Analysis

max time kernel: 118s
max time network: 122s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 27-04-2024 22:30

Static task: static1

Behavioral task: behavioral1
Sample: 2024-04-27_50f3f26946f1dd189c301f9ea45df96a_bkransomware.exe
Resource: win7-20240419-en

Behavioral task: behavioral2
Sample: 2024-04-27_50f3f26946f1dd189c301f9ea45df96a_bkransomware.exe
Resource: win10v2004-20240419-en
General

Target: 2024-04-27_50f3f26946f1dd189c301f9ea45df96a_bkransomware.exe
Size: 79.3MB
MD5: 50f3f26946f1dd189c301f9ea45df96a
SHA1: 21ec77de8f6bca1f4099addcf70a6855523ec45c
SHA256: c89059a21beae0b8bba76e91804651dc3b108061e875d14f0a145f28b742fe5f
SHA512: ffe9fb5ef68480d77920c0d5fb5dbf317939a13010cb8a3c356ea4dcbeb7dba626c6875ecb91db146b41dab435a0767f96ea9437c4269819b294748554a42fa6
SSDEEP: 1572864:FJn7l/bnMgbFPlERbziF5Y9CbBddFksSjBUuX20jIZ3sM3ZekOFQGhDR/:FbnbPl6Sd7kzUuG0jIZc07OFQGhDR/
Malware Config

Signatures

Executes dropped EXE (4 IoCs)
Processes (pid, process):
  2456 mpC6sHXW4h0j3Cb.exe
  1296 CTS.exe
  2768 mpC6sHXW4h0j3Cb.exe
  1204

Loads dropped DLL (3 IoCs)
Processes (pid, process):
  1764 2024-04-27_50f3f26946f1dd189c301f9ea45df96a_bkransomware.exe
  2456 mpC6sHXW4h0j3Cb.exe
  1204

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description, ioc, process):
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" by 2024-04-27_50f3f26946f1dd189c301f9ea45df96a_bkransomware.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" by CTS.exe

Drops file in Windows directory (2 IoCs)
Processes (description, ioc, process):
  File created C:\Windows\CTS.exe by 2024-04-27_50f3f26946f1dd189c301f9ea45df96a_bkransomware.exe
  File created C:\Windows\CTS.exe by CTS.exe

Modifies Internet Explorer settings
Processes (description, ioc, process):
  Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main by mpC6sHXW4h0j3Cb.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description, pid, process):
  Token: SeDebugPrivilege 1764 2024-04-27_50f3f26946f1dd189c301f9ea45df96a_bkransomware.exe
  Token: SeDebugPrivilege 1296 CTS.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes (pid, process):
  2768 mpC6sHXW4h0j3Cb.exe
  2768 mpC6sHXW4h0j3Cb.exe

Suspicious use of WriteProcessMemory (11 IoCs)
Processes (description, pid, process -> target process):
  PID 1764 wrote to memory of 2456: 2024-04-27_50f3f26946f1dd189c301f9ea45df96a_bkransomware.exe -> mpC6sHXW4h0j3Cb.exe
  PID 1764 wrote to memory of 2456: 2024-04-27_50f3f26946f1dd189c301f9ea45df96a_bkransomware.exe -> mpC6sHXW4h0j3Cb.exe
  PID 1764 wrote to memory of 2456: 2024-04-27_50f3f26946f1dd189c301f9ea45df96a_bkransomware.exe -> mpC6sHXW4h0j3Cb.exe
  PID 1764 wrote to memory of 2456: 2024-04-27_50f3f26946f1dd189c301f9ea45df96a_bkransomware.exe -> mpC6sHXW4h0j3Cb.exe
  PID 1764 wrote to memory of 1296: 2024-04-27_50f3f26946f1dd189c301f9ea45df96a_bkransomware.exe -> CTS.exe
  PID 1764 wrote to memory of 1296: 2024-04-27_50f3f26946f1dd189c301f9ea45df96a_bkransomware.exe -> CTS.exe
  PID 1764 wrote to memory of 1296: 2024-04-27_50f3f26946f1dd189c301f9ea45df96a_bkransomware.exe -> CTS.exe
  PID 1764 wrote to memory of 1296: 2024-04-27_50f3f26946f1dd189c301f9ea45df96a_bkransomware.exe -> CTS.exe
  PID 2456 wrote to memory of 2768: mpC6sHXW4h0j3Cb.exe -> mpC6sHXW4h0j3Cb.exe
  PID 2456 wrote to memory of 2768: mpC6sHXW4h0j3Cb.exe -> mpC6sHXW4h0j3Cb.exe
  PID 2456 wrote to memory of 2768: mpC6sHXW4h0j3Cb.exe -> mpC6sHXW4h0j3Cb.exe
Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-27_50f3f26946f1dd189c301f9ea45df96a_bkransomware.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-27_50f3f26946f1dd189c301f9ea45df96a_bkransomware.exe"
PID: 1764
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\mpC6sHXW4h0j3Cb.exe (depth 2)
  Command line: C:\Users\Admin\AppData\Local\Temp\mpC6sHXW4h0j3Cb.exe
  PID: 2456
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\jds259401910.tmp\mpC6sHXW4h0j3Cb.exe (depth 3)
    Command line: "C:\Users\Admin\AppData\Local\Temp\jds259401910.tmp\mpC6sHXW4h0j3Cb.exe"
    PID: 2768
    - Executes dropped EXE
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx

  C:\Windows\CTS.exe (depth 2)
  Command line: "C:\Windows\CTS.exe"
  PID: 1296
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Local\Temp\jds259401910.tmp\mpC6sHXW4h0j3Cb.exe
Filesize: 78.8MB
MD5: 2e984fc82add25bab8bd9b4e2bb83d0c
SHA1: 8319d63c6b593b667f194f2ed2c9216cccaa3ee0
SHA256: 25b6669a3cd944c3e80e2fe32267ade7347a44a371d964586bb18d94d2227b37
SHA512: a7526f328e3ea4fb901bf1f811463283be46327332fcafa69e36236451e2b568fcf383aaf313772143a5487faed3f2e9774fdd486d312f647a4a98e16e829fc9

C:\Users\Admin\AppData\Local\Temp\jusched.log
Filesize: 1KB
MD5: 2a1b95ca37da3341f5a4f307ec252a17
SHA1: c6c3a0aea04c08a0eb1a530fdcf67e1943ec97c1
SHA256: 468043fc69098d56776d29ca302dc5cc330299057171ccfecfdc03f93a434cbd
SHA512: 531e28a97fb631d2ee0be0152f32af4eda7f9dea702fb116ddd8bc4e5b3d42fbb5e3269358d92074c9518ef7ac2a1ddc6e2fa24fd068cee57b8862618c335666

C:\Users\Admin\AppData\Local\Temp\jusched.log
Filesize: 4KB
MD5: 8af0d0bc6ee0b97285d03e092e9ed857
SHA1: f6183514a99ac492c9d804ffcf1f66505ca613dc
SHA256: e8a1061131cc4b084a53a5e383c27c6996f90a411efe3295dec7b21fc5c4c025
SHA512: 1fe7d89b59960833f090319d55d7e5172840224f7b6834832324ee196ebc052d793877b1c3954cddaca32f022712c75f3ab36b6cf35d98096624effd9518e9d0

C:\Windows\CTS.exe
Filesize: 71KB
MD5: 66df4ffab62e674af2e75b163563fc0b
SHA1: dec8a197312e41eeb3cfef01cb2a443f0205cd6e
SHA256: 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163
SHA512: 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25

\Users\Admin\AppData\Local\Temp\mpC6sHXW4h0j3Cb.exe
Filesize: 79.2MB
MD5: 608914d57c9476b6af49a545d042f4fc
SHA1: a7b9709bfae02ca7ef90c08d38152c12f83e864f
SHA256: 3f3b8ecbb0808b15a811ca437767d09e73c04d465729fd1532e296903634461c
SHA512: 5e6e9132e3d768f07e3a829743c7e793a60874875458c213a8cfd535d6861927192ffe48b26f127ee4c54ec28dfaf6183ddc36421e585711dd29d9a0b8e740f4