Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    12-06-2024 14:41

General

  • Target

    2024-06-12_679c3344329b0d32d28bd1c392772082_bkransomware.exe

  • Size

    71KB

  • MD5

    679c3344329b0d32d28bd1c392772082

  • SHA1

    e321ef63f793d6c76378c73bf9fc43a86c57fff4

  • SHA256

    cea8457cf83420c20d47290e0527895f0c572d68527ad2e0011e1e64827e40ba

  • SHA512

    ed787a9d5b152b8b29671c215b71390b004fdec74d137058410ffa4051b9a32679447b75d89bce901f0292d810cadf82d9d9f63c2f42fba3502d3709576b3acb

  • SSDEEP

    1536:Fc897UsWjcd9w+AyabjDbxE+MwmvlDuazTo:ZhpAyazIlyazTo

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-12_679c3344329b0d32d28bd1c392772082_bkransomware.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-12_679c3344329b0d32d28bd1c392772082_bkransomware.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2188
    • C:\Windows\CTS.exe
      "C:\Windows\CTS.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:2960

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\9lX0HaFv8UEbRRg.exe

    Filesize

    71KB

    MD5

    a28180b3da6b4878cfceff21f5e1484b

    SHA1

    deb4642be300e0f665fba73c86f49f9f896deedc

    SHA256

    2d3d47edd10febb1d7df2e8b858eb59f11e9c5d30f444df64cae7f8d860d88ee

    SHA512

    0f885c1461ddf1d86037f5c2cb7be48ec9e72fce49ab1c9883e8b29dc0c7994e72e88d4f75b20a054f154fbaf1e180675e62f372b67c1f532bc7a32b12d5b5bf

  • C:\Windows\CTS.exe

    Filesize

    71KB

    MD5

    66df4ffab62e674af2e75b163563fc0b

    SHA1

    dec8a197312e41eeb3cfef01cb2a443f0205cd6e

    SHA256

    075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163

    SHA512

    1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25