Analysis
- max time kernel: 135s
- max time network: 103s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-05-2024 07:52
Static task: static1
Behavioral task: behavioral1
- Sample: 2024-05-23_42f6b6fa9494b07851589d1cc1c3dea2_bkransomware.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 2024-05-23_42f6b6fa9494b07851589d1cc1c3dea2_bkransomware.exe
- Resource: win10v2004-20240426-en
General
- Target: 2024-05-23_42f6b6fa9494b07851589d1cc1c3dea2_bkransomware.exe
- Size: 71KB
- MD5: 42f6b6fa9494b07851589d1cc1c3dea2
- SHA1: 2bb915d1bb87a81f2daf164b7d58ce9be554ed29
- SHA256: cdcdc988e934b722671489420b2ea7ab82a7a4972b855716d644482336e6520a
- SHA512: 8b058e151e39541d9bba75e713ef737b4ddcc6d445a87070bdeff776092e287d18f3968ded20edea8f4c6e139f669a712c4e793ff92b6d0beafa3cd144c3fb54
- SSDEEP: 1536:Fc897UsWjcd9w+AyabjDbxE+MwmvlDuazTrhl:ZhpAyazIlyazTrhl
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: CTS.exe
  pid 1320: CTS.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: 2024-05-23_42f6b6fa9494b07851589d1cc1c3dea2_bkransomware.exe, CTS.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" (process: 2024-05-23_42f6b6fa9494b07851589d1cc1c3dea2_bkransomware.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" (process: CTS.exe)
- Drops file in Windows directory (2 IoCs)
  Processes: 2024-05-23_42f6b6fa9494b07851589d1cc1c3dea2_bkransomware.exe, CTS.exe
  File created: C:\Windows\CTS.exe (process: 2024-05-23_42f6b6fa9494b07851589d1cc1c3dea2_bkransomware.exe)
  File created: C:\Windows\CTS.exe (process: CTS.exe)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: 2024-05-23_42f6b6fa9494b07851589d1cc1c3dea2_bkransomware.exe, CTS.exe
  Token: SeDebugPrivilege (pid 2980, process: 2024-05-23_42f6b6fa9494b07851589d1cc1c3dea2_bkransomware.exe)
  Token: SeDebugPrivilege (pid 1320, process: CTS.exe)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: 2024-05-23_42f6b6fa9494b07851589d1cc1c3dea2_bkransomware.exe
  PID 2980 wrote to memory of 1320 (process: 2024-05-23_42f6b6fa9494b07851589d1cc1c3dea2_bkransomware.exe, target process: CTS.exe)
  PID 2980 wrote to memory of 1320 (process: 2024-05-23_42f6b6fa9494b07851589d1cc1c3dea2_bkransomware.exe, target process: CTS.exe)
  PID 2980 wrote to memory of 1320 (process: 2024-05-23_42f6b6fa9494b07851589d1cc1c3dea2_bkransomware.exe, target process: CTS.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-05-23_42f6b6fa9494b07851589d1cc1c3dea2_bkransomware.exe (tree level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-23_42f6b6fa9494b07851589d1cc1c3dea2_bkransomware.exe"
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\CTS.exe (tree level 2, child process)
    Command line: "C:\Windows\CTS.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
  Filesize: 394KB
  MD5: a02a22a0da73c4ebbc87c3a57117519f
  SHA1: c05694ba12e0a1bd434ab1e4011d3b65dd79c922
  SHA256: 9336e22199044e62ca9fe577f94ad5c6fb5df68664d995096befaecfdf91f308
  SHA512: f3774d4285be8a28287b9811bb0acbcd3ea87e27d7d00f3ea2cd646b69b33990c6fb5d44883f0cc31f60c43ea944f1c5062fd682a6e5749b677f49fb9494e1ee
- C:\Users\Admin\AppData\Local\Temp\m9j6zfVjseI3Dcz.exe
  Filesize: 71KB
  MD5: 5029b14ee9c437ba62a3f4d61bb27628
  SHA1: 74c62e6156c78b8c63ec073c6aa6873b37f3ba49
  SHA256: f30df658cfc9e6167f4411205058eb6547049f4918b0b30d5ebb7a69d5a47421
  SHA512: aea5312c9ad577ddbaadcf5ad9ead2e31a84155eceb4d434cc1165fa7e454da2fc81455ff6006d56d65d59c3c323d8d96ead0311013de9ff7cbebf13c582c745
- C:\Windows\CTS.exe
  Filesize: 71KB
  MD5: 66df4ffab62e674af2e75b163563fc0b
  SHA1: dec8a197312e41eeb3cfef01cb2a443f0205cd6e
  SHA256: 075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163
  SHA512: 1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25