Analysis

  • max time kernel: 125s
  • max time network: 127s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240611-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 13-06-2024 04:25

General

  • Target: 2024-06-13_3a5b1baa996b35b243dd161b3e4b292a_bkransomware.exe
  • Size: 71KB
  • MD5: 3a5b1baa996b35b243dd161b3e4b292a
  • SHA1: 998fc1e4f533139fa5a4205305c99b58e2aaab15
  • SHA256: b732cd56ad5917c6e082eb84073c11575c1b4db0560d5257a204112d081c7bae
  • SHA512: 6148ae456f6faa526e76ff00ff61514ee831e060890fc3a70dd59be23ddbe4f02204dc2e0cc30e2d993208e0a870b9a1431c5bc836ad30a3d0a8019d9ff1a429
  • SSDEEP: 1536:Fc897UsWjcd9w+AyabjDbxE+MwmvlDuazTC:ZhpAyazIlyazTC

Signatures

  • Executes dropped EXE (1 IoC)
  • Reads user/profile data of web browsers (2 TTPs)
    Infostealers often target stored browser data, which can include saved credentials etc.
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Drops file in Windows directory (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-13_3a5b1baa996b35b243dd161b3e4b292a_bkransomware.exe (PID 3100)
    "C:\Users\Admin\AppData\Local\Temp\2024-06-13_3a5b1baa996b35b243dd161b3e4b292a_bkransomware.exe"
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • C:\Windows\CTS.exe (PID 3184, child of PID 3100)
      "C:\Windows\CTS.exe"
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5040)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4184,i,11751898164297348119,13021661521765644467,262144 --variations-seed-version --mojo-platform-channel-handle=3928 /prefetch:8

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
    Filesize: 392KB
    MD5: f65e522a3861b2fafee1fce8fbfa9189
    SHA1: a9261c3a222863d713b4975e1599b6fdcc4dc0da
    SHA256: 8df62214fb2962d81689b72154dc7d9d6f43ed2b06755857904fed0df4c53b43
    SHA512: 1c9454140882a4eccec2bcc400b256f1e164613dbf8b4d10e413c37a30cc6a804d8bc71c1646a48a88e2605fda4315dda27f753dd7abcb31da7a0f4f27bc4fc6

  • C:\Users\Admin\AppData\Local\Temp\YU5YMXRpqiua8Dw.exe
    Filesize: 71KB
    MD5: 26ef93be0287b6a63277afb2b6bd56ac
    SHA1: 19f4997052ab68f245e31d570571ee4f00e32f65
    SHA256: 3895687c754f7b6f702128f26ca5e2e604d9ad1a3d1b18147f6b74d858fe14da
    SHA512: 1a969c92704fa26016ccb806848393720ee6cab9b67f5efac244599ada94be42e1658f2c313644f3e845e9eda040444d8dfa0925eb607b830622c352f25754e4

  • C:\Windows\CTS.exe
    Filesize: 71KB
    MD5: 66df4ffab62e674af2e75b163563fc0b
    SHA1: dec8a197312e41eeb3cfef01cb2a443f0205cd6e
    SHA256: 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163
    SHA512: 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25