4fd90ae17a33d64776141defd5f10af0d7a20af1ab087e179b6447120f786460

General

Target

2024-04-28_31399e198b2142c8720172842e3af5b8_bkransomware.exe
Size

2.2MB
MD5

31399e198b2142c8720172842e3af5b8
SHA1

84e8a94e6b4595bc72b213b0fcb28f5675186118
SHA256

4fd90ae17a33d64776141defd5f10af0d7a20af1ab087e179b6447120f786460
SHA512

99298abd14eafd1c546108976bf21276401ba37d7e95f8ba035f496b1be9104d597358ed18d0ea57bd7db392265a7ef13642c4a1b8f7264a5ceceb3ed500e337
SSDEEP

49152:DJKRJh28dl5VzMrSzR3zibwbCTYehyLDvarb3:DJabl5TzRjiZTci

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

UhLe81X4F6yFO1j.exeCTS.exe

pid process

1632 UhLe81X4F6yFO1j.exe
1696 CTS.exe
Loads dropped DLL 1 IoCs

Processes:

2024-04-28_31399e198b2142c8720172842e3af5b8_bkransomware.exe

pid process

2152 2024-04-28_31399e198b2142c8720172842e3af5b8_bkransomware.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1632	UhLe81X4F6yFO1j.exe
1696	CTS.exe

pid	process
2152	2024-04-28_31399e198b2142c8720172842e3af5b8_bkransomware.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-04-28_31399e198b2142c8720172842e3af5b8_bkransomware.exeCTS.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	2024-04-28_31399e198b2142c8720172842e3af5b8_bkransomware.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

Drops file in Windows directory 2 IoCs

Processes:

2024-04-28_31399e198b2142c8720172842e3af5b8_bkransomware.exeCTS.exe

description ioc process

File created C:\Windows\CTS.exe 2024-04-28_31399e198b2142c8720172842e3af5b8_bkransomware.exe
File created C:\Windows\CTS.exe CTS.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-04-28_31399e198b2142c8720172842e3af5b8_bkransomware.exeCTS.exe

description pid process

Token: SeDebugPrivilege 2152 2024-04-28_31399e198b2142c8720172842e3af5b8_bkransomware.exe
Token: SeDebugPrivilege 1696 CTS.exe

description	ioc	process
File created	C:\Windows\CTS.exe	2024-04-28_31399e198b2142c8720172842e3af5b8_bkransomware.exe
File created	C:\Windows\CTS.exe	CTS.exe

description	pid	process
Token: SeDebugPrivilege	2152	2024-04-28_31399e198b2142c8720172842e3af5b8_bkransomware.exe
Token: SeDebugPrivilege	1696	CTS.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

2024-04-28_31399e198b2142c8720172842e3af5b8_bkransomware.exe

description	pid	process	target process
PID 2152 wrote to memory of 1632	2152	2024-04-28_31399e198b2142c8720172842e3af5b8_bkransomware.exe	UhLe81X4F6yFO1j.exe
PID 2152 wrote to memory of 1632	2152	2024-04-28_31399e198b2142c8720172842e3af5b8_bkransomware.exe	UhLe81X4F6yFO1j.exe
PID 2152 wrote to memory of 1632	2152	2024-04-28_31399e198b2142c8720172842e3af5b8_bkransomware.exe	UhLe81X4F6yFO1j.exe
PID 2152 wrote to memory of 1632	2152	2024-04-28_31399e198b2142c8720172842e3af5b8_bkransomware.exe	UhLe81X4F6yFO1j.exe
PID 2152 wrote to memory of 1632	2152	2024-04-28_31399e198b2142c8720172842e3af5b8_bkransomware.exe	UhLe81X4F6yFO1j.exe
PID 2152 wrote to memory of 1632	2152	2024-04-28_31399e198b2142c8720172842e3af5b8_bkransomware.exe	UhLe81X4F6yFO1j.exe
PID 2152 wrote to memory of 1632	2152	2024-04-28_31399e198b2142c8720172842e3af5b8_bkransomware.exe	UhLe81X4F6yFO1j.exe
PID 2152 wrote to memory of 1696	2152	2024-04-28_31399e198b2142c8720172842e3af5b8_bkransomware.exe	CTS.exe
PID 2152 wrote to memory of 1696	2152	2024-04-28_31399e198b2142c8720172842e3af5b8_bkransomware.exe	CTS.exe
PID 2152 wrote to memory of 1696	2152	2024-04-28_31399e198b2142c8720172842e3af5b8_bkransomware.exe	CTS.exe
PID 2152 wrote to memory of 1696	2152	2024-04-28_31399e198b2142c8720172842e3af5b8_bkransomware.exe	CTS.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-28_31399e198b2142c8720172842e3af5b8_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_31399e198b2142c8720172842e3af5b8_bkransomware.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2152

C:\Users\Admin\AppData\Local\Temp\UhLe81X4F6yFO1j.exe
C:\Users\Admin\AppData\Local\Temp\UhLe81X4F6yFO1j.exe
2⤵
- Executes dropped EXE
PID:1632

C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1696

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\UhLe81X4F6yFO1j.exe
Filesize
2.2MB

MD5
2454638c5a52eba50a7abcc18ae211cf

SHA1
42a14acafe789e346c03875eef2b04bb349b860c

SHA256
5fc8fe47bc90dcf94ae82ff83330f488215cf8b1b2b90d8a235d747cc1a4d92c

SHA512
cbdf1c0f40dfbd9f38b93d90dad38e1a26161aac923d76c267cd0e42910bbc21721b2dcd1bcd4faa04ef16069fe09d27eade1ecf2d6f8c27a6ac01e0b7261b05

Download Submit
C:\Windows\CTS.exe
Filesize
71KB

MD5
f9d4ab0a726adc9b5e4b7d7b724912f1

SHA1
3d42ca2098475924f70ee4a831c4f003b4682328

SHA256
b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc

SHA512
22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432

Download Submit
\Users\Admin\AppData\Local\Temp\UhLe81X4F6yFO1j.exe
Filesize
2.2MB

MD5
20ea602903cfbe6a29f3de5195dd968d

SHA1
71f7832da8f4ee21dcc25685b78a58517119c394

SHA256
3c1fa2c7cc8b895612265cfd3cc19cd44ffd0f26cdbb6ab6cd14ec34b0b5c736

SHA512
2ad7c78446ec40d10b4a3a91fd3064f7092ff494d006752b911e5e79f0a5eea2849d39774bf73e2ad8ae7b1135f08f0b755d47bbb4a724b15756f4138158a337

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads