Analysis

  • max time kernel
    134s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26/05/2024, 11:44

Errors

Reason
Task went missing from backend

General

  • Target

    2024-05-26_a6c2da62e1eafd6e088d165f122f27cb_bkransomware.exe

  • Size

    71KB

  • MD5

    a6c2da62e1eafd6e088d165f122f27cb

  • SHA1

    1af00e798010b9b999921c35153db81d0da023e0

  • SHA256

    06ae3631e881c3b0ca604e0aef7692206074bd1540146606632220ecdd828ab8

  • SHA512

    5a34e02921031d88e1c31eaa68032b5b968cabd04bbc2ca9fb3d78d219eb916a82bf7adf923f40927544cdcaae63fbd223db50e65e561acb048f856c59b30a75

  • SSDEEP

    1536:Fc8N7UsWjcd9w+AyabjDbxE+MwmvlzuazTo:ZRpAyazIliazTo

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-05-26_a6c2da62e1eafd6e088d165f122f27cb_bkransomware.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-05-26_a6c2da62e1eafd6e088d165f122f27cb_bkransomware.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4828
    • C:\Windows\CTS.exe
      "C:\Windows\CTS.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:1276

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

          Filesize

          392KB

          MD5

          8c1054e0e8d4c93742cdcc7a7b1136b9

          SHA1

          539ee9260995b39227e4a3294d9c5bafb0825e79

          SHA256

          6800646d7835164821f1d26bc52e83e065c4d9c23189a870d8f015f7dd6138b0

          SHA512

          31a26d8e217ea2b9af402884ddd0a99755d4d423fe96bef90ce129b52ba793b1931fca46f1ea6e91b3671f4c30a2a1fff086fc2f52bd3a69ba8bb9ecd33da3f7

        • C:\Users\Admin\AppData\Local\Temp\2JqD9K0hFYEtJbV.exe

          Filesize

          71KB

          MD5

          d39473a9c09d0561291766f1ff29658a

          SHA1

          a6302bbe4e87fd1de8ba7126f75c2150872dc088

          SHA256

          e96143ceee906a8db801cceddbe658d8054848b937d99ec6de3dfb116a35fd0a

          SHA512

          e8e984c7c961a1fa3c72a27b4b4d134cfe282774cb085786f660ddcabec00b3238a2a8fba230d252fab7bacc4186aff85b3bf76609112be80339b4fdb3681f6d

        • C:\Windows\CTS.exe

          Filesize

          71KB

          MD5

          f9d4ab0a726adc9b5e4b7d7b724912f1

          SHA1

          3d42ca2098475924f70ee4a831c4f003b4682328

          SHA256

          b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc

          SHA512

          22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432