Analysis
- max time kernel: 142s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-04-2024 05:26
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-04-28_31399e198b2142c8720172842e3af5b8_bkransomware.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 2024-04-28_31399e198b2142c8720172842e3af5b8_bkransomware.exe
  Resource: win10v2004-20240226-en
General
- Target: 2024-04-28_31399e198b2142c8720172842e3af5b8_bkransomware.exe
- Size: 2.2MB
- MD5: 31399e198b2142c8720172842e3af5b8
- SHA1: 84e8a94e6b4595bc72b213b0fcb28f5675186118
- SHA256: 4fd90ae17a33d64776141defd5f10af0d7a20af1ab087e179b6447120f786460
- SHA512: 99298abd14eafd1c546108976bf21276401ba37d7e95f8ba035f496b1be9104d597358ed18d0ea57bd7db392265a7ef13642c4a1b8f7264a5ceceb3ed500e337
- SSDEEP: 49152:DJKRJh28dl5VzMrSzR3zibwbCTYehyLDvarb3:DJabl5TzRjiZTci
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes:
    pid   process
    3876  1tm5GMZHMBWlVce.exe
    4224  CTS.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    description      ioc                                                                                                          process
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"  2024-04-28_31399e198b2142c8720172842e3af5b8_bkransomware.exe
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"  CTS.exe
- Checks system information in the registry (2 TTPs, 2 IoCs)
  System information is often read in order to detect sandboxing environments.
  Processes:
    description        ioc                                                                                 process
    Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer  1tm5GMZHMBWlVce.exe
    Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName   1tm5GMZHMBWlVce.exe
- Drops file in Windows directory (2 IoCs)
  Processes:
    description   ioc                 process
    File created  C:\Windows\CTS.exe  2024-04-28_31399e198b2142c8720172842e3af5b8_bkransomware.exe
    File created  C:\Windows\CTS.exe  CTS.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  3544  2024-04-28_31399e198b2142c8720172842e3af5b8_bkransomware.exe
    Token: SeDebugPrivilege  4224  CTS.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                         pid   process                                                        target process
    PID 3544 wrote to memory of 3876    3544  2024-04-28_31399e198b2142c8720172842e3af5b8_bkransomware.exe  1tm5GMZHMBWlVce.exe
    PID 3544 wrote to memory of 3876    3544  2024-04-28_31399e198b2142c8720172842e3af5b8_bkransomware.exe  1tm5GMZHMBWlVce.exe
    PID 3544 wrote to memory of 3876    3544  2024-04-28_31399e198b2142c8720172842e3af5b8_bkransomware.exe  1tm5GMZHMBWlVce.exe
    PID 3544 wrote to memory of 4224    3544  2024-04-28_31399e198b2142c8720172842e3af5b8_bkransomware.exe  CTS.exe
    PID 3544 wrote to memory of 4224    3544  2024-04-28_31399e198b2142c8720172842e3af5b8_bkransomware.exe  CTS.exe
    PID 3544 wrote to memory of 4224    3544  2024-04-28_31399e198b2142c8720172842e3af5b8_bkransomware.exe  CTS.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-04-28_31399e198b2142c8720172842e3af5b8_bkransomware.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-28_31399e198b2142c8720172842e3af5b8_bkransomware.exe"
  Signatures:
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\1tm5GMZHMBWlVce.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\1tm5GMZHMBWlVce.exe
    Signatures:
    - Executes dropped EXE
    - Checks system information in the registry
  - C:\Windows\CTS.exe
    Command line: "C:\Windows\CTS.exe"
    Signatures:
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3716 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
  Filesize: 789KB
  MD5: 94537ab25316e39a56705c6dc0c5e6a7
  SHA1: 1e84f66771fd3a8676bb81cefcf2b915fd56db99
  SHA256: 1273cd564cde0a22e8435d1e95fa87a4852fd70706a1d9ff951f3773a0c2c963
  SHA512: d2dafb163f792efd848db166bea942f7a1a62d85c94b333a396d51489d7b4caf5bbcf417c1e61707d5c7fb5bf453258305e09bd3bb6b14472dc05b39020971b8
- C:\Users\Admin\AppData\Local\Temp\1tm5GMZHMBWlVce.exe
  Filesize: 2.2MB
  MD5: 20ea602903cfbe6a29f3de5195dd968d
  SHA1: 71f7832da8f4ee21dcc25685b78a58517119c394
  SHA256: 3c1fa2c7cc8b895612265cfd3cc19cd44ffd0f26cdbb6ab6cd14ec34b0b5c736
  SHA512: 2ad7c78446ec40d10b4a3a91fd3064f7092ff494d006752b911e5e79f0a5eea2849d39774bf73e2ad8ae7b1135f08f0b755d47bbb4a724b15756f4138158a337
- C:\Users\Admin\AppData\Local\Temp\1tm5GMZHMBWlVce.exe
  Filesize: 2.2MB
  MD5: f62ec640789d407b35735aa6feb284dd
  SHA1: f3fe86043d69df2bafb81aaab6b6d00029025972
  SHA256: b753eec05313759cf838256915f87ea2f2b3f59e83a014daec8d4de2140cdaf0
  SHA512: acfac7a565cd5370109f2ae123504d31f7e6f560fc5c1542f8303e8ed0a98f48c516347578678c9f0ff3768d6cbeb3892ab5a91b11c9a9c02bbe8c35e823b060
- C:\Windows\CTS.exe
  Filesize: 71KB
  MD5: f9d4ab0a726adc9b5e4b7d7b724912f1
  SHA1: 3d42ca2098475924f70ee4a831c4f003b4682328
  SHA256: b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc
  SHA512: 22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432