Analysis
-
max time kernel
55s -
max time network
54s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system -
submitted
28-04-2024 10:28
Static task
static1
Behavioral task
behavioral1
Sample
2024-04-28_fc6c4588ecc06408ab687289414bf36f_bkransomware.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
2024-04-28_fc6c4588ecc06408ab687289414bf36f_bkransomware.exe
Resource
win10v2004-20240419-en
General
-
Target
2024-04-28_fc6c4588ecc06408ab687289414bf36f_bkransomware.exe
-
Size
131KB
-
MD5
fc6c4588ecc06408ab687289414bf36f
-
SHA1
1ca5c6417a53ac51185d3ba96ebe47400b12cab9
-
SHA256
af417c8f31915861bef22cda49e494868effcbe67d61db9bdef712062f4085f7
-
SHA512
24e9c7f95357d40c9be81d9ff5253e8042c79e1f96d677ff6ff5a7d79e5b77c9ad464fa199c7e5286717b64aba1ae93ad0af13a7481d6f2e3bfd53d497ff4805
-
SSDEEP
3072:ZhpAyazIlyazTPRcZ3V4o+t5q5hwXI9H9JNBZ:hZMazr8eo+tE7wXIhlX
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
Xxn2DiwnlpWXNix.exeCTS.exepid process 384 Xxn2DiwnlpWXNix.exe 1244 CTS.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
CTS.exe2024-04-28_fc6c4588ecc06408ab687289414bf36f_bkransomware.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" CTS.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" 2024-04-28_fc6c4588ecc06408ab687289414bf36f_bkransomware.exe -
Drops file in Windows directory 2 IoCs
Processes:
2024-04-28_fc6c4588ecc06408ab687289414bf36f_bkransomware.exeCTS.exedescription ioc process File created C:\Windows\CTS.exe 2024-04-28_fc6c4588ecc06408ab687289414bf36f_bkransomware.exe File created C:\Windows\CTS.exe CTS.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
2024-04-28_fc6c4588ecc06408ab687289414bf36f_bkransomware.exeCTS.exedescription pid process Token: SeDebugPrivilege 880 2024-04-28_fc6c4588ecc06408ab687289414bf36f_bkransomware.exe Token: SeDebugPrivilege 1244 CTS.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
2024-04-28_fc6c4588ecc06408ab687289414bf36f_bkransomware.exedescription pid process target process PID 880 wrote to memory of 384 880 2024-04-28_fc6c4588ecc06408ab687289414bf36f_bkransomware.exe Xxn2DiwnlpWXNix.exe PID 880 wrote to memory of 384 880 2024-04-28_fc6c4588ecc06408ab687289414bf36f_bkransomware.exe Xxn2DiwnlpWXNix.exe PID 880 wrote to memory of 384 880 2024-04-28_fc6c4588ecc06408ab687289414bf36f_bkransomware.exe Xxn2DiwnlpWXNix.exe PID 880 wrote to memory of 1244 880 2024-04-28_fc6c4588ecc06408ab687289414bf36f_bkransomware.exe CTS.exe PID 880 wrote to memory of 1244 880 2024-04-28_fc6c4588ecc06408ab687289414bf36f_bkransomware.exe CTS.exe PID 880 wrote to memory of 1244 880 2024-04-28_fc6c4588ecc06408ab687289414bf36f_bkransomware.exe CTS.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-28_fc6c4588ecc06408ab687289414bf36f_bkransomware.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-28_fc6c4588ecc06408ab687289414bf36f_bkransomware.exe"1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:880 -
C:\Users\Admin\AppData\Local\Temp\Xxn2DiwnlpWXNix.exeC:\Users\Admin\AppData\Local\Temp\Xxn2DiwnlpWXNix.exe2⤵
- Executes dropped EXE
PID:384 -
C:\Windows\CTS.exe"C:\Windows\CTS.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1244
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xmlFilesize
392KB
MD57280cb47bba499ccfea3e5e8a8cf821d
SHA14f4fbf5448cdec7bbeb31860cea06bfc56a8e4f5
SHA2568a09bd1345c816fb81b25a3ba2c7fe9c579f956f25480971c618c54928abc6d8
SHA5123a9dcc94bf140e2f81ee57186874674754ae4bd2b3326873b9970554afa2517ec213ef5fd3d5754ab84fd0e2bddd1306206ccd5e46e3baa1e18a6960783ec540
-
C:\Users\Admin\AppData\Local\Temp\Xxn2DiwnlpWXNix.exeFilesize
60KB
MD5ed0fde686788caec4f2cb1ec9c31680c
SHA181ae63b87eaa9fa5637835d2122c50953ae19d34
SHA256e362670f93cdd952335b1a41e5529f184f2022ea4d41817a9781b150b062511c
SHA512d90d5e74a9be23816a93490ed30c0aae9f7f038a42bd14aa2ce78e95967b4aabd848f006f00ade619c9976755658d45aa0f5b6d5babbbb2d59a6ed3a3a12ac6b
-
C:\Windows\CTS.exeFilesize
71KB
MD566df4ffab62e674af2e75b163563fc0b
SHA1dec8a197312e41eeb3cfef01cb2a443f0205cd6e
SHA256075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163
SHA5121588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25