96e53d592f869b31e1962f4584e064adbc2dbe75ff83cac7456b574fdac1d613

General

Target

2024-04-28_8bea5926566c99b41792e9e507fcca75_bkransomware.exe
Size

11.8MB
MD5

8bea5926566c99b41792e9e507fcca75
SHA1

027b49bd9c7192d86c388d81693ac7a98348a555
SHA256

96e53d592f869b31e1962f4584e064adbc2dbe75ff83cac7456b574fdac1d613
SHA512

85928a54da7b7d8640453e30cfec7cf0c11949612398ceedd263af7cb8539e79f5037207b7301dd0c5f108fe1cf0ece1050e96452affde0d9c983df56adb9339
SSDEEP

196608:hfYZ2jMVX/y31/sy19tUApOcj2pKztxktwu3a0zqpXMLcZXj33kkNfbVPPs:RwqlsylzO/pWtxk/A8oZXjUkRbW

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

DPSGjIbgvUbWVEf.exeCTS.exe

pid process

4668 DPSGjIbgvUbWVEf.exe
4380 CTS.exe
Loads dropped DLL 5 IoCs

Processes:

DPSGjIbgvUbWVEf.exe

pid process

4668 DPSGjIbgvUbWVEf.exe
4668 DPSGjIbgvUbWVEf.exe
4668 DPSGjIbgvUbWVEf.exe
4668 DPSGjIbgvUbWVEf.exe
4668 DPSGjIbgvUbWVEf.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4668	DPSGjIbgvUbWVEf.exe
4380	CTS.exe

pid	process
4668	DPSGjIbgvUbWVEf.exe
4668	DPSGjIbgvUbWVEf.exe
4668	DPSGjIbgvUbWVEf.exe
4668	DPSGjIbgvUbWVEf.exe
4668	DPSGjIbgvUbWVEf.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-04-28_8bea5926566c99b41792e9e507fcca75_bkransomware.exeCTS.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	2024-04-28_8bea5926566c99b41792e9e507fcca75_bkransomware.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

Drops file in Windows directory 2 IoCs

Processes:

2024-04-28_8bea5926566c99b41792e9e507fcca75_bkransomware.exeCTS.exe

description ioc process

File created C:\Windows\CTS.exe 2024-04-28_8bea5926566c99b41792e9e507fcca75_bkransomware.exe
File created C:\Windows\CTS.exe CTS.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\CTS.exe	2024-04-28_8bea5926566c99b41792e9e507fcca75_bkransomware.exe
File created	C:\Windows\CTS.exe	CTS.exe

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\DPSGjIbgvUbWVEf.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\DPSGjIbgvUbWVEf.exe	nsis_installer_2

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-04-28_8bea5926566c99b41792e9e507fcca75_bkransomware.exeCTS.exe

description pid process

Token: SeDebugPrivilege 4656 2024-04-28_8bea5926566c99b41792e9e507fcca75_bkransomware.exe
Token: SeDebugPrivilege 4380 CTS.exe

description	pid	process
Token: SeDebugPrivilege	4656	2024-04-28_8bea5926566c99b41792e9e507fcca75_bkransomware.exe
Token: SeDebugPrivilege	4380	CTS.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

2024-04-28_8bea5926566c99b41792e9e507fcca75_bkransomware.exe

description	pid	process	target process
PID 4656 wrote to memory of 4668	4656	2024-04-28_8bea5926566c99b41792e9e507fcca75_bkransomware.exe	DPSGjIbgvUbWVEf.exe
PID 4656 wrote to memory of 4668	4656	2024-04-28_8bea5926566c99b41792e9e507fcca75_bkransomware.exe	DPSGjIbgvUbWVEf.exe
PID 4656 wrote to memory of 4668	4656	2024-04-28_8bea5926566c99b41792e9e507fcca75_bkransomware.exe	DPSGjIbgvUbWVEf.exe
PID 4656 wrote to memory of 4380	4656	2024-04-28_8bea5926566c99b41792e9e507fcca75_bkransomware.exe	CTS.exe
PID 4656 wrote to memory of 4380	4656	2024-04-28_8bea5926566c99b41792e9e507fcca75_bkransomware.exe	CTS.exe
PID 4656 wrote to memory of 4380	4656	2024-04-28_8bea5926566c99b41792e9e507fcca75_bkransomware.exe	CTS.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-28_8bea5926566c99b41792e9e507fcca75_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_8bea5926566c99b41792e9e507fcca75_bkransomware.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4656

C:\Users\Admin\AppData\Local\Temp\DPSGjIbgvUbWVEf.exe
C:\Users\Admin\AppData\Local\Temp\DPSGjIbgvUbWVEf.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4668

C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3716 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
1⤵
PID:4500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
Filesize
789KB

MD5
9c976f2b0a31f41cb47ba21b8f6a330f

SHA1
dc325fa1b41f72cbc1cc59473250427edf5f7670

SHA256
4d635bdc2e20caf68d732185c77b6ccc269d969dc2d2033542209fb114827358

SHA512
219643086d36c029b783eac2236bfdf70fb409a883bcadf825499b07123578445d9a8eaf9a60c644eac9e57c91516a0ca6a75837923a9155f3605a31d1f130b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DPSGjIbgvUbWVEf.exe
Filesize
11.7MB

MD5
d50d5712566f1df16b5aea21b9e0ee24

SHA1
f442aa68ec8d838625f382bcf273f5d0f66427ea

SHA256
e102238100a8b97d22559065e3b19379757aeda932c36916d2c84a4178921854

SHA512
f9b8d6762a8b00392519b949083d5f0a3670ed24583ed4aaa7570cbc24914e0c19933486004d8949fbee930b8f0e66b50a05e3c478c193ba269677dcd619d7d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd1932.tmp\InstallOptions.dll
Filesize
14KB

MD5
d753362649aecd60ff434adf171a4e7f

SHA1
3b752ad064e06e21822c8958ae22e9a6bb8cf3d0

SHA256
8f24c6cf0b06d18f3c07e7bfca4e92afce71834663746cfaa9ddf52a25d5c586

SHA512
41bf41add275867553fa3bd8835cd7e2a2a362a2d5670ccbfad23700448bad9fe0f577fb6ee9d4eb81dfc10d463b325b8a873fe5912eb580936d4ad96587aa6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd1932.tmp\System.dll
Filesize
10KB

MD5
56a321bd011112ec5d8a32b2f6fd3231

SHA1
df20e3a35a1636de64df5290ae5e4e7572447f78

SHA256
bb6df93369b498eaa638b0bcdc4bb89f45e9b02ca12d28bcedf4629ea7f5e0f1

SHA512
5354890cbc53ce51081a78c64ba9c4c8c4dc9e01141798c1e916e19c5776dac7c82989fad0f08c73e81aaba332dad81205f90d0663119af45550b97b338b9cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd1932.tmp\UserInfo.dll
Filesize
4KB

MD5
e840e7f30c85e22b09a41098ff3f3343

SHA1
ad1eb7b2ba66ae87641947025736c67efbc4b9d8

SHA256
6707e9e88dec460c2cf421bd2bc6a314f15717527cb60dcad2fbb7352ae711a3

SHA512
ea1362c9e7ac9666d6cbfc02939a6e9c411f6aef113dc8ec898c383fc4ecf9d957c6ad8f75c33847d5da0b4427c861f0ccaf240cb1def189313de2948881dc1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd1932.tmp\ioSpecial.ini
Filesize
700B

MD5
9bb2274d8487b1e3fab8f943d8cb89c3

SHA1
c48cde2c21b73bbeb2728e0c08101b8b22f4c270

SHA256
214b7a56e7eaa4ce38e4db08be1368fa87367db6b1a10fc820ecceb495e87d49

SHA512
4671d1188a5d607f23cf17174c5d081d15d3d44c37f9bb1db37990befadbc89fb9be3f5e0d4cc617cc04fe9f9cde9e891b6cfa5042149229e225375edde8bcdd

Download Submit
C:\Windows\CTS.exe
Filesize
71KB

MD5
f9d4ab0a726adc9b5e4b7d7b724912f1

SHA1
3d42ca2098475924f70ee4a831c4f003b4682328

SHA256
b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc

SHA512
22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads