Analysis

  • max time kernel
    134s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04-06-2024 00:49

General

  • Target

    2024-06-04_7f7b563cc77e13904ee0314a725cd083_bkransomware.exe

  • Size

    71KB

  • MD5

    7f7b563cc77e13904ee0314a725cd083

  • SHA1

    08f89112dfdbdb88257d8320846d864b48e9048a

  • SHA256

    06d6584f45c5204cf03d122f344f333b8a0562872a3dc1ad9260d4595ca605c5

  • SHA512

    97728b54f71e8c419b1702e963e13de011271893d4ac1f41ec6439b71d8414019d77204cdbf9f453245bd3c8d2bd2cd79c559a8d93541d6849e9b65035f12087

  • SSDEEP

    1536:Fc8N7UsWjcd9w+AyabjDbxE+MwmvlzuazT0:ZRpAyazIliazT0

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-04_7f7b563cc77e13904ee0314a725cd083_bkransomware.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-04_7f7b563cc77e13904ee0314a725cd083_bkransomware.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4800
    • C:\Windows\CTS.exe
      "C:\Windows\CTS.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:4584
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4604,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=1304 /prefetch:8
    1⤵
      PID:3140

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

      Filesize

      392KB

      MD5

      97bfd814f0f1f26d5004e9d0ec1c1525

      SHA1

      ffdafdc6931b4793f678d2a6641f7a0bf39c147a

      SHA256

      d6f4769042940c40da5ed3fb5d943ae07c733f5594291d6a7a5f61ddd1833618

      SHA512

      85ab141eb76ee006699cd6d42db1dd809a98e80d3f6defd1c213501d2afc20114089d35cbd8a59044b0b329b7fa35e5919cc347c76317392dd2ddb21bc05ecd5

    • C:\Users\Admin\AppData\Local\Temp\6KP7BEPXN1hJuxa.exe

      Filesize

      71KB

      MD5

      eb6e6e8eede8917ac7635e58800412cc

      SHA1

      e1b940548e4b903fb466a2926c6f7691956a774a

      SHA256

      ad074e25969b956b25f1b58b7342831649bdefb48a6157609bbe8bf96668c295

      SHA512

      da3ec78b165d759b4e9d94b81e9dbefc71ce4216fe5c33fd84d8a56d48d05c3f60660b259555c90a423ac289860dd011693b3415d23735e26acb028a9fa5bc92

    • C:\Windows\CTS.exe

      Filesize

      71KB

      MD5

      f9d4ab0a726adc9b5e4b7d7b724912f1

      SHA1

      3d42ca2098475924f70ee4a831c4f003b4682328

      SHA256

      b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc

      SHA512

      22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432