7706de6068558218a17fcd0bc0e2ffeaa8e296addd0e84a0a17443b2ef54e199

General

Target

2024-05-09_34bb77d99bf27ec1df6314c33eb11f4f_bkransomware.exe
Size

214KB
MD5

34bb77d99bf27ec1df6314c33eb11f4f
SHA1

33c261de5014e6adc417e1043022a6a4f813c119
SHA256

7706de6068558218a17fcd0bc0e2ffeaa8e296addd0e84a0a17443b2ef54e199
SHA512

9ebca9c8392173681526de893041ba5bc6429b2ca73078d980feeeb8b3ab5c68183766075fc94b6a4bc91f04e99628af9d9b27b4c58d7fafb3cd85ac7d666c09
SSDEEP

3072:ZhpAyazIlyazTZcGbD5Hy6bs2vGfXC2CaHThk7zDOolEjSC1wBK4QqI3Hb8LN9:hZMaztcuDvg2OPLNHuHFnurQ9

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3012	hH2EfiHWWcQRhSQ.exe
4784	CTS.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	2024-05-09_34bb77d99bf27ec1df6314c33eb11f4f_bkransomware.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CTS.exe	2024-05-09_34bb77d99bf27ec1df6314c33eb11f4f_bkransomware.exe
File created	C:\Windows\CTS.exe	CTS.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3604	2024-05-09_34bb77d99bf27ec1df6314c33eb11f4f_bkransomware.exe
Token: SeDebugPrivilege	4784	CTS.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3604 wrote to memory of 3012	3604	2024-05-09_34bb77d99bf27ec1df6314c33eb11f4f_bkransomware.exe	91
PID 3604 wrote to memory of 3012	3604	2024-05-09_34bb77d99bf27ec1df6314c33eb11f4f_bkransomware.exe	91
PID 3604 wrote to memory of 4784	3604	2024-05-09_34bb77d99bf27ec1df6314c33eb11f4f_bkransomware.exe	93
PID 3604 wrote to memory of 4784	3604	2024-05-09_34bb77d99bf27ec1df6314c33eb11f4f_bkransomware.exe	93
PID 3604 wrote to memory of 4784	3604	2024-05-09_34bb77d99bf27ec1df6314c33eb11f4f_bkransomware.exe	93

C:\Users\Admin\AppData\Local\Temp\2024-05-09_34bb77d99bf27ec1df6314c33eb11f4f_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-09_34bb77d99bf27ec1df6314c33eb11f4f_bkransomware.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3604
- C:\Users\Admin\AppData\Local\Temp\hH2EfiHWWcQRhSQ.exe
  C:\Users\Admin\AppData\Local\Temp\hH2EfiHWWcQRhSQ.exe
  2⤵
  - Executes dropped EXE
  PID:3012
- C:\Windows\CTS.exe
  "C:\Windows\CTS.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:4784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4040 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
1⤵
PID:1796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\hH2EfiHWWcQRhSQ.exe.log

Filesize
71KB

MD5
90e3e7964c7976ebbab3fb6200dd3c41

SHA1
6e2a6d701bc67c9b4bdf62668fe524782cc187f5

SHA256
4ee74b78ed15feab6ffd3636849f972081553692dbfc251042f7efaedf2db039

SHA512
ff6b83104130dfa4321ef8641b635c929b5892f097e478d758ccc031779e9597f1c1d829c835aa8e211c2cbd4078f75e4980536af787805aaf7708a43152a272

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
73KB

MD5
2d9da8f76c353556bc087d114ae33489

SHA1
d7fb961124ab2de21174a30fe68a5e417fa11e1b

SHA256
934caeb3fa868cb078d3450a2b63dc429d75ea426dbea0588434beafd1d790df

SHA512
f836e7b681d53782197eeec32792646e50e6550cb27b89479b89fb2d7afe9bb8ab4698617a629c43d8151d2d1fd29bebb43e5669aef0b93b517da4f7a00b9daa

Download Submit
C:\Users\Admin\AppData\Local\Temp\hH2EfiHWWcQRhSQ.exe

Filesize
143KB

MD5
7f9f981d970cbccece6ff126ab309045

SHA1
950a14dc6b636237c2f158cce02076b1a1b371e0

SHA256
82596d7d86d685087965457c297973c2aa1fbff0f6a0a3b8d8760f1cc65105cf

SHA512
ac59a2c6bc3b6fad47bac83d84336387b03b45d186c5d021f3c57c7fb160491e8344923d4978e50fb37f6c37e45bbb9c0f9b7cd4b93506ff571c82b795c6fb47

Download Submit
C:\Windows\CTS.exe

Filesize
71KB

MD5
66df4ffab62e674af2e75b163563fc0b

SHA1
dec8a197312e41eeb3cfef01cb2a443f0205cd6e

SHA256
075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163

SHA512
1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25

Download Submit
memory/3012-6-0x00007FFE94223000-0x00007FFE94225000-memory.dmp

Filesize
8KB

Download
memory/3012-9-0x00000000001B0000-0x00000000001D8000-memory.dmp

Filesize
160KB

Download
memory/3012-12-0x00007FFE94220000-0x00007FFE94CE1000-memory.dmp

Filesize
10.8MB

Download
memory/3012-35-0x00007FFE94220000-0x00007FFE94CE1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads