Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
28-04-2024 10:28
Static task
static1
Behavioral task
behavioral1
Sample
2024-04-28_fc6c4588ecc06408ab687289414bf36f_bkransomware.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
2024-04-28_fc6c4588ecc06408ab687289414bf36f_bkransomware.exe
Resource
win10v2004-20240419-en
General
-
Target
2024-04-28_fc6c4588ecc06408ab687289414bf36f_bkransomware.exe
-
Size
131KB
-
MD5
fc6c4588ecc06408ab687289414bf36f
-
SHA1
1ca5c6417a53ac51185d3ba96ebe47400b12cab9
-
SHA256
af417c8f31915861bef22cda49e494868effcbe67d61db9bdef712062f4085f7
-
SHA512
24e9c7f95357d40c9be81d9ff5253e8042c79e1f96d677ff6ff5a7d79e5b77c9ad464fa199c7e5286717b64aba1ae93ad0af13a7481d6f2e3bfd53d497ff4805
-
SSDEEP
3072:ZhpAyazIlyazTPRcZ3V4o+t5q5hwXI9H9JNBZ:hZMazr8eo+tE7wXIhlX
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
ncqsA9NwJTzzXg7.exeCTS.exepid process 2332 ncqsA9NwJTzzXg7.exe 2204 CTS.exe -
Loads dropped DLL 2 IoCs
Processes:
2024-04-28_fc6c4588ecc06408ab687289414bf36f_bkransomware.exepid process 2220 2024-04-28_fc6c4588ecc06408ab687289414bf36f_bkransomware.exe 2220 2024-04-28_fc6c4588ecc06408ab687289414bf36f_bkransomware.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
2024-04-28_fc6c4588ecc06408ab687289414bf36f_bkransomware.exeCTS.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" 2024-04-28_fc6c4588ecc06408ab687289414bf36f_bkransomware.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" CTS.exe -
Drops file in Windows directory 2 IoCs
Processes:
CTS.exe2024-04-28_fc6c4588ecc06408ab687289414bf36f_bkransomware.exedescription ioc process File created C:\Windows\CTS.exe CTS.exe File created C:\Windows\CTS.exe 2024-04-28_fc6c4588ecc06408ab687289414bf36f_bkransomware.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
2024-04-28_fc6c4588ecc06408ab687289414bf36f_bkransomware.exeCTS.exedescription pid process Token: SeDebugPrivilege 2220 2024-04-28_fc6c4588ecc06408ab687289414bf36f_bkransomware.exe Token: SeDebugPrivilege 2204 CTS.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
2024-04-28_fc6c4588ecc06408ab687289414bf36f_bkransomware.exedescription pid process target process PID 2220 wrote to memory of 2332 2220 2024-04-28_fc6c4588ecc06408ab687289414bf36f_bkransomware.exe ncqsA9NwJTzzXg7.exe PID 2220 wrote to memory of 2332 2220 2024-04-28_fc6c4588ecc06408ab687289414bf36f_bkransomware.exe ncqsA9NwJTzzXg7.exe PID 2220 wrote to memory of 2332 2220 2024-04-28_fc6c4588ecc06408ab687289414bf36f_bkransomware.exe ncqsA9NwJTzzXg7.exe PID 2220 wrote to memory of 2332 2220 2024-04-28_fc6c4588ecc06408ab687289414bf36f_bkransomware.exe ncqsA9NwJTzzXg7.exe PID 2220 wrote to memory of 2204 2220 2024-04-28_fc6c4588ecc06408ab687289414bf36f_bkransomware.exe CTS.exe PID 2220 wrote to memory of 2204 2220 2024-04-28_fc6c4588ecc06408ab687289414bf36f_bkransomware.exe CTS.exe PID 2220 wrote to memory of 2204 2220 2024-04-28_fc6c4588ecc06408ab687289414bf36f_bkransomware.exe CTS.exe PID 2220 wrote to memory of 2204 2220 2024-04-28_fc6c4588ecc06408ab687289414bf36f_bkransomware.exe CTS.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-28_fc6c4588ecc06408ab687289414bf36f_bkransomware.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-28_fc6c4588ecc06408ab687289414bf36f_bkransomware.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Users\Admin\AppData\Local\Temp\ncqsA9NwJTzzXg7.exeC:\Users\Admin\AppData\Local\Temp\ncqsA9NwJTzzXg7.exe2⤵
- Executes dropped EXE
PID:2332 -
C:\Windows\CTS.exe"C:\Windows\CTS.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2204
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\CTS.exeFilesize
71KB
MD566df4ffab62e674af2e75b163563fc0b
SHA1dec8a197312e41eeb3cfef01cb2a443f0205cd6e
SHA256075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163
SHA5121588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25
-
\Users\Admin\AppData\Local\Temp\ncqsA9NwJTzzXg7.exeFilesize
60KB
MD5ed0fde686788caec4f2cb1ec9c31680c
SHA181ae63b87eaa9fa5637835d2122c50953ae19d34
SHA256e362670f93cdd952335b1a41e5529f184f2022ea4d41817a9781b150b062511c
SHA512d90d5e74a9be23816a93490ed30c0aae9f7f038a42bd14aa2ce78e95967b4aabd848f006f00ade619c9976755658d45aa0f5b6d5babbbb2d59a6ed3a3a12ac6b