Analysis

  • max time kernel
    129s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/06/2024, 15:25

General

  • Target

    2024-06-02_acedaea97b6c0879f4dbdd9d2ed0bd75_bkransomware.exe

  • Size

    74KB

  • MD5

    acedaea97b6c0879f4dbdd9d2ed0bd75

  • SHA1

    12023674604e7803918fefa2cd0f3f77d01da876

  • SHA256

    a9f7c4d2716c64b45190b04b9a36861a6122b136f973079f4d4a6d72f5761b18

  • SHA512

    f7aff79ed71e785a300f6a2045a221b4f1cc4db13b636e8fe21f4dbdb8963f312e0935013f6b0199467c4d7d065917cf60a71a84ea977080e3c29bf0c7a47cb0

  • SSDEEP

    1536:Fc897UsWjcd9w+AyabjDbxE+MwmvlDuazTSZEar:ZhpAyazIlyazTE

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-02_acedaea97b6c0879f4dbdd9d2ed0bd75_bkransomware.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-02_acedaea97b6c0879f4dbdd9d2ed0bd75_bkransomware.exe"
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:968
    • C:\Windows\CTS.exe
      "C:\Windows\CTS.exe"
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:3688

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

          Filesize

          395KB

          MD5

          61dfdc4e999808f8e58a5b68c20f5c63

          SHA1

          5dab229d7878e2dfa43073ce61cd6c73d8250877

          SHA256

          9fb6144c404888a795685f68b3f8ceff1feccec67516e711e3590e9719c3cfd9

          SHA512

          e9a3b2525bc6a74198189d7d0ddbdb3e9dcb500623794f8af49b72bfc127b47fac8b1a89997e31e1ead3f96b30162983d3d9ccc54a1eac0ebe74fb020476fc08

        • C:\Users\Admin\AppData\Local\Temp\HDrFUcAJLyDOJpu.exe

          Filesize

          74KB

          MD5

          a8a35f0759bb26a32b8ebeaf36b7f36b

          SHA1

          0b3be30a844a009c8f4ee46470b92cc84c72452e

          SHA256

          ae1521458e125778a35f8ffd4d14a76146398cbc69ace2213e5b91e3fd600028

          SHA512

          a871170e77864119ac44681a6d3c6d31d1be55b0d99d1f5e64b0d9d4739d723744033a7d96ee5147e3d50ed1e027337fd42032d4d4df12b2ec431f5c0d767672

        • C:\Windows\CTS.exe

          Filesize

          71KB

          MD5

          66df4ffab62e674af2e75b163563fc0b

          SHA1

          dec8a197312e41eeb3cfef01cb2a443f0205cd6e

          SHA256

          075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163

          SHA512

          1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25