Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system -
submitted
03/05/2024, 17:53
Static task
static1
Behavioral task
behavioral1
Sample
2024-05-03_46a27c782b09f4a602730e8b1cad3627_bkransomware.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
2024-05-03_46a27c782b09f4a602730e8b1cad3627_bkransomware.exe
Resource
win10v2004-20240419-en
General
-
Target
2024-05-03_46a27c782b09f4a602730e8b1cad3627_bkransomware.exe
-
Size
7.3MB
-
MD5
46a27c782b09f4a602730e8b1cad3627
-
SHA1
10b7660cccc7e4a3fe105fb9b1cad49732834a0b
-
SHA256
14791264a3918650fcb150c11e59e308dc1131eb08cbbdfcfcca49ac5657a646
-
SHA512
6502834a98d045c548e43cc30c78e4375e0aeaddd47706f172ddea4e06c6757e204500e7f992863e62036df55cb27f3427e5d66e30d7e19ce275506c7bce931a
-
SSDEEP
196608:onG45fkN4b7cqKg4LK8VJFgDx8vfFe9WI+eAMrk1h:t4RkN4bAqtGtFYx6fU9WNe1g1h
Malware Config
Signatures
-
Detects executables containing URLs to raw contents of a Github gist 2 IoCs
resource yara_rule behavioral1/files/0x00090000000122be-1.dat INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL behavioral1/memory/2072-17-0x0000000000210000-0x0000000000956000-memory.dmp INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL -
Executes dropped EXE 2 IoCs
pid Process 2072 or3FvqCtFdp5bB7.exe 2908 CTS.exe -
Loads dropped DLL 2 IoCs
pid Process 2900 2024-05-03_46a27c782b09f4a602730e8b1cad3627_bkransomware.exe 2900 2024-05-03_46a27c782b09f4a602730e8b1cad3627_bkransomware.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" 2024-05-03_46a27c782b09f4a602730e8b1cad3627_bkransomware.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" CTS.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\CTS.exe 2024-05-03_46a27c782b09f4a602730e8b1cad3627_bkransomware.exe File created C:\Windows\CTS.exe CTS.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 2900 2024-05-03_46a27c782b09f4a602730e8b1cad3627_bkransomware.exe Token: SeDebugPrivilege 2908 CTS.exe Token: SeDebugPrivilege 2072 or3FvqCtFdp5bB7.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2900 wrote to memory of 2072 2900 2024-05-03_46a27c782b09f4a602730e8b1cad3627_bkransomware.exe 28 PID 2900 wrote to memory of 2072 2900 2024-05-03_46a27c782b09f4a602730e8b1cad3627_bkransomware.exe 28 PID 2900 wrote to memory of 2072 2900 2024-05-03_46a27c782b09f4a602730e8b1cad3627_bkransomware.exe 28 PID 2900 wrote to memory of 2072 2900 2024-05-03_46a27c782b09f4a602730e8b1cad3627_bkransomware.exe 28 PID 2900 wrote to memory of 2908 2900 2024-05-03_46a27c782b09f4a602730e8b1cad3627_bkransomware.exe 29 PID 2900 wrote to memory of 2908 2900 2024-05-03_46a27c782b09f4a602730e8b1cad3627_bkransomware.exe 29 PID 2900 wrote to memory of 2908 2900 2024-05-03_46a27c782b09f4a602730e8b1cad3627_bkransomware.exe 29 PID 2900 wrote to memory of 2908 2900 2024-05-03_46a27c782b09f4a602730e8b1cad3627_bkransomware.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-05-03_46a27c782b09f4a602730e8b1cad3627_bkransomware.exe"C:\Users\Admin\AppData\Local\Temp\2024-05-03_46a27c782b09f4a602730e8b1cad3627_bkransomware.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Users\Admin\AppData\Local\Temp\or3FvqCtFdp5bB7.exeC:\Users\Admin\AppData\Local\Temp\or3FvqCtFdp5bB7.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2072
-
-
C:\Windows\CTS.exe"C:\Windows\CTS.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2908
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
809B
MD58b6737800745d3b99886d013b3392ac3
SHA1bb94da3f294922d9e8d31879f2d145586a182e19
SHA25686f10504ca147d13a157944f926141fe164a89fa8a71847458bda7102abb6594
SHA512654dda9b645b4900ac6e5bb226494921194dab7de71d75806f645d9b94ed820055914073ef9a5407e468089c0b2ee4d021f03c2ea61e73889b553895e79713df
-
Filesize
4KB
MD564db93bfd1c0bdecc50736c8cbf94071
SHA1856436a74074a7d75f31b01ec7dbf67745c880d3
SHA25600456cfbed4cca1ea5ee210287cc7cd277882b84b607f7d49d2c76083b7c2bdb
SHA51273b979292d4bb55530978859f5a838c8bda6da63699a9b0c71f42aede8a2eeaeee7949dcbaaafb36d42231df89d42087b7504bfe64d6b9b2172fe135484d9759
-
Filesize
2B
MD581051bcc2cf1bedf378224b0a93e2877
SHA1ba8ab5a0280b953aa97435ff8946cbcbb2755a27
SHA2567eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6
SHA5121b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d
-
Filesize
71KB
MD566df4ffab62e674af2e75b163563fc0b
SHA1dec8a197312e41eeb3cfef01cb2a443f0205cd6e
SHA256075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163
SHA5121588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25
-
Filesize
7.3MB
MD5dd6b75a77601d62ac66df1b0a51a7de3
SHA1699fc35deccb0cd6e341420903fc993535c2c98f
SHA2562f46a1d48e1589e0aa10f215e77cb48fb90c531e19aa3c05d766f59b449f3c15
SHA51243bd57e5379c22494aade734a45a443722327d48c7f06aa521048c99adba576e29bd70bba7bd28ba94f8f24f88efed7b8e5a1b3249cbfcb4d95fd0bc1f424d86