449ce51e0407a5fbbdb2f12a6aaefd55c737440aaecf126d326ee6933583aca8

General

Target

2024-04-28_ba3458134c36049a67847db908eb51dd_bkransomware.exe
Size

144KB
MD5

ba3458134c36049a67847db908eb51dd
SHA1

6d77fb9827c24ebabeaaf4b3ce2c4cd23bde9a4d
SHA256

449ce51e0407a5fbbdb2f12a6aaefd55c737440aaecf126d326ee6933583aca8
SHA512

590220f248b92f210ad365538e5d383385266a4c4eaf79b8172b5d7e9f8ef9a7e6e022cefcd78986a4630f6ae68444665d043bed35da148fef876dab6f4d5fe6
SSDEEP

3072:ZRpAyazIliazTfRIjdDNU+SccHq/0QiOPYI+x:xZ8azzRkfYQD4x

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

zV9hxYvzYWad51p.exeCTS.exe

pid process

1432 zV9hxYvzYWad51p.exe
3064 CTS.exe
Loads dropped DLL 3 IoCs

Processes:

2024-04-28_ba3458134c36049a67847db908eb51dd_bkransomware.exe

pid process

1704 2024-04-28_ba3458134c36049a67847db908eb51dd_bkransomware.exe
1704 2024-04-28_ba3458134c36049a67847db908eb51dd_bkransomware.exe
2980
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1432	zV9hxYvzYWad51p.exe
3064	CTS.exe

pid	process
1704	2024-04-28_ba3458134c36049a67847db908eb51dd_bkransomware.exe
1704	2024-04-28_ba3458134c36049a67847db908eb51dd_bkransomware.exe
2980

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-04-28_ba3458134c36049a67847db908eb51dd_bkransomware.exeCTS.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	2024-04-28_ba3458134c36049a67847db908eb51dd_bkransomware.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

Drops file in Windows directory 2 IoCs

Processes:

2024-04-28_ba3458134c36049a67847db908eb51dd_bkransomware.exeCTS.exe

description ioc process

File created C:\Windows\CTS.exe 2024-04-28_ba3458134c36049a67847db908eb51dd_bkransomware.exe
File created C:\Windows\CTS.exe CTS.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-04-28_ba3458134c36049a67847db908eb51dd_bkransomware.exeCTS.exe

description pid process

Token: SeDebugPrivilege 1704 2024-04-28_ba3458134c36049a67847db908eb51dd_bkransomware.exe
Token: SeDebugPrivilege 3064 CTS.exe

description	ioc	process
File created	C:\Windows\CTS.exe	2024-04-28_ba3458134c36049a67847db908eb51dd_bkransomware.exe
File created	C:\Windows\CTS.exe	CTS.exe

description	pid	process
Token: SeDebugPrivilege	1704	2024-04-28_ba3458134c36049a67847db908eb51dd_bkransomware.exe
Token: SeDebugPrivilege	3064	CTS.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

2024-04-28_ba3458134c36049a67847db908eb51dd_bkransomware.exe

description	pid	process	target process
PID 1704 wrote to memory of 1432	1704	2024-04-28_ba3458134c36049a67847db908eb51dd_bkransomware.exe	zV9hxYvzYWad51p.exe
PID 1704 wrote to memory of 1432	1704	2024-04-28_ba3458134c36049a67847db908eb51dd_bkransomware.exe	zV9hxYvzYWad51p.exe
PID 1704 wrote to memory of 1432	1704	2024-04-28_ba3458134c36049a67847db908eb51dd_bkransomware.exe	zV9hxYvzYWad51p.exe
PID 1704 wrote to memory of 1432	1704	2024-04-28_ba3458134c36049a67847db908eb51dd_bkransomware.exe	zV9hxYvzYWad51p.exe
PID 1704 wrote to memory of 3064	1704	2024-04-28_ba3458134c36049a67847db908eb51dd_bkransomware.exe	CTS.exe
PID 1704 wrote to memory of 3064	1704	2024-04-28_ba3458134c36049a67847db908eb51dd_bkransomware.exe	CTS.exe
PID 1704 wrote to memory of 3064	1704	2024-04-28_ba3458134c36049a67847db908eb51dd_bkransomware.exe	CTS.exe
PID 1704 wrote to memory of 3064	1704	2024-04-28_ba3458134c36049a67847db908eb51dd_bkransomware.exe	CTS.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-28_ba3458134c36049a67847db908eb51dd_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_ba3458134c36049a67847db908eb51dd_bkransomware.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Users\Admin\AppData\Local\Temp\zV9hxYvzYWad51p.exe
  C:\Users\Admin\AppData\Local\Temp\zV9hxYvzYWad51p.exe
  2⤵
  - Executes dropped EXE
  PID:1432
- C:\Windows\CTS.exe
  "C:\Windows\CTS.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\zV9hxYvzYWad51p.exe

Filesize
144KB

MD5
c922ecb997ebf7428b763941bf3a20d4

SHA1
9e4229b9457a71a035bd97dfb5f7ef7f3eeab14f

SHA256
9c059dd6d5af734eece6e12ad02f65fda9681b11bdfb3175e0a626a8a5bdba15

SHA512
fd4059dbd7eb774b07d7baa4e7c047f7c1f4f8c89709be315e7ec3159cac3ed422551b311c980d980a7ad0a39464dd73a0788d3f4c6f2021b6e3766165c858bd

Download Submit
C:\Windows\CTS.exe

Filesize
71KB

MD5
f9d4ab0a726adc9b5e4b7d7b724912f1

SHA1
3d42ca2098475924f70ee4a831c4f003b4682328

SHA256
b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc

SHA512
22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432

Download Submit
\Users\Admin\AppData\Local\Temp\zV9hxYvzYWad51p.exe

Filesize
73KB

MD5
d2778164ef643ba8f44cc202ec7ef157

SHA1
31eee7114eed6b0d2fb77c9f3605057639050786

SHA256
28b001bb9a72ae7a24242bfab248d767a1ac5dec981c672a3944f7a072375e9a

SHA512
cb2a5a2aeba9d6f6bfc4a3a4576961244c109aafb59f02134b03ebac4d16602ee7f141cc4adc519f15030c20e7e7d6585778870706b2ea4c74c1161729101635

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads