917055fd75c7fc4a33abc43b0afeb95565346f3a4a5e252afb7b1b59584194a5

Analysis

max time kernel
137s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
25/04/2024, 01:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-25_0f83186126b0c0346c2a904ec04a77d5_bkransomware.exe
Size

332KB
MD5

0f83186126b0c0346c2a904ec04a77d5
SHA1

ba4dd6b1d3b1541bad3bda60bf059053eb688c93
SHA256

917055fd75c7fc4a33abc43b0afeb95565346f3a4a5e252afb7b1b59584194a5
SHA512

853a56855203d78fe41374a09379ce4a1d09f0bad0bfa25ad137d785f0a22e14663e2d6c8b925352f133708ea2ec5d2cf5990a5a5462e4f513d890a29639c991
SSDEEP

6144:xZ8azqsUxfpG9Fdcvs6fnWkHLvD8ueulqn3MYejyq/gpHV:xC0qjfDvvgDuUdejrg/

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1484	Q7OUAPNgcAj6LPe.exe
4524	CTS.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	2024-04-25_0f83186126b0c0346c2a904ec04a77d5_bkransomware.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CTS.exe	2024-04-25_0f83186126b0c0346c2a904ec04a77d5_bkransomware.exe
File created	C:\Windows\CTS.exe	CTS.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2656	2024-04-25_0f83186126b0c0346c2a904ec04a77d5_bkransomware.exe
Token: SeDebugPrivilege	4524	CTS.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 1484	2656	2024-04-25_0f83186126b0c0346c2a904ec04a77d5_bkransomware.exe	84
PID 2656 wrote to memory of 1484	2656	2024-04-25_0f83186126b0c0346c2a904ec04a77d5_bkransomware.exe	84
PID 2656 wrote to memory of 4524	2656	2024-04-25_0f83186126b0c0346c2a904ec04a77d5_bkransomware.exe	86
PID 2656 wrote to memory of 4524	2656	2024-04-25_0f83186126b0c0346c2a904ec04a77d5_bkransomware.exe	86
PID 2656 wrote to memory of 4524	2656	2024-04-25_0f83186126b0c0346c2a904ec04a77d5_bkransomware.exe	86

C:\Users\Admin\AppData\Local\Temp\2024-04-25_0f83186126b0c0346c2a904ec04a77d5_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-25_0f83186126b0c0346c2a904ec04a77d5_bkransomware.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Users\Admin\AppData\Local\Temp\Q7OUAPNgcAj6LPe.exe
  C:\Users\Admin\AppData\Local\Temp\Q7OUAPNgcAj6LPe.exe
  2⤵
  - Executes dropped EXE
  PID:1484
- C:\Windows\CTS.exe
  "C:\Windows\CTS.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:4524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Filesize
392KB

MD5
14a57f4e7db90a6a13deb4c74d8d2274

SHA1
f4a91706f3221e12520ee45680de444234f5b2ce

SHA256
48ea86135a161d8be21d59c9042afefc21f1aa9241390509ce1db0c3111b9e74

SHA512
067d92be6368f97e579f6380af9159966fb960ad3cf4c734c792d29de0b494758b1884c66c1663d948fb1822f3abee240a8a2cadabc43a5d65673da13914abf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Q7OUAPNgcAj6LPe.exe

Filesize
332KB

MD5
9d8ddda8c37d4afa0bb15ea3d32d9982

SHA1
580fb297d023126e9a61dc464535a010214a23d7

SHA256
f0219860789d4823bce18849bbd0f755928aa81ea99928f68091c448e34f8b76

SHA512
3d1d07f94a356253be8f5901c1cea3faf154bc96be96478cd837acb273ab2e998bfaa50f638920725bfbf481f0e98c168b23a154de060e08e238efe336c6cc79

Download Submit
C:\Users\Admin\AppData\Local\Temp\Q7OUAPNgcAj6LPe.exe

Filesize
261KB

MD5
9dce6a120d094e5c925b967c4bb36277

SHA1
1ab60840e8d8ed14619fab2d1559f989f01f01a9

SHA256
3052784f3683c2bbe95f59560eb311e75f1eac7aa5476a91bbd9fe4d2aef880a

SHA512
20a7a4b8ecb1262ed730c8299ad0ada2ad93327f0886e5fdefc89564ff7510595ec53ac5aa88747e0548315c3037125d83756e3ae4d9a813cc553c12991c94df

Download Submit
C:\Windows\CTS.exe

Filesize
71KB

MD5
f9d4ab0a726adc9b5e4b7d7b724912f1

SHA1
3d42ca2098475924f70ee4a831c4f003b4682328

SHA256
b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc

SHA512
22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads