1e0b4f247c0b4428f684e83578e8a38aa44db530e896246f0762fc97d4187ca0

General

Target

2024-05-23_b4c7ff6e91155a6ac387ca7ad8146e77_bkransomware.exe
Size

24.4MB
MD5

b4c7ff6e91155a6ac387ca7ad8146e77
SHA1

16c32bdd771e5112178eff4115cc04dd24716346
SHA256

1e0b4f247c0b4428f684e83578e8a38aa44db530e896246f0762fc97d4187ca0
SHA512

d7394c2e33201b2caec117fa41d624e2b3b6c16bf77237a619f7e928a8d8466a8f7fb64e517261f23c24ccdef8182887fcaa92af5e2ad004f597420771cc22de
SSDEEP

786432:oQKznpimIn1+FbhdTwlft+4zSnS42kwk8TEWB2:oxwmI1UbHwlU4zSdv8Vk

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

TRKm05vtg4mqovb.exeCTS.exeTRKm05vtg4mqovb.exe

pid process

3876 TRKm05vtg4mqovb.exe
4760 CTS.exe
1952 TRKm05vtg4mqovb.exe
Loads dropped DLL 1 IoCs

Processes:

TRKm05vtg4mqovb.exe

pid process

1952 TRKm05vtg4mqovb.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3876	TRKm05vtg4mqovb.exe
4760	CTS.exe
1952	TRKm05vtg4mqovb.exe

pid	process
1952	TRKm05vtg4mqovb.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-05-23_b4c7ff6e91155a6ac387ca7ad8146e77_bkransomware.exeCTS.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	2024-05-23_b4c7ff6e91155a6ac387ca7ad8146e77_bkransomware.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops file in Windows directory 2 IoCs

Processes:

2024-05-23_b4c7ff6e91155a6ac387ca7ad8146e77_bkransomware.exeCTS.exe

description ioc process

File created C:\Windows\CTS.exe 2024-05-23_b4c7ff6e91155a6ac387ca7ad8146e77_bkransomware.exe
File created C:\Windows\CTS.exe CTS.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-05-23_b4c7ff6e91155a6ac387ca7ad8146e77_bkransomware.exeCTS.exe

description pid process

Token: SeDebugPrivilege 4168 2024-05-23_b4c7ff6e91155a6ac387ca7ad8146e77_bkransomware.exe
Token: SeDebugPrivilege 4760 CTS.exe

description	ioc	process
File created	C:\Windows\CTS.exe	2024-05-23_b4c7ff6e91155a6ac387ca7ad8146e77_bkransomware.exe
File created	C:\Windows\CTS.exe	CTS.exe

description	pid	process
Token: SeDebugPrivilege	4168	2024-05-23_b4c7ff6e91155a6ac387ca7ad8146e77_bkransomware.exe
Token: SeDebugPrivilege	4760	CTS.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

2024-05-23_b4c7ff6e91155a6ac387ca7ad8146e77_bkransomware.exeTRKm05vtg4mqovb.exe

description	pid	process	target process
PID 4168 wrote to memory of 3876	4168	2024-05-23_b4c7ff6e91155a6ac387ca7ad8146e77_bkransomware.exe	TRKm05vtg4mqovb.exe
PID 4168 wrote to memory of 3876	4168	2024-05-23_b4c7ff6e91155a6ac387ca7ad8146e77_bkransomware.exe	TRKm05vtg4mqovb.exe
PID 4168 wrote to memory of 3876	4168	2024-05-23_b4c7ff6e91155a6ac387ca7ad8146e77_bkransomware.exe	TRKm05vtg4mqovb.exe
PID 4168 wrote to memory of 4760	4168	2024-05-23_b4c7ff6e91155a6ac387ca7ad8146e77_bkransomware.exe	CTS.exe
PID 4168 wrote to memory of 4760	4168	2024-05-23_b4c7ff6e91155a6ac387ca7ad8146e77_bkransomware.exe	CTS.exe
PID 4168 wrote to memory of 4760	4168	2024-05-23_b4c7ff6e91155a6ac387ca7ad8146e77_bkransomware.exe	CTS.exe
PID 3876 wrote to memory of 1952	3876	TRKm05vtg4mqovb.exe	TRKm05vtg4mqovb.exe
PID 3876 wrote to memory of 1952	3876	TRKm05vtg4mqovb.exe	TRKm05vtg4mqovb.exe
PID 3876 wrote to memory of 1952	3876	TRKm05vtg4mqovb.exe	TRKm05vtg4mqovb.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-23_b4c7ff6e91155a6ac387ca7ad8146e77_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-23_b4c7ff6e91155a6ac387ca7ad8146e77_bkransomware.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4168

C:\Users\Admin\AppData\Local\Temp\TRKm05vtg4mqovb.exe
C:\Users\Admin\AppData\Local\Temp\TRKm05vtg4mqovb.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3876

C:\Windows\Temp\{C34CF0F4-A28A-4A32-8722-7F41971B6FBE}\.cr\TRKm05vtg4mqovb.exe
"C:\Windows\Temp\{C34CF0F4-A28A-4A32-8722-7F41971B6FBE}\.cr\TRKm05vtg4mqovb.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\TRKm05vtg4mqovb.exe" -burn.filehandle.attached=684 -burn.filehandle.self=536
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1952

C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
Filesize
395KB

MD5
15065f3aab5cd4f04cb0047d7f435427

SHA1
2442cea42501d2894daaeaea0037c138ea0fa446

SHA256
9a5bf29dd747656e272ade2d3aabb4f5ecf7b38996e0a92a770cc7caa0812a79

SHA512
41ab637c741f654bd7aeb9f2b948a29955eec32f483aa35b8ec80ee835f2da0826268b791dcb78919efe2088c7497aca66f47c1286b8561caeebee3e5789147f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TRKm05vtg4mqovb.exe
Filesize
24.3MB

MD5
119dde89a20674349a51893114eae5ed

SHA1
4de9f6681f0f213b132def3af88a3c68483f5f32

SHA256
26c2c72fba6438f5e29af8ebc4826a1e424581b3c446f8c735361f1db7beff72

SHA512
9be541f26b5d43cee1766239d8880ab7d30d18fea2f17e28d63a498b30b7dd0918f389805398cb56b0df0df17c8633cb73f9e46672c93b21be04b85bda7a2648

Download Submit
C:\Windows\CTS.exe
Filesize
71KB

MD5
66df4ffab62e674af2e75b163563fc0b

SHA1
dec8a197312e41eeb3cfef01cb2a443f0205cd6e

SHA256
075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163

SHA512
1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25

Download Submit
C:\Windows\Temp\{714A1F09-CE80-40F7-BAFB-56EC2FB6AF83}\.ba\logo.png
Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Windows\Temp\{714A1F09-CE80-40F7-BAFB-56EC2FB6AF83}\.ba\wixstdba.dll
Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
C:\Windows\Temp\{C34CF0F4-A28A-4A32-8722-7F41971B6FBE}\.cr\TRKm05vtg4mqovb.exe
Filesize
635KB

MD5
7cf46d8dfb686998aaaf81e27b995e8c

SHA1
c5638a049787ce441c9720c92d3cd02aa3b02429

SHA256
120019a0ac9f54224fc9787afba241bd9faaecef489be5a660bb16e85df052e4

SHA512
66cf76324e373d3be6cbef39535b419eda486a8f43c305c38a8c01cfc05f9e4073aeade808db8dea306fd3251955e177e45ab578a57114bac1d2df54b4e95efe

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads