Overview

overview

7

Static

static

3

2024-04-27...re.exe

windows7-x64

7

2024-04-27...re.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    27-04-2024 22:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-04-27_0ab50fc1bcfa77f0d869163f37ba8a3e_bkransomware.exe

  • Size

    595KB

  • MD5

    0ab50fc1bcfa77f0d869163f37ba8a3e

  • SHA1

    9b230b595da73625cae0cca885a034a313bcacbb

  • SHA256

    7bc1890b42de0a1bbf639ef4e4f4f5a930165ea96ad3202cb97fbfd7a3740296

  • SHA512

    c82dec3397328b48182c0370e8c84181add38cebab20569f8918d3bda09836fd80928fbc9d5cf8f1e7501971aacfa9600fdc8ce74a52049b35acdefa7699d3e9

  • SSDEEP

    12288:hS0vhAa34ZfPuPiBpFT4bXheyv56zaEyEmVb/O2edK/3xBuI803:DvhgtGGWLE66zaEyEADSE3

Score
7/10
persistencespywarestealer

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Windows directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-27_0ab50fc1bcfa77f0d869163f37ba8a3e_bkransomware.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-27_0ab50fc1bcfa77f0d869163f37ba8a3e_bkransomware.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2868
    • C:\Users\Admin\AppData\Local\Temp\AtkeVAJiLncEeAC.exe
      C:\Users\Admin\AppData\Local\Temp\AtkeVAJiLncEeAC.exe
      2⤵
      • Executes dropped EXE
      PID:2984
    • C:\Windows\CTS.exe
      "C:\Windows\CTS.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:2564

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\AtkeVAJiLncEeAC.exe
    Filesize

    595KB

    MD5

    67f6d6b8d0d2fa6b8eda397718193830

    SHA1

    de67d8c68015e84cc65ba807804ae2f8cc81377a

    SHA256

    c6bbce91206adea3f6db93450d2e204d74d3c33b0ba010d72971d070ee2921cb

    SHA512

    1af2dad12ae279108c44e5bebca10e36acace35fcd467d8562d8f72e5b2de29984553726548fbd4c80ba9c2fbcb4d85a57b21322cc8f426effdafc9fe48d15a5

    Download Submit

  • C:\Windows\CTS.exe
    Filesize

    71KB

    MD5

    66df4ffab62e674af2e75b163563fc0b

    SHA1

    dec8a197312e41eeb3cfef01cb2a443f0205cd6e

    SHA256

    075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163

    SHA512

    1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25

    Download Submit

  • \Users\Admin\AppData\Local\Temp\AtkeVAJiLncEeAC.exe
    Filesize

    524KB

    MD5

    645d5875c0ce2052d93943c62238a06e

    SHA1

    38c00dfaa6e0192e1157212d5baf42a8db869776

    SHA256

    66ef54018ef1207394bef76bcb0411f2fbbedd6230a812026bf8f1710218dbf9

    SHA512

    eb9654b527ddc15fae042ef6fa6b8a25f76c2fc21314abd1d629bac5066cfa11d9f3c1191150dc7784b20e5e47c4855ab97d34fadf904989a7a43ccd626949fe

    Download Submit