Analysis
-
max time kernel
117s
-
max time network
123s
-
platform
windows7_x64
-
resource
win7-20240221-en
-
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
-
submitted
28-04-2024 18:03
Static task
static1
Behavioral task
behavioral1
Sample
2024-04-28_1b919658db32ffba06cd13ba0f230923_bkransomware.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2024-04-28_1b919658db32ffba06cd13ba0f230923_bkransomware.exe
Resource
win10v2004-20240419-en
General
-
Target
2024-04-28_1b919658db32ffba06cd13ba0f230923_bkransomware.exe
-
Size
79.3MB
-
MD5
1b919658db32ffba06cd13ba0f230923
-
SHA1
591a32944a659b8013db49bfed0e04ac597f394f
-
SHA256
55fbe70e6b731dcbb6668beb12bbdf1026b3f61501d308bd5c6f5f47758ff993
-
SHA512
c10df8f3d9307e723a98bd8f2fdcc7ea1ef042c05412ab089e17b4a20c70309732f1f270cbf0ff1144436b0224eb25c4cd5cfd34022dae5db7baa01626791c61
-
SSDEEP
1572864:fj0sKNVvxxwV1quLKjKPQV4XA14OjY4fEeIKGvJupB8:/wVvnw6W0KPQ2utk4l+wB8
Malware Config
Signatures
-
Executes dropped EXE 4 IoCs
Processes: OA0Ot9TGr3LXzt6.exe, CTS.exe, OA0Ot9TGr3LXzt6.exe
  PID   Process
  2172  OA0Ot9TGr3LXzt6.exe
  2036  CTS.exe
  2544  OA0Ot9TGr3LXzt6.exe
  1180
-
Loads dropped DLL 3 IoCs
Processes: 2024-04-28_1b919658db32ffba06cd13ba0f230923_bkransomware.exe, OA0Ot9TGr3LXzt6.exe
  PID   Process
  2328  2024-04-28_1b919658db32ffba06cd13ba0f230923_bkransomware.exe
  2172  OA0Ot9TGr3LXzt6.exe
  1180
-
Reads user/profile data of web browsers 2 TTPs
Infostealers commonly target stored browser profile data, which can include saved credentials.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: 2024-04-28_1b919658db32ffba06cd13ba0f230923_bkransomware.exe, CTS.exe
  Description      IoC                                                                                                        Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"  2024-04-28_1b919658db32ffba06cd13ba0f230923_bkransomware.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"  CTS.exe
-
Drops file in Windows directory 2 IoCs
Processes: 2024-04-28_1b919658db32ffba06cd13ba0f230923_bkransomware.exe, CTS.exe
  Description   IoC                 Process
  File created  C:\Windows\CTS.exe  2024-04-28_1b919658db32ffba06cd13ba0f230923_bkransomware.exe
  File created  C:\Windows\CTS.exe  CTS.exe
-
Modifies Internet Explorer settings 1 IoCs
Processes: OA0Ot9TGr3LXzt6.exe
  Description  IoC                                                                                                   Process
  Key created  \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main  OA0Ot9TGr3LXzt6.exe
-
Modifies system certificate store 2 IoCs
Processes: OA0Ot9TGr3LXzt6.exe
  Description       IoC                                                                                                                                          Process
  Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436                       OA0Ot9TGr3LXzt6.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (certificate blob not reproduced)  OA0Ot9TGr3LXzt6.exe
Note: AuthRoot\Certificates is the machine store that Windows' automatic root certificate update fills when a certificate chain is built against a root not yet cached locally, so a write here is also what a legitimately signed binary triggers on a fresh image. A root planted to make malicious code appear trusted more commonly lands under SystemCertificates\ROOT\Certificates; on its own this IoC is weak evidence.
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: 2024-04-28_1b919658db32ffba06cd13ba0f230923_bkransomware.exe, CTS.exe
  Description              PID   Process
  Token: SeDebugPrivilege  2328  2024-04-28_1b919658db32ffba06cd13ba0f230923_bkransomware.exe
  Token: SeDebugPrivilege  2036  CTS.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes: OA0Ot9TGr3LXzt6.exe
  PID   Process
  2544  OA0Ot9TGr3LXzt6.exe
  2544  OA0Ot9TGr3LXzt6.exe
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes: 2024-04-28_1b919658db32ffba06cd13ba0f230923_bkransomware.exe, OA0Ot9TGr3LXzt6.exe
  Description         PID   Process                                                        Target PID  Target process       Entries
  wrote to memory of  2328  2024-04-28_1b919658db32ffba06cd13ba0f230923_bkransomware.exe  2172        OA0Ot9TGr3LXzt6.exe  4
  wrote to memory of  2328  2024-04-28_1b919658db32ffba06cd13ba0f230923_bkransomware.exe  2036        CTS.exe              4
  wrote to memory of  2172  OA0Ot9TGr3LXzt6.exe                                            2544        OA0Ot9TGr3LXzt6.exe  3
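The two persistence signatures above (a Run value named CTS pointing at C:\Windows\CTS.exe, and the file drop that creates that binary) are enough to write a detection that does not depend on the file name. The Python below is an added example, not part of the sandbox report: it normalizes kernel-style registry paths, strips the Wow6432Node redirection node (a 32-bit process that opens HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run on 64-bit Windows is redirected there, so a hunt that only reads the native key misses it), pulls the target executable out of the quoted value data, and scores each Run write by where the writer runs, where the target lives, and whether the same process also created the target. The event records and their field names (kind, pid, image, key, data, target) are this script's own convention, constructed from the IoCs on this page plus one invented benign control record for an installer under Program Files.

```python
"""Flag autorun persistence written from a user's Temp directory and correlate it with the
files the writer dropped.  Added example for this report, not part of the sandbox output;
the event shape (kind / pid / image / key / data / target) is this script's own convention."""
import ntpath
import re

BK = r"C:\Users\Admin\AppData\Local\Temp\2024-04-28_1b919658db32ffba06cd13ba0f230923_bkransomware.exe"
RUN_CTS = r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS"

# Constructed from the "Adds Run key" and "Drops file in Windows directory" IoCs on this page,
# plus one invented benign control record (an installer under Program Files, not on the page).
EVENTS = [
    {"kind": "RegistrySetValue", "pid": 2328, "image": BK, "key": RUN_CTS, "data": r'"C:\\Windows\\CTS.exe"'},
    {"kind": "RegistrySetValue", "pid": 2036, "image": r"C:\Windows\CTS.exe", "key": RUN_CTS, "data": r'"C:\\Windows\\CTS.exe"'},
    {"kind": "FileCreate", "pid": 2328, "image": BK, "target": r"C:\Windows\CTS.exe"},
    {"kind": "FileCreate", "pid": 2036, "image": r"C:\Windows\CTS.exe", "target": r"C:\Windows\CTS.exe"},
    {"kind": "RegistrySetValue", "pid": 4444, "image": r"C:\Program Files\Vendor\setup.exe",
     "key": r"\REGISTRY\USER\S-1-5-21-1-2-3-1000\Software\Microsoft\Windows\CurrentVersion\Run\Vendor",
     "data": r'"C:\Program Files\Vendor\agent.exe" /tray'},
]

RUN_KEY = re.compile(r"\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)
USER_TEMP = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)


def normalize_key(key):
    """Kernel-style path -> HKLM/HKU form, with the WOW64 redirection node removed so a
    32-bit writer's Run value compares equal to the native one."""
    key = re.sub(r"^\\REGISTRY\\MACHINE", "HKLM", key, flags=re.I)
    key = re.sub(r"^\\REGISTRY\\USER", "HKU", key, flags=re.I)
    return re.sub(r"\\Wow6432Node(?=\\)", "", key, flags=re.I)


def image_from_data(data):
    """Executable path from a Run value: collapse doubled backslashes, honour quoting,
    otherwise take the first token (an unquoted path containing spaces is cut at the space)."""
    data = data.replace("\\\\", "\\").strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    return data.split(" ", 1)[0]


def autorun_findings(events):
    """One finding per suspicious Run write, with the reasons that made it suspicious."""
    created = {(e["pid"], e["target"].lower()) for e in events if e["kind"] == "FileCreate"}
    findings = []
    for e in events:
        if e["kind"] != "RegistrySetValue" or not RUN_KEY.search(e["key"]):
            continue
        target = image_from_data(e["data"])
        reasons = []
        if USER_TEMP.match(e["image"]):
            reasons.append("writer runs from user Temp")
        if ntpath.dirname(target).lower() == r"c:\windows":
            reasons.append("target sits directly in C:\\Windows, not a subdirectory")
        if "wow6432node" in e["key"].lower():
            reasons.append("32-bit writer (WOW64-redirected Run key)")
        if (e["pid"], target.lower()) in created:
            reasons.append("writer also created the target file")
        if ntpath.normcase(e["image"]) == ntpath.normcase(target):
            reasons.append("binary re-registers itself")
        if reasons:
            findings.append({"pid": e["pid"], "key": normalize_key(e["key"]),
                             "target": target, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in autorun_findings(EVENTS):
        print(f"PID {f['pid']}: {f['key']} -> {f['target']}")
        for reason in f["reasons"]:
            print("   ", reason)
```

Run against the constructed events, both writes of the CTS value are reported (the dropper from Temp, then CTS.exe re-registering itself) and the Program Files control record is not; the normalized key is the same for both, which is what you want when matching against a hunt list that was written for the native 64-bit path.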
Processes
[1] C:\Users\Admin\AppData\Local\Temp\2024-04-28_1b919658db32ffba06cd13ba0f230923_bkransomware.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-28_1b919658db32ffba06cd13ba0f230923_bkransomware.exe"
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\OA0Ot9TGr3LXzt6.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\OA0Ot9TGr3LXzt6.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\jds259398088.tmp\OA0Ot9TGr3LXzt6.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\jds259398088.tmp\OA0Ot9TGr3LXzt6.exe"
            - Executes dropped EXE
            - Modifies Internet Explorer settings
            - Modifies system certificate store
            - Suspicious use of SetWindowsHookEx
    [2] C:\Windows\CTS.exe
        Command line: "C:\Windows\CTS.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
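The eleven WriteProcessMemory rows in the signatures section collapse to three parent-to-child edges, and each one matches an edge of the process tree above (2328 spawns 2172 and 2036; 2172 spawns 2544). A parent writing a handful of times into a child it has just created is what both an ordinary launch and process hollowing look like to a sandbox that hooks user-mode APIs; the report does not record write sizes or thread state, so the one thing these rows can settle is whether any writer touched a process it did not spawn. The Python below is an added example, not part of the report: it transcribes the rows, collapses them, checks that the first writer of each target is its parent, and separates writes into the writer's own children from writes into anything else. The final record, PID 2544 writing into a hypothetical explorer.exe with PID 1337, is constructed to exercise the foreign-write branch and does not appear on this page.

```python
"""Collapse the WriteProcessMemory rows into parent->child edges and check each edge against the
process tree.  Added example, not part of the sandbox report; field order is (writer pid,
writer image, target pid, target image)."""
from collections import Counter

BK = "2024-04-28_1b919658db32ffba06cd13ba0f230923_bkransomware.exe"
OA = "OA0Ot9TGr3LXzt6.exe"

# Rows transcribed from the signature table, plus one constructed record (not on the page)
# in which PID 2544 writes into a process it never spawned.
WRITES = (
    [(2328, BK, 2172, OA)] * 4
    + [(2328, BK, 2036, "CTS.exe")] * 4
    + [(2172, OA, 2544, OA)] * 3
    + [(2544, OA, 1337, "explorer.exe")]  # constructed: hypothetical foreign-process write
)

# Parent map read off the page's process tree (depth 1 -> 2 -> 3).
PROCESS_PARENTS = {2328: None, 2172: 2328, 2036: 2328, 2544: 2172}


def collapse_edges(writes):
    """(writer pid, target pid) -> number of writes; eleven rows become three edges."""
    return Counter((w, t) for w, _, t, _ in writes)


def infer_parents(writes):
    """target -> first writer.  For a plain launch this reproduces the process tree, because
    the parent writes into the child it has just created."""
    parents = {}
    for w, _, t, _ in writes:
        parents.setdefault(t, w)
    return parents


def classify_writes(writes, parents):
    """Split edges into writes into the writer's own child and writes into any other process."""
    own_child, foreign = [], []
    for (w, t), n in sorted(collapse_edges(writes).items()):
        (own_child if parents.get(t) == w else foreign).append((w, t, n))
    return own_child, foreign


def describe(writes, parents):
    """Triage lines such as 'own child: 2328 ... -> 2172 ... (x4)'; foreign writes come last."""
    own_child, foreign = classify_writes(writes, parents)
    images = {}
    for w, wi, t, ti in writes:
        images[w], images[t] = wi, ti

    def fmt(tag, w, t, n):
        return f"{tag}: {w} {images[w]} -> {t} {images[t]} (x{n})"

    return [fmt("own child", *e) for e in own_child] + [fmt("FOREIGN", *e) for e in foreign]


if __name__ == "__main__":
    print("\n".join(describe(WRITES, PROCESS_PARENTS)))
```

For the page's own eleven rows infer_parents returns exactly the tree the sandbox drew, and all three edges classify as own-child writes; only the constructed record is reported as FOREIGN. When a real report shows a FOREIGN edge, the next step is to pull the target's image path and check whether it is a long-lived system process, which this data alone cannot tell you.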
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Temp\jds259398088.tmp\OA0Ot9TGr3LXzt6.exe
Filesize
78.8MB
MD5
2e984fc82add25bab8bd9b4e2bb83d0c
SHA1
8319d63c6b593b667f194f2ed2c9216cccaa3ee0
SHA256
25b6669a3cd944c3e80e2fe32267ade7347a44a371d964586bb18d94d2227b37
SHA512
a7526f328e3ea4fb901bf1f811463283be46327332fcafa69e36236451e2b568fcf383aaf313772143a5487faed3f2e9774fdd486d312f647a4a98e16e829fc9
-
C:\Users\Admin\AppData\Local\Temp\jusched.log
Filesize
3KB
MD5
97b82e3de06721e1f2c5846f8369479b
SHA1
a82db785ca41f8333fa3fa67f00b56b1650c7f29
SHA256
5a41bf464409fb466dabaa72e6d2549b45afa20dbeda5bf16ff5b50c991d2f4e
SHA512
c6ff96719f94cae1e803109702d8ab631abd5d0445db474c3c0290c6cf84bfaa7841bbf95314f40d44019e09cc89d2148cedc3f71d9f0c12fba2c6e2cb21e2f2
-
C:\Users\Admin\AppData\Local\Temp\jusched.log
Filesize
5KB
MD5
3148ee5135892b27c0f12c42d84a5efe
SHA1
d9b66ff1b7970677f9fae09b07e726be0d087af8
SHA256
3ef333725ff8f4fcc4885ef9aaf6f2127e2aeb56e93d46b1185b56a9706f5e32
SHA512
7bab1e61d4e48124fd0a1cc2bb9aa31e0c0fbea76d2ef228b9165cb2077b4bf0e6f562fd725e70b141f6b773872a889ffd702256770ab2eed6dc83d25e7195da
-
C:\Windows\CTS.exe
Filesize
71KB
MD5
66df4ffab62e674af2e75b163563fc0b
SHA1
dec8a197312e41eeb3cfef01cb2a443f0205cd6e
SHA256
075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163
SHA512
1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25
-
\Users\Admin\AppData\Local\Temp\OA0Ot9TGr3LXzt6.exe
Filesize
79.2MB
MD5
608914d57c9476b6af49a545d042f4fc
SHA1
a7b9709bfae02ca7ef90c08d38152c12f83e864f
SHA256
3f3b8ecbb0808b15a811ca437767d09e73c04d465729fd1532e296903634461c
SHA512
5e6e9132e3d768f07e3a829743c7e793a60874875458c213a8cfd535d6861927192ffe48b26f127ee4c54ec28dfaf6183ddc36421e585711dd29d9a0b8e740f4
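The Downloads list carries five dropped-file records, and one path (jusched.log) appears twice with different sizes and digests because the file was rewritten during the run. The Python below is an added example, not part of the report: it parses the section as it comes out of a raw text export, where the algorithm name is fused to its digest and "Filesize" to the path, checks that every digest has the length its algorithm requires before it can be copied into a blocklist, groups records by path so a file hashed twice is reported instead of silently deduplicated, and emits a SHA256 set for the executables only. The text constant is transcribed from this page; the record layout (path, size, hashes) is this script's own.

```python
"""Parse the Downloads section of a sandbox report as it comes out of a raw text export and
turn it into checked IoCs.  Added example, not part of the report itself."""
import re
from collections import defaultdict

# Transcribed from this page: the algorithm name is fused to its digest and "Filesize" to the path.
REPORT_TEXT = r"""
-
C:\Users\Admin\AppData\Local\Temp\jds259398088.tmp\OA0Ot9TGr3LXzt6.exeFilesize
78.8MB
MD52e984fc82add25bab8bd9b4e2bb83d0c
SHA18319d63c6b593b667f194f2ed2c9216cccaa3ee0
SHA25625b6669a3cd944c3e80e2fe32267ade7347a44a371d964586bb18d94d2227b37
SHA512a7526f328e3ea4fb901bf1f811463283be46327332fcafa69e36236451e2b568fcf383aaf313772143a5487faed3f2e9774fdd486d312f647a4a98e16e829fc9
-
C:\Users\Admin\AppData\Local\Temp\jusched.logFilesize
3KB
MD597b82e3de06721e1f2c5846f8369479b
SHA1a82db785ca41f8333fa3fa67f00b56b1650c7f29
SHA2565a41bf464409fb466dabaa72e6d2549b45afa20dbeda5bf16ff5b50c991d2f4e
SHA512c6ff96719f94cae1e803109702d8ab631abd5d0445db474c3c0290c6cf84bfaa7841bbf95314f40d44019e09cc89d2148cedc3f71d9f0c12fba2c6e2cb21e2f2
-
C:\Users\Admin\AppData\Local\Temp\jusched.logFilesize
5KB
MD53148ee5135892b27c0f12c42d84a5efe
SHA1d9b66ff1b7970677f9fae09b07e726be0d087af8
SHA2563ef333725ff8f4fcc4885ef9aaf6f2127e2aeb56e93d46b1185b56a9706f5e32
SHA5127bab1e61d4e48124fd0a1cc2bb9aa31e0c0fbea76d2ef228b9165cb2077b4bf0e6f562fd725e70b141f6b773872a889ffd702256770ab2eed6dc83d25e7195da
-
C:\Windows\CTS.exeFilesize
71KB
MD566df4ffab62e674af2e75b163563fc0b
SHA1dec8a197312e41eeb3cfef01cb2a443f0205cd6e
SHA256075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163
SHA5121588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25
-
\Users\Admin\AppData\Local\Temp\OA0Ot9TGr3LXzt6.exeFilesize
79.2MB
MD5608914d57c9476b6af49a545d042f4fc
SHA1a7b9709bfae02ca7ef90c08d38152c12f83e864f
SHA2563f3b8ecbb0808b15a811ca437767d09e73c04d465729fd1532e296903634461c
SHA5125e6e9132e3d768f07e3a829743c7e793a60874875458c213a8cfd535d6861927192ffe48b26f127ee4c54ec28dfaf6183ddc36421e585711dd29d9a0b8e740f4
"""

DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# The fourth character (1, 2 or 5) disambiguates the fused SHA names, so alternation is safe.
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)([0-9a-fA-F]+)$")


def parse_downloads(text):
    """Return one record {path, size, hashes} per dropped file, raising on a digest of the
    wrong length so a truncated or mis-split hash never reaches a blocklist."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":
            continue
        if line.endswith("Filesize"):
            cur = {"path": line[: -len("Filesize")], "size": None, "hashes": {}}
            records.append(cur)
            continue
        if cur is None:
            raise ValueError(f"data before any file path: {line!r}")
        m = HASH_LINE.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != DIGEST_LEN[algo]:
                raise ValueError(f"{algo} for {cur['path']} has {len(digest)} hex chars, "
                                 f"expected {DIGEST_LEN[algo]}")
            cur["hashes"][algo] = digest
        elif cur["size"] is None:
            cur["size"] = line
        else:
            raise ValueError(f"unexpected line {line!r} under {cur['path']}")
    return records


def paths_with_multiple_contents(records):
    """Paths hashed more than once with different content (here: a log rewritten during the run)."""
    by_path = defaultdict(set)
    for r in records:
        by_path[r["path"]].add(r["hashes"]["SHA256"])
    return {p: sorted(h) for p, h in by_path.items() if len(h) > 1}


def sha256_blocklist(records, skip_suffixes=(".log",)):
    """SHA256 set for the dropped executables; volatile files such as logs are left out."""
    return sorted({r["hashes"]["SHA256"] for r in records
                   if not r["path"].lower().endswith(skip_suffixes)})


if __name__ == "__main__":
    recs = parse_downloads(REPORT_TEXT)
    for path, digests in paths_with_multiple_contents(recs).items():
        print(f"{path} has {len(digests)} distinct contents")
    print("\n".join(sha256_blocklist(recs)))
```

The length check matters more than it looks: a copy-paste that loses one hex character turns a SHA256 into a string that matches nothing, and a blocklist that silently accepts it gives a false sense of coverage. Excluding the log from the hash set is a judgement call; its two digests are still useful as evidence of what ran, just not as indicators.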