Analysis
Max time kernel: 93s
Max time network: 95s
Platform: windows10-2004_x64
Resource: win10v2004-20240426-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 28-04-2024 04:46

Static task: static1

Behavioral task: behavioral1
Sample: 2024-04-28_1aba131066ff905973503e4fd6333347_bkransomware.exe
Resource: win7-20240215-en

Behavioral task: behavioral2
Sample: 2024-04-28_1aba131066ff905973503e4fd6333347_bkransomware.exe
Resource: win10v2004-20240426-en
General
Target: 2024-04-28_1aba131066ff905973503e4fd6333347_bkransomware.exe
Size: 28.0MB
MD5: 1aba131066ff905973503e4fd6333347
SHA1: 058f54fac6d04473ed6fc4ed783027ccbe10c85b
SHA256: e061049e240aef4c25a5ad4039f0661448513118735e2d0a72df8744b4bd5a60
SHA512: da972d53f490308c9ad1b62fdbad7dcb442e5f6af2f7a54a9acfb9bf70cf962e1850ea3b32b82b50ea7f69f183a217d60082ce3d2039b81849a63f04089d84a2
SSDEEP: 786432:2xmnyuUkOytmMZu6QfTCViw+Z1oh0DAmoXcg:smyu2oVzY1/DAmu
Malware Config
Signatures

Executes dropped EXE (3 IoCs)
Processes: YVwD0wXKEyGl0mO.exe, CTS.exe, YVwD0wXKEyGl0mO.exe
pid   process
1520  YVwD0wXKEyGl0mO.exe
3652  CTS.exe
1496  YVwD0wXKEyGl0mO.exe

Loads dropped DLL (1 IoC)
Processes: YVwD0wXKEyGl0mO.exe
pid   process
1496  YVwD0wXKEyGl0mO.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: 2024-04-28_1aba131066ff905973503e4fd6333347_bkransomware.exe, CTS.exe
description      ioc                                                                                                     process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"  2024-04-28_1aba131066ff905973503e4fd6333347_bkransomware.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"  CTS.exe

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in Windows directory (2 IoCs)
Processes: 2024-04-28_1aba131066ff905973503e4fd6333347_bkransomware.exe, CTS.exe
description   ioc                 process
File created  C:\Windows\CTS.exe  2024-04-28_1aba131066ff905973503e4fd6333347_bkransomware.exe
File created  C:\Windows\CTS.exe  CTS.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: 2024-04-28_1aba131066ff905973503e4fd6333347_bkransomware.exe, CTS.exe
description               pid   process
Token: SeDebugPrivilege   2104  2024-04-28_1aba131066ff905973503e4fd6333347_bkransomware.exe
Token: SeDebugPrivilege   3652  CTS.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 2024-04-28_1aba131066ff905973503e4fd6333347_bkransomware.exe, YVwD0wXKEyGl0mO.exe
description                       pid   process                                                        target process
PID 2104 wrote to memory of 1520  2104  2024-04-28_1aba131066ff905973503e4fd6333347_bkransomware.exe  YVwD0wXKEyGl0mO.exe
PID 2104 wrote to memory of 1520  2104  2024-04-28_1aba131066ff905973503e4fd6333347_bkransomware.exe  YVwD0wXKEyGl0mO.exe
PID 2104 wrote to memory of 1520  2104  2024-04-28_1aba131066ff905973503e4fd6333347_bkransomware.exe  YVwD0wXKEyGl0mO.exe
PID 2104 wrote to memory of 3652  2104  2024-04-28_1aba131066ff905973503e4fd6333347_bkransomware.exe  CTS.exe
PID 2104 wrote to memory of 3652  2104  2024-04-28_1aba131066ff905973503e4fd6333347_bkransomware.exe  CTS.exe
PID 2104 wrote to memory of 3652  2104  2024-04-28_1aba131066ff905973503e4fd6333347_bkransomware.exe  CTS.exe
PID 1520 wrote to memory of 1496  1520  YVwD0wXKEyGl0mO.exe                                            YVwD0wXKEyGl0mO.exe
PID 1520 wrote to memory of 1496  1520  YVwD0wXKEyGl0mO.exe                                            YVwD0wXKEyGl0mO.exe
PID 1520 wrote to memory of 1496  1520  YVwD0wXKEyGl0mO.exe                                            YVwD0wXKEyGl0mO.exe
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\2024-04-28_1aba131066ff905973503e4fd6333347_bkransomware.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-28_1aba131066ff905973503e4fd6333347_bkransomware.exe"
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

    Level 2: C:\Users\Admin\AppData\Local\Temp\YVwD0wXKEyGl0mO.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\YVwD0wXKEyGl0mO.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

        Level 3: C:\Windows\Temp\{86B86C40-D82C-4DB6-9E5C-82475787919E}\.cr\YVwD0wXKEyGl0mO.exe
        Command line: "C:\Windows\Temp\{86B86C40-D82C-4DB6-9E5C-82475787919E}\.cr\YVwD0wXKEyGl0mO.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\YVwD0wXKEyGl0mO.exe" -burn.filehandle.attached=532 -burn.filehandle.self=540
        - Executes dropped EXE
        - Loads dropped DLL

    Level 2: C:\Windows\CTS.exe
    Command line: "C:\Windows\CTS.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

File: C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
Filesize: 392KB
MD5: 21859d0fe5fca8acc1c4e549c3620425
SHA1: d75f4a201fbf0fbe06093d47e3dd0321ccb903d8
SHA256: 5e264bf8936f0c228daf3e563e27790c84a188bd36fdee1a697f8221d1a39d9e
SHA512: e50fb81906cfe5ab05303d992144814e120c0bdfa60c70df2f83f4e036dd013091f5a5474151f5ea154303820df2dbc544f0b8a4934e7cfe3511cc04356d7e6b

File: C:\Users\Admin\AppData\Local\Temp\YVwD0wXKEyGl0mO.exe
Filesize: 27.9MB
MD5: e7062b85c3624af82079794729618eca
SHA1: 958fe3e8415aa00b4c3350ef42716321c2fafdeb
SHA256: fb3d0466f3754752ca7fd839a09ffe53375ff2c981279fd4bc23a005458f7f5d
SHA512: 05101359d2ec99f562ef6ec604f1c342f3e05ab88cf7ff95dfb272a861a4a7872458d6cf279dd8c2d73e247af71e8e8d80123e435ab76a6363cb28411d0f7706

File: C:\Windows\CTS.exe
Filesize: 71KB
MD5: f9d4ab0a726adc9b5e4b7d7b724912f1
SHA1: 3d42ca2098475924f70ee4a831c4f003b4682328
SHA256: b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc
SHA512: 22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432

File: C:\Windows\Temp\{86B86C40-D82C-4DB6-9E5C-82475787919E}\.cr\YVwD0wXKEyGl0mO.exe
Filesize: 847KB
MD5: 29bf0d271cc659ddd598c564e3e9adb5
SHA1: 7f21ce21bc79ca6df7a27b0090cdb75be75302d3
SHA256: 550962c4268923bf764797577346b6922493b925b8d17565186bf4b74295193c
SHA512: db2a9874aebf6ed6026ee4e8cde71d124706dc269e072d9cbdd715429e4decb84413289eed3f0fbc2ba80a2a25e4f0376dc08f30e1cd566c1974bc84a1535823

File: C:\Windows\Temp\{B5052B76-8136-4BBD-8E20-16860060842F}\.ba\PythonBA.dll
Filesize: 650KB
MD5: 67c295f6b2a53365885879907f4aca36
SHA1: 0c8e4f9e5af43f0f4c9f42b23c9c19a33011c29a
SHA256: 560739d8eb7d23641260ac5950e8693d376b1714b6ae1e202e74e7e2216ff961
SHA512: e8eccf168976a86d5a2bd4be4bb05bd8971afa1f2b3fcd460aac7eda431da0b021b96db71be270be433aa4b2347003dc9e69c43a67c0a7422c8b9a21068a8bb9

File: C:\Windows\Temp\{B5052B76-8136-4BBD-8E20-16860060842F}\.ba\SideBar.png
Filesize: 50KB
MD5: 888eb713a0095756252058c9727e088a
SHA1: c14f69f2bef6bc3e2162b4dd78e9df702d94cdb4
SHA256: 79434bd1368f47f08acf6db66638531d386bf15166d78d9bfea4da164c079067
SHA512: 7c59f4ada242b19c2299b6789a65a1f34565fed78730c22c904db16a9872fe6a07035c6d46a64ee94501fbcd96de586a8a5303ca22f33da357d455c014820ca0