Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system -
submitted
28-04-2024 04:45
Static task
static1
Behavioral task
behavioral1
Sample
2024-04-28_9774d1051af0bec3277a17bfb4561c85_bkransomware.exe
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
2024-04-28_9774d1051af0bec3277a17bfb4561c85_bkransomware.exe
Resource
win10v2004-20240419-en
General
-
Target
2024-04-28_9774d1051af0bec3277a17bfb4561c85_bkransomware.exe
-
Size
302KB
-
MD5
9774d1051af0bec3277a17bfb4561c85
-
SHA1
3dac3741c5eb8181ed799e0dc621f95928a3e8c2
-
SHA256
b8cadf3cc959803f9e3b3493a101051c500371a00d8c116e0226bd6d072b7a4b
-
SHA512
d553157b77e84be558ad48de2ca6cf6aa15222d6550e01b5772abb682ac1143b64f974bb97938237be4793fe2ac896ed169633bcaa6a65476c93a9e8b9394706
-
SSDEEP
6144:hZMazqoZM4uelnkHv2N9LYdgf/rkgatYNFHyVlJ1ICS:hS0qoZMYnkH/6fYxOGVlfIZ
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
feFeMROvfc5ki6b.exeCTS.exepid process 1764 feFeMROvfc5ki6b.exe 1736 CTS.exe -
Loads dropped DLL 1 IoCs
Processes:
2024-04-28_9774d1051af0bec3277a17bfb4561c85_bkransomware.exepid process 2460 2024-04-28_9774d1051af0bec3277a17bfb4561c85_bkransomware.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
2024-04-28_9774d1051af0bec3277a17bfb4561c85_bkransomware.exeCTS.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" 2024-04-28_9774d1051af0bec3277a17bfb4561c85_bkransomware.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" CTS.exe -
Drops file in Windows directory 2 IoCs
Processes:
2024-04-28_9774d1051af0bec3277a17bfb4561c85_bkransomware.exeCTS.exedescription ioc process File created C:\Windows\CTS.exe 2024-04-28_9774d1051af0bec3277a17bfb4561c85_bkransomware.exe File created C:\Windows\CTS.exe CTS.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
2024-04-28_9774d1051af0bec3277a17bfb4561c85_bkransomware.exeCTS.exedescription pid process Token: SeDebugPrivilege 2460 2024-04-28_9774d1051af0bec3277a17bfb4561c85_bkransomware.exe Token: SeDebugPrivilege 1736 CTS.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
2024-04-28_9774d1051af0bec3277a17bfb4561c85_bkransomware.exedescription pid process target process PID 2460 wrote to memory of 1764 2460 2024-04-28_9774d1051af0bec3277a17bfb4561c85_bkransomware.exe feFeMROvfc5ki6b.exe PID 2460 wrote to memory of 1764 2460 2024-04-28_9774d1051af0bec3277a17bfb4561c85_bkransomware.exe feFeMROvfc5ki6b.exe PID 2460 wrote to memory of 1764 2460 2024-04-28_9774d1051af0bec3277a17bfb4561c85_bkransomware.exe feFeMROvfc5ki6b.exe PID 2460 wrote to memory of 1764 2460 2024-04-28_9774d1051af0bec3277a17bfb4561c85_bkransomware.exe feFeMROvfc5ki6b.exe PID 2460 wrote to memory of 1736 2460 2024-04-28_9774d1051af0bec3277a17bfb4561c85_bkransomware.exe CTS.exe PID 2460 wrote to memory of 1736 2460 2024-04-28_9774d1051af0bec3277a17bfb4561c85_bkransomware.exe CTS.exe PID 2460 wrote to memory of 1736 2460 2024-04-28_9774d1051af0bec3277a17bfb4561c85_bkransomware.exe CTS.exe PID 2460 wrote to memory of 1736 2460 2024-04-28_9774d1051af0bec3277a17bfb4561c85_bkransomware.exe CTS.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-28_9774d1051af0bec3277a17bfb4561c85_bkransomware.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-28_9774d1051af0bec3277a17bfb4561c85_bkransomware.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\feFeMROvfc5ki6b.exeC:\Users\Admin\AppData\Local\Temp\feFeMROvfc5ki6b.exe2⤵
- Executes dropped EXE
-
C:\Windows\CTS.exe"C:\Windows\CTS.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\CTS.exeFilesize
71KB
MD566df4ffab62e674af2e75b163563fc0b
SHA1dec8a197312e41eeb3cfef01cb2a443f0205cd6e
SHA256075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163
SHA5121588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25
-
\Users\Admin\AppData\Local\Temp\feFeMROvfc5ki6b.exeFilesize
231KB
MD5022538483dc9f54cdbdc48a16899526c
SHA19b372370c29d2cdc72328bc680633212c6aa47fb
SHA256b9d7fe7dcde0e386122ae04b0ffd3bf9dc7216b031826cfc32f7c6609e3da72d
SHA512a0979c8779da3cb76d4d490fd9675ceeb516bdc697d2c1138f7ed36197d0e71aa0b036c3460a306f386e7140d09ce5aaec82f1fbcfe3839fcda7413e3badceb5