Overview

overview

7

Static

static

3

2024-05-03...re.exe

windows7-x64

7

2024-05-03...re.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    135s
  • max time network
    103s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/05/2024, 17:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-05-03_0899f40de23e17d03af1418b76d4f80c_bkransomware.exe

  • Size

    918KB

  • MD5

    0899f40de23e17d03af1418b76d4f80c

  • SHA1

    7245018c4a0ffeb02d0e229dbf5622cd44a54cd9

  • SHA256

    4f117c2022a64e2b28d114c36e0443a6fcee334004b85f4f870112b077368b11

  • SHA512

    5f0bebbe7fd15afb5d94452eaedf24add7bc4156c777e7d78ab7caa620c07634c612b0efb1da60c06bb07ea9d7f95ea620818bf79cb5a639d0e0c0c1dcf2f4f7

  • SSDEEP

    24576:DZNYSmSmoR+d665h7psR35EOUdltP4nLReqZpyZ9tj:DvYSmSm9dx5h7psl5ctP4LDPyfR

Score
7/10
discoverypersistencespywarestealer

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Windows directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-05-03_0899f40de23e17d03af1418b76d4f80c_bkransomware.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-05-03_0899f40de23e17d03af1418b76d4f80c_bkransomware.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4788
    • C:\Users\Admin\AppData\Local\Temp\s2HZz7etSWWdnwQ.exe
      C:\Users\Admin\AppData\Local\Temp\s2HZz7etSWWdnwQ.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4312
      • C:\Windows\Temp\{08EDD4C8-0DA9-4954-8D24-149942889509}\.cr\s2HZz7etSWWdnwQ.exe
        "C:\Windows\Temp\{08EDD4C8-0DA9-4954-8D24-149942889509}\.cr\s2HZz7etSWWdnwQ.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\s2HZz7etSWWdnwQ.exe" -burn.filehandle.attached=696 -burn.filehandle.self=544
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:2204
    • C:\Windows\CTS.exe
      "C:\Windows\CTS.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:3112

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
    Filesize

    392KB

    MD5

    90844b54990973aa01379cae6fa3a3e0

    SHA1

    0983aedc4380a7b59b38b0a378b9484b080f8644

    SHA256

    4725c09ca1b9c64cd41e4bdf55a18c2631c98440550b296a405b15c2a1603911

    SHA512

    b6f83fc0e1e153c149c46b9097544584ca3e21b5fb401f88034adf35b57ff45a112aa0b9f0f3aed39f3cd0be706e67a9eb5e1242f2a57b330221be39561fd0fe

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\s2HZz7etSWWdnwQ.exe
    Filesize

    847KB

    MD5

    29bf0d271cc659ddd598c564e3e9adb5

    SHA1

    7f21ce21bc79ca6df7a27b0090cdb75be75302d3

    SHA256

    550962c4268923bf764797577346b6922493b925b8d17565186bf4b74295193c

    SHA512

    db2a9874aebf6ed6026ee4e8cde71d124706dc269e072d9cbdd715429e4decb84413289eed3f0fbc2ba80a2a25e4f0376dc08f30e1cd566c1974bc84a1535823

    Download Submit

  • C:\Windows\CTS.exe
    Filesize

    71KB

    MD5

    66df4ffab62e674af2e75b163563fc0b

    SHA1

    dec8a197312e41eeb3cfef01cb2a443f0205cd6e

    SHA256

    075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163

    SHA512

    1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25

    Download Submit

  • C:\Windows\Temp\{4015A92B-770B-467A-BA18-89F7FFAD2405}\.ba\PythonBA.dll
    Filesize

    650KB

    MD5

    67c295f6b2a53365885879907f4aca36

    SHA1

    0c8e4f9e5af43f0f4c9f42b23c9c19a33011c29a

    SHA256

    560739d8eb7d23641260ac5950e8693d376b1714b6ae1e202e74e7e2216ff961

    SHA512

    e8eccf168976a86d5a2bd4be4bb05bd8971afa1f2b3fcd460aac7eda431da0b021b96db71be270be433aa4b2347003dc9e69c43a67c0a7422c8b9a21068a8bb9

    Download Submit

  • C:\Windows\Temp\{4015A92B-770B-467A-BA18-89F7FFAD2405}\.ba\SideBar.png
    Filesize

    50KB

    MD5

    888eb713a0095756252058c9727e088a

    SHA1

    c14f69f2bef6bc3e2162b4dd78e9df702d94cdb4

    SHA256

    79434bd1368f47f08acf6db66638531d386bf15166d78d9bfea4da164c079067

    SHA512

    7c59f4ada242b19c2299b6789a65a1f34565fed78730c22c904db16a9872fe6a07035c6d46a64ee94501fbcd96de586a8a5303ca22f33da357d455c014820ca0

    Download Submit