Analysis
- max time kernel: 62s
- max time network: 51s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-04-2024 12:38
Static task: static1
Behavioral task: behavioral1
- Sample: 2024-04-28_7597858998dc4ab96df11320c5ded836_bkransomware.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 2024-04-28_7597858998dc4ab96df11320c5ded836_bkransomware.exe
- Resource: win10v2004-20240419-en
General
- Target: 2024-04-28_7597858998dc4ab96df11320c5ded836_bkransomware.exe
- Size: 71KB
- MD5: 7597858998dc4ab96df11320c5ded836
- SHA1: 11a918ebd7001713372f38cff3cd4efb3f6fc556
- SHA256: d26c93dc23e24c91c89ad4ae89af091df37a33be8be81b4239b94847b86afeab
- SHA512: c39c7752873cf42d011cf481d93d1fe2da12dc7b20845c3ca924647cca3e8c0485009e9c45ef2391f2c434610a76be23d21dd64c0cc6c9177ee55bb7221a6e2c
- SSDEEP: 1536:Fc8N7UsWjcd9w+AyabjDbxE+MwmvlzuazT7:ZRpAyazIliazT7
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid 752 | CTS.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: CTS.exe, 2024-04-28_7597858998dc4ab96df11320c5ded836_bkransomware.exe
  description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | CTS.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | 2024-04-28_7597858998dc4ab96df11320c5ded836_bkransomware.exe
- Drops file in Windows directory (2 IoCs)
  Processes: CTS.exe, 2024-04-28_7597858998dc4ab96df11320c5ded836_bkransomware.exe
  description | ioc | process
    File created | C:\Windows\CTS.exe | CTS.exe
    File created | C:\Windows\CTS.exe | 2024-04-28_7597858998dc4ab96df11320c5ded836_bkransomware.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: 2024-04-28_7597858998dc4ab96df11320c5ded836_bkransomware.exe, CTS.exe
  description | pid | process
    Token: SeDebugPrivilege | 1512 | 2024-04-28_7597858998dc4ab96df11320c5ded836_bkransomware.exe
    Token: SeDebugPrivilege | 752 | CTS.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: 2024-04-28_7597858998dc4ab96df11320c5ded836_bkransomware.exe
  description | pid | process | target process
    PID 1512 wrote to memory of 752 | 1512 | 2024-04-28_7597858998dc4ab96df11320c5ded836_bkransomware.exe | CTS.exe
    PID 1512 wrote to memory of 752 | 1512 | 2024-04-28_7597858998dc4ab96df11320c5ded836_bkransomware.exe | CTS.exe
    PID 1512 wrote to memory of 752 | 1512 | 2024-04-28_7597858998dc4ab96df11320c5ded836_bkransomware.exe | CTS.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\2024-04-28_7597858998dc4ab96df11320c5ded836_bkransomware.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-28_7597858998dc4ab96df11320c5ded836_bkransomware.exe"
   - Adds Run key to start application
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\CTS.exe (child of process 1)
      Command line: "C:\Windows\CTS.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
  Filesize: 395KB
  MD5: 8e63ac5849f69ed03a338c8702bd6c4e
  SHA1: 6bcf26d1937dc131d8ff4322695938d1b43630fc
  SHA256: 6df1eadffd012df7f99ea855384d3bc4bbd2bf71bdcab9b68cff7d5cae88ad21
  SHA512: c336bcc39dfc351a38b5dd835d4c092dda886750f99537b980733eb0b5d6536a52d6ded0ff24e727523ddf34532c7bbec32cfe6b3d3f38701d806a92020e8815
- C:\Users\Admin\AppData\Local\Temp\Az1Sx8a0GJDFjzk.exe
  Filesize: 71KB
  MD5: 9ad4b364d281269b4c95eca6f8cd2ff9
  SHA1: 7933fd9234ec1bb39882c96654d81e26160e72d7
  SHA256: 7fb39ddaf69fc83adf8b101c4775922859da4f745c3f48ef78a5cc97078418f7
  SHA512: 10f8d51b4f8e5051a61a9165f3eb6bec51a52121d0ba8da387fa542ca50f4f1c6091877422912c09974899b9e2f09241060596bf919ad1f24709419cd3a3b1b8
- C:\Windows\CTS.exe
  Filesize: 71KB
  MD5: f9d4ab0a726adc9b5e4b7d7b724912f1
  SHA1: 3d42ca2098475924f70ee4a831c4f003b4682328
  SHA256: b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc
  SHA512: 22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432