Overview

overview

7

Static

static

3

2024-04-28...re.exe

windows7-x64

7

2024-04-28...re.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    28-04-2024 10:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-04-28_2810f130f7c9476332d676d4269800ca_bkransomware.exe

  • Size

    214KB

  • MD5

    2810f130f7c9476332d676d4269800ca

  • SHA1

    01b2955d41b5668c1b01ad4acd820c237e3f0ba6

  • SHA256

    ff75a73a7a841d20cc79927bde6adbcaa52a907804de14406ffba7683d20fa00

  • SHA512

    764e73aee1e595682dd3c8d1d77c0cee408235c775b9aced46e430e1575929d0a21c36a03ac13dfa86bb870588408e602f182e72f8e7a86b890613668e281e28

  • SSDEEP

    6144:xZ8azvnv4dXkMBVJYsVG/OGygj4WAW0ms:xC0fakMBVOyLEj4M0B

Score
7/10
persistencespywarestealer

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Windows directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-28_2810f130f7c9476332d676d4269800ca_bkransomware.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-28_2810f130f7c9476332d676d4269800ca_bkransomware.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2020
    • C:\Users\Admin\AppData\Local\Temp\f2TpPZYBqDvGvK7.exe
      C:\Users\Admin\AppData\Local\Temp\f2TpPZYBqDvGvK7.exe
      2⤵
      • Executes dropped EXE
      PID:2684
    • C:\Windows\CTS.exe
      "C:\Windows\CTS.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:2688

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\CTS.exe
    Filesize

    71KB

    MD5

    f9d4ab0a726adc9b5e4b7d7b724912f1

    SHA1

    3d42ca2098475924f70ee4a831c4f003b4682328

    SHA256

    b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc

    SHA512

    22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432

    Download Submit

  • \Users\Admin\AppData\Local\Temp\f2TpPZYBqDvGvK7.exe
    Filesize

    143KB

    MD5

    c1d5e48111f4984433e6318466ee1bce

    SHA1

    d3379a99f504b38794f491e4fff6c77cfab53eac

    SHA256

    dfdf187874d7368a92bbebb68c8cdc5c183af47d954b5b27ddaeca6774ae4822

    SHA512

    dfce97a9dc92521c2d576b3d21071cb04df4a6d927676a2b95abc0093b67a044aab8d3f8612a4a70f9128cf2555d3a554a1c3f941647a64d30298ab28bba7441

    Download Submit

  • memory/2684-13-0x0000000000DF0000-0x0000000000E18000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2684-14-0x000007FEF5360000-0x000007FEF5D4C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2684-15-0x000007FEF5360000-0x000007FEF5D4C000-memory.dmp

    Filesize

    9.9MB

    Download