Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    28-04-2024 16:45

General

  • Target

    2024-04-28_ed64d55e4658cdcd93ae9755199fbbfe_bkransomware.exe

  • Size

    71KB

  • MD5

    ed64d55e4658cdcd93ae9755199fbbfe

  • SHA1

    1560bdbc32c65f3cbb044c7b7c9eace9ebb9b942

  • SHA256

    561d4466a277ba7625b56911fe931cf391b524b9f698a3d977d72f6aa9bd4344

  • SHA512

    b196fcfded3b6a2f93f2123ccfc134cd18b9e97c7449bf01324949deb671a900844f8e811d0bfddac63d67ed91d7012af6e3fcea3c38a8b1a3da57c6c7673488

  • SSDEEP

    1536:Fc897UsWjcd9w+AyabjDbxE+MwmvlDuazTJ:ZhpAyazIlyazTJ

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-28_ed64d55e4658cdcd93ae9755199fbbfe_bkransomware.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-28_ed64d55e4658cdcd93ae9755199fbbfe_bkransomware.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2072
    • C:\Windows\CTS.exe
      "C:\Windows\CTS.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:2004

Network

MITRE ATT&CK Matrix ATT&CK v13

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Collection

Data from Local System

1
T1005

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\4oVKwsFrlYK7Jg5.exe
    Filesize

    71KB

    MD5

    88f7e3dd62803632fb6d396f0f9c68a9

    SHA1

    47d124924b04dd5b26c96448d5a51ea7ff71d5ea

    SHA256

    d4e34b564c0fd9d28ad77904267a7f13c88e378fd7b2353b932a5d31ad89768f

    SHA512

    94bfc14e01b72dfa1e98ee0c0650f4a3df76eb7d815ad44d5bc759e91d32b7e6f15e3e3f7c67ca18fb497ddcec59dca6d3ba574c5b756b477c6a813594cc426d

  • C:\Windows\CTS.exe
    Filesize

    71KB

    MD5

    66df4ffab62e674af2e75b163563fc0b

    SHA1

    dec8a197312e41eeb3cfef01cb2a443f0205cd6e

    SHA256

    075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163

    SHA512

    1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25