Analysis

  • max time kernel
    132s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-05-2024 00:42

General

  • Target

    2024-05-23_8711fdc59c26eac3fce8923e38ce9d18_bkransomware.exe

  • Size

    71KB

  • MD5

    8711fdc59c26eac3fce8923e38ce9d18

  • SHA1

    fceddd73c2c75773f227177db7754ea64d1a1d36

  • SHA256

    fb2f60148e7abc328515313b4eab43b841164d76212641d821a5ffc65bde0463

  • SHA512

    26146997148b4008eda6cccf0a0c43cda598c9d6fb4d46c723d87291983760f85a5fa708c019d78ffa2b8bcbd11f8aadecb7d547becfa56cde69ad285c3e4793

  • SSDEEP

    1536:Fc8N7UsWjcd9w+AyabjDbxE+MwmvlzuazTL:ZRpAyazIliazTL

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-05-23_8711fdc59c26eac3fce8923e38ce9d18_bkransomware.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-05-23_8711fdc59c26eac3fce8923e38ce9d18_bkransomware.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1292
    • C:\Windows\CTS.exe
      "C:\Windows\CTS.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:3796

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

    Filesize

    394KB

    MD5

    d4d6f088fa6394471e086bfdbd9081dd

    SHA1

    24de60cb93f1ea1e78921e902430a10ebaa220fc

    SHA256

    897e630faa3a73a914805ebd9bdc5c8b36862a1b2fa1495014a5da5ea5675dea

    SHA512

    592db02259d11082fa869b63628651ce25afbada1e863afff3ae141e332c8fab129fc20edd02dbd77c13a727a5dbc50ce8826a441518a49d3900de498b25df21

  • C:\Users\Admin\AppData\Local\Temp\4Qa6hE4HnCgJaxp.exe

    Filesize

    71KB

    MD5

    1d947ed56a37a3169d8c7a7b615f3e57

    SHA1

    8617e0f23c62a8e399e86131b217bae7a494c2cd

    SHA256

    3b62e5fd12ec692a297fd136f6cdaa613385670b0f554cbd61de10e56f1daf69

    SHA512

    a40f65e533d3bcf0602baa0b4e07cb9ed5ee1b4cb035962ff9e3319b690cae428caf717b059a20dc4dab3c77293d87a9fbc1f6f51db42ba86cb4ae54c935411f

  • C:\Windows\CTS.exe

    Filesize

    71KB

    MD5

    f9d4ab0a726adc9b5e4b7d7b724912f1

    SHA1

    3d42ca2098475924f70ee4a831c4f003b4682328

    SHA256

    b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc

    SHA512

    22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432