Analysis
  max time kernel: 117s
  max time network: 118s
  platform: windows7_x64
  resource: win7-20231129-en
  resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  submitted: 28-04-2024 05:26
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-04-28_31399e198b2142c8720172842e3af5b8_bkransomware.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 2024-04-28_31399e198b2142c8720172842e3af5b8_bkransomware.exe
  Resource: win10v2004-20240226-en
General
  Target: 2024-04-28_31399e198b2142c8720172842e3af5b8_bkransomware.exe
  Size: 2.2MB
  MD5: 31399e198b2142c8720172842e3af5b8
  SHA1: 84e8a94e6b4595bc72b213b0fcb28f5675186118
  SHA256: 4fd90ae17a33d64776141defd5f10af0d7a20af1ab087e179b6447120f786460
  SHA512: 99298abd14eafd1c546108976bf21276401ba37d7e95f8ba035f496b1be9104d597358ed18d0ea57bd7db392265a7ef13642c4a1b8f7264a5ceceb3ed500e337
  SSDEEP: 49152:DJKRJh28dl5VzMrSzR3zibwbCTYehyLDvarb3:DJabl5TzRjiZTci
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
  Processes (PID / process):
    1632  UhLe81X4F6yFO1j.exe
    1696  CTS.exe

Loads dropped DLL (1 IoC)
  Processes (PID / process):
    2152  2024-04-28_31399e198b2142c8720172842e3af5b8_bkransomware.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description / IoC / process):
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"  2024-04-28_31399e198b2142c8720172842e3af5b8_bkransomware.exe
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"  CTS.exe

Drops file in Windows directory (2 IoCs)
  Processes (description / IoC / process):
    File created  C:\Windows\CTS.exe  2024-04-28_31399e198b2142c8720172842e3af5b8_bkransomware.exe
    File created  C:\Windows\CTS.exe  CTS.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description / PID / process):
    Token: SeDebugPrivilege  2152  2024-04-28_31399e198b2142c8720172842e3af5b8_bkransomware.exe
    Token: SeDebugPrivilege  1696  CTS.exe

Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description / PID / process / target process):
    PID 2152 wrote to memory of 1632  2152  2024-04-28_31399e198b2142c8720172842e3af5b8_bkransomware.exe  UhLe81X4F6yFO1j.exe
    PID 2152 wrote to memory of 1632  2152  2024-04-28_31399e198b2142c8720172842e3af5b8_bkransomware.exe  UhLe81X4F6yFO1j.exe
    PID 2152 wrote to memory of 1632  2152  2024-04-28_31399e198b2142c8720172842e3af5b8_bkransomware.exe  UhLe81X4F6yFO1j.exe
    PID 2152 wrote to memory of 1632  2152  2024-04-28_31399e198b2142c8720172842e3af5b8_bkransomware.exe  UhLe81X4F6yFO1j.exe
    PID 2152 wrote to memory of 1632  2152  2024-04-28_31399e198b2142c8720172842e3af5b8_bkransomware.exe  UhLe81X4F6yFO1j.exe
    PID 2152 wrote to memory of 1632  2152  2024-04-28_31399e198b2142c8720172842e3af5b8_bkransomware.exe  UhLe81X4F6yFO1j.exe
    PID 2152 wrote to memory of 1632  2152  2024-04-28_31399e198b2142c8720172842e3af5b8_bkransomware.exe  UhLe81X4F6yFO1j.exe
    PID 2152 wrote to memory of 1696  2152  2024-04-28_31399e198b2142c8720172842e3af5b8_bkransomware.exe  CTS.exe
    PID 2152 wrote to memory of 1696  2152  2024-04-28_31399e198b2142c8720172842e3af5b8_bkransomware.exe  CTS.exe
    PID 2152 wrote to memory of 1696  2152  2024-04-28_31399e198b2142c8720172842e3af5b8_bkransomware.exe  CTS.exe
    PID 2152 wrote to memory of 1696  2152  2024-04-28_31399e198b2142c8720172842e3af5b8_bkransomware.exe  CTS.exe
Processes
  [1] C:\Users\Admin\AppData\Local\Temp\2024-04-28_31399e198b2142c8720172842e3af5b8_bkransomware.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-28_31399e198b2142c8720172842e3af5b8_bkransomware.exe"
      - Loads dropped DLL
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\UhLe81X4F6yFO1j.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\UhLe81X4F6yFO1j.exe
        - Executes dropped EXE
    [2] C:\Windows\CTS.exe
        Command line: "C:\Windows\CTS.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
  C:\Users\Admin\AppData\Local\Temp\UhLe81X4F6yFO1j.exe
    Filesize: 2.2MB
    MD5: 2454638c5a52eba50a7abcc18ae211cf
    SHA1: 42a14acafe789e346c03875eef2b04bb349b860c
    SHA256: 5fc8fe47bc90dcf94ae82ff83330f488215cf8b1b2b90d8a235d747cc1a4d92c
    SHA512: cbdf1c0f40dfbd9f38b93d90dad38e1a26161aac923d76c267cd0e42910bbc21721b2dcd1bcd4faa04ef16069fe09d27eade1ecf2d6f8c27a6ac01e0b7261b05

  C:\Windows\CTS.exe
    Filesize: 71KB
    MD5: f9d4ab0a726adc9b5e4b7d7b724912f1
    SHA1: 3d42ca2098475924f70ee4a831c4f003b4682328
    SHA256: b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc
    SHA512: 22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432

  \Users\Admin\AppData\Local\Temp\UhLe81X4F6yFO1j.exe
    Filesize: 2.2MB
    MD5: 20ea602903cfbe6a29f3de5195dd968d
    SHA1: 71f7832da8f4ee21dcc25685b78a58517119c394
    SHA256: 3c1fa2c7cc8b895612265cfd3cc19cd44ffd0f26cdbb6ab6cd14ec34b0b5c736
    SHA512: 2ad7c78446ec40d10b4a3a91fd3064f7092ff494d006752b911e5e79f0a5eea2849d39774bf73e2ad8ae7b1135f08f0b755d47bbb4a724b15756f4138158a337