Analysis

  • max time kernel: 55s
  • max time network: 51s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240419-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 30-04-2024 11:16

General

  • Target: 2024-04-30_7c30221242e28e316a6bf319d6077e93_bkransomware.exe
  • Size: 174KB
  • MD5: 7c30221242e28e316a6bf319d6077e93
  • SHA1: 6dc072baef88ddfe927ced46bfbb48d13d7e4bf6
  • SHA256: b5dab42797ee606a56349691b2a06e3eaf9c1f5b8a28d53e001268dcbf6265a1
  • SHA512: 544670b1f053e3d8ffaa3c521e00b8286c7b2496dbeeedf9c893bc4f8ec76788a85c12691cbb7489dd8f1720ee85726d638fdc385a2f0ab8a18b30d9233cd2ea
  • SSDEEP: 3072:ZRpAyazIliazTGZ+mmg834hQbnQff09wh1r7HyywbO3NDPHnuMBbYn:xZ8azihK3FbnQnjvruXchPH3Yn

Malware Config

Signatures

  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Drops file in Windows directory (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (5 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-30_7c30221242e28e316a6bf319d6077e93_bkransomware.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-30_7c30221242e28e316a6bf319d6077e93_bkransomware.exe"
    Tree depth: 1
    PID: 4692
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    Child processes:
    • C:\Users\Admin\AppData\Local\Temp\NrDzE9sDEFrQkZC.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\NrDzE9sDEFrQkZC.exe
      Tree depth: 2
      PID: 4780
      • Executes dropped EXE
    • C:\Windows\CTS.exe
      Command line: "C:\Windows\CTS.exe"
      Tree depth: 2
      PID: 3576
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
    Filesize: 392KB
    MD5: 8744322b9d8ca2ef712de743cac75189
    SHA1: e954c46a17ef3be1983dc2ea61e010aa7805990f
    SHA256: 25bd217c8e3d9b9cdf61e619171b76a41e94361eb8465c35cc7b28907b399728
    SHA512: e82df8c1f45e4f49cc7c0bdfc1005e0959879ff53e38dfc43b3bdd0b540d4e88cbb5a6889627e91b01b73650569c85ee249646fdf81f02aa45eb39a0c7f00135

  • C:\Users\Admin\AppData\Local\Temp\NrDzE9sDEFrQkZC.exe
    Filesize: 103KB
    MD5: 40e6081a84568a750c469df520dd0ae1
    SHA1: fcc160e9f213a7ce674861c9f4efab2b9f0b13d5
    SHA256: b33db48ce11539130b143caa2eec3a38c439de13a2aeffed07cb9b89bcc82fd4
    SHA512: 91feb528a2c033d0f5261a6c244b640a988d1a42caf0b8bd144a458555a1172e9ac7b23d2ff9304366559008cf3f92445ce59398a3756c0ed3ef343b824f82a2

  • C:\Windows\CTS.exe
    Filesize: 71KB
    MD5: f9d4ab0a726adc9b5e4b7d7b724912f1
    SHA1: 3d42ca2098475924f70ee4a831c4f003b4682328
    SHA256: b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc
    SHA512: 22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432