02668fff04a066d70fbf83e5c0852bfc9a072fa97ac2d1f0c0115decc9b61421

General

Target

2024-04-28_60c56068a4bee7040b5a06eee6524e91_bkransomware.exe
Size

395KB
MD5

60c56068a4bee7040b5a06eee6524e91
SHA1

5a1f76e9ee4300633dd642e5baf07087667d3257
SHA256

02668fff04a066d70fbf83e5c0852bfc9a072fa97ac2d1f0c0115decc9b61421
SHA512

692a57d0b12c7411ed06ade98542d80ca3e7458f59a2bc8d43a00bf85af91d5d3703c4aff014dd4abb45c08b89c61ab29085fa5daa0071e8294c9b811fe265cc
SSDEEP

6144:hZMaz25RVcAnVQJXkTx3w/UzImcFBUm2WpTNDjsNBxxGGafe:hS02XV3skNA/ajcF2mlN3sN09G

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

eTIAC92xHv2jaUF.exeCTS.exe

pid process

1820 eTIAC92xHv2jaUF.exe
3396 CTS.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1820	eTIAC92xHv2jaUF.exe
3396	CTS.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-04-28_60c56068a4bee7040b5a06eee6524e91_bkransomware.exeCTS.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	2024-04-28_60c56068a4bee7040b5a06eee6524e91_bkransomware.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

Drops file in Windows directory 2 IoCs

Processes:

2024-04-28_60c56068a4bee7040b5a06eee6524e91_bkransomware.exeCTS.exe

description ioc process

File created C:\Windows\CTS.exe 2024-04-28_60c56068a4bee7040b5a06eee6524e91_bkransomware.exe
File created C:\Windows\CTS.exe CTS.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-04-28_60c56068a4bee7040b5a06eee6524e91_bkransomware.exeCTS.exe

description pid process

Token: SeDebugPrivilege 2568 2024-04-28_60c56068a4bee7040b5a06eee6524e91_bkransomware.exe
Token: SeDebugPrivilege 3396 CTS.exe

description	ioc	process
File created	C:\Windows\CTS.exe	2024-04-28_60c56068a4bee7040b5a06eee6524e91_bkransomware.exe
File created	C:\Windows\CTS.exe	CTS.exe

description	pid	process
Token: SeDebugPrivilege	2568	2024-04-28_60c56068a4bee7040b5a06eee6524e91_bkransomware.exe
Token: SeDebugPrivilege	3396	CTS.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

2024-04-28_60c56068a4bee7040b5a06eee6524e91_bkransomware.exe

description	pid	process	target process
PID 2568 wrote to memory of 1820	2568	2024-04-28_60c56068a4bee7040b5a06eee6524e91_bkransomware.exe	eTIAC92xHv2jaUF.exe
PID 2568 wrote to memory of 1820	2568	2024-04-28_60c56068a4bee7040b5a06eee6524e91_bkransomware.exe	eTIAC92xHv2jaUF.exe
PID 2568 wrote to memory of 1820	2568	2024-04-28_60c56068a4bee7040b5a06eee6524e91_bkransomware.exe	eTIAC92xHv2jaUF.exe
PID 2568 wrote to memory of 3396	2568	2024-04-28_60c56068a4bee7040b5a06eee6524e91_bkransomware.exe	CTS.exe
PID 2568 wrote to memory of 3396	2568	2024-04-28_60c56068a4bee7040b5a06eee6524e91_bkransomware.exe	CTS.exe
PID 2568 wrote to memory of 3396	2568	2024-04-28_60c56068a4bee7040b5a06eee6524e91_bkransomware.exe	CTS.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-28_60c56068a4bee7040b5a06eee6524e91_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_60c56068a4bee7040b5a06eee6524e91_bkransomware.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2568

C:\Users\Admin\AppData\Local\Temp\eTIAC92xHv2jaUF.exe
C:\Users\Admin\AppData\Local\Temp\eTIAC92xHv2jaUF.exe
2⤵
- Executes dropped EXE
PID:1820

C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3396

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
Filesize
392KB

MD5
718fb7d8b5319003a8e391a3e483b049

SHA1
7222d9f61883c01ff86af770ff49ca54cbb16bfc

SHA256
31af6e42d00dfc31033bc2fc7843af46db7df77a305cc3a2962e34ded253f38a

SHA512
1d0065b1d30a1e52a216f5f5485cb38fd96793f66d3d22c47e3e7e7130f5351f3db36f6728185a142179d470500e9d976aa7483f6d1224589a99121b022281e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\eTIAC92xHv2jaUF.exe
Filesize
395KB

MD5
389fd9c77ddbf54ec6c09a815f8cca11

SHA1
eb4432e3bebca589516e364b0b04a879157b8d0e

SHA256
1ed05412382007d0d105d602a581d85c8987423f739c46d305398c605b69883e

SHA512
15785be98332a6570c074a74fb528e662865e1a77d4e1723cff1d0a6097ec943a76a66ac09be826209badfc8bd16dc34b5e02fb8770e70e7bec843e3c57331e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\eTIAC92xHv2jaUF.exe
Filesize
324KB

MD5
7187ae605f4dce14bb23ea2623956335

SHA1
f7c1df33b875c98f41dcde24117d89d42d25b7ce

SHA256
9e2631c19b243c28b0980607ced2540e9447b1166572483475547c1a9dd4ac0e

SHA512
f64522e2fb6bb61884fe53c34e79b355efb9ec33c02b2cd67d729af7d763e7b3873a5c7ce6ac7bb4567e6bcf8c70cadbc66f511e8bb151ab05096a832032bc8f

Download Submit
C:\Windows\CTS.exe
Filesize
71KB

MD5
66df4ffab62e674af2e75b163563fc0b

SHA1
dec8a197312e41eeb3cfef01cb2a443f0205cd6e

SHA256
075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163

SHA512
1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads