Analysis

  • max time kernel
    131s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27-05-2024 06:36

General

  • Target

    2024-05-27_aca7b8ee0d6846564ad083cd3758902a_bkransomware.exe

  • Size

    71KB

  • MD5

    aca7b8ee0d6846564ad083cd3758902a

  • SHA1

    18ad718453dc5c34e0002470084511b839a46f54

  • SHA256

    9665ffbe036b6b4d6cf6e02b38b50cb5efd4af90d56eed0c13b0ebd325f8c94f

  • SHA512

    26bae61277fd814ea17c907b49153d579856c1844593824f6303c153209c8c1ac72e75640c3a46c31d39459fb195ce872db77a3c7ab893eb0ed761bc8ce3a1d5

  • SSDEEP

    1536:Fc8N7UsWjcd9w+AyabjDbxE+MwmvlzuazTe:ZRpAyazIliazTe

Signatures

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-05-27_aca7b8ee0d6846564ad083cd3758902a_bkransomware.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-05-27_aca7b8ee0d6846564ad083cd3758902a_bkransomware.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3204
    • C:\Windows\CTS.exe
      "C:\Windows\CTS.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:2400

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

    Filesize

    392KB

    MD5

    f5ccf83df63d51ed13c86ce1f641e290

    SHA1

    28cbbcaaaa0deac078b5d8fb72b9e00de41508b9

    SHA256

    8409548c220a9394f7416a7688ff7e996ef1dc8642b915459feee351ec7351d8

    SHA512

    ebe9dc3e202bd56e689e24ae81d7208d9c89752c56701fdf58ea487b75f7f5d1c3796a5e5f39e16ac3b23479c0229d937dfc69a03da4813f94179956b3065b22

  • C:\Users\Admin\AppData\Local\Temp\zh55gDmDEvBBKU4.exe

    Filesize

    71KB

    MD5

    d9941a0ed9c1387b0277b45e3b782b40

    SHA1

    11cfca64e76ed375fd90de87b4b47916a7f79dd3

    SHA256

    69def515d2e78339d9080ad580dd056c7cdec5d47878429fd23243671f6940db

    SHA512

    0052317d4e746dab40559e2669e1dfe7b5aba456c5f02d056ec53547bd1fdd1bfbfcdb71dd1b2223ddb8d57a0e0ac7ff7db9731879f868b8d0a05c66b5999ef1

  • C:\Windows\CTS.exe

    Filesize

    71KB

    MD5

    f9d4ab0a726adc9b5e4b7d7b724912f1

    SHA1

    3d42ca2098475924f70ee4a831c4f003b4682328

    SHA256

    b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc

    SHA512

    22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432