Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
28-04-2024 03:35
Static task
static1
Behavioral task
behavioral1
Sample
2024-04-28_58c490f398b6ae5bfcc70dfc0eba73e9_bkransomware.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2024-04-28_58c490f398b6ae5bfcc70dfc0eba73e9_bkransomware.exe
Resource
win10v2004-20240419-en
General
-
Target
2024-04-28_58c490f398b6ae5bfcc70dfc0eba73e9_bkransomware.exe
-
Size
144KB
-
MD5
58c490f398b6ae5bfcc70dfc0eba73e9
-
SHA1
8f925e0fd8699a0b91079199a3d799e44f0530b5
-
SHA256
5da26b9fb6d58eaaac6595d173a79fab7d746fd23d0754abcc2d4eb31077b1df
-
SHA512
3bb57f82c64476a44f84f8340e714539625f4c0b4a8a00ddc47c2d1cf632c89513c06f465d0f540ba0571cbacfd6280f9f9c9a7fa3fdad25d04ac5bb44d310d2
-
SSDEEP
3072:ZhpAyazIlyazTN7hxBz9gypsBsim0bKZRXV:hZMazp79/nimdLl
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
5AhZm0qcD1vNNLt.exeCTS.exepid process 1460 5AhZm0qcD1vNNLt.exe 3048 CTS.exe -
Loads dropped DLL 2 IoCs
Processes:
2024-04-28_58c490f398b6ae5bfcc70dfc0eba73e9_bkransomware.exepid process 2100 2024-04-28_58c490f398b6ae5bfcc70dfc0eba73e9_bkransomware.exe 2100 2024-04-28_58c490f398b6ae5bfcc70dfc0eba73e9_bkransomware.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
2024-04-28_58c490f398b6ae5bfcc70dfc0eba73e9_bkransomware.exeCTS.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" 2024-04-28_58c490f398b6ae5bfcc70dfc0eba73e9_bkransomware.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" CTS.exe -
Drops file in Windows directory 2 IoCs
Processes:
2024-04-28_58c490f398b6ae5bfcc70dfc0eba73e9_bkransomware.exeCTS.exedescription ioc process File created C:\Windows\CTS.exe 2024-04-28_58c490f398b6ae5bfcc70dfc0eba73e9_bkransomware.exe File created C:\Windows\CTS.exe CTS.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
2024-04-28_58c490f398b6ae5bfcc70dfc0eba73e9_bkransomware.exeCTS.exedescription pid process Token: SeDebugPrivilege 2100 2024-04-28_58c490f398b6ae5bfcc70dfc0eba73e9_bkransomware.exe Token: SeDebugPrivilege 3048 CTS.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
2024-04-28_58c490f398b6ae5bfcc70dfc0eba73e9_bkransomware.exedescription pid process target process PID 2100 wrote to memory of 1460 2100 2024-04-28_58c490f398b6ae5bfcc70dfc0eba73e9_bkransomware.exe 5AhZm0qcD1vNNLt.exe PID 2100 wrote to memory of 1460 2100 2024-04-28_58c490f398b6ae5bfcc70dfc0eba73e9_bkransomware.exe 5AhZm0qcD1vNNLt.exe PID 2100 wrote to memory of 1460 2100 2024-04-28_58c490f398b6ae5bfcc70dfc0eba73e9_bkransomware.exe 5AhZm0qcD1vNNLt.exe PID 2100 wrote to memory of 1460 2100 2024-04-28_58c490f398b6ae5bfcc70dfc0eba73e9_bkransomware.exe 5AhZm0qcD1vNNLt.exe PID 2100 wrote to memory of 3048 2100 2024-04-28_58c490f398b6ae5bfcc70dfc0eba73e9_bkransomware.exe CTS.exe PID 2100 wrote to memory of 3048 2100 2024-04-28_58c490f398b6ae5bfcc70dfc0eba73e9_bkransomware.exe CTS.exe PID 2100 wrote to memory of 3048 2100 2024-04-28_58c490f398b6ae5bfcc70dfc0eba73e9_bkransomware.exe CTS.exe PID 2100 wrote to memory of 3048 2100 2024-04-28_58c490f398b6ae5bfcc70dfc0eba73e9_bkransomware.exe CTS.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-28_58c490f398b6ae5bfcc70dfc0eba73e9_bkransomware.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-28_58c490f398b6ae5bfcc70dfc0eba73e9_bkransomware.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Users\Admin\AppData\Local\Temp\5AhZm0qcD1vNNLt.exeC:\Users\Admin\AppData\Local\Temp\5AhZm0qcD1vNNLt.exe2⤵
- Executes dropped EXE
PID:1460 -
C:\Windows\CTS.exe"C:\Windows\CTS.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3048
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\CTS.exeFilesize
71KB
MD566df4ffab62e674af2e75b163563fc0b
SHA1dec8a197312e41eeb3cfef01cb2a443f0205cd6e
SHA256075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163
SHA5121588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25
-
\Users\Admin\AppData\Local\Temp\5AhZm0qcD1vNNLt.exeFilesize
73KB
MD52ffc9a24492c0a1af4d562f0c7608aa5
SHA11fd5ff6136fba36e9ee22598ecd250af3180ee53
SHA25669828c857d4824b9f850b1e0597d2c134c91114b7a0774c41dffe33b0eb23721
SHA51203806d162931b1dcf036a51e753ff073a43664491a3cd2e649e55dd77d5e910f7bcf1e217eb0889ef606457b679428640e975ee227de941a200f652417bc6d5d