Analysis

  • max time kernel
    92s
  • max time network
    93s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/06/2024, 07:34

General

  • Target

    2024-06-09_cf39085b9da0db42e767436878da1cf6_bkransomware.exe

  • Size

    71KB

  • MD5

    cf39085b9da0db42e767436878da1cf6

  • SHA1

    e04ad1d12a3bd14bb1d5c9ab1bc2b751cfaad55a

  • SHA256

    04c56b9ff809aaef4afafe40c233fa1f9264b9783216e76c1311528651f706af

  • SHA512

    cbc42bba577dcf6034dce05d7c76efa1e7e0fc885f8047c1edf8e0683fd2c4b3e2fa5d266edd8ea9c2bdaeba59c0236142630ca4416037039cf9fbb9be06d972

  • SSDEEP

    1536:Fc8N7UsWjcd9w+AyabjDbxE+MwmvlzuazT8:ZRpAyazIliazT8

Malware Config

Signatures

  • Executes dropped EXE (1 IoC)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers commonly target stored browser profile data, which can include saved credentials, cookies and browsing history.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Drops file in Windows directory (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-09_cf39085b9da0db42e767436878da1cf6_bkransomware.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-09_cf39085b9da0db42e767436878da1cf6_bkransomware.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1192
    • C:\Windows\CTS.exe
      "C:\Windows\CTS.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:1860

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

    Filesize

    394KB

    MD5

    a2cb39f7f05c0026c5c15c557b542510

    SHA1

    0f2363a80ccaab74676b1e2a02fda906775c62ab

    SHA256

    11b0fd4c1d5914b8f8a6b89150d4c2a88290d10a592ae36cceae54038fa0fb33

    SHA512

    a19d99a48b8b11cbdb6cd4cc1a9a5435c2dd9907e124e61cc07b590c001d0d1247089fc928323d5e02ff62eb10fd06edafa99cdb624c0d6e042b252a2b33841f

  • C:\Users\Admin\AppData\Local\Temp\7DyZlddg3KulNwS.exe

    Filesize

    71KB

    MD5

    3afc8ad34d6422a1a987e76a11ba47f0

    SHA1

    1bbbe728f732da1021ee798d3a2184ca8e408f45

    SHA256

    93a5921ad895900c1fe8c386d5e4fc6cc1fcf34a0046d08c689ebcde32c854df

    SHA512

    93cc41fac320c160678656ad0a544bf1df7153fee8fc43afce64826ffe48c7141e7b4d338440fb0a527adef9855fee8308ed073d5640b51bb3b553c13094ff8d

  • C:\Windows\CTS.exe

    Filesize

    71KB

    MD5

    f9d4ab0a726adc9b5e4b7d7b724912f1

    SHA1

    3d42ca2098475924f70ee4a831c4f003b4682328

    SHA256

    b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc

    SHA512

    22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432
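A host-side check for the indicators this report lists, added here as an example; it is not part of the sandbox report and not code from the sample. It takes the SHA256 values from the General and Downloads sections and the paths from the process tree. The report states only that a Run key was added, not the value name or its data, so the persistence check matches Run values on the dropped image names, which is an assumption. Note that C:\Windows\CTS.exe and the Temp-stage 7DyZlddg3KulNwS.exe are both 71KB like the submitted sample but carry different hashes, so a hunt keyed only on the submitted file's MD5/SHA256 would miss the persistence copy; the script therefore checks each dropped file against its own hash.

```powershell
#Requires -RunAsAdministrator
# Host hunt for the indicators in the report above. Added example, not code from the
# sandbox or the sample. SHA256 values are copied from the General and Downloads sections.
# ASSUMPTION: the report says only that a Run key was added, not the value name or data,
# so persistence is matched on the dropped image names rather than a known value name.

$FileIocs = @(
    @{ Name = 'CTS.exe'
       Sha256 = 'b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc' }
    @{ Name = '7DyZlddg3KulNwS.exe'
       Sha256 = '93a5921ad895900c1fe8c386d5e4fc6cc1fcf34a0046d08c689ebcde32c854df' }
    @{ Name = '2024-06-09_cf39085b9da0db42e767436878da1cf6_bkransomware.exe'
       Sha256 = '04c56b9ff809aaef4afafe40c233fa1f9264b9783216e76c1311528651f706af' }
)

# Locations seen in the process tree and Downloads list: C:\Windows and each profile's
# AppData\Local\Temp (the sandbox user was "Admin"; real hosts have other profile names).
$SearchDirs = @('C:\Windows') + @(
    Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName 'AppData\Local\Temp' }
)

$Findings = [System.Collections.Generic.List[object]]::new()

# File indicators: report a name hit even when the hash differs, since the dropped
# copies in the report already differ from the submitted sample while keeping its size.
foreach ($dir in $SearchDirs) {
    foreach ($ioc in $FileIocs) {
        $path = Join-Path $dir $ioc.Name
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { continue }
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLower()
        if ($hash -eq $ioc.Sha256) { $detail = 'SHA256 matches report' }
        else { $detail = "name matches, SHA256 differs: $hash" }
        $Findings.Add([pscustomobject]@{ Type = 'File'; Where = $path; Detail = $detail })
    }
}

# Persistence: both processes in the tree add a Run key. Check the machine-wide keys,
# the current user, and every loaded user hive under HKEY_USERS.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
) + @(
    Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        ForEach-Object { "Registry::$($_.Name)\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" }
)

$Pattern = '(?i)\bCTS\.exe\b|7DyZlddg3KulNwS\.exe|_bkransomware\.exe'   # assumed value data
foreach ($key in $RunKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # provider metadata (PSPath etc.), not a Run value
        if ("$($p.Value)" -match $Pattern) {
            $Findings.Add([pscustomobject]@{ Type = 'RunKey'; Where = "$key\$($p.Name)"; Detail = $p.Value })
        }
    }
}

# Live process: the sandbox ran C:\Windows\CTS.exe as PID 1860; PIDs differ per host,
# so match on image name and report the path it was started from.
Get-Process -Name 'CTS' -ErrorAction SilentlyContinue | ForEach-Object {
    $Findings.Add([pscustomobject]@{ Type = 'Process'; Where = "PID $($_.Id)"; Detail = $_.Path })
}

if ($Findings.Count -eq 0) { Write-Output 'No indicators from this report found on this host.' }
else { $Findings | Format-Table -AutoSize }
```

Run it from an elevated PowerShell session on the host under review; reading other users' Temp directories and their loaded hives under HKEY_USERS needs administrator rights, which is why the script carries `#Requires -RunAsAdministrator`. A file hit whose hash differs is still worth triaging, because the report shows this sample writes copies that keep the 71KB size but not the hash.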