05b9cc14544709562f1750664e41aca9e605c889626dba5f4f4d043444658763

Analysis

max time kernel
66s
max time network
56s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 03:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_0f594581f48775ebc8c44762fd84289f_bkransomware.exe
Size

71KB
MD5

0f594581f48775ebc8c44762fd84289f
SHA1

43c19c46f3af21857a93ce47893043a1d186f344
SHA256

05b9cc14544709562f1750664e41aca9e605c889626dba5f4f4d043444658763
SHA512

a0fb976087bd7a9b8efed4ce1fb34b8e853a07b27f01d7b124efc39bae8aa931eee7cfd1871b8134916fef32cc31ba237f3cf5a4a53ef93fd6d363b3d6793c94
SSDEEP

1536:Fc8N7UsWjcd9w+AyabjDbxE+MwmvlzuazTc:ZRpAyazIliazTc

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

CTS.exe

pid process

4452 CTS.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4452	CTS.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-04-28_0f594581f48775ebc8c44762fd84289f_bkransomware.exeCTS.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	2024-04-28_0f594581f48775ebc8c44762fd84289f_bkransomware.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

Drops file in Windows directory 2 IoCs

Processes:

2024-04-28_0f594581f48775ebc8c44762fd84289f_bkransomware.exeCTS.exe

description ioc process

File created C:\Windows\CTS.exe 2024-04-28_0f594581f48775ebc8c44762fd84289f_bkransomware.exe
File created C:\Windows\CTS.exe CTS.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-04-28_0f594581f48775ebc8c44762fd84289f_bkransomware.exeCTS.exe

description pid process

Token: SeDebugPrivilege 1220 2024-04-28_0f594581f48775ebc8c44762fd84289f_bkransomware.exe
Token: SeDebugPrivilege 4452 CTS.exe

description	ioc	process
File created	C:\Windows\CTS.exe	2024-04-28_0f594581f48775ebc8c44762fd84289f_bkransomware.exe
File created	C:\Windows\CTS.exe	CTS.exe

description	pid	process
Token: SeDebugPrivilege	1220	2024-04-28_0f594581f48775ebc8c44762fd84289f_bkransomware.exe
Token: SeDebugPrivilege	4452	CTS.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

2024-04-28_0f594581f48775ebc8c44762fd84289f_bkransomware.exe

description	pid	process	target process
PID 1220 wrote to memory of 4452	1220	2024-04-28_0f594581f48775ebc8c44762fd84289f_bkransomware.exe	CTS.exe
PID 1220 wrote to memory of 4452	1220	2024-04-28_0f594581f48775ebc8c44762fd84289f_bkransomware.exe	CTS.exe
PID 1220 wrote to memory of 4452	1220	2024-04-28_0f594581f48775ebc8c44762fd84289f_bkransomware.exe	CTS.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-28_0f594581f48775ebc8c44762fd84289f_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_0f594581f48775ebc8c44762fd84289f_bkransomware.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1220

C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
Filesize
392KB

MD5
1d2b77b8f4ffb4626c01be30f3a94497

SHA1
04741b8eb776434c83e49130e9ced0d283d6f2c7

SHA256
8bb85465dc43736ceb579f782296f1bcb028598cbfa7c49f3fb75f9960cfbdb5

SHA512
9bc94d542bec90a92ef250259546a9585a9e59d9c2c5691645f2e4ae57f38b4e45ccde8360d217d3ab9fb3b9f35ba012d5285bf4219114e2444368ceeb3e40ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\psE3AvdHMXfBlgQ.exe
Filesize
71KB

MD5
f49c850c88ebd549197d055fb10cad1a

SHA1
97f92cf9b9726d13fd6c45494b6cadc295669464

SHA256
9baebd8d28ff7ca3c99f02ab4a0e3ac1414b47e4ab108f6464898891d48e3af1

SHA512
8f174774598f6bdb46129af482c63262a04dc900f407c523a72d7af234a18116c60965ad2974a216a2d295e7c754a948f753f0ef21b11f502e2a734ac2962967

Download Submit
C:\Windows\CTS.exe
Filesize
71KB

MD5
f9d4ab0a726adc9b5e4b7d7b724912f1

SHA1
3d42ca2098475924f70ee4a831c4f003b4682328

SHA256
b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc

SHA512
22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432

Download Submit