e061049e240aef4c25a5ad4039f0661448513118735e2d0a72df8744b4bd5a60

General

Target

2024-04-28_1aba131066ff905973503e4fd6333347_bkransomware.exe
Size

28.0MB
MD5

1aba131066ff905973503e4fd6333347
SHA1

058f54fac6d04473ed6fc4ed783027ccbe10c85b
SHA256

e061049e240aef4c25a5ad4039f0661448513118735e2d0a72df8744b4bd5a60
SHA512

da972d53f490308c9ad1b62fdbad7dcb442e5f6af2f7a54a9acfb9bf70cf962e1850ea3b32b82b50ea7f69f183a217d60082ce3d2039b81849a63f04089d84a2
SSDEEP

786432:2xmnyuUkOytmMZu6QfTCViw+Z1oh0DAmoXcg:smyu2oVzY1/DAmu

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

YVwD0wXKEyGl0mO.exeCTS.exeYVwD0wXKEyGl0mO.exe

pid process

1520 YVwD0wXKEyGl0mO.exe
3652 CTS.exe
1496 YVwD0wXKEyGl0mO.exe
Loads dropped DLL 1 IoCs

Processes:

YVwD0wXKEyGl0mO.exe

pid process

1496 YVwD0wXKEyGl0mO.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1520	YVwD0wXKEyGl0mO.exe
3652	CTS.exe
1496	YVwD0wXKEyGl0mO.exe

pid	process
1496	YVwD0wXKEyGl0mO.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-04-28_1aba131066ff905973503e4fd6333347_bkransomware.exeCTS.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	2024-04-28_1aba131066ff905973503e4fd6333347_bkransomware.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops file in Windows directory 2 IoCs

Processes:

2024-04-28_1aba131066ff905973503e4fd6333347_bkransomware.exeCTS.exe

description ioc process

File created C:\Windows\CTS.exe 2024-04-28_1aba131066ff905973503e4fd6333347_bkransomware.exe
File created C:\Windows\CTS.exe CTS.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-04-28_1aba131066ff905973503e4fd6333347_bkransomware.exeCTS.exe

description pid process

Token: SeDebugPrivilege 2104 2024-04-28_1aba131066ff905973503e4fd6333347_bkransomware.exe
Token: SeDebugPrivilege 3652 CTS.exe

description	ioc	process
File created	C:\Windows\CTS.exe	2024-04-28_1aba131066ff905973503e4fd6333347_bkransomware.exe
File created	C:\Windows\CTS.exe	CTS.exe

description	pid	process
Token: SeDebugPrivilege	2104	2024-04-28_1aba131066ff905973503e4fd6333347_bkransomware.exe
Token: SeDebugPrivilege	3652	CTS.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

2024-04-28_1aba131066ff905973503e4fd6333347_bkransomware.exeYVwD0wXKEyGl0mO.exe

description	pid	process	target process
PID 2104 wrote to memory of 1520	2104	2024-04-28_1aba131066ff905973503e4fd6333347_bkransomware.exe	YVwD0wXKEyGl0mO.exe
PID 2104 wrote to memory of 1520	2104	2024-04-28_1aba131066ff905973503e4fd6333347_bkransomware.exe	YVwD0wXKEyGl0mO.exe
PID 2104 wrote to memory of 1520	2104	2024-04-28_1aba131066ff905973503e4fd6333347_bkransomware.exe	YVwD0wXKEyGl0mO.exe
PID 2104 wrote to memory of 3652	2104	2024-04-28_1aba131066ff905973503e4fd6333347_bkransomware.exe	CTS.exe
PID 2104 wrote to memory of 3652	2104	2024-04-28_1aba131066ff905973503e4fd6333347_bkransomware.exe	CTS.exe
PID 2104 wrote to memory of 3652	2104	2024-04-28_1aba131066ff905973503e4fd6333347_bkransomware.exe	CTS.exe
PID 1520 wrote to memory of 1496	1520	YVwD0wXKEyGl0mO.exe	YVwD0wXKEyGl0mO.exe
PID 1520 wrote to memory of 1496	1520	YVwD0wXKEyGl0mO.exe	YVwD0wXKEyGl0mO.exe
PID 1520 wrote to memory of 1496	1520	YVwD0wXKEyGl0mO.exe	YVwD0wXKEyGl0mO.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-28_1aba131066ff905973503e4fd6333347_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_1aba131066ff905973503e4fd6333347_bkransomware.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2104

C:\Users\Admin\AppData\Local\Temp\YVwD0wXKEyGl0mO.exe
C:\Users\Admin\AppData\Local\Temp\YVwD0wXKEyGl0mO.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1520

C:\Windows\Temp\{86B86C40-D82C-4DB6-9E5C-82475787919E}\.cr\YVwD0wXKEyGl0mO.exe
"C:\Windows\Temp\{86B86C40-D82C-4DB6-9E5C-82475787919E}\.cr\YVwD0wXKEyGl0mO.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\YVwD0wXKEyGl0mO.exe" -burn.filehandle.attached=532 -burn.filehandle.self=540
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1496

C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3652

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
Filesize
392KB

MD5
21859d0fe5fca8acc1c4e549c3620425

SHA1
d75f4a201fbf0fbe06093d47e3dd0321ccb903d8

SHA256
5e264bf8936f0c228daf3e563e27790c84a188bd36fdee1a697f8221d1a39d9e

SHA512
e50fb81906cfe5ab05303d992144814e120c0bdfa60c70df2f83f4e036dd013091f5a5474151f5ea154303820df2dbc544f0b8a4934e7cfe3511cc04356d7e6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YVwD0wXKEyGl0mO.exe
Filesize
27.9MB

MD5
e7062b85c3624af82079794729618eca

SHA1
958fe3e8415aa00b4c3350ef42716321c2fafdeb

SHA256
fb3d0466f3754752ca7fd839a09ffe53375ff2c981279fd4bc23a005458f7f5d

SHA512
05101359d2ec99f562ef6ec604f1c342f3e05ab88cf7ff95dfb272a861a4a7872458d6cf279dd8c2d73e247af71e8e8d80123e435ab76a6363cb28411d0f7706

Download Submit
C:\Windows\CTS.exe
Filesize
71KB

MD5
f9d4ab0a726adc9b5e4b7d7b724912f1

SHA1
3d42ca2098475924f70ee4a831c4f003b4682328

SHA256
b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc

SHA512
22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432

Download Submit
C:\Windows\Temp\{86B86C40-D82C-4DB6-9E5C-82475787919E}\.cr\YVwD0wXKEyGl0mO.exe
Filesize
847KB

MD5
29bf0d271cc659ddd598c564e3e9adb5

SHA1
7f21ce21bc79ca6df7a27b0090cdb75be75302d3

SHA256
550962c4268923bf764797577346b6922493b925b8d17565186bf4b74295193c

SHA512
db2a9874aebf6ed6026ee4e8cde71d124706dc269e072d9cbdd715429e4decb84413289eed3f0fbc2ba80a2a25e4f0376dc08f30e1cd566c1974bc84a1535823

Download Submit
C:\Windows\Temp\{B5052B76-8136-4BBD-8E20-16860060842F}\.ba\PythonBA.dll
Filesize
650KB

MD5
67c295f6b2a53365885879907f4aca36

SHA1
0c8e4f9e5af43f0f4c9f42b23c9c19a33011c29a

SHA256
560739d8eb7d23641260ac5950e8693d376b1714b6ae1e202e74e7e2216ff961

SHA512
e8eccf168976a86d5a2bd4be4bb05bd8971afa1f2b3fcd460aac7eda431da0b021b96db71be270be433aa4b2347003dc9e69c43a67c0a7422c8b9a21068a8bb9

Download Submit
C:\Windows\Temp\{B5052B76-8136-4BBD-8E20-16860060842F}\.ba\SideBar.png
Filesize
50KB

MD5
888eb713a0095756252058c9727e088a

SHA1
c14f69f2bef6bc3e2162b4dd78e9df702d94cdb4

SHA256
79434bd1368f47f08acf6db66638531d386bf15166d78d9bfea4da164c079067

SHA512
7c59f4ada242b19c2299b6789a65a1f34565fed78730c22c904db16a9872fe6a07035c6d46a64ee94501fbcd96de586a8a5303ca22f33da357d455c014820ca0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads