Analysis

  • max time kernel
    142s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28-04-2024 05:26

General

  • Target

    2024-04-28_31399e198b2142c8720172842e3af5b8_bkransomware.exe

  • Size

    2.2MB

  • MD5

    31399e198b2142c8720172842e3af5b8

  • SHA1

    84e8a94e6b4595bc72b213b0fcb28f5675186118

  • SHA256

    4fd90ae17a33d64776141defd5f10af0d7a20af1ab087e179b6447120f786460

  • SHA512

    99298abd14eafd1c546108976bf21276401ba37d7e95f8ba035f496b1be9104d597358ed18d0ea57bd7db392265a7ef13642c4a1b8f7264a5ceceb3ed500e337

  • SSDEEP

    49152:DJKRJh28dl5VzMrSzR3zibwbCTYehyLDvarb3:DJabl5TzRjiZTci

Malware Config

Signatures

  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Checks system information in the registry (2 TTPs, 2 IoCs)

    System information is often read in order to detect sandboxing environments.

  • Drops file in Windows directory (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-28_31399e198b2142c8720172842e3af5b8_bkransomware.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-28_31399e198b2142c8720172842e3af5b8_bkransomware.exe"
    PID:3544 (root of the tree)
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\1tm5GMZHMBWlVce.exe
      C:\Users\Admin\AppData\Local\Temp\1tm5GMZHMBWlVce.exe
      PID:3876 (child of 3544)
      • Executes dropped EXE
      • Checks system information in the registry
    • C:\Windows\CTS.exe
      "C:\Windows\CTS.exe"
      PID:4224 (child of 3544)
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3716 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
    PID:4424 (separate root; no signatures attached)
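The process tree above is what produces the "Executes dropped EXE", "Drops file in Windows directory" and "Adds Run key to start application" signatures: the sample (PID 3544) writes two executables, one into its own Temp directory and one directly into C:\Windows, runs both, and the C:\Windows copy then registers itself under a Run key. The following Python is an added example, not part of the Triage report, that expresses those three behaviours as detection rules and runs them over constructed Sysmon-style events shaped after the tree. The event field names, the explorer.exe parent and its PID, the user SID and the Run value name "CTS" are assumptions; only the image paths and PIDs come from the report.

```python
"""Replay the report's process-tree behaviours as detection rules.

Added example, not part of the Triage report. EVENTS are constructed,
Sysmon-style records shaped after the tree above (IDs 1 = process create,
11 = file create, 13 = registry value set); the explorer.exe parent, its
PID, the user SID and the Run value name "CTS" are assumptions."""
import re
from collections import defaultdict

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\2024-04-28_31399e198b2142c8720172842e3af5b8_bkransomware.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

EVENTS = [
    {"id": 1, "pid": 3544, "ppid": 1234, "image": SAMPLE, "parent": r"C:\Windows\explorer.exe"},
    {"id": 11, "pid": 3544, "image": SAMPLE, "target": TEMP + r"\1tm5GMZHMBWlVce.exe"},
    {"id": 11, "pid": 3544, "image": SAMPLE, "target": r"C:\Windows\CTS.exe"},
    {"id": 1, "pid": 3876, "ppid": 3544, "image": TEMP + r"\1tm5GMZHMBWlVce.exe", "parent": SAMPLE},
    {"id": 1, "pid": 4224, "ppid": 3544, "image": r"C:\Windows\CTS.exe", "parent": SAMPLE},
    {"id": 13, "pid": 4224, "image": r"C:\Windows\CTS.exe",
     "target": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\CTS",
     "details": r"C:\Windows\CTS.exe"},
    # Benign noise: the Edge utility process also present in the report.
    {"id": 1, "pid": 4424, "ppid": 4000, "image": EDGE, "parent": EDGE},
]

RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
WINDOWS_ROOT = re.compile(r"c:\\windows\\[^\\]+$", re.I)


def executed_dropped_files(events):
    """'Executes dropped EXE': a process whose image was created on disk
    earlier in the same trace. Returns (dropper_pid, new_pid, image)."""
    dropped = {}
    hits = []
    for e in events:
        if e["id"] == 11 and e["target"].lower().endswith(".exe"):
            dropped[e["target"].lower()] = e["pid"]
        elif e["id"] == 1 and e["image"].lower() in dropped:
            hits.append((dropped[e["image"].lower()], e["pid"], e["image"]))
    return hits


def windows_root_drops(events):
    """'Drops file in Windows directory': a file written directly under
    C:\\Windows (not a subdirectory). Returns (pid, target)."""
    return [(e["pid"], e["target"]) for e in events
            if e["id"] == 11 and WINDOWS_ROOT.match(e["target"])]


def run_key_writes(events):
    """T1547.001: a value set under a Run or RunOnce key.
    Returns (pid, image, value_path, command)."""
    return [(e["pid"], e["image"], e["target"], e["details"]) for e in events
            if e["id"] == 13 and RUN_KEY.search(e["target"])]


def suspicious_pids(events):
    """Fold the three rules into {pid: [reasons]}; PIDs with no hit are absent."""
    reasons = defaultdict(list)
    for dropper, pid, image in executed_dropped_files(events):
        reasons[pid].append(f"executes {image} dropped by pid {dropper}")
    for pid, target in windows_root_drops(events):
        reasons[pid].append(f"wrote {target}")
    for pid, image, value, cmd in run_key_writes(events):
        reasons[pid].append(f"Run key {value} -> {cmd}")
    return dict(reasons)


if __name__ == "__main__":
    for pid, why in sorted(suspicious_pids(EVENTS).items()):
        print(pid, "; ".join(why))
```

Run stand-alone it prints one line per flagged PID (3544, 3876 and 4224); the Edge process is never flagged because it neither runs a dropped file nor writes to C:\Windows or a Run key. The "executes dropped file" rule deliberately keys on the creating event rather than on the Temp directory, so it also fires for the C:\Windows copy, which a path-based rule on user-writable directories would miss.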

    Network

    MITRE ATT&CK Matrix (ATT&CK v13)

    • Persistence: Boot or Logon Autostart Execution (T1547): 1
      Registry Run Keys / Startup Folder (T1547.001): 1
    • Privilege Escalation: Boot or Logon Autostart Execution (T1547): 1
      Registry Run Keys / Startup Folder (T1547.001): 1
    • Defense Evasion: Modify Registry (T1112): 1
    • Credential Access: Unsecured Credentials (T1552): 1
      Credentials In Files (T1552.001): 1
    • Discovery: Query Registry (T1012): 1
      System Information Discovery (T1082): 1
    • Collection: Data from Local System (T1005): 1


    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
      Filesize

      789KB

      MD5

      94537ab25316e39a56705c6dc0c5e6a7

      SHA1

      1e84f66771fd3a8676bb81cefcf2b915fd56db99

      SHA256

      1273cd564cde0a22e8435d1e95fa87a4852fd70706a1d9ff951f3773a0c2c963

      SHA512

      d2dafb163f792efd848db166bea942f7a1a62d85c94b333a396d51489d7b4caf5bbcf417c1e61707d5c7fb5bf453258305e09bd3bb6b14472dc05b39020971b8

    • C:\Users\Admin\AppData\Local\Temp\1tm5GMZHMBWlVce.exe
      Filesize

      2.2MB

      MD5

      20ea602903cfbe6a29f3de5195dd968d

      SHA1

      71f7832da8f4ee21dcc25685b78a58517119c394

      SHA256

      3c1fa2c7cc8b895612265cfd3cc19cd44ffd0f26cdbb6ab6cd14ec34b0b5c736

      SHA512

      2ad7c78446ec40d10b4a3a91fd3064f7092ff494d006752b911e5e79f0a5eea2849d39774bf73e2ad8ae7b1135f08f0b755d47bbb4a724b15756f4138158a337

    • C:\Users\Admin\AppData\Local\Temp\1tm5GMZHMBWlVce.exe
      Filesize

      2.2MB

      MD5

      f62ec640789d407b35735aa6feb284dd

      SHA1

      f3fe86043d69df2bafb81aaab6b6d00029025972

      SHA256

      b753eec05313759cf838256915f87ea2f2b3f59e83a014daec8d4de2140cdaf0

      SHA512

      acfac7a565cd5370109f2ae123504d31f7e6f560fc5c1542f8303e8ed0a98f48c516347578678c9f0ff3768d6cbeb3892ab5a91b11c9a9c02bbe8c35e823b060

    • C:\Windows\CTS.exe
      Filesize

      71KB

      MD5

      f9d4ab0a726adc9b5e4b7d7b724912f1

      SHA1

      3d42ca2098475924f70ee4a831c4f003b4682328

      SHA256

      b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc

      SHA512

      22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432
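Two things in the list above matter for anyone turning it into host indicators: the same path, C:\Users\Admin\AppData\Local\Temp\1tm5GMZHMBWlVce.exe, appears twice with different hashes, so the dropped payload is not a fixed blob and a hash-only sweep can miss it, while C:\Windows\CTS.exe has a single, stable hash. The following Python is an added example, not part of the Triage report, that matches files on a host against the executables listed in the General and Downloads sections: a digest match is reported as a strong hit and a file-name match with a different digest as a weak one. The hashes and paths are copied from the report; the helper names and the scan layout are assumptions.

```python
"""Match files on a host against the dropped-file indicators in the report.

Added example, not part of the Triage report. Hashes and paths are copied
from the General and Downloads sections; everything else is assumption."""
import hashlib
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class FileIoc:
    path: str      # path observed in the sandbox run
    md5: str
    sha1: str
    sha256: str


# Indicators from the report. 1tm5GMZHMBWlVce.exe is listed twice with
# different hashes, which is why a name-only hit is still worth surfacing.
IOCS = [
    FileIoc(r"C:\Users\Admin\AppData\Local\Temp\2024-04-28_31399e198b2142c8720172842e3af5b8_bkransomware.exe",
            "31399e198b2142c8720172842e3af5b8",
            "84e8a94e6b4595bc72b213b0fcb28f5675186118",
            "4fd90ae17a33d64776141defd5f10af0d7a20af1ab087e179b6447120f786460"),
    FileIoc(r"C:\Users\Admin\AppData\Local\Temp\1tm5GMZHMBWlVce.exe",
            "20ea602903cfbe6a29f3de5195dd968d",
            "71f7832da8f4ee21dcc25685b78a58517119c394",
            "3c1fa2c7cc8b895612265cfd3cc19cd44ffd0f26cdbb6ab6cd14ec34b0b5c736"),
    FileIoc(r"C:\Users\Admin\AppData\Local\Temp\1tm5GMZHMBWlVce.exe",
            "f62ec640789d407b35735aa6feb284dd",
            "f3fe86043d69df2bafb81aaab6b6d00029025972",
            "b753eec05313759cf838256915f87ea2f2b3f59e83a014daec8d4de2140cdaf0"),
    FileIoc(r"C:\Windows\CTS.exe",
            "f9d4ab0a726adc9b5e4b7d7b724912f1",
            "3d42ca2098475924f70ee4a831c4f003b4682328",
            "b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc"),
]


def digests(data: bytes) -> dict:
    """Compute the three digests the report lists, in one pass over the bytes."""
    hashes = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    for h in hashes.values():
        h.update(data)
    return {name: h.hexdigest() for name, h in hashes.items()}


def basename(path: str) -> str:
    """Case-folded final path component; splits on both separators so the
    Windows paths from the report compare correctly on any OS."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(path: str, data: bytes, iocs=IOCS):
    """("hash", ioc) on a digest match (strong), ("path", ioc) when only the
    file name matches (weak), or None when neither does."""
    d = digests(data)
    for ioc in iocs:
        if d["sha256"] == ioc.sha256 or d["sha1"] == ioc.sha1 or d["md5"] == ioc.md5:
            return ("hash", ioc)
    for ioc in iocs:
        if basename(path) == basename(ioc.path):
            return ("path", ioc)
    return None


def scan(root: str, iocs=IOCS):
    """Walk a directory tree and return [(path, level, ioc)] for every hit."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as f:
                    data = f.read()
            except OSError:
                continue      # locked or unreadable files are skipped, not fatal
            result = classify(full, data, iocs)
            if result:
                hits.append((full, result[0], result[1]))
    return hits


if __name__ == "__main__":
    import sys
    for path, level, ioc in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{level:4} {path}  (report: {ioc.path})")
```

Point `scan()` at a user's Temp directory or at C:\Windows to check a host; on a live system the sweep should be paired with the Run key check, since the report shows the persistence entry is written by the C:\Windows copy rather than by the original sample.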