Analysis

  • max time kernel
    118s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    27/09/2024, 17:07

General

  • Target

    2024-09-27_65f3b36e805f1d21d1f706b426f7b829_bkransomware.exe

  • Size

    4.4MB

  • MD5

    65f3b36e805f1d21d1f706b426f7b829

  • SHA1

    bebe8c3af0e3673d16e4f27a906c3f67b1025bcd

  • SHA256

    0725b5ef4690ca3c8c4c40edb38876ab88b20eb524757f14e391b47d7b74eff7

  • SHA512

    2eca30cc29246e0044870b6864a1b8aa273d2bc4209e223f5a53ee120eec0f2fa41d415a5102719f9766276bfebb58583a3e91f18d9db6cce84313aacd6c6e99

  • SSDEEP

    98304:DLyy33O7gGMaaUyUAZIW4yy+7tnt4yrQV1dip:yyH6gxaaUsKj+H/rb

Malware Config

Signatures

  • Executes dropped EXE (1 IoC)
  • Reads user/profile data of web browsers (3 TTPs)

    Infostealers often target stored browser data, which can include saved credentials and similar secrets.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Drops file in Windows directory (2 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 1 IoC)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-27_65f3b36e805f1d21d1f706b426f7b829_bkransomware.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-27_65f3b36e805f1d21d1f706b426f7b829_bkransomware.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3056
    • C:\Windows\CTS.exe
      "C:\Windows\CTS.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:1996

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\pk1bjpRY3dJL6Vy.exe

    Filesize
    4.4MB

    MD5
    c4b412828a537756a6603ceb60bc9365

    SHA1
    547fd4fae440f4a7fc2839c9fd1ba2b425efa5e7

    SHA256
    d78a68cda8bceba58c6aa58ec481bac5071f6cada52fb35548a295e5e5c2aa64

    SHA512
    a76a2c4c27b23df26ec77e6afe3f5a06e9cc8b52a3fb4d11f27b1a5787b694b027b0f0bfb155694326119d1aa84af80cd117e984b95fe13ecebf7cb6f165c86b

  • C:\Windows\CTS.exe

    Filesize
    71KB

    MD5
    66df4ffab62e674af2e75b163563fc0b

    SHA1
    dec8a197312e41eeb3cfef01cb2a443f0205cd6e

    SHA256
    075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163

    SHA512
    1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25