File name:	2025-01-10_eb12a4e10b158809d6655977ade7d9f5_bkransomware_floxif
Full analysis:	https://app.any.run/tasks/3d0210bc-b54b-4991-95ca-0e1f8b76a670
Verdict:	Malicious activity
Analysis date:	January 10, 2025, 18:17:47
OS:	Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:	EB12A4E10B158809D6655977ADE7D9F5
SHA1:	6BA15AC48E6A6ABD26D54D877D7722078D8EAF18
SHA256:	D89A95E276692F1B4D4F4CE78F027E9E9FF7992283F1F5A27BFE8078595F13B4
SSDEEP:	98304:+o+twheJ2PbOmaREeAVWxOPoTkbrUzhs+D50:/QW

.exe	\|	InstallShield setup (54.3)
.exe	\|	Win64 Executable (generic) (34.8)
.exe	\|	Win32 Executable (generic) (5.6)
.exe	\|	Generic Win/DOS Executable (2.5)
.exe	\|	DOS Executable Generic (2.5)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2019:12:09 09:25:37+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	12
CodeSize:	1408512
InitializedDataSize:	1824768
UninitializedDataSize:	-
EntryPoint:	0x12e27e
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows GUI
FileVersionNumber:	11.0.0.4
ProductVersionNumber:	11.0.0.4
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Process default
CharacterSet:	Unicode
Comments:	Setup
FileDescription:	Setup
InternalName:	Setup.exe
CompanyName:	Hancom Inc.
LegalCopyright:	Copyright 1989. Hancom Inc. All rights reserved
LegalTrademarks:	Setup is a registered trademark of Hancom Inc.
OriginalFileName:	Setup.exe
ProductName:	Setup
FileVersion:	11.0.0.4
ProductVersion:	11.0.0.4

PID	Process	Filename		Type
2828	2025-01-10_eb12a4e10b158809d6655977ade7d9f5_bkransomware_floxif.exe	C:\Program Files\Common Files\System\symsrv.dll		executable
		MD5:7574CF2C64F35161AB1292E2F532AABF	SHA256:DE055A89DE246E629A8694BDE18AF2B1605E4B9B493C7E4AEF669DD67ACF5085

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	51.104.136.2:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158	whitelisted
google.com	142.250.185.238	whitelisted
self.events.data.microsoft.com	20.42.73.30	whitelisted

General Info

2025-01-10_eb12a4e10b158809d6655977ade7d9f5_bkransomware_floxif

EB12A4E10B158809D6655977ADE7D9F5

6BA15AC48E6A6ABD26D54D877D7722078D8EAF18

D89A95E276692F1B4D4F4CE78F027E9E9FF7992283F1F5A27BFE8078595F13B4

98304:+o+twheJ2PbOmaREeAVWxOPoTkbrUzhs+D50:/QW

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executing a file with an untrusted certificate

SUSPICIOUS

Executable content was dropped or overwritten

Process drops legitimate windows executable

INFO

Creates files in the program directory

The sample compiled with english language support

Checks supported languages

Reads the computer name

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings