Analysis
max time kernel: 95s
max time network: 123s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-04-2024 18:04
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-04-28_60c56068a4bee7040b5a06eee6524e91_bkransomware.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2 (the run reported on this page)
  Sample: 2024-04-28_60c56068a4bee7040b5a06eee6524e91_bkransomware.exe
  Resource: win10v2004-20240426-en
General
Target: 2024-04-28_60c56068a4bee7040b5a06eee6524e91_bkransomware.exe
Size: 395KB
MD5: 60c56068a4bee7040b5a06eee6524e91
SHA1: 5a1f76e9ee4300633dd642e5baf07087667d3257
SHA256: 02668fff04a066d70fbf83e5c0852bfc9a072fa97ac2d1f0c0115decc9b61421
SHA512: 692a57d0b12c7411ed06ade98542d80ca3e7458f59a2bc8d43a00bf85af91d5d3703c4aff014dd4abb45c08b89c61ab29085fa5daa0071e8294c9b811fe265cc
SSDEEP: 6144:hZMaz25RVcAnVQJXkTx3w/UzImcFBUm2WpTNDjsNBxxGGafe:hS02XV3skNA/ajcF2mlN3sN09G
Malware Config
Signatures
-
Executes dropped EXE (2 IoCs)
Processes: eTIAC92xHv2jaUF.exe, CTS.exe
pid | process
1820 | eTIAC92xHv2jaUF.exe
3396 | CTS.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc. No process-level IoCs are listed for this signature on this page; only the TTP mapping is recorded.
-
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: 2024-04-28_60c56068a4bee7040b5a06eee6524e91_bkransomware.exe, CTS.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | 2024-04-28_60c56068a4bee7040b5a06eee6524e91_bkransomware.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | CTS.exe
Both the submitted sample and the copy it dropped write the same machine-wide Run value, CTS, pointing at C:\Windows\CTS.exe. The WOW6432Node path is where HKLM\SOFTWARE writes from a 32-bit process land on 64-bit Windows, so a hunt on a live host should query both the WOW6432Node and the native HKLM Run keys.
Drops file in Windows directory (2 IoCs)
Processes: 2024-04-28_60c56068a4bee7040b5a06eee6524e91_bkransomware.exe, CTS.exe
description | ioc | process
File created | C:\Windows\CTS.exe | 2024-04-28_60c56068a4bee7040b5a06eee6524e91_bkransomware.exe
File created | C:\Windows\CTS.exe | CTS.exe
Creating a file directly in C:\Windows requires an elevated token under the default ACL, so this persistence path only works when the sample is already running as an administrator (here it runs from the Admin profile).
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: 2024-04-28_60c56068a4bee7040b5a06eee6524e91_bkransomware.exe, CTS.exe
description | pid | process
Token: SeDebugPrivilege | 2568 | 2024-04-28_60c56068a4bee7040b5a06eee6524e91_bkransomware.exe
Token: SeDebugPrivilege | 3396 | CTS.exe
SeDebugPrivilege lets a process open handles to other processes regardless of their owner, which is what makes the WriteProcessMemory activity below possible against arbitrary targets.
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: 2024-04-28_60c56068a4bee7040b5a06eee6524e91_bkransomware.exe
description | pid | process | target process
PID 2568 wrote to memory of 1820 (recorded three times) | 2568 | 2024-04-28_60c56068a4bee7040b5a06eee6524e91_bkransomware.exe | eTIAC92xHv2jaUF.exe
PID 2568 wrote to memory of 3396 (recorded three times) | 2568 | 2024-04-28_60c56068a4bee7040b5a06eee6524e91_bkransomware.exe | CTS.exe
All six writes originate from the submitted sample (PID 2568) and target only the two processes it spawned itself (PIDs 1820 and 3396); no write into a pre-existing process is recorded.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-28_60c56068a4bee7040b5a06eee6524e91_bkransomware.exe (PID 2568)
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-28_60c56068a4bee7040b5a06eee6524e91_bkransomware.exe"
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  -
  C:\Users\Admin\AppData\Local\Temp\eTIAC92xHv2jaUF.exe (PID 1820, child of 2568)
    command line: C:\Users\Admin\AppData\Local\Temp\eTIAC92xHv2jaUF.exe
    - Executes dropped EXE
  -
  C:\Windows\CTS.exe (PID 3396, child of 2568)
    command line: "C:\Windows\CTS.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
Filesize: 392KB
MD5: 718fb7d8b5319003a8e391a3e483b049
SHA1: 7222d9f61883c01ff86af770ff49ca54cbb16bfc
SHA256: 31af6e42d00dfc31033bc2fc7843af46db7df77a305cc3a2962e34ded253f38a
SHA512: 1d0065b1d30a1e52a216f5f5485cb38fd96793f66d3d22c47e3e7e7130f5351f3db36f6728185a142179d470500e9d976aa7483f6d1224589a99121b022281e8
-
C:\Users\Admin\AppData\Local\Temp\eTIAC92xHv2jaUF.exe
Filesize: 395KB
MD5: 389fd9c77ddbf54ec6c09a815f8cca11
SHA1: eb4432e3bebca589516e364b0b04a879157b8d0e
SHA256: 1ed05412382007d0d105d602a581d85c8987423f739c46d305398c605b69883e
SHA512: 15785be98332a6570c074a74fb528e662865e1a77d4e1723cff1d0a6097ec943a76a66ac09be826209badfc8bd16dc34b5e02fb8770e70e7bec843e3c57331e1
-
C:\Users\Admin\AppData\Local\Temp\eTIAC92xHv2jaUF.exe
Filesize: 324KB
MD5: 7187ae605f4dce14bb23ea2623956335
SHA1: f7c1df33b875c98f41dcde24117d89d42d25b7ce
SHA256: 9e2631c19b243c28b0980607ced2540e9447b1166572483475547c1a9dd4ac0e
SHA512: f64522e2fb6bb61884fe53c34e79b355efb9ec33c02b2cd67d729af7d763e7b3873a5c7ce6ac7bb4567e6bcf8c70cadbc66f511e8bb151ab05096a832032bc8f
-
C:\Windows\CTS.exe
Filesize: 71KB
MD5: 66df4ffab62e674af2e75b163563fc0b
SHA1: dec8a197312e41eeb3cfef01cb2a443f0205cd6e
SHA256: 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163
SHA512: 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25
Note that C:\Users\Admin\AppData\Local\Temp\eTIAC92xHv2jaUF.exe is listed twice with different sizes and hashes: the sandbox captured two distinct contents at that path during the run, so both hash sets should be treated as indicators.
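The following is an added example, not part of the sandbox output: detection logic for the behaviours recorded in the Signatures section and the hashes in the Downloads section, run over a handful of constructed Sysmon-style events (EventID 13 registry value set, 11 file create, 1 process create, using Sysmon's field names Image, TargetObject, Details, TargetFilename and Hashes). The events are constructed to mirror this report's IoCs; the only real data in the block are the four SHA256 values copied from Downloads. The Run-key check generalizes beyond this sample: it fires on any Run or RunOnce value, in the native or WOW6432Node view, whose target sits directly in C:\Windows or in a user-writable location, or which is written by a process outside Program Files or System32. The trusted-directory list and the benign control events are assumptions for illustration.

```python
"""Detection checks for the behaviours recorded in this report, run over
constructed Sysmon-style events (EventID 1 process create, 11 file create,
13 registry value set). Added example; not produced by the sandbox."""
import re
from pathlib import PureWindowsPath

# Real SHA256 values, copied from the Downloads section of the report.
REPORT_SHA256 = {
    "02668fff04a066d70fbf83e5c0852bfc9a072fa97ac2d1f0c0115decc9b61421": "submitted sample",
    "1ed05412382007d0d105d602a581d85c8987423f739c46d305398c605b69883e": "eTIAC92xHv2jaUF.exe (395KB)",
    "9e2631c19b243c28b0980607ced2540e9447b1166572483475547c1a9dd4ac0e": "eTIAC92xHv2jaUF.exe (324KB)",
    "075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163": "CTS.exe",
}

# Run/RunOnce value under either the native or the WOW6432Node view of the hive;
# matches both Sysmon's HKLM\... rendering and the \REGISTRY\MACHINE\... form used above.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I)
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\")
# Assumed trusted install locations for this example; tune per environment.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\",
                "c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def exe_from_value(data: str) -> str:
    """Extract the executable path from Run value data, quoted or bare, with or without arguments."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    m = re.match(r"(.*?\.exe)\b", data, re.I)
    return m.group(1) if m else data.split(" ", 1)[0]


def in_windows_root(path: str) -> bool:
    """True only for files directly in C:\\Windows, not in any subfolder."""
    return str(PureWindowsPath(path).parent).lower() == "c:\\windows"


def is_trusted(path: str) -> bool:
    return path.lower().startswith(TRUSTED_DIRS)


def check_run_key(ev):
    """Sysmon 13: Run value whose target is oddly located or whose writer is untrusted."""
    if ev["EventID"] != 13 or not RUN_KEY_RE.search(ev["TargetObject"]):
        return None
    exe = exe_from_value(ev["Details"])
    odd_target = in_windows_root(exe) or any(s in exe.lower() for s in USER_WRITABLE)
    if odd_target or not is_trusted(ev["Image"]):
        return {"rule": "run_key_persistence", "image": ev["Image"],
                "value": ev["TargetObject"], "exe": exe}
    return None


def check_windows_root_drop(ev):
    """Sysmon 11: PE written straight into C:\\Windows by a process outside trusted dirs."""
    if ev["EventID"] != 11:
        return None
    target = ev["TargetFilename"]
    if (target.lower().endswith((".exe", ".dll")) and in_windows_root(target)
            and not is_trusted(ev["Image"])):
        return {"rule": "windows_root_drop", "image": ev["Image"], "file": target}
    return None


def check_known_hash(ev):
    """Sysmon 1: the Hashes field carries a SHA256 listed in this report."""
    if ev["EventID"] != 1:
        return None
    m = re.search(r"SHA256=([0-9a-fA-F]{64})", ev.get("Hashes", ""))
    if m and m.group(1).lower() in REPORT_SHA256:
        return {"rule": "known_hash", "image": ev["Image"],
                "label": REPORT_SHA256[m.group(1).lower()]}
    return None


def analyse(events):
    """Run every check over every event; return the findings in event order."""
    checks = (check_run_key, check_windows_root_drop, check_known_hash)
    return [hit for ev in events for chk in checks if (hit := chk(ev))]


SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
          "2024-04-28_60c56068a4bee7040b5a06eee6524e91_bkransomware.exe")
RUN_CTS = "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\CTS"

# Constructed events mirroring the report's IoCs, plus two benign ones that must not fire.
EVENTS = [
    {"EventID": 13, "Image": SAMPLE, "TargetObject": RUN_CTS, "Details": "C:\\Windows\\CTS.exe"},
    {"EventID": 11, "Image": SAMPLE, "TargetFilename": "C:\\Windows\\CTS.exe"},
    {"EventID": 1, "Image": "C:\\Windows\\CTS.exe", "ParentImage": SAMPLE,
     "Hashes": "SHA256=075A6EECD8DA1795532318F9CF880EFE42461F9464D63F74DEB271D33110F163"},
    {"EventID": 13, "Image": "C:\\Windows\\CTS.exe", "TargetObject": RUN_CTS, "Details": "C:\\Windows\\CTS.exe"},
    # benign (constructed): a vendor installer registering its own updater from Program Files
    {"EventID": 13, "Image": "C:\\Program Files\\Vendor\\setup.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorUpdate",
     "Details": "\"C:\\Program Files\\Vendor\\update.exe\" /quiet"},
    # benign (constructed): servicing writes into a Windows subfolder, not the root
    {"EventID": 11, "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetFilename": "C:\\Windows\\Temp\\patch.dll"},
]

if __name__ == "__main__":
    for finding in analyse(EVENTS):
        print(finding)
```

Against the constructed events this yields four findings (the sample's Run-key write, the drop of C:\Windows\CTS.exe, the known-hash match on CTS.exe, and CTS.exe's own Run-key write) and stays silent on the two benign events. The hash check is the weakest of the three, since any rebuild of the dropper changes it; the Run-key and Windows-root checks describe the persistence behaviour itself and survive a re-pack.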