Overview

overview

7

Static

static

3

2024-05-01...re.exe

windows7-x64

7

2024-05-01...re.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    147s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-05-2024 03:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-05-01_e486cc9bd900567fc44273f7d716e9a0_bkransomware.exe

  • Size

    918KB

  • MD5

    e486cc9bd900567fc44273f7d716e9a0

  • SHA1

    7019449445b1a4484aef30704b2f846a2f0c4e01

  • SHA256

    d801b67f8b5ee1fd9a883756bf2515434880b52a6232f59c377ba88fdc42af90

  • SHA512

    ab71c32591950b8dc8ca21a3d73d36bcacd3e56622209da6d4e60d8af53f4eef8b87a7ba078072f7f62f524406e0b87145ce6903ebf106aaa51da93c129741f8

  • SSDEEP

    24576:DCinrKrk8l4PUGArGUWGifscVBcwZvXYPiJFWzbQO6XGM:DC2azkUGArqGCD3CeY/QORM

Score
7/10
discoverypersistencespywarestealer

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Windows directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-05-01_e486cc9bd900567fc44273f7d716e9a0_bkransomware.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-05-01_e486cc9bd900567fc44273f7d716e9a0_bkransomware.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:220
    • C:\Users\Admin\AppData\Local\Temp\9ypSmzh6x5gtgZl.exe
      C:\Users\Admin\AppData\Local\Temp\9ypSmzh6x5gtgZl.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4068
      • C:\Windows\Temp\{8564F32C-E302-4B94-B5B5-427EB2520528}\.cr\9ypSmzh6x5gtgZl.exe
        "C:\Windows\Temp\{8564F32C-E302-4B94-B5B5-427EB2520528}\.cr\9ypSmzh6x5gtgZl.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\9ypSmzh6x5gtgZl.exe" -burn.filehandle.attached=540 -burn.filehandle.self=548
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:1452
    • C:\Windows\CTS.exe
      "C:\Windows\CTS.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:4784

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
    Filesize

    394KB

    MD5

    2e345c36bd13fe4c157e7b86fe2cfd20

    SHA1

    407637ebbbe484181ac9910faa72058f7c4bedc4

    SHA256

    8efec5c142dad37ce1aea4317c86fd2c8a323ed0f880de44253868ee96f42647

    SHA512

    b9995eebeff54b5bdaa131b5b7c806084eebe1761975861e9491aecbf19bdd8d51c3b085da233cfd8b5da945c6b1533fc62d991ff6a8b4eebe2988a09f94573e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\9ypSmzh6x5gtgZl.exe
    Filesize

    847KB

    MD5

    29bf0d271cc659ddd598c564e3e9adb5

    SHA1

    7f21ce21bc79ca6df7a27b0090cdb75be75302d3

    SHA256

    550962c4268923bf764797577346b6922493b925b8d17565186bf4b74295193c

    SHA512

    db2a9874aebf6ed6026ee4e8cde71d124706dc269e072d9cbdd715429e4decb84413289eed3f0fbc2ba80a2a25e4f0376dc08f30e1cd566c1974bc84a1535823

    Download Submit

  • C:\Windows\CTS.exe
    Filesize

    71KB

    MD5

    f9d4ab0a726adc9b5e4b7d7b724912f1

    SHA1

    3d42ca2098475924f70ee4a831c4f003b4682328

    SHA256

    b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc

    SHA512

    22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432

    Download Submit

  • C:\Windows\Temp\{805B5A4D-1640-4C6D-A7BE-43B436EB4E72}\.ba\PythonBA.dll
    Filesize

    650KB

    MD5

    67c295f6b2a53365885879907f4aca36

    SHA1

    0c8e4f9e5af43f0f4c9f42b23c9c19a33011c29a

    SHA256

    560739d8eb7d23641260ac5950e8693d376b1714b6ae1e202e74e7e2216ff961

    SHA512

    e8eccf168976a86d5a2bd4be4bb05bd8971afa1f2b3fcd460aac7eda431da0b021b96db71be270be433aa4b2347003dc9e69c43a67c0a7422c8b9a21068a8bb9

    Download Submit

  • C:\Windows\Temp\{805B5A4D-1640-4C6D-A7BE-43B436EB4E72}\.ba\SideBar.png
    Filesize

    50KB

    MD5

    888eb713a0095756252058c9727e088a

    SHA1

    c14f69f2bef6bc3e2162b4dd78e9df702d94cdb4

    SHA256

    79434bd1368f47f08acf6db66638531d386bf15166d78d9bfea4da164c079067

    SHA512

    7c59f4ada242b19c2299b6789a65a1f34565fed78730c22c904db16a9872fe6a07035c6d46a64ee94501fbcd96de586a8a5303ca22f33da357d455c014820ca0

    Download Submit