Analysis
-
max time kernel
120s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
28-04-2024 11:16
Static task
static1
Behavioral task
behavioral1
Sample
2024-04-28_9cb1b0dd8b44241413451e83b40c3212_bkransomware.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
2024-04-28_9cb1b0dd8b44241413451e83b40c3212_bkransomware.exe
Resource
win10v2004-20240419-en
General
-
Target
2024-04-28_9cb1b0dd8b44241413451e83b40c3212_bkransomware.exe
-
Size
172KB
-
MD5
9cb1b0dd8b44241413451e83b40c3212
-
SHA1
0e8beb2869a13609d63a5477c837099203fe0add
-
SHA256
0792288d6aed4971033116d17e36eea58ed0070c131e997ce6ead89595ed7221
-
SHA512
980554acfad05980412db522c87eddd9d5e9b388defd611b191c1439e3928cf47392467e5642cbbc9d4b60682f26a8ecfc870d337d35771937d40098b453d05b
-
SSDEEP
3072:ZhpAyazIlyazTK+erII0nMsQg3otWuIKDuhxSFmZNfa:hZMazG+6IIEY9ILho3
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
3eH4bynXFk9BGNR.exeCTS.exepid process 864 3eH4bynXFk9BGNR.exe 2464 CTS.exe -
Loads dropped DLL 2 IoCs
Processes:
2024-04-28_9cb1b0dd8b44241413451e83b40c3212_bkransomware.exepid process 2040 2024-04-28_9cb1b0dd8b44241413451e83b40c3212_bkransomware.exe 2704 -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
2024-04-28_9cb1b0dd8b44241413451e83b40c3212_bkransomware.exeCTS.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" 2024-04-28_9cb1b0dd8b44241413451e83b40c3212_bkransomware.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" CTS.exe -
Drops file in Windows directory 2 IoCs
Processes:
CTS.exe2024-04-28_9cb1b0dd8b44241413451e83b40c3212_bkransomware.exedescription ioc process File created C:\Windows\CTS.exe CTS.exe File created C:\Windows\CTS.exe 2024-04-28_9cb1b0dd8b44241413451e83b40c3212_bkransomware.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
2024-04-28_9cb1b0dd8b44241413451e83b40c3212_bkransomware.exeCTS.exedescription pid process Token: SeDebugPrivilege 2040 2024-04-28_9cb1b0dd8b44241413451e83b40c3212_bkransomware.exe Token: SeDebugPrivilege 2464 CTS.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
2024-04-28_9cb1b0dd8b44241413451e83b40c3212_bkransomware.exedescription pid process target process PID 2040 wrote to memory of 864 2040 2024-04-28_9cb1b0dd8b44241413451e83b40c3212_bkransomware.exe 3eH4bynXFk9BGNR.exe PID 2040 wrote to memory of 864 2040 2024-04-28_9cb1b0dd8b44241413451e83b40c3212_bkransomware.exe 3eH4bynXFk9BGNR.exe PID 2040 wrote to memory of 864 2040 2024-04-28_9cb1b0dd8b44241413451e83b40c3212_bkransomware.exe 3eH4bynXFk9BGNR.exe PID 2040 wrote to memory of 864 2040 2024-04-28_9cb1b0dd8b44241413451e83b40c3212_bkransomware.exe 3eH4bynXFk9BGNR.exe PID 2040 wrote to memory of 2464 2040 2024-04-28_9cb1b0dd8b44241413451e83b40c3212_bkransomware.exe CTS.exe PID 2040 wrote to memory of 2464 2040 2024-04-28_9cb1b0dd8b44241413451e83b40c3212_bkransomware.exe CTS.exe PID 2040 wrote to memory of 2464 2040 2024-04-28_9cb1b0dd8b44241413451e83b40c3212_bkransomware.exe CTS.exe PID 2040 wrote to memory of 2464 2040 2024-04-28_9cb1b0dd8b44241413451e83b40c3212_bkransomware.exe CTS.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-28_9cb1b0dd8b44241413451e83b40c3212_bkransomware.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-28_9cb1b0dd8b44241413451e83b40c3212_bkransomware.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3eH4bynXFk9BGNR.exeC:\Users\Admin\AppData\Local\Temp\3eH4bynXFk9BGNR.exe2⤵
- Executes dropped EXE
-
C:\Windows\CTS.exe"C:\Windows\CTS.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\3eH4bynXFk9BGNR.exeFilesize
172KB
MD5e07b6a1452ef1ed16ccb469d1e34826f
SHA1ae86a08abbf2024012c3f29fbb171c25b0f2c1d4
SHA2566adfde8a6da0c8d2388585bab1c6fd510e990e9c022d52f56a52fe74837d94c5
SHA5126b2a1cec8f952be490e67d2b81fb9f9b33411c84a8c7a2dd5d3bfd755a1b5a3bc2ac86d1f529101b898073ed7488f9b764c3c17fa61df638f1d9087173cf4ada
-
C:\Windows\CTS.exeFilesize
71KB
MD566df4ffab62e674af2e75b163563fc0b
SHA1dec8a197312e41eeb3cfef01cb2a443f0205cd6e
SHA256075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163
SHA5121588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25
-
\Users\Admin\AppData\Local\Temp\3eH4bynXFk9BGNR.exeFilesize
100KB
MD5db697c943fcb215f757f9c22c907c568
SHA1c57d891472f5ede8b1ee5d9bd6f5ad8fc8e9e5d7
SHA25607c96337729e3c4c986e8f5660a97cb475c4c04842606be2654b37892af57de9
SHA512bfa5c34d8c78015ccf96a2ef1c6d8f82157eb88680139bdbb51c55e3cd2a7c41bf364a364fd62b180b202cdf4f3d7d31c3710b8709c1d25a639bb00dfc97b646