ef2d13b1e43fdf1acd0237e797b43a88aef668c3160e054fb92cd8ae1dfb87ab

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
28-04-2024 10:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_4bc9ffb3e40815e89c46e511821a207b_bkransomware.exe
Size

73KB
MD5

4bc9ffb3e40815e89c46e511821a207b
SHA1

7dba7735b3a9b3534187975c4fa9cb87d1f11412
SHA256

ef2d13b1e43fdf1acd0237e797b43a88aef668c3160e054fb92cd8ae1dfb87ab
SHA512

14ecd188c3d9d262fd04c5d18e47a40c73d7d8f96735bc1ab7da3cda0bb260924f1a0262753a214fb0532460912a96f59c1858f2bef217625bae32f035080ae2
SSDEEP

1536:Fc8N7UsWjcd9w+AyabjDbxE+MwmvlzuazTWB:ZRpAyazIliazTm

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

CTS.exe

pid process

1664 CTS.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1664	CTS.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-04-28_4bc9ffb3e40815e89c46e511821a207b_bkransomware.exeCTS.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	2024-04-28_4bc9ffb3e40815e89c46e511821a207b_bkransomware.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

Drops file in Windows directory 2 IoCs

Processes:

2024-04-28_4bc9ffb3e40815e89c46e511821a207b_bkransomware.exeCTS.exe

description ioc process

File created C:\Windows\CTS.exe 2024-04-28_4bc9ffb3e40815e89c46e511821a207b_bkransomware.exe
File created C:\Windows\CTS.exe CTS.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-04-28_4bc9ffb3e40815e89c46e511821a207b_bkransomware.exeCTS.exe

description pid process

Token: SeDebugPrivilege 1720 2024-04-28_4bc9ffb3e40815e89c46e511821a207b_bkransomware.exe
Token: SeDebugPrivilege 1664 CTS.exe

description	ioc	process
File created	C:\Windows\CTS.exe	2024-04-28_4bc9ffb3e40815e89c46e511821a207b_bkransomware.exe
File created	C:\Windows\CTS.exe	CTS.exe

description	pid	process
Token: SeDebugPrivilege	1720	2024-04-28_4bc9ffb3e40815e89c46e511821a207b_bkransomware.exe
Token: SeDebugPrivilege	1664	CTS.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

2024-04-28_4bc9ffb3e40815e89c46e511821a207b_bkransomware.exe

description	pid	process	target process
PID 1720 wrote to memory of 1664	1720	2024-04-28_4bc9ffb3e40815e89c46e511821a207b_bkransomware.exe	CTS.exe
PID 1720 wrote to memory of 1664	1720	2024-04-28_4bc9ffb3e40815e89c46e511821a207b_bkransomware.exe	CTS.exe
PID 1720 wrote to memory of 1664	1720	2024-04-28_4bc9ffb3e40815e89c46e511821a207b_bkransomware.exe	CTS.exe
PID 1720 wrote to memory of 1664	1720	2024-04-28_4bc9ffb3e40815e89c46e511821a207b_bkransomware.exe	CTS.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4bc9ffb3e40815e89c46e511821a207b_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_4bc9ffb3e40815e89c46e511821a207b_bkransomware.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1664

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cZ5Ej47JaAuEMEj.exe
Filesize
73KB

MD5
ba6c9d147c1977d28149d836fb93beaf

SHA1
5886012b118b32118661f107271aa0f1cc40b275

SHA256
43c82b39277efe186551944ae9f6efe3a4fd886c5cfddabc5c7fcb4a6eb17cff

SHA512
0930a4074260a3f0721c463f7b89c73ce37b05ce465bbcbba42bb99dfefb028dcd28a518b1a5fab4ea5ea8534739923b0856aa28f7f8b901c949b51d7385f6fe

Download Submit
C:\Windows\CTS.exe
Filesize
71KB

MD5
f9d4ab0a726adc9b5e4b7d7b724912f1

SHA1
3d42ca2098475924f70ee4a831c4f003b4682328

SHA256
b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc

SHA512
22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads