Analysis
- max time kernel: 133s
- max time network: 102s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-05-2024 22:06
Static task: static1
Behavioral task: behavioral1
- Sample: 2024-05-24_17d78877a0b061aee8e242903af7825e_bkransomware.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 2024-05-24_17d78877a0b061aee8e242903af7825e_bkransomware.exe
- Resource: win10v2004-20240508-en
General
- Target: 2024-05-24_17d78877a0b061aee8e242903af7825e_bkransomware.exe
- Size: 656KB
- MD5: 17d78877a0b061aee8e242903af7825e
- SHA1: b40f5c296134a9cf00c3baab5a8afcbd84799e85
- SHA256: 701eb98eca2a5282657503f29b3285a09ca3f40fcbb878c4f2f7c5106c135cf7
- SHA512: 6dfd2cc62e2f54867f9e5078f0ab97e7d5d7da33b88f0e12674c76a0982cf846ccb9ab73993829668eadc8701694bd389421e3c29cdffeb2ff458b06c24109da
- SSDEEP: 12288:xC03+RlXPt7sMaQv/cuiW5+c2uOr0Akf00MT75TfgIvz1nHg:D3+RdIQv/jV+CA7XzgYz1Hg
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
    320   tB1NUYgxjPkeRZB.exe
    1236  CTS.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"  2024-05-24_17d78877a0b061aee8e242903af7825e_bkransomware.exe
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"  CTS.exe
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
    File created  C:\Windows\CTS.exe  2024-05-24_17d78877a0b061aee8e242903af7825e_bkransomware.exe
    File created  C:\Windows\CTS.exe  CTS.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege  3372  2024-05-24_17d78877a0b061aee8e242903af7825e_bkransomware.exe
    Token: SeDebugPrivilege  1236  CTS.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes (description, pid, process, target process):
    PID 3372 wrote to memory of 320   3372  2024-05-24_17d78877a0b061aee8e242903af7825e_bkransomware.exe  tB1NUYgxjPkeRZB.exe
    PID 3372 wrote to memory of 320   3372  2024-05-24_17d78877a0b061aee8e242903af7825e_bkransomware.exe  tB1NUYgxjPkeRZB.exe
    PID 3372 wrote to memory of 1236  3372  2024-05-24_17d78877a0b061aee8e242903af7825e_bkransomware.exe  CTS.exe
    PID 3372 wrote to memory of 1236  3372  2024-05-24_17d78877a0b061aee8e242903af7825e_bkransomware.exe  CTS.exe
    PID 3372 wrote to memory of 1236  3372  2024-05-24_17d78877a0b061aee8e242903af7825e_bkransomware.exe  CTS.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-05-24_17d78877a0b061aee8e242903af7825e_bkransomware.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-24_17d78877a0b061aee8e242903af7825e_bkransomware.exe"
  Depth: 1
  PID: 3372
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\tB1NUYgxjPkeRZB.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\tB1NUYgxjPkeRZB.exe
    Depth: 2
    PID: 320
    - Executes dropped EXE
  - C:\Windows\CTS.exe
    Command line: "C:\Windows\CTS.exe"
    Depth: 2
    PID: 1236
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
  Filesize: 392KB
  MD5: d57e07381501da38d3b88d929a4c3551
  SHA1: 1073ad2453e8fedc5d451761588cb86e8a0ab323
  SHA256: 1577072c7aef3dda74f8280ab8e43797e7b5f75be4be9bb2fc467b8bdd9c5f62
  SHA512: 6ac2edb41e89de4958963ce0005df1529d7e22fb138173ca0f7417deacbe92bc5d269377f9a23d498d48cde5aa48110b5a8e6f0da87dbc9fd43f46ebe82b42bb
- C:\Users\Admin\AppData\Local\Temp\tB1NUYgxjPkeRZB.exe
  Filesize: 656KB
  MD5: 9c79adb0dabc9130d5655f2d0cc90d95
  SHA1: 5aa9ce671feb1f1fe52b04638a26b98f7eeefc9b
  SHA256: 202336ce7c09366f29207d2d0e5c2fdc016b22b3887e7ccd225632278583e318
  SHA512: e0efddd21286730725bd7867336978653f4dad81f69abae6e6d140076f1aef8fd95155eed70f076471b43962cc7c8f0108dfaa2c7e566d5701153ea765bd1da7
- C:\Users\Admin\AppData\Local\Temp\tB1NUYgxjPkeRZB.exe
  Filesize: 584KB
  MD5: 487138792576238d76ad63497f050803
  SHA1: 48379948ed6a93c4df1116b51d33e15627d67945
  SHA256: 3515e307cf21fe8f37112b3a6e79c3c3b50aa202cc000df4bbf3343f083a2f70
  SHA512: b163fd09be5db2e20ec91745fdcc1615d6c71758d1309a33d4a27c5f57c6259ff11a120d4d58e281b26e59fcf90f982d1bd91a21b5e4883dc8e9537eccc46425
- C:\Windows\CTS.exe
  Filesize: 71KB
  MD5: f9d4ab0a726adc9b5e4b7d7b724912f1
  SHA1: 3d42ca2098475924f70ee4a831c4f003b4682328
  SHA256: b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc
  SHA512: 22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432