9517zuylbkuwljmrg.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1152
- - C:\wjvazglr\jhptkqxprnle.exe
    "C:\wjvazglr\jhptkqxprnle.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:5104

C:\wjvazglr\jhptkqxprnle.exe
C:\wjvazglr\jhptkqxprnle.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3112
- C:\wjvazglr\mixafeqg.exe
  stnypa0susgj "c:\wjvazglr\jhptkqxprnle.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\wjvazglr\mgp3z9517zuylbkuwljmrg.exe

Filesize
521KB

MD5
b9cad1b5042d64775eba7a1e2bf3c031

SHA1
e8339d0a47c40b5ad24c1c051f585f079c11df88

SHA256
19a7cf86d6e9cee8d63cf2d3dfeb265b96c4fbef1dd029665339015c312ffbd9

SHA512
830db80cfb168e56f9156fb70c773bbbbc5c2b6f7baee9378ca6c5d8dd84e2dd73b664cb6c4bb0c5302590a30e03dab61b91f93562df5d3f7ae14dbd1b69732a

Download Submit
C:\wjvazglr\mskavvgbl

Filesize
10B

MD5
d228d40b98676a8ede3eb862cb9b6965

SHA1
3480a3ac8d7bfd9d26d31b65d555e9ce45377474

SHA256
8d50fb2060a6fe5059dc15a825b5133a33ba56cdfc6c5c214fb77946cea51f6f

SHA512
63b4413f9522743b79417b771a616f94538fb958aa9fe1f992223c340b291aa242114ace05da5dc97e1fcfcc666adb14d3a4d16877b615686fbc6c5d301cbc8d

Download Submit